| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200114161225.309792-3-hch@lst.de>
Date: Tue, 14 Jan 2020 17:12:15 +0100
From: Christoph Hellwig <hch@....de>
To: linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Waiman Long <longman@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Will Deacon <will@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-ext4@...r.kernel.org, cluster-devel@...hat.com
Cc: linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: [PATCH 02/12] locking/rwsem: Exit early when held by an anonymous owner
The rwsem code overloads the owner field with either a task struct or
negative magic numbers. Add a quick hack to catch these negative
values early on. Without this spinning on a writer that replaced the
owner with RWSEM_OWNER_UNKNOWN, rwsem_spin_on_owner can crash while
deferencing the task_struct ->on_cpu field of a -8 value.
XXX: This might be a bit of a hack as the code otherwise doesn't use
the ERR_PTR family macros, better suggestions welcome.
Signed-off-by: Christoph Hellwig <hch@....de>
---
kernel/locking/rwsem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index 44e68761f432..6adc719a30a1 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -725,6 +725,8 @@ rwsem_spin_on_owner(struct rw_semaphore *sem, unsigned long nonspinnable)
state = rwsem_owner_state(owner, flags, nonspinnable);
if (state != OWNER_WRITER)
return state;
+ if (IS_ERR(owner))
+ return state;
rcu_read_lock();
for (;;) {
--
2.24.1
Powered by blists - more mailing lists