From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
Michel Lespinasse <walken@google.com>,
Hugh Dickins <hughd@google.com>, J??rn Engel <joern@logfs.org>
Subject: Re: [PATCH] mm: Downgrade mmap_sem before locking or populating on mmap
Date: Sun, 16 Dec 2012 19:53:56 +0000 [thread overview]
Message-ID: <20121216195355.GE4939@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20121216170403.GC4939@ZenIV.linux.org.uk>
On Sun, Dec 16, 2012 at 05:04:03PM +0000, Al Viro wrote:
> FWIW, I've done some checking of ->mmap_sem uses yesterday. Got further than
> the last time; catch so far, just from find_vma() audit:
> * arm swp_emulate.c - missing ->mmap_sem around find_vma(). Fix sent to
> rmk.
> * blackfin ptrace - find_vma() without any protection, definitely broken
> * m68k sys_cacheflush() - ditto
> * mips process_fpemu_return() - ditto
> * mips octeon_flush_cache_sigtramp() - ditto
> * omap_vout_uservirt_to_phys() - ditto, patch sent
> * vb2_get_contig_userptr() - probaly a bug, unless I've misread the (very
> twisty maze of) v4l2 code leading to it
> * vb2_get_contig_userptr() - ditto
> * gntdev_ioctl_get_offset_for_vaddr() - definitely broken
> and there's a couple of dubious places in arch/* I hadn't finished with,
> plus a lot in mm/* proper.
>
> That's just from a couple of days of RTFS. The locking in there is far too
> convoluted as it is; worse, it's not localized code-wise, so rechecking
> correctness is going to remain a big time-sink ;-/
>
> Making it *more* complex doesn't look like a good idea, TBH...
While we are at it: fs/proc/task_nommu.c:m_stop() is fucked. It assumes
that the process in question hadn't done execve() since m_start(). And
it doesn't hold anywhere near enough locks to guarantee that. task_mmu.c
counterpart avoids that fun by using ->vm_mm to get to mm_struct in question.
Completely untested patch follows; if it works, that's -stable fodder.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index 1ccfa53..dc26605 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -211,6 +211,14 @@ static int show_tid_map(struct seq_file *m, void *_p)
return show_map(m, _p, 0);
}
+static void stop_it(void *_p)
+{
+ struct vm_area_struct *vma = rb_entry(_p, struct vm_area_struct, vm_rb);
+ struct mm_struct *mm = vma->vm_mm;
+ up_read(&mm->mmap_sem);
+ mmput(mm);
+}
+
static void *m_start(struct seq_file *m, loff_t *pos)
{
struct proc_maps_private *priv = m->private;
@@ -235,6 +243,8 @@ static void *m_start(struct seq_file *m, loff_t *pos)
for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))
if (n-- == 0)
return p;
+ up_read(&mm->mmap_sem);
+ mmput(mm);
return NULL;
}
@@ -243,9 +253,8 @@ static void m_stop(struct seq_file *m, void *_vml)
struct proc_maps_private *priv = m->private;
if (priv->task) {
- struct mm_struct *mm = priv->task->mm;
- up_read(&mm->mmap_sem);
- mmput(mm);
+ if (_vml)
+ stop_it(_vml);
put_task_struct(priv->task);
}
}
@@ -255,7 +264,12 @@ static void *m_next(struct seq_file *m, void *_p, loff_t *pos)
struct rb_node *p = _p;
(*pos)++;
- return p ? rb_next(p) : NULL;
+ if (!p)
+ return NULL;
+ p = rb_next(p);
+ if (!p)
+ stop_it(_p);
+ return p;
}
static const struct seq_operations proc_pid_maps_ops = {
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2012-12-16 19:53 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-14 5:49 [PATCH] mm: Downgrade mmap_sem before locking or populating on mmap Andy Lutomirski
2012-12-14 7:27 ` Al Viro
2012-12-14 11:14 ` Andy Lutomirski
2012-12-14 14:49 ` Al Viro
2012-12-14 16:12 ` Andy Lutomirski
2012-12-16 8:41 ` Ingo Molnar
2012-12-16 17:04 ` Al Viro
2012-12-16 17:48 ` Al Viro
2012-12-16 18:49 ` Johannes Weiner
2012-12-16 19:53 ` Al Viro [this message]
2012-12-16 20:16 ` Al Viro
2012-12-15 2:17 ` [PATCH v2] " Andy Lutomirski
2012-12-16 9:00 ` Ingo Molnar
2012-12-16 17:52 ` Andy Lutomirski
2012-12-17 9:52 ` Ingo Molnar
2012-12-18 0:54 ` [PATCH v3] " Andy Lutomirski
2012-12-20 2:22 ` Simon Jeons
2012-12-16 12:39 ` [PATCH v2] " Michel Lespinasse
2012-12-16 18:05 ` Andy Lutomirski
2012-12-17 3:29 ` Michel Lespinasse
2012-12-17 22:01 ` Andy Lutomirski
2012-12-16 19:58 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121216195355.GE4939@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=hughd@google.com \
--cc=joern@logfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=walken@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).