lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20190128232236.GG4240@linux.ibm.com>
Date:   Mon, 28 Jan 2019 15:22:36 -0800
From:   "Paul E. McKenney" <paulmck@...ux.ibm.com>
To:     Jann Horn <jannh@...gle.com>
Cc:     Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Ingo Molnar <mingo@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andrea Parri <parri.andrea@...il.com>,
        Andy Lutomirski <luto@...nel.org>,
        Avi Kivity <avi@...lladb.com>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Boqun Feng <boqun.feng@...il.com>,
        Dave Watson <davejwatson@...com>, David Sehr <sehr@...gle.com>,
        "H . Peter Anvin" <hpa@...or.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Maged Michael <maged.michael@...il.com>,
        Michael Ellerman <mpe@...erman.id.au>,
        Paul Mackerras <paulus@...ba.org>,
        Russell King <linux@...linux.org.uk>,
        Will Deacon <will.deacon@....com>, stable@...r.kernel.org
Subject: Re: [PATCH] Fix: membarrier: racy access to p->mm in
 membarrier_global_expedited()

On Mon, Jan 28, 2019 at 11:45:32PM +0100, Jann Horn wrote:
> On Mon, Jan 28, 2019 at 11:39 PM Paul E. McKenney <paulmck@...ux.ibm.com> wrote:
> > On Mon, Jan 28, 2019 at 05:07:07PM -0500, Mathieu Desnoyers wrote:
> > > Jann Horn identified a racy access to p->mm in the global expedited
> > > command of the membarrier system call.
> > >
> > > The suggested fix is to hold the task_lock() around the accesses to
> > > p->mm and to the mm_struct membarrier_state field to guarantee the
> > > existence of the mm_struct.
> > >
> > > Link: https://lore.kernel.org/lkml/CAG48ez2G8ctF8dHS42TF37pThfr3y0RNOOYTmxvACm4u8Yu3cw@mail.gmail.com
> > > Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
> [...]
> > > --- a/kernel/sched/membarrier.c
> > > +++ b/kernel/sched/membarrier.c
> > > @@ -81,12 +81,27 @@ static int membarrier_global_expedited(void)
> > >
> > >               rcu_read_lock();
> > >               p = task_rcu_dereference(&cpu_rq(cpu)->curr);
> > > -             if (p && p->mm && (atomic_read(&p->mm->membarrier_state) &
> > > -                                MEMBARRIER_STATE_GLOBAL_EXPEDITED)) {
> > > -                     if (!fallback)
> > > -                             __cpumask_set_cpu(cpu, tmpmask);
> > > -                     else
> > > -                             smp_call_function_single(cpu, ipi_mb, NULL, 1);
> > > +             /*
> > > +              * Skip this CPU if the runqueue's current task is NULL or if
> > > +              * it is a kernel thread.
> > > +              */
> > > +             if (p && READ_ONCE(p->mm)) {
> > > +                     bool mm_match;
> > > +
> > > +                     /*
> > > +                      * Read p->mm and access membarrier_state while holding
> > > +                      * the task lock to ensure existence of mm.
> > > +                      */
> > > +                     task_lock(p);
> > > +                     mm_match = p->mm && (atomic_read(&p->mm->membarrier_state) &
> >
> > Are we guaranteed that this p->mm will be the same as the one loaded via
> > READ_ONCE() above?
> 
> No; the way I read it, that's just an optimization and has no effect
> on correctness.
> 
> > Either way, wouldn't it be better to READ_ONCE() it a
> > single time and use the same value everywhere?
> 
> No; the first READ_ONCE() returns a pointer that you can't access
> because it wasn't read under a lock. You can only use it for a NULL
> check.

Ah, of course!  Thank you both!

							Thanx, Paul

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ