| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Apr 2016 09:09:46 +0200 From: Sebastian Andrzej Siewior <bigeasy@...utronix.de> To: Davidlohr Bueso <dave@...olabs.net> Cc: Thomas Gleixner <tglx@...utronix.de>, linux-kernel@...r.kernel.org Subject: Re: [PATCH] kernel/futex: handle the case where we got a "late" waiter On 04/20/2016 12:27 AM, Davidlohr Bueso wrote: > On Fri, 15 Apr 2016, Sebastian Andrzej Siewior wrote: > >> futex_unlock_pi() gets uval before taking the hb lock. Now imagine >> someone in futex_lock_pi() took the lock. While futex_unlock_pi() waits >> for the hb lock, the LOCK_PI sets FUTEX_WAITERS and drops the lock. >> Now, futex_unlock_pi() figures out that there is waiter and invokes >> wake_futex_pi() with the old uval which does not yet have FUTEX_WAITERS >> set. This flaw lets cmpxchg_futex_value_locked() fail and return -EINVAL. > > Hmm but if we're calling futex_unlock_pi() in the first place, doesn't that > indicate that the uval already has FUTEX_WAITERS and therefore failed the > TID->0 transition in userland? That or the thread is bogusly unlocking a > lock that it doesn't own. I hacked a testing tool which always did the syscall for LOCK_PI / UNLOCK_PI and this popped up. > > This is of course different than the requeue_pi case which can specify > set_waiters but also gets the value via get_futex_value_locked(). > > Is this a real issue or did you find it by code inspection? real issue. https://breakpoint.cc/mass-futex2-rl.c > Thanks, > Davidlohr Sebastian
Powered by blists - more mailing lists