Message-ID: <20180315144959.GB19643@redhat.com>
Date:   Thu, 15 Mar 2018 15:49:59 +0100
From:   Oleg Nesterov <oleg@...hat.com>
To:     Ravi Bangoria <ravi.bangoria@...ux.vnet.ibm.com>
Cc:     mhiramat@...nel.org, peterz@...radead.org,
        srikar@...ux.vnet.ibm.com, acme@...nel.org,
        ananth@...ux.vnet.ibm.com, akpm@...ux-foundation.org,
        alexander.shishkin@...ux.intel.com, alexis.berlemont@...il.com,
        corbet@....net, dan.j.williams@...el.com,
        gregkh@...uxfoundation.org, huawei.libin@...wei.com,
        hughd@...gle.com, jack@...e.cz, jglisse@...hat.com,
        jolsa@...hat.com, kan.liang@...el.com,
        kirill.shutemov@...ux.intel.com, kjlx@...pleofstupid.com,
        kstewart@...uxfoundation.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org, mhocko@...e.com,
        milian.wolff@...b.com, mingo@...hat.com, namhyung@...nel.org,
        naveen.n.rao@...ux.vnet.ibm.com, pc@...ibm.com,
        pombredanne@...b.com, rostedt@...dmis.org, tglx@...utronix.de,
        tmricht@...ux.vnet.ibm.com, willy@...radead.org,
        yao.jin@...ux.intel.com, fengguang.wu@...el.com
Subject: Re: [PATCH 6/8] trace_uprobe/sdt: Fix multiple update of same
 reference counter

On 03/13, Ravi Bangoria wrote:
>
> For tiny binaries/libraries, different mmap regions point to the
> same file portion. In such cases, we may increment reference counter
> multiple times.

Yes,

> But while de-registration, reference counter will get
> decremented only once

could you explain why this happens? sdt_increment_ref_ctr() and
sdt_decrement_ref_ctr() look symmetrical, _decrement_ should see
the same mappings?

Either way, this patch doesn't look right at first glance... Just
for example,

> +static bool sdt_check_mm_list(struct trace_uprobe *tu, struct mm_struct *mm)
> +{
> +	struct sdt_mm_list *tmp = tu->sml;
> +
> +	if (!tu->sml || !mm)
> +		return false;
> +
> +	while (tmp) {
> +		if (tmp->mm == mm)
> +			return true;
> +		tmp = tmp->next;
> +	}
> +
> +	return false;
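Review bot: the match in sdt_check_mm_list() is a bare address comparison (`if (tmp->mm == mm)`) on an mm_struct the list holds no reference to, so once the recorded mm is freed and its memory reused for a new mm the lookup returns a false hit for an mm that was never counted. Either take a reference when the pointer is stored (mmgrab()) and drop it when the node is removed, or unlink the node from the mm teardown path; the changelog should say which of the two keeps the stored pointer valid. Minor: the `if (!tu->sml || !mm)` guard is redundant for tu->sml, since the while loop already handles an empty list.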

...

> +}
> +
> +static void sdt_add_mm_list(struct trace_uprobe *tu, struct mm_struct *mm)
> +{
> +	struct sdt_mm_list *tmp;
> +
> +	tmp = kzalloc(sizeof(*tmp), GFP_KERNEL);
> +	if (!tmp)
> +		return;
> +
> +	tmp->mm = mm;
> +	tmp->next = tu->sml;
> +	tu->sml = tmp;
> +}
> +
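Review bot: sdt_add_mm_list() silently drops the allocation failure (`if (!tmp) return;`), and its caller only reaches it after sdt_update_ref_ctr() has already incremented the counter, so on ENOMEM the increment stands but the mm is never recorded and the next mmap of the same mm increments again, which is exactly the double update this patch sets out to fix. Suggest returning an int and allocating the node before the counter update, so a failed allocation leaves the counter untouched (or undoes the increment).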

...

> @@ -1020,8 +1104,16 @@ void trace_uprobe_mmap_callback(struct vm_area_struct *vma)
>  		    !trace_probe_is_enabled(&tu->tp))
>  			continue;
>
> +		down_write(&tu->sml_rw_sem);
> +		if (sdt_check_mm_list(tu, vma->vm_mm))
> +			goto cont;
> +
>  		vaddr = vma_offset_to_vaddr(vma, tu->ref_ctr_offset);
> -		sdt_update_ref_ctr(vma->vm_mm, vaddr, 1);
> +		if (!sdt_update_ref_ctr(vma->vm_mm, vaddr, 1))
> +			sdt_add_mm_list(tu, vma->vm_mm);
> +
> +cont:
> +		up_write(&tu->sml_rw_sem);
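Review bot: trace_uprobe_mmap_callback() now takes tu->sml_rw_sem for write and, through sdt_add_mm_list(), does a kzalloc(GFP_KERNEL) under it from the mmap path; the changelog should confirm that sleeping under this semaphore there is acceptable and that the lock order against mmap_sem is the same everywhere sml_rw_sem is taken, in particular on the side that drops entries. Style: the `goto cont` exists only to reach up_write(); moving the check-and-add into a helper that releases the lock before returning avoids the label. Also `if (!sdt_update_ref_ctr(vma->vm_mm, vaddr, 1))` treats 0 as success, the opposite of a boolean, so a one-line comment on that return convention would help.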

To simplify, suppose that tu->sml is empty.

Some process calls this function, increments the counter and adds its ->mm into
the list.

Then it exits, ->mm is freed.

The next fork/exec allocates the same memory for the new ->mm, the new process
calls trace_uprobe_mmap_callback() and sdt_check_mm_list() returns T?

Oleg.
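The reuse scenario described in the reply above, written out as an added example that is not part of the patch or of this thread. It is a small userspace model of the list: mm_struct, the slab cache and mmgrab()/mmdrop() are replaced by a toy struct with a refcount and a two-slot pool, all of which are constructed for the illustration. Process A maps the binary and its mm is recorded, A exits, the next process B gets an mm at the same address and maps the binary; with bare pointers the lookup reports B as already counted, with a reference held for the lifetime of the node the slot cannot be recycled and the lookup is correct.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for struct mm_struct (constructed for this example):
 * an owner id plus a refcount that plays the role of mm->mm_count. */
struct mm { int pid; int refcount; };

/* Two-slot pool instead of the slab cache: a freed slot is handed out
 * again on the next allocation, so address reuse is deterministic. */
#define POOL_SLOTS 2
static struct mm pool[POOL_SLOTS];
static bool pool_used[POOL_SLOTS];

static struct mm *mm_alloc(int pid)
{
	for (int i = 0; i < POOL_SLOTS; i++) {
		if (!pool_used[i]) {
			pool_used[i] = true;
			pool[i].pid = pid;
			pool[i].refcount = 1;	/* the owning process's reference */
			return &pool[i];
		}
	}
	return NULL;
}

/* mmgrab()-like: pin the struct so its slot cannot be recycled. */
static void mm_grab(struct mm *mm) { mm->refcount++; }

/* mmdrop()-like: the slot is recycled only when the last reference goes. */
static void mm_drop(struct mm *mm)
{
	if (--mm->refcount == 0)
		pool_used[mm - pool] = false;
}

/* Same shape as the patch's list: one node per mm, matched by address. */
struct sdt_mm_list { struct mm *mm; struct sdt_mm_list *next; };
struct trace_uprobe { struct sdt_mm_list *sml; };

static bool sdt_check_mm_list(struct trace_uprobe *tu, struct mm *mm)
{
	for (struct sdt_mm_list *t = tu->sml; t; t = t->next)
		if (t->mm == mm)
			return true;
	return false;
}

/* hold_ref selects the variant: bare pointer (as in the patch), or a
 * pointer that owns a reference on the mm while the node exists. */
static void sdt_add_mm_list(struct trace_uprobe *tu, struct mm *mm, bool hold_ref)
{
	struct sdt_mm_list *t = calloc(1, sizeof(*t));

	if (!t)
		abort();
	if (hold_ref)
		mm_grab(mm);
	t->mm = mm;
	t->next = tu->sml;
	tu->sml = t;
}

static void sdt_free_mm_list(struct trace_uprobe *tu, bool hold_ref)
{
	while (tu->sml) {
		struct sdt_mm_list *t = tu->sml;

		tu->sml = t->next;
		if (hold_ref)
			mm_drop(t->mm);
		free(t);
	}
}

/* A maps the binary (recorded), A exits, B is created and maps the binary.
 * Returns true if the callback for B would wrongly treat B's mm as counted. */
static bool stale_match_after_reuse(bool hold_ref)
{
	struct trace_uprobe tu = { .sml = NULL };
	struct mm *a, *b;
	bool stale;

	memset(pool_used, 0, sizeof(pool_used));
	a = mm_alloc(1);
	if (!sdt_check_mm_list(&tu, a))
		sdt_add_mm_list(&tu, a, hold_ref);	/* ref counter bumped for A */
	mm_drop(a);					/* A exits, its ->mm released */

	b = mm_alloc(2);				/* next fork/exec */
	stale = sdt_check_mm_list(&tu, b);		/* would B be skipped? */

	mm_drop(b);
	sdt_free_mm_list(&tu, hold_ref);
	return stale;
}

int main(void)
{
	printf("bare pointers:  B seen as already counted = %s\n",
	       stale_match_after_reuse(false) ? "yes" : "no");
	printf("with reference: B seen as already counted = %s\n",
	       stale_match_after_reuse(true) ? "yes" : "no");
	return 0;
}
```

The reference only pins the allocation; it says nothing about whether the process is still alive, so in the kernel the node still has to be dropped from the mm teardown path, otherwise every exited process that ever mapped the binary stays pinned in the list for as long as the probe is enabled.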
