diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2012-09-30 14:31:41 -0400 |
|---|---|---|
| committer | Oleg Nesterov <oleg@redhat.com> | 2012-10-07 15:19:43 -0400 |
| commit | 4710f05fd146d4739e57a8832a3abc5bd3bf0997 (patch) | |
| tree | 459f64b5243d621c85b34abf90e3892cca69e502 | |
| parent | cb9a19fe4aa51afa34786bd383e6614fa0083d58 (diff) | |
uprobes: Fix prepare_uprobe() race with itself
install_breakpoint() is called under mm->mmap_sem, this protects
set_swbp() but not prepare_uprobe(). Two or more different tasks
can call install_breakpoint()->prepare_uprobe() at the same time,
this leads to numerous problems if UPROBE_COPY_INSN is not set.
Just for example, the second copy_insn() can corrupt the already
analyzed/fixuped uprobe->arch.insn and race with handle_swbp().
This patch simply adds uprobe->copy_mutex to serialize this code.
We could probably reuse ->consumer_rwsem, but this would mean that
consumer->handler() can not use mm->mmap_sem, not good.
Note: this is another temporary ugly hack until we move this logic
into uprobe_register().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
| -rw-r--r-- | kernel/events/uprobes.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 4f315fa94c52..7f62b30c4172 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c | |||
| @@ -89,6 +89,7 @@ struct uprobe { | |||
| 89 | struct rb_node rb_node; /* node in the rb tree */ | 89 | struct rb_node rb_node; /* node in the rb tree */ |
| 90 | atomic_t ref; | 90 | atomic_t ref; |
| 91 | struct rw_semaphore consumer_rwsem; | 91 | struct rw_semaphore consumer_rwsem; |
| 92 | struct mutex copy_mutex; /* TODO: kill me and UPROBE_COPY_INSN */ | ||
| 92 | struct list_head pending_list; | 93 | struct list_head pending_list; |
| 93 | struct uprobe_consumer *consumers; | 94 | struct uprobe_consumer *consumers; |
| 94 | struct inode *inode; /* Also hold a ref to inode */ | 95 | struct inode *inode; /* Also hold a ref to inode */ |
| @@ -444,6 +445,7 @@ static struct uprobe *alloc_uprobe(struct inode *inode, loff_t offset) | |||
| 444 | uprobe->inode = igrab(inode); | 445 | uprobe->inode = igrab(inode); |
| 445 | uprobe->offset = offset; | 446 | uprobe->offset = offset; |
| 446 | init_rwsem(&uprobe->consumer_rwsem); | 447 | init_rwsem(&uprobe->consumer_rwsem); |
| 448 | mutex_init(&uprobe->copy_mutex); | ||
| 447 | 449 | ||
| 448 | /* add to uprobes_tree, sorted on inode:offset */ | 450 | /* add to uprobes_tree, sorted on inode:offset */ |
| 449 | cur_uprobe = insert_uprobe(uprobe); | 451 | cur_uprobe = insert_uprobe(uprobe); |
| @@ -578,6 +580,10 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, | |||
| 578 | if (uprobe->flags & UPROBE_COPY_INSN) | 580 | if (uprobe->flags & UPROBE_COPY_INSN) |
| 579 | return ret; | 581 | return ret; |
| 580 | 582 | ||
| 583 | mutex_lock(&uprobe->copy_mutex); | ||
| 584 | if (uprobe->flags & UPROBE_COPY_INSN) | ||
| 585 | goto out; | ||
| 586 | |||
| 581 | ret = copy_insn(uprobe, file); | 587 | ret = copy_insn(uprobe, file); |
| 582 | if (ret) | 588 | if (ret) |
| 583 | goto out; | 589 | goto out; |
| @@ -598,6 +604,8 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, | |||
| 598 | uprobe->flags |= UPROBE_COPY_INSN; | 604 | uprobe->flags |= UPROBE_COPY_INSN; |
| 599 | 605 | ||
| 600 | out: | 606 | out: |
| 607 | mutex_unlock(&uprobe->copy_mutex); | ||
| 608 | |||
| 601 | return ret; | 609 | return ret; |
| 602 | } | 610 | } |
| 603 | 611 | ||