From patchwork Thu Dec 22 18:12:49 2022
X-Patchwork-Submitter: Catalin Marinas
X-Patchwork-Id: 13080208
From: Catalin Marinas
To: Will Deacon, Seth Jenkins
Cc: Eric Biederman, Kees Cook, Greg Kroah-Hartman, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: [PATCH 1/3] arm64: mte: Fix double-freeing of the temporary tag storage during coredump
Date: Thu, 22 Dec 2022 18:12:49 +0000
Message-Id: <20221222181251.1345752-2-catalin.marinas@arm.com>
In-Reply-To: <20221222181251.1345752-1-catalin.marinas@arm.com>
References: <20221222181251.1345752-1-catalin.marinas@arm.com>

Commit 16decce22efa ("arm64: mte: Fix the stack frame size warning in mte_dump_tag_range()") moved the temporary tag storage array from the stack to slab but it also introduced an error in double freeing this object. Remove the in-loop freeing.

Fixes: 16decce22efa ("arm64: mte: Fix the stack frame size warning in mte_dump_tag_range()")
Cc: # 5.18.x
Signed-off-by: Catalin Marinas
Reported-by: Seth Jenkins
Cc: Will Deacon
---
 arch/arm64/kernel/elfcore.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/arm64/kernel/elfcore.c b/arch/arm64/kernel/elfcore.c index 27ef7ad3ffd2..4e3f84799669 100644 --- a/arch/arm64/kernel/elfcore.c +++ b/arch/arm64/kernel/elfcore.c 
@@ -65,7 +65,6 @@ static int mte_dump_tag_range(struct coredump_params *cprm, mte_save_page_tags(page_address(page), tags); put_page(page); if (!dump_emit(cprm, tags, MTE_PAGE_TAG_STORAGE)) { - mte_free_tag_storage(tags); ret = 0; break; }
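Review bot: the in-loop mte_free_tag_storage(tags) removed here was only a double free because the function frees tags once more after the loop, and that post-loop free is outside this hunk's context; since `break` now leaves the loop with `tags` still allocated, it is worth confirming that the single free after the loop is reached on the `ret = 0` exit as well as on the normal one, and that it tolerates `tags == NULL` (the variable starts as NULL, as the context in 3/3 shows, so a loop that never allocated must not trip on it). The affected path is only taken when dump_emit() fails, for example when the core size limit is hit mid-dump, so a regression test is a process with an MTE-tagged mapping dumping under a small RLIMIT_CORE; before this change that scenario freed the same slab object twice.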
From: Catalin Marinas
To: Will Deacon, Seth Jenkins
Cc: Eric Biederman, Kees Cook, Greg Kroah-Hartman, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: [PATCH 2/3] elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size}
Date: Thu, 22 Dec 2022 18:12:50 +0000
Message-Id: <20221222181251.1345752-3-catalin.marinas@arm.com>
In-Reply-To: <20221222181251.1345752-1-catalin.marinas@arm.com>
References: <20221222181251.1345752-1-catalin.marinas@arm.com>

A subsequent fix for arm64 will use this parameter to parse the vma information from the snapshot created by dump_vma_snapshot() rather than traversing the vma list without the mmap_lock.

Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
Cc: # 5.18.x
Signed-off-by: Catalin Marinas
Reported-by: Seth Jenkins
Suggested-by: Seth Jenkins
Cc: Will Deacon
Cc: Eric Biederman
Cc: Kees Cook
Acked-by: Kees Cook
---
 arch/arm64/kernel/elfcore.c | 4 ++--
 arch/ia64/kernel/elfcore.c  | 4 ++--
 arch/x86/um/elfcore.c       | 4 ++--
 fs/binfmt_elf.c             | 4 ++--
 fs/binfmt_elf_fdpic.c       | 4 ++--
 include/linux/elfcore.h     | 8 ++++----
 6 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/arch/arm64/kernel/elfcore.c b/arch/arm64/kernel/elfcore.c index 4e3f84799669..b2388f15223e 100644 --- a/arch/arm64/kernel/elfcore.c 
+++ b/arch/arm64/kernel/elfcore.c @@ -76,7 +76,7 @@ static int mte_dump_tag_range(struct coredump_params *cprm, return ret; } -Elf_Half elf_core_extra_phdrs(void) +Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) { struct vm_area_struct *vma; int vma_count = 0; @@ -113,7 +113,7 @@ int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) return 1; } -size_t elf_core_extra_data_size(void) +size_t elf_core_extra_data_size(struct coredump_params *cprm) { struct vm_area_struct *vma; size_t data_size = 0; diff --git a/arch/ia64/kernel/elfcore.c b/arch/ia64/kernel/elfcore.c index 94680521fbf9..8895df121540 100644 --- a/arch/ia64/kernel/elfcore.c +++ b/arch/ia64/kernel/elfcore.c @@ -7,7 +7,7 @@ #include -Elf64_Half elf_core_extra_phdrs(void) +Elf64_Half elf_core_extra_phdrs(struct coredump_params *cprm) { return GATE_EHDR->e_phnum; } @@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct coredump_params *cprm) return 1; } -size_t elf_core_extra_data_size(void) +size_t elf_core_extra_data_size(struct coredump_params *cprm) { const struct elf_phdr *const gate_phdrs = (const struct elf_phdr *) (GATE_ADDR + GATE_EHDR->e_phoff); diff --git a/arch/x86/um/elfcore.c b/arch/x86/um/elfcore.c index 48a3eb09d951..650cdbbdaf45 100644 --- a/arch/x86/um/elfcore.c +++ b/arch/x86/um/elfcore.c @@ -7,7 +7,7 @@ #include -Elf32_Half elf_core_extra_phdrs(void) +Elf32_Half elf_core_extra_phdrs(struct coredump_params *cprm) { return vsyscall_ehdr ? (((struct elfhdr *)vsyscall_ehdr)->e_phnum) : 0; } @@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct coredump_params *cprm) return 1; } -size_t elf_core_extra_data_size(void) +size_t elf_core_extra_data_size(struct coredump_params *cprm) { if ( vsyscall_ehdr ) { const struct elfhdr *const ehdrp = diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 6a11025e5850..444302afc673 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c 
@@ -2209,7 +2209,7 @@ static int elf_core_dump(struct coredump_params *cprm) * The number of segs are recored into ELF header as 16bit value. * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here. */ - segs = cprm->vma_count + elf_core_extra_phdrs(); + segs = cprm->vma_count + elf_core_extra_phdrs(cprm); /* for notes section */ segs++; @@ -2249,7 +2249,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); offset += cprm->vma_data_size; - offset += elf_core_extra_data_size(); + offset += elf_core_extra_data_size(cprm); e_shoff = offset; if (e_phnum == PN_XNUM) { diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index 08d0c8797828..2855f19ae3af 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -1508,7 +1508,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm) tmp->next = thread_list; thread_list = tmp; - segs = cprm->vma_count + elf_core_extra_phdrs(); + segs = cprm->vma_count + elf_core_extra_phdrs(cprm); /* for notes section */ segs++; @@ -1554,7 +1554,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); offset += cprm->vma_data_size; - offset += elf_core_extra_data_size(); + offset += elf_core_extra_data_size(cprm); e_shoff = offset; if (e_phnum == PN_XNUM) { diff --git a/include/linux/elfcore.h b/include/linux/elfcore.h index 346a8b56cdc8..79e26b18bf0e 100644 --- a/include/linux/elfcore.h +++ b/include/linux/elfcore.h 
@@ -114,14 +114,14 @@ static inline int elf_core_copy_task_fpregs(struct task_struct *t, struct pt_reg * Dumping its extra ELF program headers includes all the other information * a debugger needs to easily find how the gate DSO was being used. */ -extern Elf_Half elf_core_extra_phdrs(void); +extern Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm); extern int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset); extern int elf_core_write_extra_data(struct coredump_params *cprm); -extern size_t elf_core_extra_data_size(void); +extern size_t elf_core_extra_data_size(struct coredump_params *cprm); #else -static inline Elf_Half elf_core_extra_phdrs(void) +static inline Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) { return 0; } 
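Review bot: the new `cprm` parameter is unused in the ia64 and x86/um definitions and in the inline stubs in this hunk, which is expected since only arm64 will consume it, but the header is the right place to document the invariant the consumer will depend on: elf_core_extra_phdrs() and elf_core_extra_data_size() are only meaningful once dump_vma_snapshot() has populated cprm->vma_meta and cprm->vma_count. Both callers already read the snapshot in the same statement (`segs = cprm->vma_count + elf_core_extra_phdrs(cprm);` in fs/binfmt_elf.c and fs/binfmt_elf_fdpic.c), so the ordering holds today; a one-line comment next to the extern prototypes saying "called after dump_vma_snapshot(); implementations may use cprm->vma_meta" would keep a future caller from invoking them earlier with an empty snapshot.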
@@ -136,7 +136,7 @@ static inline int elf_core_write_extra_data(struct coredump_params *cprm) return 1; } -static inline size_t elf_core_extra_data_size(void) +static inline size_t elf_core_extra_data_size(struct coredump_params *cprm) { return 0; }
From: Catalin Marinas
To: Will Deacon, Seth Jenkins
Cc: Eric Biederman, Kees Cook, Greg Kroah-Hartman, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: [PATCH 3/3] arm64: mte: Avoid the racy walk of the vma list during core dump
Date: Thu, 22 Dec 2022 18:12:51 +0000
Message-Id: <20221222181251.1345752-4-catalin.marinas@arm.com>
In-Reply-To: <20221222181251.1345752-1-catalin.marinas@arm.com>
References: <20221222181251.1345752-1-catalin.marinas@arm.com>
The MTE coredump code in arch/arm64/kernel/elfcore.c iterates over the vma list without the mmap_lock held. This can race with another process or userfaultfd concurrently modifying the vma list. Change the for_each_mte_vma macro and its callers to instead use the vma snapshot taken by dump_vma_snapshot() and stored in the cprm object.

Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
Cc: # 5.18.x
Signed-off-by: Catalin Marinas
Reported-by: Seth Jenkins
Suggested-by: Seth Jenkins
Cc: Will Deacon
---
 arch/arm64/kernel/elfcore.c | 56 +++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 30 deletions(-)

diff --git a/arch/arm64/kernel/elfcore.c b/arch/arm64/kernel/elfcore.c index b2388f15223e..662a61e5e75e 100644 --- a/arch/arm64/kernel/elfcore.c +++ b/arch/arm64/kernel/elfcore.c @@ -8,28 +8,27 @@ #include #include -#define for_each_mte_vma(vmi, vma) \ +#define for_each_mte_vma(cprm, i, m) \ if (system_supports_mte()) \ - for_each_vma(vmi, vma) \ - if (vma->vm_flags & VM_MTE) + for (i = 0, m = cprm->vma_meta; \ + i < cprm->vma_count; \ + i++, m = cprm->vma_meta + i) \ + if (m->flags & VM_MTE) -static unsigned long mte_vma_tag_dump_size(struct vm_area_struct *vma) +static unsigned long mte_vma_tag_dump_size(struct core_vma_metadata *m) { - if (vma->vm_flags & VM_DONTDUMP) - return 0; - - return vma_pages(vma) * MTE_PAGE_TAG_STORAGE; + return (m->dump_size >> PAGE_SHIFT) * MTE_PAGE_TAG_STORAGE; } /* Derived from dump_user_range(); start/end must be page-aligned */ static int mte_dump_tag_range(struct coredump_params *cprm, - unsigned long start, unsigned long end) + unsigned long start, unsigned long len) { int ret = 1; unsigned long addr; void *tags = NULL; - for (addr = start; addr < end; addr += PAGE_SIZE) { + for (addr = start; addr < start + len; addr += PAGE_SIZE) { struct page *page = get_dump_page(addr); /* 
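Review bot: the comment above mte_dump_tag_range() still reads `start/end must be page-aligned` although the second parameter is now `len`; it should say start/len. In mte_vma_tag_dump_size(), `m->dump_size >> PAGE_SHIFT` silently discards any sub-page remainder, so the result is only right if dump_size is always a multiple of PAGE_SIZE; that is what dump_vma_snapshot() stores (vma_dump_size() in fs/coredump.c yields the whole vma, exactly one page, or zero), but a comment or `DIV_ROUND_UP(m->dump_size, PAGE_SIZE)` would make the assumption explicit rather than implicit. Dropping the explicit VM_DONTDUMP test likewise relies on the snapshot recording dump_size == 0 for such vmas, which is worth a line in the function comment. The macro still starts with an unbraced `if (system_supports_mte())`, so callers must keep using it with a single statement or a braced body, as the existing callers do.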
@@ -78,11 +77,11 @@ static int mte_dump_tag_range(struct coredump_params *cprm, Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) { - struct vm_area_struct *vma; + int i; + struct core_vma_metadata *m; int vma_count = 0; - VMA_ITERATOR(vmi, current->mm, 0); - for_each_mte_vma(vmi, vma) + for_each_mte_vma(cprm, i, m) vma_count++; return vma_count; @@ -90,18 +89,18 @@ Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) { - struct vm_area_struct *vma; - VMA_ITERATOR(vmi, current->mm, 0); + int i; + struct core_vma_metadata *m; - for_each_mte_vma(vmi, vma) { + for_each_mte_vma(cprm, i, m) { struct elf_phdr phdr; phdr.p_type = PT_AARCH64_MEMTAG_MTE; phdr.p_offset = offset; - phdr.p_vaddr = vma->vm_start; + phdr.p_vaddr = m->start; phdr.p_paddr = 0; - phdr.p_filesz = mte_vma_tag_dump_size(vma); - phdr.p_memsz = vma->vm_end - vma->vm_start; + phdr.p_filesz = mte_vma_tag_dump_size(m); + phdr.p_memsz = m->end - m->start; offset += phdr.p_filesz; phdr.p_flags = 0; phdr.p_align = 0; @@ -115,26 +114,23 @@ int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) size_t elf_core_extra_data_size(struct coredump_params *cprm) { - struct vm_area_struct *vma; + int i; + struct core_vma_metadata *m; size_t data_size = 0; - VMA_ITERATOR(vmi, current->mm, 0); - for_each_mte_vma(vmi, vma) - data_size += mte_vma_tag_dump_size(vma); + for_each_mte_vma(cprm, i, m) + data_size += mte_vma_tag_dump_size(m); return data_size; } int elf_core_write_extra_data(struct coredump_params *cprm) { - struct vm_area_struct *vma; - VMA_ITERATOR(vmi, current->mm, 0); - - for_each_mte_vma(vmi, vma) { - if (vma->vm_flags & VM_DONTDUMP) - continue; + int i; + struct core_vma_metadata *m; - if (!mte_dump_tag_range(cprm, vma->vm_start, vma->vm_end)) + for_each_mte_vma(cprm, i, m) { + if (!mte_dump_tag_range(cprm, m->start, m->dump_size)) return 0; }
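Review bot: with all three walkers now reading the same cprm->vma_meta array, the phdr count from elf_core_extra_phdrs(), the p_offset/p_filesz values written by elf_core_write_extra_phdrs() and the bytes emitted by elf_core_write_extra_data() are all derived from one immutable snapshot, which is what closes the window where a vma added or removed between the count and the write could make the three disagree and mis-lay-out the core file; a short comment above for_each_mte_vma() stating that the walk must stay snapshot-only (no current->mm access, no VMA_ITERATOR) would stop a later change from reintroducing the unlocked list walk. In elf_core_write_extra_data(), passing `m->dump_size` as `len` keeps the emitted tag bytes equal to the p_filesz computed from mte_vma_tag_dump_size(m), including for a vma the snapshot trims to a single page, while p_memsz still spans `m->end - m->start`; that matches how the data segments describe a partially dumped vma, so it is consistent, but a comment at the phdr construction noting that p_filesz may be smaller than p_memsz would help readers of the PT_AARCH64_MEMTAG_MTE segment.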