Date:   Thu, 27 Apr 2023 13:19:33 +0200
From:   Sebastian Andrzej Siewior <bigeasy@...utronix.de>
To:     linux-kernel@...r.kernel.org
Cc:     Ben Segall <bsegall@...gle.com>, Boqun Feng <boqun.feng@...il.com>,
        Crystal Wood <swood@...hat.com>,
        Daniel Bristot de Oliveira <bristot@...hat.com>,
        Dietmar Eggemann <dietmar.eggemann@....com>,
        Ingo Molnar <mingo@...hat.com>,
        John Stultz <jstultz@...gle.com>,
        Juri Lelli <juri.lelli@...hat.com>,
        Mel Gorman <mgorman@...e.de>,
        Peter Zijlstra <peterz@...radead.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Valentin Schneider <vschneid@...hat.com>,
        Vincent Guittot <vincent.guittot@...aro.org>,
        Waiman Long <longman@...hat.com>, Will Deacon <will@...nel.org>
Subject: [PATCH v2 0/4] locking/rtmutex: Avoid overwriting pi_blocked_on while invoking blk_flush_plug().

Hi,

Crystal Wood reported that task_struct::pi_blocked_on can be overwritten
by mistake, that is:
	rt_mutex_slowlock()
	  - task_blocks_on_rt_mutex()
	    - current->pi_blocked_on = waiter;
	  - rt_mutex_slowlock_block()
	    - schedule()
	      - sched_submit_work()
	        - blk_flush_plug()
	          - *any* RT sleeping lock used by the plug
	            - rtlock_slowlock_locked()
	              - task_blocks_on_rt_mutex()
	                - current->pi_blocked_on = waiter; <-- XXX

The requirement is
- I/O queued
- lock contention on a sleeping lock (a mutex_t)
- lock contention while flushing queued I/O (in blk_flush_plug(), a
  spin_lock_t on PREEMPT_RT).

Later in review it was pointed out by tglx that any function within
sched_submit_work() is affected so it is not limited to
blk_flush_plug().

This series addresses the problem by
- export sched_submit_work()
- invoke sched_submit_work() if it is clear that the slow path is
  needed.
- invoke schedule_rtmutex() while blocking on lock which contains only
  the schedule loop (without sched_submit_work()).

Original report by Crystal
	https://lore.kernel.org/all/4b4ab374d3e24e6ea8df5cadc4297619a6d945af.camel@redhat.com

v1: https://lore.kernel.org/all/20230322162719.wYG1N0hh@linutronix.de

v1…v2:
   - Avoid invoking blk_flush_plug() with DEBUG-enabled
   - Fix also the ww-mutex implementation based on RT-mutex.
   - Export sched_submit_work() and do the whole block before blocking
     not just blk_flush_plug().

Sebastian
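
The ordering problem described in the message above, as an added userspace model in C (an illustration written for this page, not code from the patch series or the kernel). The `model_*` functions and both structs are hypothetical stand-ins named after the kernel symbols in the mail; the model assumes the inner waiter is cleared once the inner lock is acquired.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: simplified stand-ins named after the kernel
 * symbols in the mail (assumed shapes), not kernel code. */
struct waiter { const char *lock_name; };
struct task {
    struct waiter *pi_blocked_on; /* lock the task is blocked on */
    int plugged_io;               /* queued I/O awaiting a flush */
    int overwrites;               /* times a live pi_blocked_on was clobbered */
};

/* Models task_blocks_on_rt_mutex(): record the waiter, count clobbers. */
static void model_task_blocks_on(struct task *t, struct waiter *w)
{
    if (t->pi_blocked_on)
        t->overwrites++;
    t->pi_blocked_on = w;
}

/* Models sched_submit_work(): flushing contends on an RT sleeping lock.
 * Assumption: the waiter is cleared once that inner lock is acquired. */
static void model_sched_submit_work(struct task *t)
{
    static struct waiter plug_waiter = { "lock used by the plug" };
    if (!t->plugged_io)
        return;
    model_task_blocks_on(t, &plug_waiter);
    t->pi_blocked_on = NULL;
    t->plugged_io = 0;
}

/* submit_first=0: order from the report; 1: order the series describes.
 * Returns 1 if the task is still recorded as blocked on the outer lock. */
static int model_rt_mutex_slowlock(struct task *t, int submit_first)
{
    static struct waiter mutex_waiter = { "outer mutex" };
    if (submit_first)
        model_sched_submit_work(t);   /* before becoming a waiter */
    model_task_blocks_on(t, &mutex_waiter);
    if (!submit_first)
        model_sched_submit_work(t);   /* from within schedule() */
    return t->pi_blocked_on == &mutex_waiter;
}

int main(void)
{
    struct task a = { NULL, 1, 0 }, b = { NULL, 1, 0 };
    printf("reported=%d reordered=%d\n",
           model_rt_mutex_slowlock(&a, 0), model_rt_mutex_slowlock(&b, 1));
}
```

With the reported ordering the task ends up no longer recorded as blocked on the outer lock and one overwrite is counted; with work submitted first, the record stays intact.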

