Re: [PATCH] uprobes: use vm_special_mapping close() functionality
From: Oleg Nesterov <oleg@redhat.com>
Date: 2024-09-03 09:09:12
Also in:
linux-perf-users, lkml
Possibly related (same subject, not in this thread)
- 2024-09-04 · Re: [PATCH] uprobes: use vm_special_mapping close() functionality · Andrew Morton <akpm@linux-foundation.org>
- 2024-09-04 · Re: [PATCH] uprobes: use vm_special_mapping close() functionality · Michael Ellerman <mpe@ellerman.id.au>
- 2024-09-03 · Re: [PATCH] uprobes: use vm_special_mapping close() functionality · Linus Torvalds <torvalds@linux-foundation.org>
- 2024-09-03 · Re: [PATCH] uprobes: use vm_special_mapping close() functionality · Sven Schnelle <svens@linux.ibm.com>
- 2024-09-03 · Re: [PATCH] uprobes: use vm_special_mapping close() functionality · Sven Schnelle <svens@linux.ibm.com>
On 09/03, Sven Schnelle wrote:
[ 44.505448] ================================================================== 20:37:27 [3421/145075] [ 44.505455] BUG: KASAN: slab-use-after-free in special_mapping_close+0x9c/0xc8 [ 44.505471] Read of size 8 at addr 00000000868dac48 by task sh/1384 [ 44.505479] [ 44.505486] CPU: 51 UID: 0 PID: 1384 Comm: sh Not tainted 6.11.0-rc6-next-20240902-dirty #1496 [ 44.505503] Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) [ 44.505508] Call Trace: [ 44.505511] [<000b0324d2f78080>] dump_stack_lvl+0xd0/0x108 [ 44.505521] [<000b0324d2f5435c>] print_address_description.constprop.0+0x34/0x2e0 [ 44.505529] [<000b0324d2f5464c>] print_report+0x44/0x138 [ 44.505536] [<000b0324d1383192>] kasan_report+0xc2/0x140 [ 44.505543] [<000b0324d2f52904>] special_mapping_close+0x9c/0xc8
^^^^^^^^^^^^^^^^^^^^^ Caused by [PATCH v2 1/4] mm: Add optional close() to struct vm_special_mapping https://lore.kernel.org/all/20240812082605.743814-1-mpe@ellerman.id.au/ (local) ?
quoted hunk ↗ jump to hunk
+static void uprobe_clear_state(const struct vm_special_mapping *sm, struct vm_area_struct *vma) +{ + struct xol_area *area = container_of(vma->vm_private_data, struct xol_area, xol_mapping); + + mutex_lock(&delayed_uprobe_lock); + delayed_uprobe_remove(NULL, vma->vm_mm); + mutex_unlock(&delayed_uprobe_lock); + + if (!area) + return; + + put_page(area->pages[0]); + kfree(area->bitmap); + kfree(area); +} + static struct xol_area *__create_xol_area(unsigned long vaddr) { struct mm_struct *mm = current->mm;@@ -1481,6 +1500,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr) area->xol_mapping.name = "[uprobes]"; area->xol_mapping.fault = NULL; + area->xol_mapping.close = uprobe_clear_state;
LGTM. but with or without this fix __create_xol_area() also needs area->xol_mapping.mremap = NULL; ? And in the longer term I think we should probably add a single instance of "struct vm_special_mapping uprobe_special_mapping with ->fault != NULL but this is another issue. Oleg.