lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Oct 2009 08:32:43 -0700 From: Darren Hart <dvhltc@...ibm.com> To: John Kacur <jkacur@...hat.com> CC: linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>, linux-rt-users@...r.kernel.org Subject: Re: [PATCH] futex: Detect mismatched requeue targets John Kacur wrote: > Hello Darren > > I took your patch from commit 84bc4af59081ee974dd80210e694ab59ebe51ce8 > and I tried to git-cherry-pick it for v2.6.31.4-rt14 > > I had a little merge-commit to resolve. That wasn't too hard, but as the > code is a bit different between the two versions, I would appreciate it if > you could review the patch, and make sure that it still makes sense for > v2.6.31.r-rt14 Hi John, It looks good to me. Where did you have the conflicts? -- Darren > > Thanks! > John > > From 7135729cbbc5bf16c95abdca5366ec5de0a01909 Mon Sep 17 00:00:00 2001 > From: Darren Hart <dvhltc@...ibm.com> > Date: Thu, 13 Aug 2009 17:36:53 -0700 > Subject: [PATCH] futex: Detect mismatched requeue targets > > There is currently no check to ensure that userspace uses the same > futex requeue target (uaddr2) in futex_requeue() that the waiter used > in futex_wait_requeue_pi(). A mismatch here could very unexpected > results as the waiter assumes it either wakes on uaddr1 or uaddr2. We > could detect this on wakeup in the waiter, but the cleanup is more > intense after the improper requeue has occured. > > This patch stores the waiter's expected requeue target in a new > requeue_pi_key pointer in the futex_q which futex_requeue() checks > prior to attempting to do a proxy lock acquistion or a requeue when > requeue_pi=1. If they don't match, return -EINVAL from futex_requeue, > aborting the requeue of any remaining waiters. > > Signed-off-by: Darren Hart <dvhltc@...ibm.com> > Cc: Peter Zijlstra <peterz@...radead.org> > Cc: Eric Dumazet <eric.dumazet@...il.com> > Cc: John Kacur <jkacur@...hat.com> > Cc: Dinakar Guniguntala <dino@...ibm.com> > Cc: John Stultz <johnstul@...ibm.com> > LKML-Reference: <20090814003650.14634.63916.stgit@...n> > Signed-off-by: Thomas Gleixner <tglx@...utronix.de> > Signed-off-by: John Kacur <jkacur@...hat.com> > --- > kernel/futex.c | 24 ++++++++++++++++++++---- > 1 files changed, 20 insertions(+), 4 deletions(-) > > diff --git a/kernel/futex.c b/kernel/futex.c > index 7c4a6ac..5978a84 100644 > --- a/kernel/futex.c > +++ b/kernel/futex.c > @@ -115,6 +115,9 @@ struct futex_q { > /* rt_waiter storage for requeue_pi: */ > struct rt_mutex_waiter *rt_waiter; > > + /* The expected requeue pi target futex key: */ > + union futex_key *requeue_pi_key; > + > /* Bitset for the optional bitmasked wakeup */ > u32 bitset; > }; > @@ -1089,6 +1092,10 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex, > if (!top_waiter) > return 0; > > + /* Ensure we requeue to the expected futex. */ > + if (!match_futex(top_waiter->requeue_pi_key, key2)) > + return -EINVAL; > + > /* > * Try to take the lock for top_waiter. Set the FUTEX_WAITERS bit in > * the contended case or if set_waiters is 1. The pi_state is returned > @@ -1276,6 +1283,12 @@ retry_private: > continue; > } > > + /* Ensure we requeue to the expected futex for requeue_pi. */ > + if (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) { > + ret = -EINVAL; > + break; > + } > + > /* > * Requeue nr_requeue waiters and possibly one more in the case > * of requeue_pi if we couldn't acquire the lock atomically. > @@ -1742,6 +1755,7 @@ static int futex_wait(u32 __user *uaddr, int fshared, > q.pi_state = NULL; > q.bitset = bitset; > q.rt_waiter = NULL; > + q.requeue_pi_key = NULL; > > if (abs_time) { > to = &timeout; > @@ -1855,6 +1869,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared, > > q.pi_state = NULL; > q.rt_waiter = NULL; > + q.requeue_pi_key = NULL; > retry: > q.key = FUTEX_KEY_INIT; > ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE); > @@ -2167,16 +2182,17 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared, > debug_rt_mutex_init_waiter(&rt_waiter); > rt_waiter.task = NULL; > > - q.pi_state = NULL; > - q.bitset = bitset; > - q.rt_waiter = &rt_waiter; > - > retry: > key2 = FUTEX_KEY_INIT; > ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE); > if (unlikely(ret != 0)) > goto out; > > + q.pi_state = NULL; > + q.bitset = bitset; > + q.rt_waiter = &rt_waiter; > + q.requeue_pi_key = &key2; > + > /* Prepare to wait on uaddr. */ > ret = futex_wait_setup(uaddr, val, fshared, &q, &hb); > if (ret) -- Darren Hart IBM Linux Technology Center Real-Time Linux Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists