lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120601164725.GK24279@linux.vnet.ibm.com>
Date:	Fri, 1 Jun 2012 22:17:25 +0530
From:	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...e.hu>,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	Anton Arapov <anton@...hat.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] uprobes: install_breakpoint() should fail if
 is_swbp_insn() == T

* Oleg Nesterov <oleg@...hat.com> [2012-05-31 20:53:39]:

> On 05/30, Peter Zijlstra wrote:
> >
> > register's vma
> > iteration is very careful not to have the same vma twice,
> 
> Hmm. I am wondering if it is careful enough...
> 
> Just in case, I think your patch is great. But it seems to me
> there is another problem.
> 
> __find_next_vma_info() checks tmpvi->mm == vma->vm_mm to detect the
> already visited mm/vma. However, afaics this can be false positive?
> 
> The caller, register_for_each_vma(), does mmput() and after that
> this memory can be freed and re-used as another mm_struct.
> 

Before we do a mmput(), we take the mmap_sem for that mm. So this mm
cannot be freed until we complete insertion/removal.  If the mm gets
reused after the insertion/removal, and maps the inode, then we are
doing the right thing by parsing it.

Or are you hinting at some other problem?


> I'll recheck this, but perhaps we need something like below?
> 
> Oleg.
> 
> --- x/kernel/events/uprobes.c
> +++ x/kernel/events/uprobes.c
> @@ -851,7 +851,6 @@ static int register_for_each_vma(struct 
>  			list_del(&vi->probe_list);
>  			kfree(vi);
>  			up_write(&mm->mmap_sem);
> -			mmput(mm);

If we want to do this, then we have to even move the list_del and kfree
along with mmput.  Otherwise we may leak mm's.  I see no advantages
except for decrease in code.  I might be missing something trivial. 

On the other side, moving the lines below would mean keeping extra
elements in the list that have to be traversed again. i.e if we
determine in this pass that elements of the list can be removed, then
why keep them till the next pass.

>  			continue;
>  		}
>  		vaddr = vma_address(vma, uprobe->offset);
> @@ -860,7 +859,6 @@ static int register_for_each_vma(struct 
>  			list_del(&vi->probe_list);
>  			kfree(vi);
>  			up_write(&mm->mmap_sem);
> -			mmput(mm);
>  			continue;
>  		}
> 
> @@ -870,7 +868,6 @@ static int register_for_each_vma(struct 
>  			remove_breakpoint(uprobe, mm, vi->vaddr);
> 
>  		up_write(&mm->mmap_sem);
> -		mmput(mm);
>  		if (is_register) {
>  			if (ret && ret == -EEXIST)
>  				ret = 0;
> @@ -881,6 +878,7 @@ static int register_for_each_vma(struct 
> 
>  	list_for_each_entry_safe(vi, tmpvi, &try_list, probe_list) {
>  		list_del(&vi->probe_list);
> +		mmput(vi->mm)
>  		kfree(vi);
>  	}
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ