From: Oleg Nesterov <oleg@redhat.com>
To: Andrii Nakryiko <andrii@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Cc: Liao Chang <liaochang1@huawei.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Subject: [PATCH 2/7] uprobes: sanitiize xol_free_insn_slot()
Date: Sun, 29 Sep 2024 16:42:35 +0200
Message-ID: <20240929144235.GA9471@redhat.com>
In-Reply-To: <20240929144201.GA9429@redhat.com>
1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid;
xol_free_insn_slot() should never return with utask->xol_vaddr != NULL.
2. Add a comment to explain why we need to validate slot_addr.
3. Simplify the validation above. We can simply check offset < PAGE_SIZE;
unsigned underflows are fine, it should work if slot_addr < area->vaddr.
4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check; slot_nr must
be valid if offset < PAGE_SIZE.
The next patches will clean up this function even more.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
kernel/events/uprobes.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 2a9cdd5c82d7..3023714b83f2 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1683,8 +1683,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe)
static void xol_free_insn_slot(struct task_struct *tsk)
{
struct xol_area *area;
- unsigned long vma_end;
unsigned long slot_addr;
+ unsigned long offset;
if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask)
return;
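Review bot: the new `offset` declared here must stay `unsigned long`, because the single `offset < PAGE_SIZE` test in the following hunk relies on `slot_addr - area->vaddr` wrapping to a value near ULONG_MAX whenever slot_addr lies below area->vaddr; a signed type would turn that case into a negative offset that passes the check and feeds a bogus slot_nr to clear_bit(). A short comment at the declaration (or a word in the block comment added below) would keep a later "tidy the types" change from silently breaking the lower-bound guarantee.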
@@ -1693,24 +1693,21 @@ static void xol_free_insn_slot(struct task_struct *tsk)
if (unlikely(!slot_addr))
return;
+ tsk->utask->xol_vaddr = 0;
area = tsk->mm->uprobes_state.xol_area;
- vma_end = area->vaddr + PAGE_SIZE;
- if (area->vaddr <= slot_addr && slot_addr < vma_end) {
- unsigned long offset;
- int slot_nr;
-
- offset = slot_addr - area->vaddr;
- slot_nr = offset / UPROBE_XOL_SLOT_BYTES;
- if (slot_nr >= UINSNS_PER_PAGE)
- return;
+ offset = slot_addr - area->vaddr;
+ /*
+ * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE).
+ * This check can only fail if the "[uprobes]" vma was mremap'ed.
+ */
+ if (offset < PAGE_SIZE) {
+ int slot_nr = offset / UPROBE_XOL_SLOT_BYTES;
clear_bit(slot_nr, area->bitmap);
atomic_dec(&area->slot_count);
smp_mb__after_atomic(); /* pairs with prepare_to_wait() */
if (waitqueue_active(&area->wq))
wake_up(&area->wq);
-
- tsk->utask->xol_vaddr = 0;
}
}
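Review bot: dropping the `slot_nr >= UINSNS_PER_PAGE` check is sound only because UINSNS_PER_PAGE is defined as PAGE_SIZE / UPROBE_XOL_SLOT_BYTES, so `offset < PAGE_SIZE` implies `slot_nr < UINSNS_PER_PAGE`; making that dependency explicit, e.g. with a `BUILD_BUG_ON(UINSNS_PER_PAGE != PAGE_SIZE / UPROBE_XOL_SLOT_BYTES);` next to the new comment, would stop a future change to either constant from reintroducing an out-of-range clear_bit() on area->bitmap. Also worth a line in the commit message: since `tsk->utask->xol_vaddr = 0` now runs before the range check, a slot_addr that fails `offset < PAGE_SIZE` leaves its bitmap bit set and slot_count undecremented (the slot is leaked rather than freed), which is acceptable given the comment's mremap explanation and that [PATCH 7/7] in this series denies mremap of the xol vma, but the reader should not have to infer it.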
--
2.25.1.362.g51ebf55
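Points 3 and 4 of the commit message argue that one unsigned comparison replaces both range tests and the slot_nr bound check. The following is an added, stand-alone illustration of that argument, not code from Oleg's patch or from the kernel: it reimplements the pre-patch and post-patch validation as plain user-space functions, sweeps every address around a constructed xol area, and checks that the two forms agree and that the patched form never yields a slot number at or above UINSNS_PER_PAGE. The constants, the area address and the function names are assumptions chosen for the example (the values mirror a typical x86 build).

```c
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel constants xol_free_insn_slot() uses.
 * The values mirror a typical x86 build but are assumptions for this example;
 * PAGE_SIZE is undefined first in case a system header already provides it.
 */
#undef PAGE_SIZE
#define PAGE_SIZE             4096UL
#define UPROBE_XOL_SLOT_BYTES 128UL
#define UINSNS_PER_PAGE       (PAGE_SIZE / UPROBE_XOL_SLOT_BYTES)

/* Pre-patch shape: a two-sided range test, then a separate slot_nr bound
 * check. Returns the slot number, or -1 if slot_addr is outside the area. */
static int slot_nr_two_compares(unsigned long area_vaddr, unsigned long slot_addr)
{
    unsigned long vma_end = area_vaddr + PAGE_SIZE;

    if (area_vaddr <= slot_addr && slot_addr < vma_end) {
        unsigned long offset = slot_addr - area_vaddr;
        int slot_nr = (int)(offset / UPROBE_XOL_SLOT_BYTES);

        if (slot_nr >= (int)UINSNS_PER_PAGE)
            return -1;
        return slot_nr;
    }
    return -1;
}

/* Post-patch shape: a single unsigned comparison. When slot_addr is below
 * area_vaddr the subtraction wraps to a value near ULONG_MAX, which fails
 * offset < PAGE_SIZE, so no explicit lower-bound test is needed. */
static int slot_nr_one_compare(unsigned long area_vaddr, unsigned long slot_addr)
{
    unsigned long offset = slot_addr - area_vaddr;

    if (offset < PAGE_SIZE)
        return (int)(offset / UPROBE_XOL_SLOT_BYTES);
    return -1;
}

/* Sweep every address from one page below the area to two pages above it and
 * report whether both forms agree everywhere (1) or not (0). */
static int forms_agree(unsigned long area_vaddr)
{
    unsigned long lo = area_vaddr - PAGE_SIZE, hi = area_vaddr + 2 * PAGE_SIZE;

    for (unsigned long a = lo; a != hi; a++)
        if (slot_nr_two_compares(area_vaddr, a) != slot_nr_one_compare(area_vaddr, a))
            return 0;
    return 1;
}

/* Largest slot number the patched form hands out over the same sweep; it must
 * stay below UINSNS_PER_PAGE for the dropped bound check to be redundant. */
static int max_slot_nr_one_compare(unsigned long area_vaddr)
{
    unsigned long lo = area_vaddr - PAGE_SIZE, hi = area_vaddr + 2 * PAGE_SIZE;
    int max = -1;

    for (unsigned long a = lo; a != hi; a++) {
        int nr = slot_nr_one_compare(area_vaddr, a);

        if (nr > max)
            max = nr;
    }
    return max;
}

int main(void)
{
    unsigned long area_vaddr = 0x7f0000001000UL; /* constructed, page-aligned */

    printf("forms agree: %d\n", forms_agree(area_vaddr));
    printf("max slot_nr: %d (UINSNS_PER_PAGE = %lu)\n",
           max_slot_nr_one_compare(area_vaddr), UINSNS_PER_PAGE);
    return forms_agree(area_vaddr) ? 0 : 1;
}
```

Compile with any C99 compiler and run; the sweep covers the below-area, in-area and above-area cases in one pass. A side observation of my own, not something the patch claims: the one-compare form never computes `area_vaddr + PAGE_SIZE`, so it also cannot wrap at the top of the address space, although a page-aligned user mapping never sits there in practice.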
Thread overview: 16+ messages
2024-09-29 14:42 [PATCH 0/7] uprobes: deuglify xol_get_insn_slot/xol_free_insn_slot paths Oleg Nesterov
2024-09-29 14:42 ` [PATCH 1/7] uprobes: don't abuse get_utask() in pre_ssout() and prepare_uretprobe() Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` Oleg Nesterov [this message]
2024-10-08 11:05 ` [tip: perf/core] uprobes: sanitiize xol_free_insn_slot() tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 3/7] uprobes: kill the unnecessary put_uprobe/xol_free_insn_slot in uprobe_free_utask() Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 4/7] uprobes: simplify xol_take_insn_slot() and its caller Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 5/7] uprobes: move the initialization of utask->xol_vaddr from pre_ssout() to xol_get_insn_slot() Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 6/7] uprobes: pass utask to xol_get_insn_slot() and xol_free_insn_slot() Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 7/7] uprobes: deny mremap(xol_vma) Oleg Nesterov
2024-10-08 11:05 ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-30 8:10 ` [PATCH 0/7] uprobes: deuglify xol_get_insn_slot/xol_free_insn_slot paths Peter Zijlstra