| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez1+Vx7=ZqeLJ0waceSneCQhEcoS=bv9ggb3Dbveb+W6AQ@mail.gmail.com>
Date: Mon, 28 Jan 2019 23:45:32 +0100
From: Jann Horn <jannh@...gle.com>
To: "Paul E. McKenney" <paulmck@...ux.ibm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
kernel list <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andrea Parri <parri.andrea@...il.com>,
Andy Lutomirski <luto@...nel.org>,
Avi Kivity <avi@...lladb.com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Boqun Feng <boqun.feng@...il.com>,
Dave Watson <davejwatson@...com>, David Sehr <sehr@...gle.com>,
"H . Peter Anvin" <hpa@...or.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Maged Michael <maged.michael@...il.com>,
Michael Ellerman <mpe@...erman.id.au>,
Paul Mackerras <paulus@...ba.org>,
Russell King <linux@...linux.org.uk>,
Will Deacon <will.deacon@....com>, stable@...r.kernel.org
Subject: Re: [PATCH] Fix: membarrier: racy access to p->mm in membarrier_global_expedited()
On Mon, Jan 28, 2019 at 11:39 PM Paul E. McKenney <paulmck@...ux.ibm.com> wrote:
> On Mon, Jan 28, 2019 at 05:07:07PM -0500, Mathieu Desnoyers wrote:
> > Jann Horn identified a racy access to p->mm in the global expedited
> > command of the membarrier system call.
> >
> > The suggested fix is to hold the task_lock() around the accesses to
> > p->mm and to the mm_struct membarrier_state field to guarantee the
> > existence of the mm_struct.
> >
> > Link: https://lore.kernel.org/lkml/CAG48ez2G8ctF8dHS42TF37pThfr3y0RNOOYTmxvACm4u8Yu3cw@mail.gmail.com
> > Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
[...]
> > --- a/kernel/sched/membarrier.c
> > +++ b/kernel/sched/membarrier.c
> > @@ -81,12 +81,27 @@ static int membarrier_global_expedited(void)
> >
> > rcu_read_lock();
> > p = task_rcu_dereference(&cpu_rq(cpu)->curr);
> > - if (p && p->mm && (atomic_read(&p->mm->membarrier_state) &
> > - MEMBARRIER_STATE_GLOBAL_EXPEDITED)) {
> > - if (!fallback)
> > - __cpumask_set_cpu(cpu, tmpmask);
> > - else
> > - smp_call_function_single(cpu, ipi_mb, NULL, 1);
> > + /*
> > + * Skip this CPU if the runqueue's current task is NULL or if
> > + * it is a kernel thread.
> > + */
> > + if (p && READ_ONCE(p->mm)) {
> > + bool mm_match;
> > +
> > + /*
> > + * Read p->mm and access membarrier_state while holding
> > + * the task lock to ensure existence of mm.
> > + */
> > + task_lock(p);
> > + mm_match = p->mm && (atomic_read(&p->mm->membarrier_state) &
>
> Are we guaranteed that this p->mm will be the same as the one loaded via
> READ_ONCE() above?
No; the way I read it, that's just an optimization and has no effect
on correctness.
> Either way, wouldn't it be better to READ_ONCE() it a
> single time and use the same value everywhere?
No; the first READ_ONCE() returns a pointer that you can't access
because it wasn't read under a lock. You can only use it for a NULL
check.
Powered by blists - more mailing lists