Hi Geert, On Mon, 2014-04-21 at 09:52 +0200, Geert Uytterhoeven wrote: > Hi David, > > On Mon, Apr 21, 2014 at 12:28 AM, Davidlohr Bueso <davidlohr@xxxxxx> wrote: > > On Sun, 2014-04-20 at 10:04 +0200, Geert Uytterhoeven wrote: > >> On Sun, Apr 20, 2014 at 4:26 AM, Davidlohr Bueso <davidlohr@xxxxxx> wrote: > >> > Performing vma lookups without taking the mm->mmap_sem is asking > >> > for trouble. While doing the search, the vma in question can be > >> > modified or even removed before returning to the caller. Take the > >> > lock (shared) in order to avoid races while iterating through > >> > the vmacache and/or rbtree. > >> > >> Thanks for your patch! > >> > >> > This patch is completely *untested*. > >> > > >> > Signed-off-by: Davidlohr Bueso <davidlohr@xxxxxx> > >> > Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> > >> > Cc: linux-m68k@xxxxxxxxxxxxxxxxxxxx > >> > --- > >> > arch/m68k/kernel/sys_m68k.c | 18 ++++++++++++------ > >> > 1 file changed, 12 insertions(+), 6 deletions(-) > >> > > >> > diff --git a/arch/m68k/kernel/sys_m68k.c b/arch/m68k/kernel/sys_m68k.c > >> > index 3a480b3..d2263a0 100644 > >> > --- a/arch/m68k/kernel/sys_m68k.c > >> > +++ b/arch/m68k/kernel/sys_m68k.c > >> > @@ -376,7 +376,6 @@ cache_flush_060 (unsigned long addr, int scope, int cache, unsigned long len) > >> > asmlinkage int > >> > sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) > >> > { > >> > - struct vm_area_struct *vma; > >> > int ret = -EINVAL; > >> > > >> > if (scope < FLUSH_SCOPE_LINE || scope > FLUSH_SCOPE_ALL || > >> > @@ -389,16 +388,23 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) > >> > if (!capable(CAP_SYS_ADMIN)) > >> > goto out; > >> > } else { > >> > + struct vm_area_struct *vma; > >> > + bool invalid; > >> > + > >> > + /* Check for overflow. */ > >> > + if (addr + len < addr) > >> > + goto out; > >> > + > >> > /* > >> > * Verify that the specified address region actually belongs > >> > * to this process. > >> > */ > >> > - vma = find_vma (current->mm, addr); > >> > ret = -EINVAL; > >> > - /* Check for overflow. */ > >> > - if (addr + len < addr) > >> > - goto out; > >> > - if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) > >> > + down_read(¤t->mm->mmap_sem); > >> > + vma = find_vma(current->mm, addr); > >> > + invalid = !vma || addr < vma->vm_start || addr + len > vma->vm_end; > >> > + up_read(¤t->mm->mmap_sem); > >> > + if (invalid) > >> > goto out; > >> > } > >> > >> Shouldn't the up_read() be moved to the end of the function? > >> The vma may still be modified or destroyed between the call to find_vma(), > >> and the actual cache flush? > > > > I don't think so. afaict the vma is only searched to check upon validity > > for the address being passed. Once the sem is dropped, the call doesn't > > do absolutely anything else with the returned vma. > > The function indeed doesn't do anything anymore with the vma itself, but > it does do something with the addr/len pair, which may no longer match > with the vma if it changes after the up_read(). I.e. the address may no longer > be valid when the cache is actually flushed. Apologies for the delay, I completely forgot about this. So I wasn't sure if we *really* required to serialize the entire address space for this operation. However, looking at other archs, sh seems to do exactly that, so I guess, at least for safety, we should hold the lock until we exit the function. I guess taking it as a reader enables us to guarantee it won't be removed underneath us. So here's v2. Thanks, Davidlohr 8<------------------------------------------------------------------------- From: Davidlohr Bueso <davidlohr@xxxxxx> Subject: [PATCH v2] m68k: call find_vma with the mmap_sem held in sys_cacheflush() Performing vma lookups without taking the mm->mmap_sem is asking for trouble. While doing the search, the vma in question can be modified or even removed before returning to the caller. Take the lock (shared) in order to avoid races while iterating through the vmacache and/or rbtree. In addition, this guarantees that the address space will remain intact during the CPU flushing. Signed-off-by: Davidlohr Bueso <davidlohr@xxxxxx> --- Completely untested patch. arch/m68k/kernel/sys_m68k.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/arch/m68k/kernel/sys_m68k.c b/arch/m68k/kernel/sys_m68k.c index 3a480b3..9aa01ad 100644 --- a/arch/m68k/kernel/sys_m68k.c +++ b/arch/m68k/kernel/sys_m68k.c @@ -376,7 +376,6 @@ cache_flush_060 (unsigned long addr, int scope, int cache, unsigned long len) asmlinkage int sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) { - struct vm_area_struct *vma; int ret = -EINVAL; if (scope < FLUSH_SCOPE_LINE || scope > FLUSH_SCOPE_ALL || @@ -389,17 +388,21 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) if (!capable(CAP_SYS_ADMIN)) goto out; } else { + struct vm_area_struct *vma; + + /* Check for overflow. */ + if (addr + len < addr) + goto out; + /* * Verify that the specified address region actually belongs * to this process. */ - vma = find_vma (current->mm, addr); ret = -EINVAL; - /* Check for overflow. */ - if (addr + len < addr) - goto out; - if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) - goto out; + down_read(¤t->mm->mmap_sem); + vma = find_vma(current->mm, addr); + if (!vma || addr < vma->vm_start || addr + len > vma->vm_end) + goto out_unlock; } if (CPU_IS_020_OR_030) { @@ -429,7 +432,7 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) __asm__ __volatile__ ("movec %0, %%cacr" : : "r" (cacr)); } ret = 0; - goto out; + goto out_unlock; } else { /* * 040 or 060: don't blindly trust 'scope', someone could @@ -446,6 +449,8 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) ret = cache_flush_060 (addr, scope, cache, len); } } +out_unlock: + up_read(¤t->mm->mmap_sem); out: return ret; } -- 1.8.1.4 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>