From: Michal Hocko <mhocko@kernel.org>
To: Ajay Kaher <akaher@vmware.com>
Cc: Stable tree <stable@vger.kernel.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Jann Horn <jannh@google.com>, Oleg Nesterov <oleg@redhat.com>,
	Peter Xu <peterx@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>,
	Jason Gunthorpe <jgg@mellanox.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Joel Fernandes <joel@joelfernandes.org>,
	Srivatsa Bhat <srivatsab@vmware.com>
Subject: Re: [RFC PATCH stable-4.4] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
Date: Thu, 6 Jun 2019 21:55:05 +0200
Message-ID: <20190606195505.GA7047@dhcp22.suse.cz>
In-Reply-To: <5756B041-C0A8-4178-9F5B-7CBF7A554E31@vmware.com>

On Thu 06-06-19 19:42:20, Ajay Kaher wrote:
> 
> > From: Andrea Arcangeli <aarcange@redhat.com>
> >
> > Upstream 04f5866e41fb70690e28397487d8bd8eea7d712a commit.
> >
> >
> > Signed-off-by: Michal Hocko <mhocko@suse.com>
> > ---
> > Hi,
> > this is based on the backport I have done for our 4.4-based distribution
> > kernel. Please double check that I haven't missed anything before
> > applying to the stable tree. I have also CCed Joel for the binder part
> > which is not in the current upstream anymore but I believe it needs the
> > check as well.
> >
> > Review feedback welcome.
> >
> > drivers/android/binder.c |  6 ++++++
> > fs/proc/task_mmu.c       | 18 ++++++++++++++++++
> > fs/userfaultfd.c         | 10 ++++++++--
> > include/linux/mm.h       | 21 +++++++++++++++++++++
> > mm/huge_memory.c         |  2 +-
> > mm/mmap.c                |  7 ++++++-
> > 6 files changed, 60 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > index 260ce0e60187..1fb1cddbd19a 100644
> > --- a/drivers/android/binder.c
> > +++ b/drivers/android/binder.c
> > @@ -570,6 +570,12 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate,
> > 
> > 	if (mm) {
> > 		down_write(&mm->mmap_sem);
> > +		if (!mmget_still_valid(mm)) {
> > +			if (allocate == 0)
> > +				goto free_range;
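
Review bot: The mmget_still_valid() test sits after down_write(&mm->mmap_sem), which is the ordering the helper needs, since the dumper records the state mmget_still_valid() reads while holding mmap_sem; a check taken before the lock could race with it. Only the `allocate == 0` branch (`goto free_range`) is quoted here; the branch for a non-zero allocate, the one that would add pages to a dumping mm, is cut off, so the review should confirm that it too bails out before any vma modification and that free_range itself does not touch the vma, which is the question raised just below.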
> 
> Please cross check, free_range: should not end up with modifications in vma.

A review from a binder expert is definitely due but this function
clearly modifies the vma. Maybe the mapping is not really that important
because the coredump would simply not see the new mapping and therefore
"only" generate an incomplete/corrupted dump rather than leak
information. I went with a "just to be sure" approach and added the check
to all locations which might be operating on a remote mm and modify the
address space.

-- 
Michal Hocko
SUSE Labs
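
A user-space model of the invariant discussed in this thread, added here as an illustration and not code from the patch or the kernel: the dumper marks the mm while holding mmap_sem, so a remote user that took an mm reference must re-check mmget_still_valid() under that same lock before it touches the address space. All structs and functions below are simplified stand-ins for the kernel's, and the vma count is a constructed sample.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model of the kernel objects involved (not kernel
 * code); it only reproduces the shape of the invariant the patch enforces. */
struct core_state { int started; };
struct mm_struct {
	bool mmap_sem_held;            /* stands in for mmap_sem */
	struct core_state *core_state; /* set once a coredump begins */
	int nr_vmas;                   /* the address space the dumper walks */
};
static void down_write(struct mm_struct *mm) { assert(!mm->mmap_sem_held); mm->mmap_sem_held = true; }
static void up_write(struct mm_struct *mm) { mm->mmap_sem_held = false; }

/* Same test as the upstream helper; only meaningful with mmap_sem held. */
static bool mmget_still_valid(struct mm_struct *mm)
{
	assert(mm->mmap_sem_held);
	return mm->core_state == NULL;
}

/* coredump_wait()-style start: mark the mm under mmap_sem, then walk the
 * vmas without the lock, trusting remote users to honour core_state. */
static int coredump_start(struct mm_struct *mm, struct core_state *cs)
{
	down_write(mm);
	mm->core_state = cs;
	up_write(mm);
	return mm->nr_vmas; /* the snapshot the dumper believes is stable */
}

/* A remote user (binder/userfaultfd/proc style) holding an mm reference
 * that wants to add a mapping. Returns 0 if added, -2 if a dump is running. */
static int remote_add_vma(struct mm_struct *mm, bool patched)
{
	int ret = 0;
	down_write(mm);
	if (patched && !mmget_still_valid(mm))
		ret = -2;      /* patched path: leave the address space alone */
	else
		mm->nr_vmas++; /* unpatched path: changes what the dumper walks */
	up_write(mm);
	return ret;
}

/* true if the dumper's snapshot still matches the mm after the remote access */
static bool dump_stays_consistent(bool patched)
{
	struct core_state cs = { 1 };
	struct mm_struct mm = { false, NULL, 3 }; /* constructed: 3 vmas */
	int snapshot = coredump_start(&mm, &cs);
	remote_add_vma(&mm, patched);
	return snapshot == mm.nr_vmas;
}
```

Without the check the remote user silently changes the address space the dumper is walking; with it the modification is refused while core_state is set.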

