| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Oct 2014 11:35:39 +0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Catalin Marinas <catalin.marinas@....com>, Matteo Franchin <Matteo.Franchin@....com>, Davidlohr Bueso <dave@...olabs.net>, Mike Galbraith <umgwanakikbuti@...il.com>, Darren Hart <dvhart@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...nel.org>, "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: [PATCH 3.14 054/100] futex: Ensure get_futex_key_refs() always implies a barrier 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Catalin Marinas <catalin.marinas@....com> commit 76835b0ebf8a7fe85beb03c75121419a7dec52f0 upstream. Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up) changes the futex code to avoid taking a lock when there are no waiters. This code has been subsequently fixed in commit 11d4616bd07f (futex: revert back to the explicit waiter counting code). Both the original commit and the fix-up rely on get_futex_key_refs() to always imply a barrier. However, for private futexes, none of the cases in the switch statement of get_futex_key_refs() would be hit and the function completes without a memory barrier as required before checking the "waiters" in futex_wake() -> hb_waiters_pending(). The consequence is a race with a thread waiting on a futex on another CPU, allowing the waker thread to read "waiters == 0" while the waiter thread to have read "futex_val == locked" (in kernel). Without this fix, the problem (user space deadlocks) can be seen with Android bionic's mutex implementation on an arm64 multi-cluster system. Signed-off-by: Catalin Marinas <catalin.marinas@....com> Reported-by: Matteo Franchin <Matteo.Franchin@....com> Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up) Acked-by: Davidlohr Bueso <dave@...olabs.net> Tested-by: Mike Galbraith <umgwanakikbuti@...il.com> Cc: Darren Hart <dvhart@...ux.intel.com> Cc: Thomas Gleixner <tglx@...utronix.de> Cc: Peter Zijlstra <peterz@...radead.org> Cc: Ingo Molnar <mingo@...nel.org> Cc: Paul E. McKenney <paulmck@...ux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- kernel/futex.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/futex.c +++ b/kernel/futex.c @@ -329,6 +329,8 @@ static void get_futex_key_refs(union fut case FUT_OFF_MMSHARED: futex_get_mm(key); /* implies MB (B) */ break; + default: + smp_mb(); /* explicit MB (B) */ } } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists