From patchwork Wed Dec 1 14:30:08 2021
X-Patchwork-Submitter: "Liam R. Howlett"
X-Patchwork-Id: 12650163
From: Liam Howlett
To: maple-tree@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton
CC: Song Liu, Davidlohr Bueso, Paul E. McKenney, Matthew Wilcox, Laurent Dufour, David Rientjes, Axel Rasmussen, Suren Baghdasaryan, Vlastimil Babka, Rik van Riel, Peter Zijlstra, Michel Lespinasse, Jerome Glisse, Minchan Kim, Joel Fernandes, Rom Lemarchand, Liam Howlett
Subject: [PATCH v4 39/66] binfmt_elf: Take the mmap lock when walking the VMA list
Date: Wed, 1 Dec 2021 14:30:08 +0000
Message-ID: <20211201142918.921493-40-Liam.Howlett@oracle.com>
References: <20211201142918.921493-1-Liam.Howlett@oracle.com>
In-Reply-To: <20211201142918.921493-1-Liam.Howlett@oracle.com>
From: "Matthew Wilcox (Oracle)"

I'm not sure if the VMA list can change under us, but dump_vma_snapshot()
is very careful to take the mmap_lock in write mode.  We only need to
take it in read mode here as we do not care if the size of the stack VMA
changes underneath us.

If it can be changed underneath us, this is a potential use-after-free
for a multithreaded process which is dumping core.

Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files")
Signed-off-by: Matthew Wilcox (Oracle)
Signed-off-by: Liam R. Howlett --- fs/binfmt_elf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index d41cca755ff9..5915518c8a1d 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1652,6 +1652,7 @@ static int fill_files_note(struct memelfnote *note) name_base = name_curpos = ((char *)data) + names_ofs; remaining = size - names_ofs; count = 0; + mmap_read_lock(mm); for_each_vma(vmi, vma) { struct file *file; const char *filename; @@ -1662,6 +1663,7 @@ static int fill_files_note(struct memelfnote *note) filename = file_path(file, name_curpos, remaining); if (IS_ERR(filename)) { if (PTR_ERR(filename) == -ENAMETOOLONG) { + mmap_read_unlock(mm); kvfree(data); size = size * 5 / 4; goto alloc; @@ -1681,6 +1683,7 @@ static int fill_files_note(struct memelfnote *note) *start_end_ofs++ = vma->vm_pgoff; count++; } + mmap_read_unlock(mm); /* Now we know exact count of files, can store it */ data[0] = count;
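Review bot: the new mmap_read_lock(mm) in the first hunk (immediately before for_each_vma(vmi, vma)) is a read acquisition inside a core-dump path that, per the commit message, already takes mmap_lock in write mode in dump_vma_snapshot(); please confirm fill_files_note() is never reached while that write lock is still held by the same task, since a read acquisition nested under the task's own write lock deadlocks. The hunk also does not show where `mm` is defined in this function, so a line in the commit message saying which mm is locked (and whether mmap_read_lock_killable() would be the better fit for a dump of a process that is being torn down) would make the change easier to review.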
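Review bot: the mmap_read_unlock(mm) on the -ENAMETOOLONG retry path in the second hunk is correctly placed before kvfree(data) and goto alloc, but it is the only exit from the walk that the hunk covers; the outer `if (IS_ERR(filename))` branch for errors other than -ENAMETOOLONG is cut off by the hunk, so confirm it stays inside the loop (continue) rather than leaving the function, or the read lock is leaked on that path. Since the retry re-enters the walk via the alloc: label, also check that the iterator vmi is re-initialised there: the first hunk shows `count = 0;` being reset before the lock is taken but nothing resetting vmi, and a stale iterator would resume mid-list on the second pass while count starts from zero.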
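Review bot: the mmap_read_unlock(mm) after the loop in the third hunk closes the critical section right after the last vma dereference (`*start_end_ofs++ = vma->vm_pgoff;`), and the code that follows (`data[0] = count;`) touches only the private buffer, so the placement is right. A one-line comment above the unlock stating that file_path() has already copied every filename into data and that no vma pointer may be used past this point would protect the invariant; a later change that hoists a vma access below the unlock would silently reintroduce the race the commit message describes.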