Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp8492766ybi; Thu, 6 Jun 2019 13:19:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqxkjwPLe36nVgAUmi5L4VTof3sCxzLpXO6s9UpsIQjXBwIgFZRyuiE+ttNXvuSUWj3KV2m1 X-Received: by 2002:a17:902:3fa5:: with SMTP id a34mr50331069pld.317.1559852381193; Thu, 06 Jun 2019 13:19:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559852381; cv=none; d=google.com; s=arc-20160816; b=mmdObCbGDnZ2FfUYEZyAZknbLIUMHyT1kBOJ++h7U7b8qrL2mENtYjmgh+IJua4gkZ I83Nz/fVhRMSlmS9bNBrb3SuNLggMev5rMDuMpA9VzAzrLxT/o2pYQHXkSVvwr0Zd5Qn msnEjyCGt2crB9qU7UokOz+AYK62x6KmCqfiVpPJ4nb/qaXc7g1D7ykx8VckbeHdMXmW Iuw5j4CBVRPTQtwbeSkRxX5tM4XB1Ianou+Ku24KBBH//v5TkWrB+T56eaIQTYlMy9I3 kHP9IfXKrGjQ84QnZz5IpfjQIOTttxqGXKos39WLH409aOJR15t3ZxKe+5y5CapQGxoY x5Tg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=5CgWskb2VbYRiF6wwP1HFZ1ljOYTY784fqcWj3a/820=; b=nwsizK8ySGDXDZ89AP7FgqnI19q/qq9axAUUixhg3m6/86d+WlJYQ3w5fBZ0jW/WdK 5/vSKtBwVznZSJx7ZhjBuvhKqCR+asjHcogR6w+esRHSrzUvzv78hKajcwThs0/ecKmF qCawbFcrhGReFmpy6FxlYo8NpCxrrmPQJEUVG3dD862KQuXwnn/IX7RzU8IMIsy8mRyo vrRPVmq2L+b4bA/fUh2gsso3DvkAOLdIl9MIw9e6axukFbQtBQLmfPM8/bx21pn6Lw6q cbwaVWR0Jv3cAc3UEO2tjSIo6NVND7kbmzNC4lhiVzH4Nss8sLp9fQG/+hDVfPI+DQJs QZIw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w5si743pjt.86.2019.06.06.13.19.24; Thu, 06 Jun 2019 13:19:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728083AbfFFTzN (ORCPT + 99 others); Thu, 6 Jun 2019 15:55:13 -0400 Received: from mx2.suse.de ([195.135.220.15]:56808 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727512AbfFFTzN (ORCPT ); Thu, 6 Jun 2019 15:55:13 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id DACD6AD8A; Thu, 6 Jun 2019 19:55:11 +0000 (UTC) Date: Thu, 6 Jun 2019 21:55:05 +0200 From: Michal Hocko To: Ajay Kaher Cc: Stable tree , Greg KH , "linux-mm@kvack.org" , LKML , Andrea Arcangeli , Jann Horn , Oleg Nesterov , Peter Xu , Mike Rapoport , Jason Gunthorpe , Andrew Morton , Linus Torvalds , Joel Fernandes , Srivatsa Bhat Subject: Re: [RFC PATCH stable-4.4] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Message-ID: <20190606195505.GA7047@dhcp22.suse.cz> References: <5756B041-C0A8-4178-9F5B-7CBF7A554E31@vmware.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5756B041-C0A8-4178-9F5B-7CBF7A554E31@vmware.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 06-06-19 19:42:20, Ajay Kaher wrote: > > > From: Andrea Arcangeli > > > > Upstream 04f5866e41fb70690e28397487d8bd8eea7d712a commit. > > > > > > Signed-off-by: Michal Hocko > > --- > > Hi, > > this is based on the backport I have done for out 4.4 based distribution > > kernel. Please double check that I haven't missed anything before > > applying to the stable tree. I have also CCed Joel for the binder part > > which is not in the current upstream anymore but I believe it needs the > > check as well. > > > > Review feedback welcome. > > > > drivers/android/binder.c | 6 ++++++ > > fs/proc/task_mmu.c | 18 ++++++++++++++++++ > > fs/userfaultfd.c | 10 ++++++++-- > > include/linux/mm.h | 21 +++++++++++++++++++++ > > mm/huge_memory.c | 2 +- > > mm/mmap.c | 7 ++++++- > > 6 files changed, 60 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > index 260ce0e60187..1fb1cddbd19a 100644 > > --- a/drivers/android/binder.c > > +++ b/drivers/android/binder.c > > @@ -570,6 +570,12 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, > > > > if (mm) { > > down_write(&mm->mmap_sem); > > + if (!mmget_still_valid(mm)) { > > + if (allocate == 0) > > + goto free_range; > > Please cross check, free_range: should not end-up with modifications in vma. A review from a binder expert is definitely due but this function clearly modifies the vma. Maybe the mapping is not really that important because the coredump would simply not see the new mapping and therefore "only" generate an incomplete/corrupted dump rather than leak an information. I went with a "just to be sure" approach and add the check to all locations which might be operating on a remote mm and modify the address space. -- Michal Hocko SUSE Labs