From: Oleg Nesterov <oleg@redhat.com>
To: Ingo Molnar <mingo@elte.hu>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Peter Zijlstra <peterz@infradead.org>,
Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>,
Anton Arapov <anton@redhat.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] uprobes: Use brw_mutex to fix register/unregister vs dup_mmap() race
Date: Mon, 15 Oct 2012 21:10:22 +0200 [thread overview]
Message-ID: <20121015191022.GA4823@redhat.com> (raw)
In-Reply-To: <20121015190958.GA4799@redhat.com>
This was always racy, but 268720903f87e0b84b161626c4447b81671b5d18
"uprobes: Rework register_for_each_vma() to make it O(n)" should be
blamed anyway, it made everything worse and I didn't notice.
register/unregister call build_map_info() and then do install/remove
breakpoint for every mm which mmaps inode/offset. This can obviously
race with fork()->dup_mmap() in between and we can miss the child.
uprobe_register() could be easily fixed but unregister is much worse,
the new mm inherits "int3" from parent and there is no way to detect
this if uprobe goes away.
So this patch simply adds brw_start/end_read() around dup_mmap(), and
brw_start/end_write() into register_for_each_vma().
This adds 2 new hooks into dup_mmap() but we can kill uprobe_dup_mmap()
and fold it into uprobe_end_dup_mmap().
Reported-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
include/linux/uprobes.h | 8 ++++++++
kernel/events/uprobes.c | 26 +++++++++++++++++++++++---
kernel/fork.c | 2 ++
3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index 2459457..80913e3 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -97,6 +97,8 @@ extern int uprobe_register(struct inode *inode, loff_t offset, struct uprobe_con
extern void uprobe_unregister(struct inode *inode, loff_t offset, struct uprobe_consumer *uc);
extern int uprobe_mmap(struct vm_area_struct *vma);
extern void uprobe_munmap(struct vm_area_struct *vma, unsigned long start, unsigned long end);
+extern void uprobe_start_dup_mmap(void);
+extern void uprobe_end_dup_mmap(void);
extern void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm);
extern void uprobe_free_utask(struct task_struct *t);
extern void uprobe_copy_process(struct task_struct *t);
@@ -129,6 +131,12 @@ static inline void
uprobe_munmap(struct vm_area_struct *vma, unsigned long start, unsigned long end)
{
}
+static inline void uprobe_start_dup_mmap(void)
+{
+}
+static inline void uprobe_end_dup_mmap(void)
+{
+}
static inline void
uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm)
{
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 6a5b5a4..7aeb096 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -33,6 +33,7 @@
#include <linux/ptrace.h> /* user_enable_single_step */
#include <linux/kdebug.h> /* notifier mechanism */
#include "../../mm/internal.h" /* munlock_vma_page */
+#include <linux/brw_mutex.h>
#include <linux/uprobes.h>
@@ -71,6 +72,8 @@ static struct mutex uprobes_mutex[UPROBES_HASH_SZ];
static struct mutex uprobes_mmap_mutex[UPROBES_HASH_SZ];
#define uprobes_mmap_hash(v) (&uprobes_mmap_mutex[((unsigned long)(v)) % UPROBES_HASH_SZ])
+static struct brw_mutex dup_mmap_mutex;
+
/*
* uprobe_events allows us to skip the uprobe_mmap if there are no uprobe
* events active at this time. Probably a fine grained per inode count is
@@ -766,10 +769,13 @@ static int register_for_each_vma(struct uprobe *uprobe, bool is_register)
struct map_info *info;
int err = 0;
+ brw_start_write(&dup_mmap_mutex);
info = build_map_info(uprobe->inode->i_mapping,
uprobe->offset, is_register);
- if (IS_ERR(info))
- return PTR_ERR(info);
+ if (IS_ERR(info)) {
+ err = PTR_ERR(info);
+ goto out;
+ }
while (info) {
struct mm_struct *mm = info->mm;
@@ -799,7 +805,8 @@ static int register_for_each_vma(struct uprobe *uprobe, bool is_register)
mmput(mm);
info = free_map_info(info);
}
-
+ out:
+ brw_end_write(&dup_mmap_mutex);
return err;
}
@@ -1131,6 +1138,16 @@ void uprobe_clear_state(struct mm_struct *mm)
kfree(area);
}
+void uprobe_start_dup_mmap(void)
+{
+ brw_start_read(&dup_mmap_mutex);
+}
+
+void uprobe_end_dup_mmap(void)
+{
+ brw_end_read(&dup_mmap_mutex);
+}
+
void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm)
{
newmm->uprobes_state.xol_area = NULL;
@@ -1605,6 +1622,9 @@ static int __init init_uprobes(void)
mutex_init(&uprobes_mmap_mutex[i]);
}
+ if (brw_mutex_init(&dup_mmap_mutex))
+ return -ENOMEM;
+
return register_die_notifier(&uprobe_exception_nb);
}
module_init(init_uprobes);
diff --git a/kernel/fork.c b/kernel/fork.c
index 8b20ab7..c497e57 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -352,6 +352,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
unsigned long charge;
struct mempolicy *pol;
+ uprobe_start_dup_mmap();
down_write(&oldmm->mmap_sem);
flush_cache_dup_mm(oldmm);
uprobe_dup_mmap(oldmm, mm);
@@ -469,6 +470,7 @@ out:
up_write(&mm->mmap_sem);
flush_tlb_mm(oldmm);
up_write(&oldmm->mmap_sem);
+ uprobe_end_dup_mmap();
return retval;
fail_nomem_anon_vma_fork:
mpol_put(pol);
--
1.5.5.1
next prev parent reply other threads:[~2012-10-15 19:09 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-15 19:09 [RFC PATCH 0/2] uprobes: register/unregister can race with fork Oleg Nesterov
2012-10-15 19:10 ` [PATCH 1/2] brw_mutex: big read-write mutex Oleg Nesterov
2012-10-15 23:28 ` Paul E. McKenney
2012-10-16 15:56 ` Oleg Nesterov
2012-10-16 18:58 ` Paul E. McKenney
2012-10-17 16:37 ` Oleg Nesterov
2012-10-17 22:28 ` Paul E. McKenney
2012-10-16 19:56 ` Linus Torvalds
2012-10-17 16:59 ` Oleg Nesterov
2012-10-17 22:44 ` Paul E. McKenney
2012-10-18 16:24 ` Oleg Nesterov
2012-10-18 16:38 ` Paul E. McKenney
2012-10-18 17:57 ` Oleg Nesterov
2012-10-18 19:28 ` Mikulas Patocka
2012-10-19 12:38 ` Peter Zijlstra
2012-10-19 15:32 ` Mikulas Patocka
2012-10-19 17:40 ` Peter Zijlstra
2012-10-19 17:57 ` Oleg Nesterov
2012-10-19 22:54 ` Mikulas Patocka
2012-10-24 3:08 ` Dave Chinner
2012-10-25 14:09 ` Mikulas Patocka
2012-10-25 23:40 ` Dave Chinner
2012-10-26 12:06 ` Oleg Nesterov
2012-10-26 13:22 ` Mikulas Patocka
2012-10-26 14:12 ` Oleg Nesterov
2012-10-26 15:23 ` mark_files_ro && sb_end_write Oleg Nesterov
2012-10-26 16:09 ` [PATCH 1/2] brw_mutex: big read-write mutex Mikulas Patocka
2012-10-19 17:49 ` Oleg Nesterov
2012-10-22 23:09 ` Mikulas Patocka
2012-10-23 15:12 ` Oleg Nesterov
2012-10-19 19:28 ` Paul E. McKenney
2012-10-22 23:36 ` [PATCH 0/2] fix and improvements for percpu-rw-semaphores (was: brw_mutex: big read-write mutex) Mikulas Patocka
2012-10-22 23:37 ` [PATCH 1/2] percpu-rw-semaphores: use light/heavy barriers Mikulas Patocka
2012-10-22 23:39 ` [PATCH 2/2] percpu-rw-semaphores: use rcu_read_lock_sched Mikulas Patocka
2012-10-24 16:16 ` Paul E. McKenney
2012-10-24 17:18 ` Oleg Nesterov
2012-10-24 18:20 ` Paul E. McKenney
2012-10-24 18:43 ` Oleg Nesterov
2012-10-24 19:43 ` Paul E. McKenney
2012-10-25 14:54 ` Mikulas Patocka
2012-10-25 15:07 ` Paul E. McKenney
2012-10-25 16:15 ` Mikulas Patocka
2012-10-23 16:59 ` [PATCH 1/2] percpu-rw-semaphores: use light/heavy barriers Oleg Nesterov
2012-10-23 18:05 ` Paul E. McKenney
2012-10-23 18:27 ` Oleg Nesterov
2012-10-23 18:41 ` Oleg Nesterov
2012-10-23 20:29 ` Paul E. McKenney
2012-10-23 20:32 ` Paul E. McKenney
2012-10-23 21:39 ` Mikulas Patocka
2012-10-24 16:23 ` Paul E. McKenney
2012-10-24 20:22 ` Mikulas Patocka
2012-10-24 20:36 ` Paul E. McKenney
2012-10-24 20:44 ` Mikulas Patocka
2012-10-24 23:57 ` Paul E. McKenney
2012-10-25 12:39 ` Paul E. McKenney
2012-10-25 13:48 ` Mikulas Patocka
2012-10-23 19:23 ` Oleg Nesterov
2012-10-23 20:45 ` Peter Zijlstra
2012-10-23 20:57 ` Peter Zijlstra
2012-10-24 15:11 ` Oleg Nesterov
2012-10-23 21:26 ` Mikulas Patocka
2012-10-23 20:32 ` Peter Zijlstra
2012-10-30 18:48 ` [PATCH 0/2] fix and improvements for percpu-rw-semaphores (was: brw_mutex: big read-write mutex) Oleg Nesterov
2012-10-31 19:41 ` [PATCH 0/1] percpu_rw_semaphore: reimplement to not block the readers unnecessarily Oleg Nesterov
2012-10-31 19:41 ` [PATCH 1/1] " Oleg Nesterov
2012-11-01 15:10 ` Linus Torvalds
2012-11-01 15:34 ` Oleg Nesterov
2012-11-02 18:06 ` [PATCH v2 0/1] " Oleg Nesterov
2012-11-02 18:06 ` [PATCH v2 1/1] " Oleg Nesterov
2012-11-07 17:04 ` [PATCH v3 " Mikulas Patocka
2012-11-07 17:47 ` Oleg Nesterov
2012-11-07 19:17 ` Mikulas Patocka
2012-11-08 13:42 ` Oleg Nesterov
2012-11-08 1:23 ` Paul E. McKenney
2012-11-08 1:16 ` [PATCH v2 " Paul E. McKenney
2012-11-08 13:33 ` Oleg Nesterov
2012-11-08 16:27 ` Paul E. McKenney
2012-11-08 13:48 ` [PATCH RESEND v2 0/1] " Oleg Nesterov
2012-11-08 13:48 ` [PATCH RESEND v2 1/1] " Oleg Nesterov
2012-11-08 20:07 ` Andrew Morton
2012-11-08 21:08 ` Paul E. McKenney
2012-11-08 23:41 ` Mikulas Patocka
2012-11-09 0:41 ` Paul E. McKenney
2012-11-09 3:23 ` Paul E. McKenney
2012-11-09 16:35 ` Oleg Nesterov
2012-11-09 16:59 ` Paul E. McKenney
2012-11-09 12:47 ` Mikulas Patocka
2012-11-09 15:46 ` Oleg Nesterov
2012-11-09 17:01 ` Paul E. McKenney
2012-11-09 18:10 ` Oleg Nesterov
2012-11-09 18:19 ` Oleg Nesterov
2012-11-10 0:55 ` Paul E. McKenney
2012-11-11 15:45 ` Oleg Nesterov
2012-11-12 18:38 ` Paul E. McKenney
2012-11-11 18:27 ` [PATCH -mm] percpu_rw_semaphore-reimplement-to-not-block-the-readers-unnecessari ly.fix Oleg Nesterov
2012-11-12 18:31 ` Paul E. McKenney
2012-11-16 23:22 ` Andrew Morton
2012-11-18 19:32 ` Oleg Nesterov
2012-11-01 15:43 ` [PATCH 1/1] percpu_rw_semaphore: reimplement to not block the readers unnecessarily Paul E. McKenney
2012-11-01 18:33 ` Oleg Nesterov
2012-11-02 16:18 ` Oleg Nesterov
2012-10-15 19:10 ` Oleg Nesterov [this message]
2012-10-18 7:03 ` [PATCH 2/2] uprobes: Use brw_mutex to fix register/unregister vs dup_mmap() race Srikar Dronamraju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121015191022.GA4823@redhat.com \
--to=oleg@redhat.com \
--cc=ananth@in.ibm.com \
--cc=anton@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=srikar@linux.vnet.ibm.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).