mm-commits Archive on lore.kernel.org
From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, ebiederm@xmission.com,
	jannh@google.com, jgg@nvidia.com, jhubbard@nvidia.com,
	linux-mm@kvack.org, mchehab@kernel.org,
	mm-commits@vger.kernel.org, sakari.ailus@linux.intel.com,
	torvalds@linux-foundation.org, walken@google.com
Subject: [patch 13/40] binfmt_elf: take the mmap lock around find_extend_vma()
Date: Sat, 17 Oct 2020 16:14:15 -0700
Message-ID: <20201017231415.XtZWgOT7Q%akpm@linux-foundation.org> (raw)
In-Reply-To: <20201017161314.88890b87fae7446ccc13c902@linux-foundation.org>

From: Jann Horn <jannh@google.com>
Subject: binfmt_elf: take the mmap lock around find_extend_vma()

create_elf_tables() runs after setup_new_exec(), so other tasks can
already access our new mm and do things like process_madvise() on it.  (At
the time I'm writing this commit, process_madvise() is not in mainline
yet, but has been in akpm's tree for some time.)

While I believe that there are currently no APIs that would actually allow
another process to mess up our VMA tree (process_madvise() is limited to
MADV_COLD and MADV_PAGEOUT, and uring and userfaultfd cannot reach an mm
under which no syscalls have been executed yet), this seems like an
accident waiting to happen.

Let's make sure that we always take the mmap lock around GUP paths as long
as another process might be able to see the mm.

(Yes, this diff looks suspicious because we drop the lock before doing
anything with `vma`, but that's because we actually don't do anything with
it apart from the NULL check.)

Link: https://lkml.kernel.org/r/CAG48ez1-PBCdv3y8pn-Ty-b+FmBSLwDuVKFSt8h7wARLy0dF-Q@mail.gmail.com
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Michel Lespinasse <walken@google.com>
Cc: "Eric W . Biederman" <ebiederm@xmission.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/binfmt_elf.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/binfmt_elf.c~binfmt_elf-take-the-mmap-lock-around-find_extend_vma
+++ a/fs/binfmt_elf.c
@@ -310,7 +310,10 @@ create_elf_tables(struct linux_binprm *b
 	 * Grow the stack manually; some architectures have a limit on how
 	 * far ahead a user-space access may be in order to grow the stack.
 	 */
+	if (mmap_read_lock_killable(mm))
+		return -EINTR;
 	vma = find_extend_vma(mm, bprm->p);
+	mmap_read_unlock(mm);
 	if (!vma)
 		return -EFAULT;
 
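Review bot: the `mmap_read_unlock(mm)` on the line after `find_extend_vma()` drops the lock before the `if (!vma)` test, so the returned pointer is valid to use only as a NULL check, and that justification currently lives solely in the commit message ("we actually don't do anything with it apart from the NULL check"). Suggest extending the existing block comment above the lock ("Grow the stack manually; ...") with a sentence to that effect, e.g. "The lock is dropped before the NULL check because vma is not dereferenced afterwards", so that a later change which starts using `vma` below this point cannot silently turn into an unlocked VMA access. The `-EINTR` return from `mmap_read_lock_killable()` matches the existing `-EFAULT` error convention of this function, so no further handling is needed there.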