lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 8 Aug 2009 15:27:49 GMT
From:	tip-bot for Darren Hart <dvhltc@...ibm.com>
To:	linux-tip-commits@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org, dvhltc@...ibm.com, hpa@...or.com,
	mingo@...hat.com, jkacur@...hat.com, johnstul@...ibm.com,
	peterz@...radead.org, dino@...ibm.com, rostedt@...dmis.org,
	stable@...nel.org, tglx@...utronix.de, mingo@...e.hu
Subject: [tip:core/urgent] futex: Update woken requeued futex_q lock_ptr

Commit-ID:  00235fe25eba6d3a13f3349b2e3a2d94b699a414
Gitweb:     http://git.kernel.org/tip/00235fe25eba6d3a13f3349b2e3a2d94b699a414
Author:     Darren Hart <dvhltc@...ibm.com>
AuthorDate: Wed, 5 Aug 2009 15:02:20 -0700
Committer:  Ingo Molnar <mingo@...e.hu>
CommitDate: Sat, 8 Aug 2009 17:21:49 +0200

futex: Update woken requeued futex_q lock_ptr

futex_requeue() can acquire the lock on behalf of a waiter
during the requeue loop in the event of a lock steal or owner
died. futex_wait_requeue_pi() cleans up the pi_state owner,
using the lock_ptr to protect against concurrent access to the
pi_state.  The pi_state is found on the requeue target futex
hash bucket so the lock_ptr needs to be updated accordingly.

The problem manifested by triggering the WARN_ON in
lookup_pi_state() about the pid != pi_state->owner pid.

The astute reviewer will note that still exists a race between
the time futex_requeue() releases hb2->lock() and the time when
futex_wait_requeue_pi() acquires it.  During this time the
pi_state and the futex uaddr are not in sync with the rt_mutex
ownership.  This patch closes the window to the point where my
tests now pass, but we still need to address it.

Signed-off-by: Darren Hart <dvhltc@...ibm.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Steven Rostedt <rostedt@...dmis.org>
Cc: Dinakar Guniguntala <dino@...ibm.com>
Cc: John Stultz <johnstul@...ibm.com>
Cc: John Kacur <jkacur@...hat.com>
Cc: <stable@...nel.org>
LKML-Reference: <4A7A016C.1090002@...ibm.com>
Signed-off-by: Ingo Molnar <mingo@...e.hu>


---
 kernel/futex.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index 0672ff8..57f5a80 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1010,19 +1010,24 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
  * requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue
  * q:	the futex_q
  * key:	the key of the requeue target futex
+ * hb:  the hash_bucket of the requeue target futex
  *
  * During futex_requeue, with requeue_pi=1, it is possible to acquire the
  * target futex if it is uncontended or via a lock steal.  Set the futex_q key
  * to the requeue target futex so the waiter can detect the wakeup on the right
  * futex, but remove it from the hb and NULL the rt_waiter so it can detect
- * atomic lock acquisition.  Must be called with the q->lock_ptr held.
+ * atomic lock acquisition.  Set the q->lock_ptr to the requeue target hb->lock
+ * to protect access to the pi_state to fixup the owner later.  Must be called
+ * with the q->lock_ptr held.
  */
 static inline
-void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key)
+void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+			   struct futex_hash_bucket *hb)
 {
 	drop_futex_key_refs(&q->key);
 	get_futex_key_refs(key);
 	q->key = *key;
+	q->lock_ptr = &hb->lock;
 
 	WARN_ON(plist_node_empty(&q->list));
 	plist_del(&q->list, &q->list.plist);
@@ -1088,7 +1093,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
 	ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
 				   set_waiters);
 	if (ret == 1)
-		requeue_pi_wake_futex(top_waiter, key2);
+		requeue_pi_wake_futex(top_waiter, key2, hb2);
 
 	return ret;
 }
@@ -1273,7 +1278,7 @@ retry_private:
 							this->task, 1);
 			if (ret == 1) {
 				/* We got the lock. */
-				requeue_pi_wake_futex(this, &key2);
+				requeue_pi_wake_futex(this, &key2, hb2);
 				continue;
 			} else if (ret) {
 				/* -EDEADLK */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ