lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Mon, 25 Jan 2010 09:33:59 -0800
From:	Darren Hart <dvhltc@...ibm.com>
To:	Mikael Pettersson <mikpe@...uu.se>
CC:	linux-kernel@...r.kernel.org,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: Re: [PATCH 2.6.33-rc5] futex_lock_pi() key refcnt fix

Mikael Pettersson wrote:
> This fixes a futex key reference count bug in futex_lock_pi(),
> where a key's reference count is incremented twice but decremented
> only once, causing the backing object to not be released.
> 
> If the futex is created in a temporary file in an ext3 file system,
> this bug causes the file's inode to become an "undead" orphan,
> which causes an oops from a BUG_ON() in ext3_put_super() when the
> file system is unmounted. glibc's test suite is known to trigger this,
> see <http://bugzilla.kernel.org/show_bug.cgi?id=14256>.
> 
> The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's
> 38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on
> get_user_pages() for shared futexes". That commit made get_futex_key()
> also increment the reference count of the futex key, and updated its
> callers to decrement the key's reference count before returning.
> Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
> the reference count is incremented by get_futex_key() and queue_lock(),
> but the normal exit path only decrements once, via unqueue_me_pi().
> The fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31
> this is easily done by 'goto out_put_key' rather than 'goto out'.
> 
> Signed-off-by: Mikael Pettersson <mikpe@...uu.se>

Nice catch. I think we need to do something to make the reference 
counting more explicit in futex.c. For now, this is the right fix.

Acked-by: Darren Hart <dvhltc@...ibm.com>

> Cc: <stable@...nel.org>
> ---
> This patch also works for backports to 2.6.32 and 2.6.31,
> but 2.6.30 and 2.6.29 need a "put_futex_key(fshared, &q.key);"
> after "unqueue_me_pi(&q);" instead. I can supply patches
> for these older kernels if necessary.
> 
>  kernel/futex.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff -rupN linux-2.6.33-rc5/kernel/futex.c linux-2.6.33-rc5.futex_lock_pi-key-refcnt-fix/kernel/futex.c
> --- linux-2.6.33-rc5/kernel/futex.c	2010-01-22 01:21:57.000000000 +0100
> +++ linux-2.6.33-rc5.futex_lock_pi-key-refcnt-fix/kernel/futex.c	2010-01-23 21:00:14.000000000 +0100
> @@ -1971,7 +1971,7 @@ retry_private:
>  	/* Unqueue and drop the lock */
>  	unqueue_me_pi(&q);
> 
> -	goto out;
> +	goto out_put_key;
> 
>  out_unlock_put_key:
>  	queue_unlock(&q, hb);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 


-- 
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists