From: Oleg Nesterov <oleg@redhat.com>
To: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Pratyush Anand <panand@redhat.com>,
Srikar Dronamraju <srikar@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH v3 12/14] uprobes: fix the usage of install_special_mapping()
Date: Tue, 21 Jul 2015 15:40:31 +0200
Message-ID: <20150721134031.GA4789@redhat.com>
In-Reply-To: <20150721133945.GA4718@redhat.com>
install_special_mapping(pages) expects that "pages" is the zero-terminated
array while xol_add_vma() passes &area->page; this means that
special_mapping_fault() can wrongly use the next member in xol_area (vaddr)
as "struct page *".
Fortunately, this area is not expandable so pgoff != 0 isn't possible
(modulo bugs in special_mapping_vmops), but still this does not look
good.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
kernel/events/uprobes.c | 17 +++++++++--------
1 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 0f370ef..4b8ac5f 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -99,7 +99,7 @@ struct xol_area {
wait_queue_head_t wq; /* if all slots are busy */
atomic_t slot_count; /* number of in-use slots */
unsigned long *bitmap; /* 0 = free slot */
- struct page *page;
+ struct page *pages[2];
/*
* We keep the vma's vm_start rather than a pointer to the vma
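Review bot: the new `pages[2]` field carries an implicit contract that the declaration does not document: element 1 must stay NULL, because it is the terminator that install_special_mapping() / special_mapping_fault() walk to. A comment on the field, e.g. `struct page *pages[2]; /* pages[1] is the NULL terminator */`, would stop the next person who reorders or adds a member from re-creating the over-read the commit message describes.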
@@ -1142,7 +1142,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
}
ret = install_special_mapping(mm, area->vaddr, PAGE_SIZE,
- VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO, &area->page);
+ VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO, area->pages);
if (ret)
goto fail;
@@ -1168,21 +1168,22 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
if (!area->bitmap)
goto free_area;
- area->page = alloc_page(GFP_HIGHUSER);
- if (!area->page)
+ area->pages[0] = alloc_page(GFP_HIGHUSER);
+ if (!area->pages[0])
goto free_bitmap;
+ area->pages[1] = NULL;
area->vaddr = vaddr;
init_waitqueue_head(&area->wq);
/* Reserve the 1st slot for get_trampoline_vaddr() */
set_bit(0, area->bitmap);
atomic_set(&area->slot_count, 1);
- copy_to_page(area->page, 0, &insn, UPROBE_SWBP_INSN_SIZE);
+ copy_to_page(area->pages[0], 0, &insn, UPROBE_SWBP_INSN_SIZE);
if (!xol_add_vma(mm, area))
return area;
- __free_page(area->page);
+ __free_page(area->pages[0]);
free_bitmap:
kfree(area->bitmap);
free_area:
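Review bot: `area->pages[1] = NULL;` is placed after the allocation check, so the terminator is only initialised on the success path. That is correct as written, since the failure path frees the area without ever mapping it, but a one-line comment (`/* NULL-terminate for install_special_mapping() */`) would make the purpose visible to readers who have not seen the commit message, and would explain why the assignment must precede the xol_add_vma() call a few lines down.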
@@ -1220,7 +1221,7 @@ void uprobe_clear_state(struct mm_struct *mm)
if (!area)
return;
- put_page(area->page);
+ put_page(area->pages[0]);
kfree(area->bitmap);
kfree(area);
}
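Review bot: `put_page(area->pages[0])` is the right teardown for the one allocated page; the asymmetry with `__free_page(area->pages[0])` on the error path in __create_xol_area() is pre-existing (both calls were already there against `area->page`), so nothing to change in this patch, though a follow-up could make the two release paths use the same call.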
@@ -1289,7 +1290,7 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe)
if (unlikely(!xol_vaddr))
return 0;
- arch_uprobe_copy_ixol(area->page, xol_vaddr,
+ arch_uprobe_copy_ixol(area->pages[0], xol_vaddr,
&uprobe->arch.ixol, sizeof(uprobe->arch.ixol));
return xol_vaddr;
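Review bot: style point: after this series every user of the XOL page spells `area->pages[0]` by hand (here, the free path in __create_xol_area(), uprobe_clear_state()); if more call sites appear, a small helper such as `xol_page(area)` returning `area->pages[0]` would keep the terminator slot from ever being indexed by mistake. No change required for this patch.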
--
1.5.5.1