Re: [PATCH v4 3.0-rc2-tip 7/22] 7: uprobes: mmap and fork hooks.

From: Peter Zijlstra
Date: Thu Jun 16 2011 - 14:24:17 EST


On Thu, 2011-06-16 at 18:30 +0530, Srikar Dronamraju wrote:

> Now since register and mmap operations can run in parallel, we could
> have subtle race conditions like this:
>
> 1. register_uprobe inserts the uprobe in the RB tree.
> 2. register_uprobe loops through vmas and inserts breakpoints.
>
> 3. mmap is called for the same inode, mmap_uprobe() takes a reference;
> 4. mmap completes insertion and releases the reference.
>
> 5. register_uprobe tries to install a breakpoint on one vma and fails, not
> due to -ESRCH or -EEXIST.
> 6. register_uprobe rolls back all installed breakpoints except the one
> inserted by mmap.
>
> We end up with breakpoints that we have inserted but haven't cleared.
>
> Similarly unregister_uprobe might be looping to remove the breakpoints
> when mmap comes in, installs the breakpoint and returns.
> unregister_uprobe might erase the uprobe from the rbtree after mmap is done.

Well yes, but that's mostly because of how you use those lists.

int __register_uprobe(...)
{
	int ret;

	uprobe = alloc_uprobe(...); // find or insert in tree

	vma_prio_tree_foreach(..) {
		// get mm ref, add to list blah blah
	}

	list_for_each_entry_safe() {
		// del from list etc..
		down_read(mm->mmap_sem);
		ret = install_breakpoint();
		up_read(..);
		// only -ESRCH / -EEXIST are benign; anything else aborts
		if (ret && ret != -ESRCH && ret != -EEXIST)
			goto fail;
	}

	return 0;

fail:
	list_for_each_entry_safe() {
		// del from list, put mm
	}

	return ret;
}

void __unregister_uprobe(...)
{
	uprobe = find_uprobe(); // ref++
	if (delete_consumer(...)) // includes tree removal on last consumer,
		return;               // which implies we own the last ref;
	                          // nonzero: other consumers remain, done

	vma_prio_tree_foreach() {
		// create list
	}

	list_for_each_entry_safe() {
		// remove from list
		remove_breakpoint(); // unconditional, if it wasn't there
		                     // it's a nop anyway, can't get any
		                     // new probes on account of holding
		                     // uprobes_mutex and mmap() doesn't see
		                     // it due to tree removal.
	}
}

int register_uprobe(...)
{
	int ret;

	mutex_lock(&uprobes_mutex);
	ret = __register_uprobe(...);
	if (ret) // roll back everything, including what mmap() installed
		__unregister_uprobe(...);
	mutex_unlock(&uprobes_mutex);

	return ret;
}

int mmap_uprobe(...)
{
	int ret;

	spin_lock(&uprobes_treelock);
	for_each_probe_in_inode() {
		// create list;
	}
	spin_unlock(..);

	list_for_each_entry_safe() {
		// remove from list
		ret = install_breakpoint();
		if (ret)
			goto fail;
		if (!uprobe_still_there()) // takes treelock
			remove_breakpoint();
	}

	return 0;

fail:
	list_for_each_entry_safe() {
		// destroy list
	}
	return ret;
}

Should work I think, no?
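To see why the unconditional remove_breakpoint() in __unregister_uprobe() closes the hole Srikar describes, here is an added toy model (not kernel code, not from this thread): a handful of "mms" stand in for the vmas of one inode, the RB tree is a single flag, and the register/mmap interleaving from steps 1-6 is driven by hand. NR_MM, bp_installed, in_tree and replay_race are all constructed names.

```c
/* Constructed toy model of the quoted race (not kernel code): NR_MM "mms"
 * stand in for the vmas of one inode and the RB tree is a single flag. */
#include <stdbool.h>
#define NR_MM 3
static bool bp_installed[NR_MM];  /* breakpoint present in each mm */
static bool in_tree;              /* uprobe present in the RB tree */

static int install_breakpoint(int mm)
{
	if (mm == 1)
		return -1;                /* an error other than -ESRCH/-EEXIST */
	bp_installed[mm] = true;
	return 0;
}

/* mmap_uprobe() as sketched above: install, then re-check the tree. */
static int mmap_uprobe(int mm)
{
	if (!in_tree)
		return 0;                 /* nothing registered for this inode */
	if (install_breakpoint(mm))
		return -1;
	if (!in_tree)                 /* uprobe_still_there() lost the race */
		bp_installed[mm] = false;
	return 0;
}

/* Replays steps 1-6: mmap hits mm 2 while the register loop sits between
 * mm 0 and mm 1, then installing on mm 1 fails.  Rollback either touches
 * only what register installed, or removes on every mm unconditionally
 * like __unregister_uprobe().  Returns the breakpoints left behind. */
static int replay_race(bool rollback_only_own)
{
	bool mine[NR_MM] = { false };
	int mm, ret = 0, leaked = 0;
	in_tree = true;                           /* step 1 */
	for (mm = 0; mm < NR_MM && !ret; mm++) {  /* step 2 */
		if (mm == 1)
			mmap_uprobe(2);                   /* steps 3 and 4 */
		ret = install_breakpoint(mm);         /* step 5: fails on mm 1 */
		mine[mm] = !ret;
	}
	if (ret)
		in_tree = false;                      /* step 6: tree removal */
	for (mm = 0; mm < NR_MM; mm++) {
		if (ret && (mine[mm] || !rollback_only_own))
			bp_installed[mm] = false;         /* remove_breakpoint() */
		leaked += bp_installed[mm];
		bp_installed[mm] = false;             /* reset for the next replay */
	}
	return leaked;
}
```

replay_race(true) reproduces the leak (the breakpoint mmap installed on mm 2 survives); replay_race(false) leaves nothing behind.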