lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20191106215534.241796846@linutronix.de>
Date:   Wed, 06 Nov 2019 22:55:34 +0100
From:   Thomas Gleixner <tglx@...utronix.de>
To:     LKML <linux-kernel@...r.kernel.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Darren Hart <darren@...art.com>,
        Yi Wang <wang.yi59@....com.cn>,
        Yang Tao <yang.tao172@....com.cn>,
        Oleg Nesterov <oleg@...hat.com>,
        Florian Weimer <fweimer@...hat.com>,
        Carlos O'Donell <carlos@...hat.com>,
        Alexander Viro <viro@...iv.linux.org.uk>
Subject: [patch 00/12] futex: Cure robust/PI futex exit races

This series addresses a couple of robust/PI futex exit races:

 1) The unlock races debugged and fixed by Yi and Yang

    These races are really subtle and I'm still puzzled how to trigger them
    reliably enough to decode them.

    The basic issue is that:

    A) An unlocking task can be killed between clearing the user space
       futex value and calling futex(FUTEX_WAKE).

    B) A woken up waiter can be killed before it can acquire the futex
       after returning to user space.

    In both cases the futex value is 0 and due to that the robust list exit
    code refuses to wake up waiters as the futex is not owned by the
    exiting task. As a consequence all other waiters might be blocked
    forever.

 2) Oleg provided a test case which causes an infinite loop in the
    futex_lock_pi() code.

    The problem there is that an exiting task might be preempted by a
    waiter in a state which makes the waiter busy wait for the exiting task
    to complete the robust/PI exit cleanup code.

    That's obviously impossible when the waiter has higher priority than
    the exiting task and both are pinned on the same CPU resulting in a
    live lock.

#1 is a straight forward and simple fix 

    The solution Yi and Yang provided looks solid and in the worst case
    causes a spurious wakeup of a waiter which is nothing to worry about
    as all waiter code has to be prepared for that anyway.

#2 is more complex

   In the current implementation there is no way to block until the exiting
   task has finished the cleanup.

   To fix this there is quite some code reshuffling required which at the
   same time is a valuable cleanup.

   The final solution is to guard the futex exit handling with a per task
   mutex and make the waiter block on that mutex until the exiting task has
   the cleanup completed.

   Details why a simpler solution is not feasible can be found here:

   https://lore.kernel.org/r/20191105152728.GA5666@redhat.com

   Ignore my confusion of fork vs. vfork at the beginning of the thread.
   Futexes do that to human brains. :)

The following series addresses both issues.

Patch 1 is a slightly polished version of the original Yi and Yang
submission. It is included for completeness sake and because it
creates conflicts with the larger surgery which fixes issue #2. 

Aside of that a few eyeballs more on that subtlety are definitely not
a bad thing especially as this has a user space component in it.

The rest of the series addresses issue #2 which is more or less a kernel
only problem, but extra eyeballs are appreciated.

I'm certainly not proud about the solution for #2 but it's the best I could
come up with without violating the user/kernel state consistency
constraints.

Rusty Russell was definitely right when he said that futexes are cursed,
but as Peter Zijlstra pointed out he should have named them SNAFUtex
right away.

The series is also available from git:

  git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git WIP.locking/futex

Thanks,

	tglx

8<-------------

 fs/exec.c                |    2 
 include/linux/compat.h   |    2 
 include/linux/futex.h    |   38 +++--
 include/linux/sched.h    |    3 
 include/linux/sched/mm.h |    6 
 kernel/exit.c            |   30 ----
 kernel/fork.c            |   40 ++---
 kernel/futex.c           |  324 ++++++++++++++++++++++++++++++++++++++++-------
 8 files changed, 330 insertions(+), 115 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ