lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 26 Jan 2023 22:10:19 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Hernan Ponce de Leon' <hernan.poncedeleon@...weicloud.com>,
        "Peter Zijlstra" <peterz@...radead.org>
CC:     Waiman Long <longman@...hat.com>,
        "paulmck@...nel.org" <paulmck@...nel.org>,
        Arjan van de Ven <arjan@...ux.intel.com>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "will@...nel.org" <will@...nel.org>,
        "boqun.feng@...il.com" <boqun.feng@...il.com>,
        "akpm@...l.org" <akpm@...l.org>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "joel@...lfernandes.org" <joel@...lfernandes.org>,
        "stern@...land.harvard.edu" <stern@...land.harvard.edu>,
        "diogo.behrens@...wei.com" <diogo.behrens@...wei.com>,
        "jonas.oberhauser@...wei.com" <jonas.oberhauser@...wei.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Hernan Ponce de Leon" <hernanl.leon@...wei.com>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        Jonas Oberhauser <jonas.oberhauser@...weicloud.com>
Subject: RE: [PATCH] Fix data race in mark_rt_mutex_waiters

From: Hernan Ponce de Leon
> Sent: 26 January 2023 21:07
...
>   static __always_inline void rt_mutex_clear_owner(struct rt_mutex_base
> *lock)
> @@ -232,12 +232,7 @@ static __always_inline bool
> rt_mutex_cmpxchg_release(struct rt_mutex_base *lock,
>    */
>   static __always_inline void mark_rt_mutex_waiters(struct rt_mutex_base
> *lock)
>   {
> -	unsigned long owner, *p = (unsigned long *) &lock->owner;
> -
> -	do {
> -		owner = *p;
> -	} while (cmpxchg_relaxed(p, owner,
> -				 owner | RT_MUTEX_HAS_WAITERS) != owner);
> +	atomic_long_or(RT_MUTEX_HAS_WAITERS, (atomic_long_t *)&lock->owner);

These *(int_type *)&foo accesses (quite often just plain wrong)
made me look up the definitions.

All one big accident waiting to happen...
RT_MUTEX_HAS_WAITERS is defined in a different header to the structure.
The explanatory comment is in a 3rd file.

It would all be safer if lock->owner were atomic_long_t with a comment
that it was the waiting task_struct | RT_MUTEX_HAS_WAITERS.

Given the actual definition is rt_mutex_base_is_locked() even correct?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ