Date:	Mon, 29 Feb 2016 19:41:33 +0800
From:	Jianyu Zhan <nasa4836@...il.com>
To:	linux-kernel@...r.kernel.org
Cc:	tglx@...utronix.de, dave@...olabs.net, peterz@...radead.org,
	akpm@...ux-foundation.org, mingo@...nel.org,
	dvhart@...ux.intel.com, bigeasy@...utronix.de, nasa4836@...il.com
Subject: [PATCH] futex:  replace bare barrier() with a READ_ONCE()

Commit e91467ecd1ef ("bug in futex unqueue_me") introduces a barrier()
in unqueue_me(), to address a pointer aliasing problem in s390x, between
q->lock_ptr and local variable lock_ptr.

Since there is retry logic to reload q->lock_ptr into the local variable lock_ptr,
s390x generates code that aliases q->lock_ptr with lock_ptr, while q->lock_ptr
might change between retries, which beats the alias and causes a problem.

This patch replaces this bare barrier() with a READ_ONCE(), a weaker form of
barrier(), which could be more informative.

And furthermore, this retry logic is effectively the same as:

	while (lock_ptr = q->lock_ptr)
		do_something_with(lock_ptr);

and the compiler is at liberty to merge successive loads of q->lock_ptr, which is also problematic
in this scenario. READ_ONCE() can avoid this problem.

Signed-off-by: Jianyu Zhan <nasa4836@...il.com>
---
 kernel/futex.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index 5d6ce64..20e8466 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1927,8 +1927,12 @@ static int unqueue_me(struct futex_q *q)
 
 	/* In the common case we don't take the spinlock, which is nice. */
 retry:
-	lock_ptr = q->lock_ptr;
-	barrier();
+	/*
+	 *  q->lock_ptr can change and a pointer aliasing(of lock_ptr) will cause problem, 
+	 *  and also to avoid potential compiler merging of successive load of q->lock_ptr under
+	 *  this retry logic, so we use READ_ONCE() here.
+	 */
+	lock_ptr = READ_ONCE(q->lock_ptr);
 	if (lock_ptr != NULL) {
 		spin_lock(lock_ptr);
 		/*
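Review bot: the new comment block above `lock_ptr = READ_ONCE(q->lock_ptr);` needs a style pass before this can go in: the line ending in "problem, " carries trailing whitespace, two of the lines run past 80 columns, the text is indented with two spaces after `*` instead of one, "aliasing(of lock_ptr)" is missing a space before the parenthesis, and "will cause problem" should read "will cause problems". Something like "q->lock_ptr can change under us and the compiler may alias or merge the reloads across the retry loop, so force a fresh load each time." fits in two lines and says the same thing. It would also help readers to have the comment (or at least the changelog) state that barrier() was the earlier fix from commit e91467ecd1ef and that READ_ONCE() only constrains this single load, whereas barrier() also kept the compiler from moving the surrounding accesses; if nothing else in unqueue_me() relied on that ordering, say so explicitly.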
-- 
2.4.3
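The retry shape that the patch is about, as an added example that is not part of the original mail or of kernel/futex.c: a user-space stand-in for READ_ONCE() (the volatile-cast form, which forces one real load per evaluation so the compiler cannot merge or hoist the reloads) and a toy unqueue loop that reads lock_ptr, takes the lock, re-checks the pointer, and retries when it moved. The struct names, the toy spin lock and the race hook that changes q->lock_ptr between the load and the re-check are all constructed for the demonstration and are not the kernel's types.

```c
#include <stddef.h>

/* Constructed stand-in for the kernel's READ_ONCE(): the volatile cast
 * makes every evaluation a real memory load, so the compiler may not
 * merge the load in one retry with the load in the next. Assumption:
 * this mirrors the kernel's scalar form, it is not the kernel header. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

struct toy_lock { int held; };

/* Toy version of struct futex_q: only the pointer that may change. */
struct toy_futex_q {
	struct toy_lock *lock_ptr;
};

/* Hook invoked after the lock is taken; a test hook may move
 * q->lock_ptr to simulate a concurrent requeue. Constructed for the demo. */
typedef void (*race_hook_t)(struct toy_futex_q *q, void *arg);

static void toy_spin_lock(struct toy_lock *l)   { l->held = 1; }
static void toy_spin_unlock(struct toy_lock *l) { l->held = 0; }

/* Same control flow as the retry loop in unqueue_me(): load the pointer
 * once, lock it, re-check it under the lock, retry if it changed.
 * Returns the number of retries taken; *locked_out says whether a lock
 * was eventually held and the entry "unqueued". */
int toy_unqueue_retry(struct toy_futex_q *q, race_hook_t hook, void *arg,
		      int *locked_out)
{
	struct toy_lock *lock_ptr;
	int retries = 0;

retry:
	lock_ptr = READ_ONCE(q->lock_ptr);	/* fresh load on every retry */
	if (lock_ptr != NULL) {
		toy_spin_lock(lock_ptr);
		if (hook)
			hook(q, arg);		/* simulated change while we held the wrong lock */
		if (lock_ptr != READ_ONCE(q->lock_ptr)) {
			/* pointer moved under us: drop this lock and go again */
			toy_spin_unlock(lock_ptr);
			retries++;
			goto retry;
		}
		/* stable under the lock: "unqueue" by clearing the pointer */
		q->lock_ptr = NULL;
		toy_spin_unlock(lock_ptr);
		*locked_out = 1;
	} else {
		*locked_out = 0;
	}
	return retries;
}

/* Test hook: move q->lock_ptr to a second lock exactly once. */
struct move_once { struct toy_lock *to; int done; };

static void move_once_hook(struct toy_futex_q *q, void *arg)
{
	struct move_once *m = arg;
	if (!m->done) {
		q->lock_ptr = m->to;
		m->done = 1;
	}
}

/* One simulated race: expect exactly one retry and a clean final state. */
int demo_retries_with_one_move(void)
{
	struct toy_lock a = {0}, b = {0};
	struct toy_futex_q q = { &a };
	struct move_once m = { &b, 0 };
	int locked = 0;
	int retries = toy_unqueue_retry(&q, move_once_hook, &m, &locked);

	if (!locked || q.lock_ptr != NULL || a.held || b.held)
		return -1;	/* would indicate a bug in the toy loop */
	return retries;		/* 1 */
}

/* No race: the first pass succeeds with zero retries. */
int demo_retries_without_race(void)
{
	struct toy_lock a = {0};
	struct toy_futex_q q = { &a };
	int locked = 0;
	int retries = toy_unqueue_retry(&q, NULL, NULL, &locked);

	return (locked && q.lock_ptr == NULL && !a.held) ? retries : -1;	/* 0 */
}

/* NULL lock_ptr: nothing to lock, report not locked. */
int demo_null_lock_ptr_locked(void)
{
	struct toy_futex_q q = { NULL };
	int locked = 1;

	toy_unqueue_retry(&q, NULL, NULL, &locked);
	return locked;		/* 0 */
}
```

The point the toy loop makes visible is that each pass through `retry:` must observe the current value of `q->lock_ptr`; if the compiler were allowed to reuse the value loaded on the first pass, the re-check under the lock would compare the pointer with itself and the loop would never notice that the entry had been moved.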
