Received: by 10.213.65.68 with SMTP id h4csp722784imn;
        Fri, 6 Apr 2018 07:52:28 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49nQzVfqvPDl5/VpaCYx0NEjby2iBCdcdbvOVUiRJJ1nKaPdQCgWdsunUrQXkhXlDQVBFjE
X-Received: by 10.101.90.68 with SMTP id z4mr18116096pgs.184.1523026348723;
        Fri, 06 Apr 2018 07:52:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523026348; cv=none;
        d=google.com; s=arc-20160816;
        b=dLPQg8wHwU9cSYAFPndDUQeXb181St0RwvkRTOOLsBce8yV8CfqSFmSqIKlW+VXTY+
         ks3CNMnAvmwgWwXW68MjTahCzS70PRWOtySYewPOsFj4+TPcBCqBw51QchgDOTBOcpNH
         sBEMfVKubBW3BAeBGnS30tpjkuupDbO37qprZ8iH1WlgCm2zatixSPx/WC+gOxDIhsq4
         cg3X3craIdl88ASmyem78ooNLoaqAcJLP8noQJAWwGo24A1TEy4UZydKkAVXjAr53Ed9
         B6zoDD2NpkNCuZEVcm7S8EGeTmdlG9SnW0lL2PkFV4kr8tGyDYtfyb27zDIbhRcYs8sV
         Q/jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=iYQmafe4lMDyyC+VtKJ8jXKLTjLwk4Ezbl8KAU49PgQ=;
        b=RGUPL9O3W+dLBZ/fGihjNomI7nn/4svlRXWPqWMz1YLmv+h2S9W4j20a0VWycTdVOs
         YbDH2dAyND+OewA3da15tI3+inRIH2Jgalpmr5SikrdjaPcip4MW5gTa8qTMf1Hwv1sE
         4l/FKYpPHeqlUlwhFoJrqqJSN4kC4H8vTxTcE4+IlhcblQmDIG+bcp9X+Ab/gvkgZfWk
         hwc+Wa0c0ZvZv3t29b+v5+YSnLrA6RerQ56GUJ/tCVom+JLF+XInQTgDcC4PC5Fnuggc
         Ryn7JH6+wPJdL4dRLg0I1J+iC86wVYWCnetzNpJxnCmWW4XQ/x7A9Tn0YP0YrcqQ1XoK
         atrw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e127si7993037pfc.315.2018.04.06.07.52.14;
        Fri, 06 Apr 2018 07:52:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755450AbeDFNcw (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Fri, 6 Apr 2018 09:32:52 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:57666 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755363AbeDFNcu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 09:32:50 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id C46DC8A5;
        Fri,  6 Apr 2018 13:32:49 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Masami Hiramatsu <mhiramat@kernel.org>,
        "Steven Rostedt (VMware)" <rostedt@goodmis.org>,
        Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.9 012/102] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
Date:   Fri,  6 Apr 2018 15:22:53 +0200
Message-Id: <20180406084333.316876044@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180406084331.507038179@linuxfoundation.org>
References: <20180406084331.507038179@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit c93f5cf571e7795f97d49ef51b766cf25e328545 upstream.

Fix kprobes to set(recover) RWX bits correctly on trampoline
buffer before releasing it. Releasing readonly page to
module_memfree() crash the kernel.

Without this fix, if kprobes user register a bunch of kprobes
in function body (since kprobes on function entry usually
use ftrace) and unregister it, kernel hits a BUG and crash.

Link: http://lkml.kernel.org/r/149570868652.3518.14120169373590420503.stgit@devbox

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kprobes/core.c |    9 +++++++++
 kernel/kprobes.c               |    2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -51,6 +51,7 @@
 #include <linux/ftrace.h>
 #include <linux/frame.h>
 #include <linux/kasan.h>
+#include <linux/moduleloader.h>
 
 #include <asm/text-patching.h>
 #include <asm/cacheflush.h>
@@ -405,6 +406,14 @@ int __copy_instruction(u8 *dest, u8 *src
 	return length;
 }
 
+/* Recover page to RW mode before releasing it */
+void free_insn_page(void *page)
+{
+	set_memory_nx((unsigned long)page & PAGE_MASK, 1);
+	set_memory_rw((unsigned long)page & PAGE_MASK, 1);
+	module_memfree(page);
+}
+
 static int arch_copy_kprobe(struct kprobe *p)
 {
 	int ret;
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
 	return module_alloc(PAGE_SIZE);
 }
 
-static void free_insn_page(void *page)
+void __weak free_insn_page(void *page)
 {
 	module_memfree(page);
 }