lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20170414140819.20210-1-tony@atomide.com>
Date:   Fri, 14 Apr 2017 07:08:19 -0700
From:   Tony Lindgren <tony@...mide.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Peter Zijlstra <peterz@...radead.org>
Cc:     linux-kernel@...r.kernel.org, juri.lelli@....com,
        bigeasy@...utronix.de, xlpang@...hat.com, rostedt@...dmis.org,
        mathieu.desnoyers@...icios.com, jdesfossez@...icios.com,
        dvhart@...radead.org, bristot@...hat.com
Subject: [PATCH] futex: Fix hrtimer oops in futex_lock_pi()

Commit cfafcd117da0 ("futex: Rework futex_lock_pi() to use
rt_mutex_*_proxy_lock()") caused a regression where things would
occasionally randomly oops when restarting X:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
...
Internal error: Oops: 80000005 [#1] SMP ARM
...
PC is at 0x0
LR is at __hrtimer_run_queues+0x138/0x58c
pc : [<00000000>]    lr : [<c01c7884>]    psr: 20000193
...
[<c01c7884>] (__hrtimer_run_queues) from [<c01c7f4c>]
(hrtimer_interrupt+0xbc/0x210)
[<c01c7f4c>] (hrtimer_interrupt) from [<c010fcfc>]
...

When this happens, the hrtimer is not properly initialized and it's
function is NULL. This happens because we now call hrtimer_start_expires()
in futex_lock_pi() for the timer initialized with hrtimer_init_on_stack().

To fix it, let's pair the hrtimer_start_expires() with hrtimer_cancel()
in the same function.

Fixes: cfafcd117da0 ("futex: Rework futex_lock_pi() to use
rt_mutex_*_proxy_lock()")
Cc: juri.lelli@....com
Cc: bigeasy@...utronix.de
Cc: xlpang@...hat.com
Cc: rostedt@...dmis.org
Cc: mathieu.desnoyers@...icios.com
Cc: jdesfossez@...icios.com
Cc: dvhart@...radead.org
Cc: bristot@...hat.com
Signed-off-by: Tony Lindgren <tony@...mide.com>
---
 kernel/futex.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/futex.c b/kernel/futex.c
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2736,8 +2736,10 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
 out_put_key:
 	put_futex_key(&q.key);
 out:
-	if (to)
+	if (to) {
+		hrtimer_cancel(&to->timer);
 		destroy_hrtimer_on_stack(&to->timer);
+	}
 	return ret != -EINTR ? ret : -ERESTARTNOINTR;
 
 uaddr_faulted:
-- 
2.12.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ