lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4ADDD81B.3030208@us.ibm.com>
Date:	Tue, 20 Oct 2009 08:32:43 -0700
From:	Darren Hart <dvhltc@...ibm.com>
To:	John Kacur <jkacur@...hat.com>
CC:	linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
	linux-rt-users@...r.kernel.org
Subject: Re: [PATCH] futex: Detect mismatched requeue targets

John Kacur wrote:
> Hello Darren
> 
> I took your patch from commit 84bc4af59081ee974dd80210e694ab59ebe51ce8
> and I tried to git-cherry-pick it for v2.6.31.4-rt14
> 
> I had a little merge-commit to resolve. That wasn't too hard, but as the 
> code is a bit different between the two versions, I would appreciate it if 
> you could review the patch, and make sure that it still makes sense for 
> v2.6.31.r-rt14

Hi John,

It looks good to me.  Where did you have the conflicts?

--
Darren

> 
> Thanks!
> John
> 
> From 7135729cbbc5bf16c95abdca5366ec5de0a01909 Mon Sep 17 00:00:00 2001
> From: Darren Hart <dvhltc@...ibm.com>
> Date: Thu, 13 Aug 2009 17:36:53 -0700
> Subject: [PATCH] futex: Detect mismatched requeue targets
> 
> There is currently no check to ensure that userspace uses the same
> futex requeue target (uaddr2) in futex_requeue() that the waiter used
> in futex_wait_requeue_pi().  A mismatch here could very unexpected
> results as the waiter assumes it either wakes on uaddr1 or uaddr2. We
> could detect this on wakeup in the waiter, but the cleanup is more
> intense after the improper requeue has occured.
> 
> This patch stores the waiter's expected requeue target in a new
> requeue_pi_key pointer in the futex_q which futex_requeue() checks
> prior to attempting to do a proxy lock acquistion or a requeue when
> requeue_pi=1. If they don't match, return -EINVAL from futex_requeue,
> aborting the requeue of any remaining waiters.
> 
> Signed-off-by: Darren Hart <dvhltc@...ibm.com>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Eric Dumazet <eric.dumazet@...il.com>
> Cc: John Kacur <jkacur@...hat.com>
> Cc: Dinakar Guniguntala <dino@...ibm.com>
> Cc: John Stultz <johnstul@...ibm.com>
> LKML-Reference: <20090814003650.14634.63916.stgit@...n>
> Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
> Signed-off-by: John Kacur <jkacur@...hat.com>
> ---
>  kernel/futex.c |   24 ++++++++++++++++++++----
>  1 files changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index 7c4a6ac..5978a84 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -115,6 +115,9 @@ struct futex_q {
>  	/* rt_waiter storage for requeue_pi: */
>  	struct rt_mutex_waiter *rt_waiter;
> 
> +	/* The expected requeue pi target futex key: */
> +	union futex_key *requeue_pi_key;
> +
>  	/* Bitset for the optional bitmasked wakeup */
>  	u32 bitset;
>  };
> @@ -1089,6 +1092,10 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
>  	if (!top_waiter)
>  		return 0;
> 
> +	/* Ensure we requeue to the expected futex. */
> +	if (!match_futex(top_waiter->requeue_pi_key, key2))
> +		return -EINVAL;
> +
>  	/*
>  	 * Try to take the lock for top_waiter.  Set the FUTEX_WAITERS bit in
>  	 * the contended case or if set_waiters is 1.  The pi_state is returned
> @@ -1276,6 +1283,12 @@ retry_private:
>  			continue;
>  		}
> 
> +		/* Ensure we requeue to the expected futex for requeue_pi. */
> +		if (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) {
> +			ret = -EINVAL;
> +			break;
> +		}
> +
>  		/*
>  		 * Requeue nr_requeue waiters and possibly one more in the case
>  		 * of requeue_pi if we couldn't acquire the lock atomically.
> @@ -1742,6 +1755,7 @@ static int futex_wait(u32 __user *uaddr, int fshared,
>  	q.pi_state = NULL;
>  	q.bitset = bitset;
>  	q.rt_waiter = NULL;
> +	q.requeue_pi_key = NULL;
> 
>  	if (abs_time) {
>  		to = &timeout;
> @@ -1855,6 +1869,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
> 
>  	q.pi_state = NULL;
>  	q.rt_waiter = NULL;
> +	q.requeue_pi_key = NULL;
>  retry:
>  	q.key = FUTEX_KEY_INIT;
>  	ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
> @@ -2167,16 +2182,17 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
>  	debug_rt_mutex_init_waiter(&rt_waiter);
>  	rt_waiter.task = NULL;
> 
> -	q.pi_state = NULL;
> -	q.bitset = bitset;
> -	q.rt_waiter = &rt_waiter;
> -
>  retry:
>  	key2 = FUTEX_KEY_INIT;
>  	ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
>  	if (unlikely(ret != 0))
>  		goto out;
> 
> +	q.pi_state = NULL;
> +	q.bitset = bitset;
> +	q.rt_waiter = &rt_waiter;
> +	q.requeue_pi_key = &key2;
> +
>  	/* Prepare to wait on uaddr. */
>  	ret = futex_wait_setup(uaddr, val, fshared, &q, &hb);
>  	if (ret)


-- 
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ