From: Oleg Nesterov <oleg@redhat.com>
To: Ingo Molnar <mingo@kernel.org>,
	Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 1/3] uprobes: fix the usage of install_special_mapping()
Date: Thu, 9 Jul 2015 23:44:46 +0200
Message-ID: <20150709214446.GA15011@redhat.com>
In-Reply-To: <20150709214431.GA14997@redhat.com>

install_special_mapping(pages) expects that "pages" is a zero-
terminated array, while xol_add_vma() passes &area->page; this means
that special_mapping_fault() can wrongly use the next member in
xol_area (vaddr) as "struct page *".

Fortunately, this area is not expandable so pgoff != 0 isn't possible
(modulo bugs in special_mapping_vmops), but still this does not look
good.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/events/uprobes.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 0f370ef..bd35bee 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -99,7 +99,7 @@ struct xol_area {
 	wait_queue_head_t 	wq;		/* if all slots are busy */
 	atomic_t 		slot_count;	/* number of in-use slots */
 	unsigned long 		*bitmap;	/* 0 = free slot */
-	struct page 		*page;
+	struct page 		*pages[2];
 
 	/*
 	 * We keep the vma's vm_start rather than a pointer to the vma
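Review bot: the new `pages[2]` field carries no comment saying why it has two elements; since the second slot exists only as the NULL terminator install_special_mapping() requires (as the commit message explains), a one-line comment next to the declaration such as `/* pages[1] stays NULL: install_special_mapping() wants a NULL-terminated array */` would keep a later change from treating it as a second usable page.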
@@ -1142,7 +1142,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 	}
 
 	ret = install_special_mapping(mm, area->vaddr, PAGE_SIZE,
-				VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO, &area->page);
+				VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO, area->pages);
 	if (ret)
 		goto fail;
 
@@ -1168,8 +1168,8 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
 	if (!area->bitmap)
 		goto free_area;
 
-	area->page = alloc_page(GFP_HIGHUSER);
-	if (!area->page)
+	area->pages[0] = alloc_page(GFP_HIGHUSER);
+	if (!area->pages[0])
 		goto free_bitmap;
 
 	area->vaddr = vaddr;
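Review bot: `area->pages[1]` is never assigned in this hunk; only `pages[0]` receives the allocated page. Unless the xol_area comes from a zeroing allocator (the allocation itself is not visible here), the terminator that install_special_mapping() reads is whatever kmalloc() left in that slot, which is the same class of problem the commit message sets out to fix, only with a different stray pointer. Suggest an explicit `area->pages[1] = NULL;` immediately after the `if (!area->pages[0])` check so the terminator does not depend on the allocator's behaviour.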
@@ -1177,12 +1177,12 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
 	/* Reserve the 1st slot for get_trampoline_vaddr() */
 	set_bit(0, area->bitmap);
 	atomic_set(&area->slot_count, 1);
-	copy_to_page(area->page, 0, &insn, UPROBE_SWBP_INSN_SIZE);
+	copy_to_page(area->pages[0], 0, &insn, UPROBE_SWBP_INSN_SIZE);
 
 	if (!xol_add_vma(mm, area))
 		return area;
 
-	__free_page(area->page);
+	__free_page(area->pages[0]);
  free_bitmap:
 	kfree(area->bitmap);
  free_area:
@@ -1220,7 +1220,7 @@ void uprobe_clear_state(struct mm_struct *mm)
 	if (!area)
 		return;
 
-	put_page(area->page);
+	put_page(area->pages[0]);
 	kfree(area->bitmap);
 	kfree(area);
 }
@@ -1289,7 +1289,7 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe)
 	if (unlikely(!xol_vaddr))
 		return 0;
 
-	arch_uprobe_copy_ixol(area->page, xol_vaddr,
+	arch_uprobe_copy_ixol(area->pages[0], xol_vaddr,
 			      &uprobe->arch.ixol, sizeof(uprobe->arch.ixol));
 
 	return xol_vaddr;
-- 
1.5.5.1

