From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S942970AbdEYRYb (ORCPT <rfc822;w@1wt.eu>);
        Thu, 25 May 2017 13:24:31 -0400
Received: from mx2.suse.de ([195.135.220.15]:46702 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S936582AbdEYRY2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 May 2017 13:24:28 -0400
Date: Thu, 25 May 2017 19:24:26 +0200
From: "Luis R. Rodriguez" <mcgrof@kernel.org>
To: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>, Thomas Gleixner <tglx@linutronix.de>,
        Steven Rostedt <rostedt@goodmis.org>,
        Kees Cook <keescook@chromium.org>, LKML <linux-kernel@vger.kernel.org>,
        x86@kernel.org, "Luis R . Rodriguez" <mcgrof@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>
Subject: Re: [BUGFIX PATCH] kprobes/x86: Fix to set RWX bits correctly before
 releasing trampoline
Message-ID: <20170525172426.GW8951@wotan.suse.de>
References: <149570868652.3518.14120169373590420503.stgit@devbox>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <149570868652.3518.14120169373590420503.stgit@devbox>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 25, 2017 at 07:38:17PM +0900, Masami Hiramatsu wrote:
> Fix kprobes to set(recover) RWX bits correctly on trampoline
> buffer before releasing it. Releasing readonly page to
> module_memfree() crash the kernel.
> 
> Without this fix, if kprobes user register a bunch of kprobes
> in function body (since kprobes on function entry usually
> use ftrace) and unregister it, kernel hits a BUG and crash.
> 
> Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
> Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
> ---
>  arch/x86/kernel/kprobes/core.c |    9 +++++++++
>  kernel/kprobes.c               |    2 +-
>  2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> index 5b2bbfb..6b87780 100644
> --- a/arch/x86/kernel/kprobes/core.c
> +++ b/arch/x86/kernel/kprobes/core.c
> @@ -52,6 +52,7 @@
>  #include <linux/ftrace.h>
>  #include <linux/frame.h>
>  #include <linux/kasan.h>
> +#include <linux/moduleloader.h>
>  
>  #include <asm/text-patching.h>
>  #include <asm/cacheflush.h>
> @@ -417,6 +418,14 @@ static void prepare_boost(struct kprobe *p, struct insn *insn)
>  	}
>  }
>  
> +/* Recover page to RW mode before releasing it */
> +void free_insn_page(void *page)
> +{
> +	set_memory_nx((unsigned long)page & PAGE_MASK, 1);
> +	set_memory_rw((unsigned long)page & PAGE_MASK, 1);
> +	module_memfree(page);
> +}

Is this needed for all module_memfree() ? If so should / could it just do it
for alloc users ?

  Luis