Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1561917pxk; Thu, 10 Sep 2020 20:09:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzUXW0DndNdvZrw9sgkBO3Xuz3GearOSeBpYZ5CtWqE6Bi57NX8R0ZftP2QkQsn5os6t3Iu X-Received: by 2002:a50:d802:: with SMTP id o2mr12903265edj.152.1599793752387; Thu, 10 Sep 2020 20:09:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599793752; cv=none; d=google.com; s=arc-20160816; b=SW5hDQTogatNYswxNvHZfFjR3tIdjdo4CfmE1Awxw21Wq8ynCbRXrjwDx4ef2EZmk5 EMi2DJwNqZi867MwQTTgvxCQWAUmN57lAMjD+1dWkgRy02BpnkjGnAk6mdUaLRJY+NvK eoeLObptiHRz90/QviStlBHOivFbse8m7b60QvfrPY4L14TrXf2Plf0Q1lOa9n6jFlqh opES9Oh2muLbKuyd+nyCWZBhEV5BAJiSevbbI6YHZUxg9+Xk3/24ehtxV/2M3snwOKJF kEW/zChL0G/MIdyQFYw3n+D0ETYm8fWYIins+tAWITWF2+t6+0UNyn3/O49qTXgHsCRl QtlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=LRvgh7xT8c341pFXvQMf59Y/vyKAqow7gzK3SkaD0gA=; b=hNnMueM1QR0781Xdms5cHx4NF/9mMaAa5P09M5sDvc6OJEouAo87pm3U9MoRWYWWzi hKRKwqrlYlLVr1u4cY1M4L7zP1pSWWd8L9dlL22XjNlqRRrLby9ZYqm8yvF3OVPrqIqR zS8hYwoxCywC12IOJMeyK7LumoOZ/L0bQtvKPSWXDfx2ZuiCuOmvoyWwuJJ+V+ELLXwl tEy6EzdLNbGoo9yzfQk0JCBeD0abGelPq/BtDhTGFG5r/xksNL2gbyvu1BgbXlYI5h2Y PrfClMa3JwXBrupaVkr+Gih8jImLP1OYvfxqbjgi77szVEfLD5Nl+KuPg/dNimeTKpUK PTRQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b20si413372ejk.275.2020.09.10.20.08.47; Thu, 10 Sep 2020 20:09:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725497AbgIKDFY (ORCPT + 99 others); Thu, 10 Sep 2020 23:05:24 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:52823 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725300AbgIKDFX (ORCPT ); Thu, 10 Sep 2020 23:05:23 -0400 Received: by mail-wm1-f66.google.com with SMTP id q9so3053023wmj.2 for ; Thu, 10 Sep 2020 20:05:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LRvgh7xT8c341pFXvQMf59Y/vyKAqow7gzK3SkaD0gA=; b=o79YzdfLur5u+sxsKsXZRs2ChTE21mrR347nnRY8b25tSQjUQ7xmB7i3yRzv2oPa/C +oSyw3v8x1lo0zU2wCaYmfhPEc6R5BJ+76o5rM7EIdNFF06nI9CUhB4NfEq26BZJBVoS FbieYILSJyq9Wf22+cMUTB6m4KEmdfLitRPvHvy1jSkfczPVfMQz0TO4PYyWxYgPeR/q nvC9yC6IfBkKLAEhXbJrJnFIv3Ct3m7nDzBMBArKT4KlMOZ7r7MhzzegoPpFFpTQf0e1 0DRE0ZKamHgY29yWDWz9JsFwUD0d0zSQPfiRVlFYu47zy2oy1XeqT+D7ahnZz5a9gmeJ IkPg== X-Gm-Message-State: AOAM5334MGSwRQBUEl9Ei77MgC+3/NjAljRerPv5w2HihcbIkdk9nQKi rgkz26rirO0I3tpaMQqkw3Hj69Oz7roSfCDTqwE= X-Received: by 2002:a7b:c404:: with SMTP id k4mr2922917wmi.168.1599793521756; Thu, 10 Sep 2020 20:05:21 -0700 (PDT) MIME-Version: 1.0 References: <20200910104153.1672460-1-jolsa@kernel.org> <20200910144744.GA1663813@krava> In-Reply-To: <20200910144744.GA1663813@krava> From: Namhyung Kim Date: Fri, 11 Sep 2020 12:05:10 +0900 Message-ID: Subject: Re: [PATCH] perf: Fix race in perf_mmap_close function To: Jiri Olsa Cc: Jiri Olsa , Peter Zijlstra , Arnaldo Carvalho de Melo , lkml , Ingo Molnar , Alexander Shishkin , Michael Petlan , Wade Mealing Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jiri, On Thu, Sep 10, 2020 at 11:50 PM Jiri Olsa wrote: > > On Thu, Sep 10, 2020 at 10:48:02PM +0900, Namhyung Kim wrote: > > SNIP > > > > _do_fork+0x83/0x3a0 > > > __do_sys_wait4+0x83/0x90 > > > __do_sys_clone+0x85/0xa0 > > > do_syscall_64+0x5b/0x1e0 > > > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > > > > > Using atomic decrease and check instead of separated calls. > > > This fixes CVE-2020-14351. > > > > > > Signed-off-by: Jiri Olsa > > > --- > > > kernel/events/core.c | 4 +--- > > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > > > diff --git a/kernel/events/core.c b/kernel/events/core.c > > > index 7ed5248f0445..29313cc54d9e 100644 > > > --- a/kernel/events/core.c > > > +++ b/kernel/events/core.c > > > @@ -5903,8 +5903,6 @@ static void perf_mmap_close(struct vm_area_struct *vma) > > > mutex_unlock(&event->mmap_mutex); > > > } > > > > > > - atomic_dec(&rb->mmap_count); > > > - > > > if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex)) > > > goto out_put; > > > > But when it takes the goto, rb->mmap_count won't decrement anymore.. > > event->mmap_count is per event, so if we have have race in here, > 2 threads can go through with each event->mmap_count reaching zero Maybe I'm missing something. But as far as I can see, perf_mmap_close() always decremented both rb->mmap_count and event->mmap_count. But with this change, it seems not decrement rb->mmap_count when event->mmap_count doesn't go to zero, right? Thanks Namhyung