| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jan 2019 13:26:33 -0800
From: "Paul E. McKenney" <paulmck@...ux.ibm.com>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Jann Horn <jannh@...gle.com>, Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-api <linux-api@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andrea Parri <parri.andrea@...il.com>,
Andrew Hunter <ahh@...gle.com>,
Andy Lutomirski <luto@...nel.org>,
Avi Kivity <avi@...lladb.com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Boqun Feng <boqun.feng@...il.com>,
Dave Watson <davejwatson@...com>, David Sehr <sehr@...gle.com>,
Greg Hackmann <ghackmann@...gle.com>,
"H. Peter Anvin" <hpa@...or.com>,
maged michael <maged.michael@...il.com>,
Michael Ellerman <mpe@...erman.id.au>,
Paul Mackerras <paulus@...ba.org>,
"Russell King, ARM Linux" <linux@...linux.org.uk>,
Will Deacon <will.deacon@....com>,
stable <stable@...r.kernel.org>
Subject: Re: [RFC PATCH] Fix: membarrier: racy access to p->mm in
membarrier_global_expedited()
On Mon, Jan 28, 2019 at 04:07:26PM -0500, Mathieu Desnoyers wrote:
> ----- On Jan 28, 2019, at 3:46 PM, paulmck paulmck@...ux.ibm.com wrote:
>
> > On Mon, Jan 28, 2019 at 12:27:03PM -0800, Linus Torvalds wrote:
> >> On Mon, Jan 28, 2019 at 10:27 AM Mathieu Desnoyers
> >> <mathieu.desnoyers@...icios.com> wrote:
> >> >
> >> > Jann Horn identified a racy access to p->mm in the global expedited
> >> > command of the membarrier system call.
> >> >
> >> > The suggested fix is to hold the task_lock() around the accesses to
> >> > p->mm and to the mm_struct membarrier_state field to guarantee the
> >> > existence of the mm_struct.
> >>
> >> Hmm. I think this is right. You shouldn't access another threads mm
> >> pointer without proper locking.
> >>
> >> That said, we *could* make the mm_cachep be SLAB_TYPESAFE_BY_RCU,
> >> which would allow speculatively reading data off the mm pointer under
> >> RCU. It might not be the *right* mm if somebody just did an exit, but
> >> for things like this it shouldn't matter.
> >
> > That sounds much simpler and more effective than the contention-reduction
> > approach that I suggested. ;-)
>
> I'd be tempted to stick to the locking approach for a fix, and implement
> Linus' type-safe mm_cachep idea if anyone complains about the overhead
> of membarrier GLOBAL_EXPEDITED (and submit for a future merge window).
>
> I tested the KASAN splat reproducer from Jann locally, and confirmed that
> my patch fixes the issue it reproduces.
>
> Please let me know if the task_lock() approach is OK as a fix for now.
Agreed, no need for added complexity until there is a clear need.
> I'm also awaiting a Tested-by from Jann before submitting this for real.
Makes sense to me!
Thanx, Paul
> Thanks,
>
> Mathieu
>
> >
> > Thanx, Paul
> >
> >> But if this is the only case that might care, it sounds like just
> >> doing the proper locking is the right approach.
> >>
> >> Linus
>
> --
> Mathieu Desnoyers
> EfficiOS Inc.
> http://www.efficios.com
>
Powered by blists - more mailing lists