| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240710235159.23b8bc0f5247c358ccea699d@kernel.org> Date: Wed, 10 Jul 2024 23:51:59 +0900 From: Masami Hiramatsu (Google) <mhiramat@...nel.org> To: Oleg Nesterov <oleg@...hat.com> Cc: andrii@...nel.org, peterz@...radead.org, clm@...a.com, jolsa@...nel.org, mingo@...nel.org, paulmck@...nel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] uprobes: document the usage of mm->mmap_lock On Wed, 10 Jul 2024 16:00:45 +0200 Oleg Nesterov <oleg@...hat.com> wrote: > The comment above uprobe_write_opcode() is wrong, unapply_uprobe() calls > it under mmap_read_lock() and this is correct. > > And it is completely unclear why register_for_each_vma() takes mmap_lock > for writing, add a comment to explain that mmap_write_lock() is needed to > avoid the following race: > > - A task T hits the bp installed by uprobe and calls > find_active_uprobe() > > - uprobe_unregister() removes this uprobe/bp > > - T calls find_uprobe() which returns NULL > > - another uprobe_register() installs the bp at the same address > > - T calls is_trap_at_addr() which returns true > > - T returns to handle_swbp() and gets SIGTRAP. > > Reported-by: Andrii Nakryiko <andrii@...nel.org> > Signed-off-by: Oleg Nesterov <oleg@...hat.com> > --- > kernel/events/uprobes.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > index 2c83ba776fc7..d52b624a50fa 100644 > --- a/kernel/events/uprobes.c > +++ b/kernel/events/uprobes.c > @@ -453,7 +453,7 @@ static int update_ref_ctr(struct uprobe *uprobe, struct mm_struct *mm, > * @vaddr: the virtual address to store the opcode. > * @opcode: opcode to be written at @vaddr. > * > - * Called with mm->mmap_lock held for write. > + * Called with mm->mmap_lock held for read or write. > * Return 0 (success) or a negative errno. > */ > int uprobe_write_opcode(struct arch_uprobe *auprobe, struct mm_struct *mm, > @@ -1046,7 +1046,12 @@ register_for_each_vma(struct uprobe *uprobe, struct uprobe_consumer *new) > > if (err && is_register) > goto free; > - > + /* > + * We take mmap_lock for writing to avoid the race with > + * find_active_uprobe(), install_breakpoint() must not > + * make is_trap_at_addr() true right after find_uprobe() > + * returns NULL. Sorry, I couldn't catch the latter part. What is the relationship of taking the mmap_lock and install_breakpoint() and is_trap_at_addr() here? You meant that find_active_uprobe() is using find_uprobe() which searchs uprobe form rbtree? But it seems uprobe is already inserted to the rbtree in alloc_uprobe() so find_uprobe() will not return NULL here, right? Thank you, > + */ > mmap_write_lock(mm); > vma = find_vma(mm, info->vaddr); > if (!vma || !valid_vma(vma, is_register) || > -- > 2.25.1.362.g51ebf55 > > -- Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists