lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 05 Aug 2009 15:02:20 -0700
From:	Darren Hart <dvhltc@...ibm.com>
To:	linux-rt-users@...r.kernel.org, linux-kernel@...r.kernel.org
CC:	tglx@...utronix.de, peterz@...radead.org, rostedt@...dmis.org,
	mingo@...e.hu, dino@...ibm.com, johnstul@...ibm.com,
	John Kacur <jkacur@...hat.com>
Subject: [PATCH 1/2] Update woken requeued futex_q lock_ptr

futex_requeue() can acquire the lock on behalf of a waiter during the requeue
loop in the event of a lock steal or owner died. futex_wait_requeue_pi() cleans
up the pi_state owner, using the lock_ptr to protect against concurrent access
to the pi_state.  The pi_state is found on the requeue target futex hash bucket
so the lock_ptr needs to be updated accordingly.  The problem manifested by
triggering the WARN_ON in lookup_pi_state() about the pid != pi_state->owner
pid. 

The astute reviewer will note that still exists a race between the time
futex_requeue() releases hb2->lock() and the time when futex_wait_requeue_pi()
acquires it.  During this time the pi_state and the futex uaddr are not in sync
with the rt_mutex ownership.  This patch closes the window to the point where
my tests now pass, but we still need to address it.

Note: Please apply to mainline and rt

Signed-off-by: Darren Hart <dvhltc@...ibm.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Steven Rostedt <rostedt@...dmis.org>
Cc: Ingo Molnar <mingo@...e.hu>
CC: Dinakar Guniguntala <dino@...ibm.com>
CC: John Stultz <johnstul@...ibm.com>
CC: John Kacur <jkacur@...hat.com>

Index: 2.6.31-rc4-rt1/kernel/futex.c
===================================================================
--- 2.6.31-rc4-rt1.orig/kernel/futex.c	2009-08-05 10:00:56.000000000 -0700
+++ 2.6.31-rc4-rt1/kernel/futex.c	2009-08-05 10:29:56.000000000 -0700
@@ -1059,19 +1059,24 @@ void requeue_futex(struct futex_q *q, st
  * requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue
  * q:	the futex_q
  * key:	the key of the requeue target futex
+ * hb:  the hash_bucket of the requeue target futex
  *
  * During futex_requeue, with requeue_pi=1, it is possible to acquire the
  * target futex if it is uncontended or via a lock steal.  Set the futex_q key
  * to the requeue target futex so the waiter can detect the wakeup on the right
  * futex, but remove it from the hb and NULL the rt_waiter so it can detect
- * atomic lock acquisition.  Must be called with the q->lock_ptr held.
+ * atomic lock acquisition.  Set the q->lock_ptr to the requeue target hb->lock
+ * to protect access to the pi_state to fixup the owner later.  Must be called
+ * with the q->lock_ptr held.
  */
 static inline
-void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key)
+void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+			   struct futex_hash_bucket *hb)
 {
 	drop_futex_key_refs(&q->key);
 	get_futex_key_refs(key);
 	q->key = *key;
+	q->lock_ptr = &hb->lock;
 
 	WARN_ON(plist_node_empty(&q->list));
 	plist_del(&q->list, &q->list.plist);
@@ -1137,7 +1142,7 @@ static int futex_proxy_trylock_atomic(u3
 	ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
 				   set_waiters);
 	if (ret == 1)
-		requeue_pi_wake_futex(top_waiter, key2);
+		requeue_pi_wake_futex(top_waiter, key2, hb2);
 
 	return ret;
 }
@@ -1323,7 +1328,7 @@ retry_private:
 							this->task, 1);
 			if (ret == 1) {
 				/* We got the lock. */
-				requeue_pi_wake_futex(this, &key2);
+				requeue_pi_wake_futex(this, &key2, hb2);
 				continue;
 			} else if (ret) {
 				/* -EDEADLK */

-- 
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ