ANDROID: reimplement vm_file protection during speculative page fault
Use vma->vm_file refcounting to protect the file during speculative page fault handling. Bug: 258731892 Change-Id: I222c23785391bea7d95c4506d70d6f68029ec45f Signed-off-by: Suren Baghdasaryan <surenb@google.com>
@@ -542,6 +542,7 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
|
||||
unsigned int mm_flags = FAULT_FLAG_DEFAULT;
|
||||
unsigned long addr = untagged_addr(far);
|
||||
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
||||
struct file *orig_file = NULL;
|
||||
struct vm_area_struct *vma;
|
||||
struct vm_area_struct pvma;
|
||||
unsigned long seq;
|
||||
@@ -629,17 +630,26 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
|
||||
count_vm_spf_event(SPF_ABORT_NO_SPECULATE);
|
||||
goto spf_abort;
|
||||
}
|
||||
if (vma->vm_file)
|
||||
orig_file = get_file(vma->vm_file);
|
||||
pvma = *vma;
|
||||
rcu_read_unlock();
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY))
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY)) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
goto spf_abort;
|
||||
}
|
||||
vma = &pvma;
|
||||
if (!(vma->vm_flags & vm_flags)) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
|
||||
goto spf_abort;
|
||||
}
|
||||
fault = do_handle_mm_fault(vma, addr & PAGE_MASK,
|
||||
mm_flags | FAULT_FLAG_SPECULATIVE, seq, regs);
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
|
||||
/* Quick path to respond to signals */
|
||||
if (fault_signal_pending(fault, regs)) {
|
||||
|
||||
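Review bot: `orig_file = get_file(vma->vm_file)` (L43) is an unconditional increment on a pointer read under the RCU read lock, while the matching `fput()` that used to run in the RCU-deferred `____vm_area_free()` now runs eagerly in `vm_area_free()` (fork.c hunk, L395–L398), so a reader that has already loaded `vma` can see a `vm_file` whose last reference is gone and resurrect a file whose release is already scheduled; the later `fput(orig_file)` then drops it a second time. The `mmap_seq_read_check()` on the following lines runs only after the increment, so it cannot catch this. Unless something outside these hunks still pins the file across the RCU section, the pin should use the not-zero form, `get_file_rcu()`, and abort the speculative path when it fails; the same pattern appears in the powerpc hunk (L149–L152) and the x86 hunk (L285–L288). The abort below mirrors the existing in-RCU abort just above it; whether `spf_abort` expects the RCU read lock to still be held is outside the hunk, as is the rest of do_page_fault's body.
```c
	if (vma->vm_file) {
		/*
		 * vm_file may lose its last reference while we are inside the
		 * RCU read section; only a not-zero increment may pin it.
		 */
		if (!get_file_rcu(vma->vm_file)) {
			count_vm_spf_event(SPF_ABORT_VMA_COPY);
			goto spf_abort;
		}
		orig_file = vma->vm_file;
	}
	pvma = *vma;
	rcu_read_unlock();
	/* … unchanged: mmap_seq_read_check, access check, do_handle_mm_fault … */
```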
@@ -395,6 +395,7 @@ static int ___do_page_fault(struct pt_regs *regs, unsigned long address,
|
||||
vm_fault_t fault, major = 0;
|
||||
bool kprobe_fault = kprobe_page_fault(regs, 11);
|
||||
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
||||
struct file *orig_file = NULL;
|
||||
struct vm_area_struct pvma;
|
||||
unsigned long seq;
|
||||
#endif
|
||||
@@ -480,24 +481,35 @@ static int ___do_page_fault(struct pt_regs *regs, unsigned long address,
|
||||
count_vm_spf_event(SPF_ABORT_NO_SPECULATE);
|
||||
goto spf_abort;
|
||||
}
|
||||
if (vma->vm_file)
|
||||
orig_file = get_file(vma->vm_file);
|
||||
pvma = *vma;
|
||||
rcu_read_unlock();
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY))
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY)) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
goto spf_abort;
|
||||
}
|
||||
vma = &pvma;
|
||||
#ifdef CONFIG_PPC_MEM_KEYS
|
||||
if (unlikely(access_pkey_error(is_write, is_exec,
|
||||
(error_code & DSISR_KEYFAULT), vma))) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
|
||||
goto spf_abort;
|
||||
}
|
||||
#endif /* CONFIG_PPC_MEM_KEYS */
|
||||
if (unlikely(access_error(is_write, is_exec, vma))) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
|
||||
goto spf_abort;
|
||||
}
|
||||
fault = do_handle_mm_fault(vma, address,
|
||||
flags | FAULT_FLAG_SPECULATIVE, seq, regs);
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
major |= fault & VM_FAULT_MAJOR;
|
||||
|
||||
if (fault_signal_pending(fault, regs))
|
||||
|
||||
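Review bot: The release `if (orig_file) fput(orig_file);` is now duplicated on four paths in this hunk (L167–L170, L191–L194, L212–L215, L233–L236), and every future abort added between `rcu_read_unlock()` and `do_handle_mm_fault()` has to remember to repeat it or it leaks a file reference. A single release point reads more safely: route the post-unlock aborts through one label placed next to `spf_abort`, e.g. `spf_put_file:` / `if (orig_file) fput(orig_file);` / `goto spf_abort;`, and keep only the success-path `fput()` after `do_handle_mm_fault()`. The arm64 and x86 hunks have the same four-way duplication. `spf_abort` itself and the end of ___do_page_fault are outside the hunk.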
@@ -1227,6 +1227,7 @@ void do_user_addr_fault(struct pt_regs *regs,
|
||||
vm_fault_t fault;
|
||||
unsigned int flags = FAULT_FLAG_DEFAULT;
|
||||
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
||||
struct file *orig_file = NULL;
|
||||
struct vm_area_struct pvma;
|
||||
unsigned long seq;
|
||||
#endif
|
||||
@@ -1353,17 +1354,26 @@ void do_user_addr_fault(struct pt_regs *regs,
|
||||
count_vm_spf_event(SPF_ABORT_NO_SPECULATE);
|
||||
goto spf_abort;
|
||||
}
|
||||
if (vma->vm_file)
|
||||
orig_file = get_file(vma->vm_file);
|
||||
pvma = *vma;
|
||||
rcu_read_unlock();
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY))
|
||||
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY)) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
goto spf_abort;
|
||||
}
|
||||
vma = &pvma;
|
||||
if (unlikely(access_error(error_code, vma))) {
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
|
||||
goto spf_abort;
|
||||
}
|
||||
fault = do_handle_mm_fault(vma, address,
|
||||
flags | FAULT_FLAG_SPECULATIVE, seq, regs);
|
||||
if (orig_file)
|
||||
fput(orig_file);
|
||||
|
||||
if (!(fault & VM_FAULT_RETRY))
|
||||
goto done;
|
||||
|
||||
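Review bot: Nothing in the hunk says why a file reference is taken before the `pvma` copy (L285–L291), and a reader who sees `fput(orig_file)` on every path afterwards may take it for an ordinary open/close pair rather than a lifetime guarantee for the copied pointer. A comment above the `if (vma->vm_file)` line would make the contract explicit: `/* pvma holds a raw vm_file pointer that outlives the RCU section; pin the file until we are done with the copy (fput on every path below) */`. The same comment belongs at the equivalent lines in the arm64 and powerpc hunks. do_user_addr_fault continues outside the hunk.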
@@ -383,8 +383,6 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
|
||||
|
||||
static inline void ____vm_area_free(struct vm_area_struct *vma)
|
||||
{
|
||||
if (vma->vm_file)
|
||||
fput(vma->vm_file);
|
||||
kmem_cache_free(vm_area_cachep, vma);
|
||||
}
|
||||
|
||||
@@ -400,6 +398,8 @@ static void __vm_area_free(struct rcu_head *head)
|
||||
void vm_area_free(struct vm_area_struct *vma)
|
||||
{
|
||||
free_anon_vma_name(vma);
|
||||
if (vma->vm_file)
|
||||
fput(vma->vm_file);
|
||||
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
||||
if (atomic_read(&vma->vm_mm->mm_users) > 1) {
|
||||
call_rcu(&vma->vm_rcu, __vm_area_free);
|
||||
|
||||