| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jan 2019 15:22:36 -0800
From: "Paul E. McKenney" <paulmck@...ux.ibm.com>
To: Jann Horn <jannh@...gle.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
kernel list <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andrea Parri <parri.andrea@...il.com>,
Andy Lutomirski <luto@...nel.org>,
Avi Kivity <avi@...lladb.com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Boqun Feng <boqun.feng@...il.com>,
Dave Watson <davejwatson@...com>, David Sehr <sehr@...gle.com>,
"H . Peter Anvin" <hpa@...or.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Maged Michael <maged.michael@...il.com>,
Michael Ellerman <mpe@...erman.id.au>,
Paul Mackerras <paulus@...ba.org>,
Russell King <linux@...linux.org.uk>,
Will Deacon <will.deacon@....com>, stable@...r.kernel.org
Subject: Re: [PATCH] Fix: membarrier: racy access to p->mm in
membarrier_global_expedited()
On Mon, Jan 28, 2019 at 11:45:32PM +0100, Jann Horn wrote:
> On Mon, Jan 28, 2019 at 11:39 PM Paul E. McKenney <paulmck@...ux.ibm.com> wrote:
> > On Mon, Jan 28, 2019 at 05:07:07PM -0500, Mathieu Desnoyers wrote:
> > > Jann Horn identified a racy access to p->mm in the global expedited
> > > command of the membarrier system call.
> > >
> > > The suggested fix is to hold the task_lock() around the accesses to
> > > p->mm and to the mm_struct membarrier_state field to guarantee the
> > > existence of the mm_struct.
> > >
> > > Link: https://lore.kernel.org/lkml/CAG48ez2G8ctF8dHS42TF37pThfr3y0RNOOYTmxvACm4u8Yu3cw@mail.gmail.com
> > > Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
> [...]
> > > --- a/kernel/sched/membarrier.c
> > > +++ b/kernel/sched/membarrier.c
> > > @@ -81,12 +81,27 @@ static int membarrier_global_expedited(void)
> > >
> > > rcu_read_lock();
> > > p = task_rcu_dereference(&cpu_rq(cpu)->curr);
> > > - if (p && p->mm && (atomic_read(&p->mm->membarrier_state) &
> > > - MEMBARRIER_STATE_GLOBAL_EXPEDITED)) {
> > > - if (!fallback)
> > > - __cpumask_set_cpu(cpu, tmpmask);
> > > - else
> > > - smp_call_function_single(cpu, ipi_mb, NULL, 1);
> > > + /*
> > > + * Skip this CPU if the runqueue's current task is NULL or if
> > > + * it is a kernel thread.
> > > + */
> > > + if (p && READ_ONCE(p->mm)) {
> > > + bool mm_match;
> > > +
> > > + /*
> > > + * Read p->mm and access membarrier_state while holding
> > > + * the task lock to ensure existence of mm.
> > > + */
> > > + task_lock(p);
> > > + mm_match = p->mm && (atomic_read(&p->mm->membarrier_state) &
> >
> > Are we guaranteed that this p->mm will be the same as the one loaded via
> > READ_ONCE() above?
>
> No; the way I read it, that's just an optimization and has no effect
> on correctness.
>
> > Either way, wouldn't it be better to READ_ONCE() it a
> > single time and use the same value everywhere?
>
> No; the first READ_ONCE() returns a pointer that you can't access
> because it wasn't read under a lock. You can only use it for a NULL
> check.
Ah, of course! Thank you both!
Thanx, Paul
Powered by blists - more mailing lists