From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Rich Felker <dalias@libc.org>,
linux-c6x-dev@linux-c6x.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
linux-sh@vger.kernel.org, linux-kernel@vger.kernel.org,
Oleg Nesterov <oleg@redhat.com>,
linux-mm@kvack.org, Alexander Viro <viro@zeniv.linux.org.uk>,
Mark Salter <msalter@redhat.com>,
linux-fsdevel@vger.kernel.org,
Russell King <linux@armlinux.org.uk>,
Aurelien Jacquiot <jacquiot.aurelien@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
linux-arm-kernel@lists.infradead.org,
"Eric W . Biederman" <ebiederm@xmission.com>
Subject: [PATCH 5/5] mm/gup: Take mmap_sem in get_dump_page()
Date: Tue, 28 Apr 2020 03:27:45 +0000 [thread overview]
Message-ID: <20200428032745.133556-6-jannh@google.com> (raw)
In-Reply-To: <20200428032745.133556-1-jannh@google.com>
Properly take the mmap_sem before calling into the GUP code from
get_dump_page(); and play nice, allowing __get_user_pages_locked() to drop
the mmap_sem if it has to sleep.
This requires adjusting the check in __get_user_pages_locked() to be
slightly less strict: While `vmas != NULL` is normally incompatible with
the lock-dropping retry logic, it's fine if we only want a single page,
because then retries can only happen when we haven't grabbed any pages yet.
Signed-off-by: Jann Horn <jannh@google.com>
---
mm/gup.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/mm/gup.c b/mm/gup.c
index 9a7e83772f1fe..4bb4149c0e259 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1261,7 +1261,8 @@ static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
if (locked) {
/* if VM_FAULT_RETRY can be returned, vmas become invalid */
- BUG_ON(vmas);
+ if (WARN_ON(vmas && nr_pages != 1))
+ return -EFAULT;
/* check caller initialized locked */
BUG_ON(*locked != 1);
}
@@ -1548,18 +1549,28 @@ static long __get_user_pages_locked(struct task_struct *tsk,
* NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
* allowing a hole to be left in the corefile to save diskspace.
*
- * Called without mmap_sem, but after all other threads have been killed.
+ * Called without mmap_sem (takes and releases the mmap_sem by itself).
*/
struct page *get_dump_page(unsigned long addr)
{
+ struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct page *page;
+ int locked = 1;
+ int ret;
- if (__get_user_pages(current, current->mm, addr, 1,
- FOLL_FORCE | FOLL_DUMP | FOLL_GET, &page, &vma,
- NULL) < 1)
+ if (down_read_killable(&mm->mmap_sem))
+ return NULL;
+ ret = __get_user_pages_locked(current, mm, addr, 1, &page, &vma,
+ &locked,
+ FOLL_FORCE | FOLL_DUMP | FOLL_GET);
+ if (ret != 1) {
+ if (locked)
+ up_read(&mm->mmap_sem);
return NULL;
+ }
flush_cache_page(vma, addr, page_to_pfn(page));
+ up_read(&mm->mmap_sem);
return page;
}
--
2.26.2.303.gf8c07b1a785-goog
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-fsdevel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Oleg Nesterov <oleg@redhat.com>,
Russell King <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org,
Mark Salter <msalter@redhat.com>,
Aurelien Jacquiot <jacquiot.aurelien@gmail.com>,
linux-c6x-dev@linux-c6x.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
Rich Felker <dalias@libc.org>,
linux-sh@vger.kernel.org
Subject: [PATCH 5/5] mm/gup: Take mmap_sem in get_dump_page()
Date: Tue, 28 Apr 2020 05:27:45 +0200 [thread overview]
Message-ID: <20200428032745.133556-6-jannh@google.com> (raw)
In-Reply-To: <20200428032745.133556-1-jannh@google.com>
Properly take the mmap_sem before calling into the GUP code from
get_dump_page(); and play nice, allowing __get_user_pages_locked() to drop
the mmap_sem if it has to sleep.
This requires adjusting the check in __get_user_pages_locked() to be
slightly less strict: While `vmas != NULL` is normally incompatible with
the lock-dropping retry logic, it's fine if we only want a single page,
because then retries can only happen when we haven't grabbed any pages yet.
Signed-off-by: Jann Horn <jannh@google.com>
---
mm/gup.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/mm/gup.c b/mm/gup.c
index 9a7e83772f1fe..4bb4149c0e259 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1261,7 +1261,8 @@ static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
if (locked) {
/* if VM_FAULT_RETRY can be returned, vmas become invalid */
- BUG_ON(vmas);
+ if (WARN_ON(vmas && nr_pages != 1))
+ return -EFAULT;
/* check caller initialized locked */
BUG_ON(*locked != 1);
}
@@ -1548,18 +1549,28 @@ static long __get_user_pages_locked(struct task_struct *tsk,
* NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
* allowing a hole to be left in the corefile to save diskspace.
*
- * Called without mmap_sem, but after all other threads have been killed.
+ * Called without mmap_sem (takes and releases the mmap_sem by itself).
*/
struct page *get_dump_page(unsigned long addr)
{
+ struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct page *page;
+ int locked = 1;
+ int ret;
- if (__get_user_pages(current, current->mm, addr, 1,
- FOLL_FORCE | FOLL_DUMP | FOLL_GET, &page, &vma,
- NULL) < 1)
+ if (down_read_killable(&mm->mmap_sem))
+ return NULL;
+ ret = __get_user_pages_locked(current, mm, addr, 1, &page, &vma,
+ &locked,
+ FOLL_FORCE | FOLL_DUMP | FOLL_GET);
+ if (ret != 1) {
+ if (locked)
+ up_read(&mm->mmap_sem);
return NULL;
+ }
flush_cache_page(vma, addr, page_to_pfn(page));
+ up_read(&mm->mmap_sem);
return page;
}
--
2.26.2.303.gf8c07b1a785-goog
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-fsdevel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Oleg Nesterov <oleg@redhat.com>,
Russell King <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org,
Mark Salter <msalter@redhat.com>,
Aurelien Jacquiot <jacquiot.aurelien@gmail.com>,
linux-c6x-dev@linux-c6x.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
Rich Felker <dalias@libc.org>,
linux-sh@vger.kernel.org
Subject: [PATCH 5/5] mm/gup: Take mmap_sem in get_dump_page()
Date: Tue, 28 Apr 2020 05:27:45 +0200 [thread overview]
Message-ID: <20200428032745.133556-6-jannh@google.com> (raw)
In-Reply-To: <20200428032745.133556-1-jannh@google.com>
Properly take the mmap_sem before calling into the GUP code from
get_dump_page(); and play nice, allowing __get_user_pages_locked() to drop
the mmap_sem if it has to sleep.
This requires adjusting the check in __get_user_pages_locked() to be
slightly less strict: While `vmas != NULL` is normally incompatible with
the lock-dropping retry logic, it's fine if we only want a single page,
because then retries can only happen when we haven't grabbed any pages yet.
Signed-off-by: Jann Horn <jannh@google.com>
---
mm/gup.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/mm/gup.c b/mm/gup.c
index 9a7e83772f1fe..4bb4149c0e259 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1261,7 +1261,8 @@ static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
if (locked) {
/* if VM_FAULT_RETRY can be returned, vmas become invalid */
- BUG_ON(vmas);
+ if (WARN_ON(vmas && nr_pages != 1))
+ return -EFAULT;
/* check caller initialized locked */
BUG_ON(*locked != 1);
}
@@ -1548,18 +1549,28 @@ static long __get_user_pages_locked(struct task_struct *tsk,
* NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
* allowing a hole to be left in the corefile to save diskspace.
*
- * Called without mmap_sem, but after all other threads have been killed.
+ * Called without mmap_sem (takes and releases the mmap_sem by itself).
*/
struct page *get_dump_page(unsigned long addr)
{
+ struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct page *page;
+ int locked = 1;
+ int ret;
- if (__get_user_pages(current, current->mm, addr, 1,
- FOLL_FORCE | FOLL_DUMP | FOLL_GET, &page, &vma,
- NULL) < 1)
+ if (down_read_killable(&mm->mmap_sem))
+ return NULL;
+ ret = __get_user_pages_locked(current, mm, addr, 1, &page, &vma,
+ &locked,
+ FOLL_FORCE | FOLL_DUMP | FOLL_GET);
+ if (ret != 1) {
+ if (locked)
+ up_read(&mm->mmap_sem);
return NULL;
+ }
flush_cache_page(vma, addr, page_to_pfn(page));
+ up_read(&mm->mmap_sem);
return page;
}
--
2.26.2.303.gf8c07b1a785-goog
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Rich Felker <dalias@libc.org>,
linux-c6x-dev@linux-c6x.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
linux-sh@vger.kernel.org, linux-kernel@vger.kernel.org,
Oleg Nesterov <oleg@redhat.com>,
linux-mm@kvack.org, Alexander Viro <viro@zeniv.linux.org.uk>,
Mark Salter <msalter@redhat.com>,
linux-fsdevel@vger.kernel.org,
Russell King <linux@armlinux.org.uk>,
Aurelien Jacquiot <jacquiot.aurelien@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
linux-arm-kernel@lists.infradead.org,
"Eric W . Biederman" <ebiederm@xmission.com>
Subject: [PATCH 5/5] mm/gup: Take mmap_sem in get_dump_page()
Date: Tue, 28 Apr 2020 05:27:45 +0200 [thread overview]
Message-ID: <20200428032745.133556-6-jannh@google.com> (raw)
In-Reply-To: <20200428032745.133556-1-jannh@google.com>
Properly take the mmap_sem before calling into the GUP code from
get_dump_page(); and play nice, allowing __get_user_pages_locked() to drop
the mmap_sem if it has to sleep.
This requires adjusting the check in __get_user_pages_locked() to be
slightly less strict: While `vmas != NULL` is normally incompatible with
the lock-dropping retry logic, it's fine if we only want a single page,
because then retries can only happen when we haven't grabbed any pages yet.
Signed-off-by: Jann Horn <jannh@google.com>
---
mm/gup.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/mm/gup.c b/mm/gup.c
index 9a7e83772f1fe..4bb4149c0e259 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1261,7 +1261,8 @@ static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
if (locked) {
/* if VM_FAULT_RETRY can be returned, vmas become invalid */
- BUG_ON(vmas);
+ if (WARN_ON(vmas && nr_pages != 1))
+ return -EFAULT;
/* check caller initialized locked */
BUG_ON(*locked != 1);
}
@@ -1548,18 +1549,28 @@ static long __get_user_pages_locked(struct task_struct *tsk,
* NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
* allowing a hole to be left in the corefile to save diskspace.
*
- * Called without mmap_sem, but after all other threads have been killed.
+ * Called without mmap_sem (takes and releases the mmap_sem by itself).
*/
struct page *get_dump_page(unsigned long addr)
{
+ struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct page *page;
+ int locked = 1;
+ int ret;
- if (__get_user_pages(current, current->mm, addr, 1,
- FOLL_FORCE | FOLL_DUMP | FOLL_GET, &page, &vma,
- NULL) < 1)
+ if (down_read_killable(&mm->mmap_sem))
+ return NULL;
+ ret = __get_user_pages_locked(current, mm, addr, 1, &page, &vma,
+ &locked,
+ FOLL_FORCE | FOLL_DUMP | FOLL_GET);
+ if (ret != 1) {
+ if (locked)
+ up_read(&mm->mmap_sem);
return NULL;
+ }
flush_cache_page(vma, addr, page_to_pfn(page));
+ up_read(&mm->mmap_sem);
return page;
}
--
2.26.2.303.gf8c07b1a785-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-04-28 3:27 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 3:27 [PATCH 0/5] Fix ELF / FDPIC ELF core dumping, and use mmap_sem properly in there Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` [PATCH 1/5] binfmt_elf_fdpic: Stop using dump_emit() on user pointers on !MMU Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` [PATCH 2/5] coredump: Fix handling of partial writes in dump_emit() Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:35 ` Linus Torvalds
2020-04-28 3:35 ` Linus Torvalds
2020-04-28 3:35 ` Linus Torvalds
2020-04-28 3:35 ` Linus Torvalds
2020-04-28 5:52 ` Jann Horn
2020-04-28 5:52 ` Jann Horn
2020-04-28 5:52 ` Jann Horn
2020-04-28 5:52 ` Jann Horn
2020-04-28 16:40 ` Rob Landley
2020-04-28 16:40 ` Rob Landley
2020-04-28 16:40 ` Rob Landley
2020-04-28 16:40 ` Linus Torvalds
2020-04-28 16:40 ` Linus Torvalds
2020-04-28 16:40 ` Linus Torvalds
2020-04-28 16:40 ` Linus Torvalds
2020-04-28 3:27 ` [PATCH 3/5] coredump: Refactor page range dumping into common helper Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` [PATCH 4/5] binfmt_elf, binfmt_elf_fdpic: Use a VMA list snapshot Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn [this message]
2020-04-28 3:27 ` [PATCH 5/5] mm/gup: Take mmap_sem in get_dump_page() Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:27 ` Jann Horn
2020-04-28 3:50 ` Linus Torvalds
2020-04-28 3:50 ` Linus Torvalds
2020-04-28 3:50 ` Linus Torvalds
2020-04-28 3:50 ` Linus Torvalds
2020-04-28 6:10 ` Jann Horn
2020-04-28 6:10 ` Jann Horn
2020-04-28 6:10 ` Jann Horn
2020-04-28 6:10 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200428032745.133556-6-jannh@google.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=dalias@libc.org \
--cc=ebiederm@xmission.com \
--cc=hch@lst.de \
--cc=jacquiot.aurelien@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-c6x-dev@linux-c6x.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-sh@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=msalter@redhat.com \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.