Re: [PATCH 1/2] uprobes: document the usage of mm->mmap_lock

From: Google
Date: Wed Jul 10 2024 - 10:52:12 EST

Next message: Jonas Karlman: "Re: [PATCH v1] arm64: dts: rockchip: Add missing pinctrl for PCIe30x4 node"
Previous message: Chukun Pan: "Re: [PATCH v2 7/9] arm64: dts: rockchip: use generic Ethernet PHY reset bindings for Lunzn Fastrhino R68S"
In reply to: Oleg Nesterov: "[PATCH 1/2] uprobes: document the usage of mm->mmap_lock"
Next in thread: Oleg Nesterov: "Re: [PATCH 1/2] uprobes: document the usage of mm->mmap_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 10 Jul 2024 16:00:45 +0200
Oleg Nesterov <oleg@xxxxxxxxxx> wrote:

> The comment above uprobe_write_opcode() is wrong, unapply_uprobe() calls
> it under mmap_read_lock() and this is correct.
>
> And it is completely unclear why register_for_each_vma() takes mmap_lock
> for writing, add a comment to explain that mmap_write_lock() is needed to
> avoid the following race:
>
> - A task T hits the bp installed by uprobe and calls
> find_active_uprobe()
>
> - uprobe_unregister() removes this uprobe/bp
>
> - T calls find_uprobe() which returns NULL
>
> - another uprobe_register() installs the bp at the same address
>
> - T calls is_trap_at_addr() which returns true
>
> - T returns to handle_swbp() and gets SIGTRAP.
>
> Reported-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
> ---
> kernel/events/uprobes.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index 2c83ba776fc7..d52b624a50fa 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -453,7 +453,7 @@ static int update_ref_ctr(struct uprobe *uprobe, struct mm_struct *mm,
> * @vaddr: the virtual address to store the opcode.
> * @opcode: opcode to be written at @vaddr.
> *
> - * Called with mm->mmap_lock held for write.
> + * Called with mm->mmap_lock held for read or write.
> * Return 0 (success) or a negative errno.
> */
> int uprobe_write_opcode(struct arch_uprobe *auprobe, struct mm_struct *mm,
> @@ -1046,7 +1046,12 @@ register_for_each_vma(struct uprobe *uprobe, struct uprobe_consumer *new)
>
> if (err && is_register)
> goto free;
> -
> + /*
> + * We take mmap_lock for writing to avoid the race with
> + * find_active_uprobe(), install_breakpoint() must not
> + * make is_trap_at_addr() true right after find_uprobe()
> + * returns NULL.

Sorry, I couldn't catch the latter part. What is the relationship of
taking the mmap_lock and install_breakpoint() and is_trap_at_addr() here?

You meant that find_active_uprobe() is using find_uprobe() which searchs
uprobe form rbtree? But it seems uprobe is already inserted to the rbtree
in alloc_uprobe() so find_uprobe() will not return NULL here, right?

Thank you,

> + */
> mmap_write_lock(mm);
> vma = find_vma(mm, info->vaddr);
> if (!vma || !valid_vma(vma, is_register) ||
> --
> 2.25.1.362.g51ebf55
>
>

--
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>

Next message: Jonas Karlman: "Re: [PATCH v1] arm64: dts: rockchip: Add missing pinctrl for PCIe30x4 node"
Previous message: Chukun Pan: "Re: [PATCH v2 7/9] arm64: dts: rockchip: use generic Ethernet PHY reset bindings for Lunzn Fastrhino R68S"
In reply to: Oleg Nesterov: "[PATCH 1/2] uprobes: document the usage of mm->mmap_lock"
Next in thread: Oleg Nesterov: "Re: [PATCH 1/2] uprobes: document the usage of mm->mmap_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]