| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250910104806.Jkzd5ya1@linutronix.de> Date: Wed, 10 Sep 2025 12:48:06 +0200 From: Sebastian Andrzej Siewior <bigeasy@...utronix.de> To: Thomas Gleixner <tglx@...utronix.de> Cc: Jens Axboe <axboe@...nel.dk>, Peter Zijlstra <peterz@...radead.org>, syzbot <syzbot+034246a838a10d181e78@...kaller.appspotmail.com>, andrealmeid@...lia.com, dave@...olabs.net, dvhart@...radead.org, linux-kernel@...r.kernel.org, mingo@...hat.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] futex: Prevent use-after-free during requeue-PI On 2025-09-10 12:42:45 [+0200], To Thomas Gleixner wrote: > --- a/kernel/futex/requeue.c > +++ b/kernel/futex/requeue.c > @@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, > futex_hash_get(hb); > q->drop_hb_ref = true; > q->lock_ptr = &hb->lock; > + task = READ_ONCE(q->task); > > /* Signal locked state to the waiter */ > futex_requeue_pi_complete(q, 1); once understood, adding an mdelay(500) here greatly improves the chances to trigger. futex_requeue_pi_complete() uses atomic_try_cmpxchg() which has full ordering. This means that the q->drop_hb_ref assignment earlier is visible to the other thread after that cmpxchg, correct? > - wake_up_state(q->task, TASK_NORMAL); > + wake_up_state(task, TASK_NORMAL); > } Sebastian
Powered by blists - more mailing lists