From: Al Viro <viro@ZenIV.linux.org.uk>
To: linux-kernel@vger.kernel.org
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: oopsable race in xen-gntdev (unsafe vma access)
Date: Sat, 15 Dec 2012 18:12:11 +0000
Message-ID: <20121215181211.GV4939@ZenIV.linux.org.uk>
1) find_vma() is *not* safe without ->mmap_sem and its result may
very well be freed just as it's returned to caller. IOW,
gntdev_ioctl_get_offset_for_vaddr() is racy and may end up with
dereferencing freed memory.
2) gntdev_vma_close() is putting NULL into map->vma with only
->mmap_sem held by caller. Things like

	if (!map->vma)
		continue;
	if (map->vma->vm_start >= end)
		continue;
	if (map->vma->vm_end <= start)

done with just priv->lock held are racy.
I'm not familiar with the code, but it looks like we need to
protect gntdev_vma_close() guts with the same spinlock and probably
hold ->mmap_sem shared around the "find_vma()+get to map->{index,count}"
in the ioctl. Or replace the logic in ioctl with search through the
list of grant_map under the same spinlock...
Comments?
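Added example, not part of this mail or of the gntdev driver: a user-space C model of the point-2 race, with pthread mutexes standing in for priv->lock and ->mmap_sem and a barrier forcing the bad interleaving on every run. With the close path holding only mmap_sem, the reader's "if (!map->vma)" check is stale by the time it dereferences; with the close path also taking priv_lock (the fix suggested above), the reader is protected. All names and values here are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stddef.h>
struct vma { unsigned long vm_start, vm_end; };
struct grant_map { struct vma *vma; };
struct model {
    pthread_mutex_t priv_lock, mmap_sem;   /* stand-ins for priv->lock, mmap_sem */
    pthread_barrier_t step;                /* forces the interleaving every run */
    struct vma area;
    struct grant_map map;
    int fixed;                             /* 1: close also takes priv_lock */
};
/* Model of gntdev_vma_close(): clears map->vma with mmap_sem held. */
static void *closer(void *arg)
{
    struct model *m = arg;
    pthread_barrier_wait(&m->step);        /* 1: reader has passed its check */
    pthread_mutex_lock(&m->mmap_sem);
    if (!m->fixed) {
        m->map.vma = NULL;                 /* reader still holds priv_lock */
        pthread_barrier_wait(&m->step);    /* 2: reader now dereferences */
    } else {
        pthread_barrier_wait(&m->step);    /* 2 */
        pthread_mutex_lock(&m->priv_lock); /* blocks until the reader is done */
        m->map.vma = NULL;
        pthread_mutex_unlock(&m->priv_lock);
    }
    pthread_mutex_unlock(&m->mmap_sem);
    return NULL;
}
/* Reader: the priv->lock-only check-then-use path; returns the vm_start it saw,
 * or 0 where the real code would have oopsed on map->vma->vm_start. */
static unsigned long run(int fixed)
{
    struct model m = { .priv_lock = PTHREAD_MUTEX_INITIALIZER,
                       .mmap_sem = PTHREAD_MUTEX_INITIALIZER,
                       .area = { 0x1000, 0x2000 }, .fixed = fixed };
    pthread_t t; unsigned long seen = 0;
    m.map.vma = &m.area;
    pthread_barrier_init(&m.step, NULL, 2);
    pthread_create(&t, NULL, closer, &m);
    pthread_mutex_lock(&m.priv_lock);
    int present = m.map.vma != NULL;       /* the "if (!map->vma)" check */
    pthread_barrier_wait(&m.step);         /* 1 */
    pthread_barrier_wait(&m.step);         /* 2 */
    if (present && m.map.vma)              /* re-read instead of crashing */
        seen = m.map.vma->vm_start;
    pthread_mutex_unlock(&m.priv_lock);
    pthread_join(t, NULL);
    return seen;
}
```

run(0) reproduces the reported discipline and returns 0 (the vma vanished mid-use); run(1) returns 0x1000 because the close path is now serialised against the reader by priv_lock.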
Thread overview:
2012-12-15 18:12 Al Viro [this message]
2012-12-21 20:18 ` oopsable race in xen-gntdev (unsafe vma access) Konrad Rzeszutek Wilk
2013-01-02 22:57 ` oopsable race in xen-gntdev [PATCH 0/3] Daniel De Graaf
2013-01-02 22:57 ` [PATCH 1/3] xen/gntdev: fix unsafe vma access Daniel De Graaf
2013-01-02 22:57 ` [PATCH 2/3] xen/gntdev: correctly unmap unlinked maps in mmu notifier Daniel De Graaf
2013-01-02 22:57 ` [PATCH 3/3] xen/gntdev: remove erronous use of copy_to_user Daniel De Graaf
2013-01-11 17:40 ` oopsable race in xen-gntdev [PATCH 0/3] Konrad Rzeszutek Wilk