Message-ID: <1308248588.13240.267.camel@twins>
Date: Thu, 16 Jun 2011 20:23:08 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc: Ingo Molnar <mingo@...e.hu>, Steven Rostedt <rostedt@...dmis.org>,
Linux-mm <linux-mm@...ck.org>,
Arnaldo Carvalho de Melo <acme@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andi Kleen <andi@...stfloor.org>,
Hugh Dickins <hughd@...gle.com>,
Christoph Hellwig <hch@...radead.org>,
Jonathan Corbet <corbet@....net>,
Thomas Gleixner <tglx@...utronix.de>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
Oleg Nesterov <oleg@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Jim Keniston <jkenisto@...ux.vnet.ibm.com>,
Roland McGrath <roland@...k.frob.com>,
Ananth N Mavinakayanahalli <ananth@...ibm.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v4 3.0-rc2-tip 7/22] 7: uprobes: mmap and fork hooks.

On Thu, 2011-06-16 at 18:30 +0530, Srikar Dronamraju wrote:
> Now since a register and mmap operations can run in parallel, we could
> have subtle race conditions like this:
>
> 1. register_uprobe inserts the uprobe in RB tree.
> 2. register_uprobe loops through vmas and inserts breakpoints.
>
> 3. mmap is called for same inode, mmap_uprobe() takes reference;
> 4. mmap completes insertion and releases reference.
>
> 5. register uprobe tries to install breakpoint on one vma fails and not
> due to -ESRCH or -EEXIST.
> 6. register_uprobe rolls back all installed breakpoints except the one
> inserted by mmap.
>
> We end up with breakpoints that we have inserted but haven't cleared.
>
> Similarly unregister_uprobe might be looping to remove the breakpoints
> when mmap comes in, installs the breakpoint and returns.
> unregister_uprobe might erase the uprobe from rbtree after mmap is done.

Well yes, but that's mostly because of how you use those lists.

int __register_uprobe(...)
{
	uprobe = alloc_uprobe(...); // find or insert in tree

	vma_prio_tree_foreach(..) {
		// get mm ref, add to list blah blah
	}

	list_for_each_entry_safe() {
		// del from list etc..
		down_read(mm->mmap_sem);
		ret = install_breakpoint();
		if (ret && (ret != -ESRCH && ret != -EEXIST)) {
			up_read(..);
			goto fail;
		}
	}

	return 0;

fail:
	list_for_each_entry_safe() {
		// del from list, put mm
	}

	return ret;
}

void __unregister_uprobe(...)
{
	uprobe = find_uprobe(); // ref++
	if (delete_consumer(...)) // includes tree removal on last consumer
				  // implies we own the last ref
		return; // consumers

	vma_prio_tree_foreach() {
		// create list
	}

	list_for_each_entry_safe() {
		// remove from list
		remove_breakpoint(); // unconditional, if it wasn't there
				     // it's a nop anyway, can't get any
				     // new probes on account of holding
				     // uprobes_mutex and mmap() doesn't see
				     // it due to tree removal.
	}
}

int register_uprobe(...)
{
	int ret;

	mutex_lock(&uprobes_mutex);
	ret = __register_uprobe(...);
	if (ret)
		__unregister_uprobe(...);
	mutex_unlock(&uprobes_mutex);

	return ret;
}

int mmap_uprobe(...)
{
	spin_lock(&uprobes_treelock);
	for_each_probe_in_inode() {
		// create list;
	}
	spin_unlock(..);

	list_for_each_entry_safe() {
		// remove from list
		ret = install_breakpoint();
		if (ret)
			goto fail;
		if (!uprobe_still_there()) // takes treelock
			remove_breakpoint();
	}

	return 0;

fail:
	list_for_each_entry_safe() {
		// destroy list
	}
	return ret;
}

Should work I think, no?
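
Added example, not part of the original message or of the uprobes patches: a single-threaded C model that replays one interleaving of the mmap_uprobe() and __unregister_uprobe() sketches above, with and without the uprobe_still_there() re-check. The struct, the function names and the assumption that a vma being mapped is not yet visible to the unregister walk are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy single-threaded model of the pseudocode above; all names are
 * hypothetical and this is not kernel code. Assumption: a vma being
 * mapped is not yet visible to unregister's vma walk. */
#define MAX_VMA 2

struct model {
	bool in_tree;          /* uprobe still in the rbtree             */
	bool mapped[MAX_VMA];  /* vma visible to vma_prio_tree_foreach() */
	bool bp[MAX_VMA];      /* breakpoint installed in this vma       */
};

/* mmap_uprobe() after the treelock is dropped; 'seen' = snapshot result. */
static void mmap_install(struct model *m, int vma, bool seen, bool recheck)
{
	m->mapped[vma] = true;
	if (!seen)
		return;
	m->bp[vma] = true;              /* install_breakpoint()  */
	if (recheck && !m->in_tree)     /* !uprobe_still_there() */
		m->bp[vma] = false;     /* remove_breakpoint()   */
}

/* __unregister_uprobe(): tree removal first, then sweep visible vmas. */
static void unregister_probe(struct model *m)
{
	m->in_tree = false;
	for (int i = 0; i < MAX_VMA; i++)
		if (m->mapped[i])
			m->bp[i] = false;
}

/* mmap snapshots, unregister completes, mmap resumes; returns stale count. */
int stale_after_race(bool recheck)
{
	struct model m = { .in_tree = true, .mapped = { true }, .bp = { true } };
	bool seen = m.in_tree;          /* mmap: list built under treelock */
	unregister_probe(&m);
	mmap_install(&m, 1, seen, recheck);
	return m.bp[0] + m.bp[1];
}

int main(void)
{
	printf("stale breakpoints: %d without re-check, %d with\n",
	       stale_after_race(false), stale_after_race(true));
	return 0;
}
```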