On 07/24, Song Liu wrote: > > > > On Jul 24, 2019, at 4:37 AM, Oleg Nesterov <[email protected]> wrote: > > > > On 07/24, Song Liu wrote: > >> > >> lock_page(old_page); > >> @@ -177,15 +180,24 @@ static int __replace_page(struct vm_area_struct > >> *vma, unsigned long addr, > >> mmu_notifier_invalidate_range_start(&range); > >> err = -EAGAIN; > >> if (!page_vma_mapped_walk(&pvmw)) { > >> - mem_cgroup_cancel_charge(new_page, memcg, false); > >> + if (!orig) > >> + mem_cgroup_cancel_charge(new_page, memcg, false); > >> goto unlock; > >> } > >> VM_BUG_ON_PAGE(addr != pvmw.address, old_page); > >> > >> get_page(new_page); > >> - page_add_new_anon_rmap(new_page, vma, addr, false); > >> - mem_cgroup_commit_charge(new_page, memcg, false, false); > >> - lru_cache_add_active_or_unevictable(new_page, vma); > >> + if (orig) { > >> + lock_page(new_page); /* for page_add_file_rmap() */ > >> + page_add_file_rmap(new_page, false); > > > > > > Shouldn't we re-check new_page->mapping after lock_page() ? Or we can't > > race with truncate? > > We can't race with truncate, because the file is open as binary and > protected with DENYWRITE (ETXTBSY).
No. Yes, deny_write_access() protects mm->exe_file, but not the dynamic libraries or other files which can be mmaped. > > and I am worried this code can try to lock the same page twice... > > Say, the probed application does MADV_DONTNEED and then writes "int3" > > into vma->vm_file at the same address to fool verify_opcode(). > > > > Do you mean the case where old_page == new_page? Yes, > I think this won't > happen, because in uprobe_write_opcode() we only do orig_page for > !is_register case. See above. !is_register doesn't necessarily mean the original page was previously cow'ed. And even if it was cow'ed, MADV_DONTNEED can restore the original mapping. Oleg.
