* [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails @ 2012-08-19 17:09 Oleg Nesterov 2012-08-19 17:09 ` Oleg Nesterov 2012-08-19 17:10 ` [PATCH 1/1] " Oleg Nesterov 0 siblings, 2 replies; 5+ messages in thread From: Oleg Nesterov @ 2012-08-19 17:09 UTC (permalink / raw) To: Linus Torvalds Cc: Anton Arapov, Ingo Molnar, Srikar Dronamraju, William Cohen, linux-kernel Hello. I guess this patch was forgotten due to the lengthy discussion, see http://marc.info/?t=134349366100001 I am re-sending it because it fixes the serious and easy-to-trigger problem. Just do something like # echo "p /bin/true:OFFSET_OF_INVALID_INSN" > tracing/uprobe_events # /bin/true to crash the kernel. I think this is 3.6/stable material, the patch is simple and obviously can't make any harm. Just in case... Yes, this is not what we want in the long term, but there is no simple fix for now and we need other changes in uprobe.c before we can teach mmap_region() to handle the error from uprobe_mmap(). Oleg. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails 2012-08-19 17:09 [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails Oleg Nesterov @ 2012-08-19 17:09 ` Oleg Nesterov 2012-08-19 17:13 ` Oleg Nesterov 2012-08-19 17:10 ` [PATCH 1/1] " Oleg Nesterov 1 sibling, 1 reply; 5+ messages in thread From: Oleg Nesterov @ 2012-08-19 17:09 UTC (permalink / raw) To: Linus Torvalds Cc: Anton Arapov, Ingo Molnar, Srikar Dronamraju, William Cohen, linux-kernel https://bugzilla.redhat.com/show_bug.cgi?id=843640 If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path does unmap_region() but does not remove the soon-to-be-freed vma from rb tree. Actually there are more problems but this is how William noticed this bug. Perhaps we could do do_munmap() + return in this case, but in fact it is simply wrong to abort if uprobe_mmap() fails. Until at least we move the !UPROBE_COPY_INSN code from install_breakpoint() to uprobe_register(). For example, uprobe_mmap()->install_breakpoint() can fail if the probed insn is not supported (remember, uprobe_register() succeeds if nobody mmaps inode/offset), mmap() should not fail in this case. dup_mmap()->uprobe_mmap() is wrong too by the same reason, fork() can race with uprobe_register() and fail for no reason if it wins the race and does install_breakpoint() first. And, if nothing else, both mmap_region() and dup_mmap() return success if uprobe_mmap() fails. Change them to ignore the error code from uprobe_mmap(). Reported-and-tested-by: William Cohen <wcohen@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> # v3.5 --- kernel/fork.c | 4 ++-- mm/mmap.c | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index ab5211b..54bb88a 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -454,8 +454,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; - if (file && uprobe_mmap(tmp)) - goto out; + if (file) + uprobe_mmap(tmp); } /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); diff --git a/mm/mmap.c b/mm/mmap.c index 4fe2697..f25fd3f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1355,9 +1355,8 @@ out: } else if ((flags & MAP_POPULATE) && !(flags & MAP_NONBLOCK)) make_pages_present(addr, addr + len); - if (file && uprobe_mmap(vma)) - /* matching probes but cannot insert */ - goto unmap_and_free_vma; + if (file) + uprobe_mmap(vma); return addr; -- 1.5.5.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails 2012-08-19 17:09 ` Oleg Nesterov @ 2012-08-19 17:13 ` Oleg Nesterov 0 siblings, 0 replies; 5+ messages in thread From: Oleg Nesterov @ 2012-08-19 17:13 UTC (permalink / raw) To: Linus Torvalds Cc: Anton Arapov, Ingo Molnar, Srikar Dronamraju, William Cohen, linux-kernel OOPS, sorry, wrong subject. Ignore this email, see the next one. On 08/19, Oleg Nesterov wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=843640 > > If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path > does unmap_region() but does not remove the soon-to-be-freed vma > from rb tree. Actually there are more problems but this is how > William noticed this bug. > > Perhaps we could do do_munmap() + return in this case, but in fact > it is simply wrong to abort if uprobe_mmap() fails. Until at least > we move the !UPROBE_COPY_INSN code from install_breakpoint() to > uprobe_register(). > > For example, uprobe_mmap()->install_breakpoint() can fail if the > probed insn is not supported (remember, uprobe_register() succeeds > if nobody mmaps inode/offset), mmap() should not fail in this case. > > dup_mmap()->uprobe_mmap() is wrong too by the same reason, fork() > can race with uprobe_register() and fail for no reason if it wins > the race and does install_breakpoint() first. > > And, if nothing else, both mmap_region() and dup_mmap() return > success if uprobe_mmap() fails. Change them to ignore the error > code from uprobe_mmap(). > > Reported-and-tested-by: William Cohen <wcohen@redhat.com> > Signed-off-by: Oleg Nesterov <oleg@redhat.com> > Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com> > Cc: <stable@vger.kernel.org> # v3.5 > --- > kernel/fork.c | 4 ++-- > mm/mmap.c | 5 ++--- > 2 files changed, 4 insertions(+), 5 deletions(-) > > diff --git a/kernel/fork.c b/kernel/fork.c > index ab5211b..54bb88a 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -454,8 +454,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) > if (retval) > goto out; > > - if (file && uprobe_mmap(tmp)) > - goto out; > + if (file) > + uprobe_mmap(tmp); > } > /* a new mm has just been created */ > arch_dup_mmap(oldmm, mm); > diff --git a/mm/mmap.c b/mm/mmap.c > index 4fe2697..f25fd3f 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -1355,9 +1355,8 @@ out: > } else if ((flags & MAP_POPULATE) && !(flags & MAP_NONBLOCK)) > make_pages_present(addr, addr + len); > > - if (file && uprobe_mmap(vma)) > - /* matching probes but cannot insert */ > - goto unmap_and_free_vma; > + if (file) > + uprobe_mmap(vma); > > return addr; > > -- > 1.5.5.1 > ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails 2012-08-19 17:09 [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails Oleg Nesterov 2012-08-19 17:09 ` Oleg Nesterov @ 2012-08-19 17:10 ` Oleg Nesterov 2012-08-21 16:37 ` [tip:perf/urgent] uprobes: Fix mmap_region()'s mm-> mm_rb corruption " tip-bot for Oleg Nesterov 1 sibling, 1 reply; 5+ messages in thread From: Oleg Nesterov @ 2012-08-19 17:10 UTC (permalink / raw) To: Linus Torvalds Cc: Anton Arapov, Ingo Molnar, Srikar Dronamraju, William Cohen, linux-kernel https://bugzilla.redhat.com/show_bug.cgi?id=843640 If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path does unmap_region() but does not remove the soon-to-be-freed vma from rb tree. Actually there are more problems but this is how William noticed this bug. Perhaps we could do do_munmap() + return in this case, but in fact it is simply wrong to abort if uprobe_mmap() fails. Until at least we move the !UPROBE_COPY_INSN code from install_breakpoint() to uprobe_register(). For example, uprobe_mmap()->install_breakpoint() can fail if the probed insn is not supported (remember, uprobe_register() succeeds if nobody mmaps inode/offset), mmap() should not fail in this case. dup_mmap()->uprobe_mmap() is wrong too by the same reason, fork() can race with uprobe_register() and fail for no reason if it wins the race and does install_breakpoint() first. And, if nothing else, both mmap_region() and dup_mmap() return success if uprobe_mmap() fails. Change them to ignore the error code from uprobe_mmap(). Reported-and-tested-by: William Cohen <wcohen@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> # v3.5 --- kernel/fork.c | 4 ++-- mm/mmap.c | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index ab5211b..54bb88a 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -454,8 +454,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; - if (file && uprobe_mmap(tmp)) - goto out; + if (file) + uprobe_mmap(tmp); } /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); diff --git a/mm/mmap.c b/mm/mmap.c index 4fe2697..f25fd3f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1355,9 +1355,8 @@ out: } else if ((flags & MAP_POPULATE) && !(flags & MAP_NONBLOCK)) make_pages_present(addr, addr + len); - if (file && uprobe_mmap(vma)) - /* matching probes but cannot insert */ - goto unmap_and_free_vma; + if (file) + uprobe_mmap(vma); return addr; -- 1.5.5.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [tip:perf/urgent] uprobes: Fix mmap_region()'s mm-> mm_rb corruption if uprobe_mmap() fails 2012-08-19 17:10 ` [PATCH 1/1] " Oleg Nesterov @ 2012-08-21 16:37 ` tip-bot for Oleg Nesterov 0 siblings, 0 replies; 5+ messages in thread From: tip-bot for Oleg Nesterov @ 2012-08-21 16:37 UTC (permalink / raw) To: linux-tip-commits Cc: linux-kernel, hpa, mingo, torvalds, wcohen, anton, srikar, tglx, oleg Commit-ID: c7a3a88c938fbe3d70c2278e082b80eb830d1c58 Gitweb: http://git.kernel.org/tip/c7a3a88c938fbe3d70c2278e082b80eb830d1c58 Author: Oleg Nesterov <oleg@redhat.com> AuthorDate: Sun, 19 Aug 2012 19:10:42 +0200 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Tue, 21 Aug 2012 11:48:12 +0200 uprobes: Fix mmap_region()'s mm->mm_rb corruption if uprobe_mmap() fails This patch fixes: https://bugzilla.redhat.com/show_bug.cgi?id=843640 If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path does unmap_region() but does not remove the soon-to-be-freed vma from rb tree. Actually there are more problems but this is how William noticed this bug. Perhaps we could do do_munmap() + return in this case, but in fact it is simply wrong to abort if uprobe_mmap() fails. Until at least we move the !UPROBE_COPY_INSN code from install_breakpoint() to uprobe_register(). For example, uprobe_mmap()->install_breakpoint() can fail if the probed insn is not supported (remember, uprobe_register() succeeds if nobody mmaps inode/offset), mmap() should not fail in this case. dup_mmap()->uprobe_mmap() is wrong too by the same reason, fork() can race with uprobe_register() and fail for no reason if it wins the race and does install_breakpoint() first. And, if nothing else, both mmap_region() and dup_mmap() return success if uprobe_mmap() fails. Change them to ignore the error code from uprobe_mmap(). Reported-and-tested-by: William Cohen <wcohen@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> # v3.5 Cc: Anton Arapov <anton@redhat.com> Cc: William Cohen <wcohen@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/20120819171042.GB26957@redhat.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- kernel/fork.c | 4 ++-- mm/mmap.c | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 3bd2280..2c8857e 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -455,8 +455,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; - if (file && uprobe_mmap(tmp)) - goto out; + if (file) + uprobe_mmap(tmp); } /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); diff --git a/mm/mmap.c b/mm/mmap.c index e3e8691..52e08fc 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1356,9 +1356,8 @@ out: } else if ((flags & MAP_POPULATE) && !(flags & MAP_NONBLOCK)) make_pages_present(addr, addr + len); - if (file && uprobe_mmap(vma)) - /* matching probes but cannot insert */ - goto unmap_and_free_vma; + if (file) + uprobe_mmap(vma); return addr; ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-08-21 16:38 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-08-19 17:09 [PATCH 0/1] uprobes: mmap_region() corrupts mm->mm_rb if uprobe_mmap() fails Oleg Nesterov 2012-08-19 17:09 ` Oleg Nesterov 2012-08-19 17:13 ` Oleg Nesterov 2012-08-19 17:10 ` [PATCH 1/1] " Oleg Nesterov 2012-08-21 16:37 ` [tip:perf/urgent] uprobes: Fix mmap_region()'s mm-> mm_rb corruption " tip-bot for Oleg Nesterov
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.