Commit 4710f05f authored by Oleg Nesterov's avatar Oleg Nesterov
Browse files

uprobes: Fix prepare_uprobe() race with itself 



install_breakpoint() is called under mm->mmap_sem, this protects
set_swbp() but not prepare_uprobe(). Two or more different tasks
can call install_breakpoint()->prepare_uprobe() at the same time,
this leads to numerous problems if UPROBE_COPY_INSN is not set.

Just for example, the second copy_insn() can corrupt the already
analyzed/fixuped uprobe->arch.insn and race with handle_swbp().

This patch simply adds uprobe->copy_mutex to serialize this code.
We could probably reuse ->consumer_rwsem, but this would mean that
consumer->handler() can not use mm->mmap_sem, not good.

Note: this is another temporary ugly hack until we move this logic
into uprobe_register().

Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Acked-by: default avatarSrikar Dronamraju <srikar@linux.vnet.ibm.com>
parent cb9a19fe

kernel/events/uprobes.c

+8 −0
Original line number Diff line number Diff line
@@ -89,6 +89,7 @@ struct uprobe { 
	struct rb_node		rb_node;	/* node in the rb tree */

	atomic_t		ref;

	struct rw_semaphore	consumer_rwsem;

	struct mutex		copy_mutex;	/* TODO: kill me and UPROBE_COPY_INSN */

	struct list_head	pending_list;

	struct uprobe_consumer	*consumers;

	struct inode		*inode;		/* Also hold a ref to inode */
@@ -444,6 +445,7 @@ static struct uprobe *alloc_uprobe(struct inode *inode, loff_t offset) 
	uprobe->inode = igrab(inode);

	uprobe->offset = offset;

	init_rwsem(&uprobe->consumer_rwsem);

	mutex_init(&uprobe->copy_mutex);



	/* add to uprobes_tree, sorted on inode:offset */

	cur_uprobe = insert_uprobe(uprobe);
@@ -578,6 +580,10 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, 
	if (uprobe->flags & UPROBE_COPY_INSN)

		return ret;



	mutex_lock(&uprobe->copy_mutex);

	if (uprobe->flags & UPROBE_COPY_INSN)

		goto out;



	ret = copy_insn(uprobe, file);

	if (ret)

		goto out;
@@ -598,6 +604,8 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, 
	uprobe->flags |= UPROBE_COPY_INSN;



 out:

	mutex_unlock(&uprobe->copy_mutex);



	return ret;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE