From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Darren Hart <dvhart@linux.intel.com>,
juri.lelli@arm.com, bigeasy@linutronix.de, xlpang@redhat.com,
rostedt@goodmis.org, mathieu.desnoyers@efficios.com,
jdesfossez@efficios.com, dvhart@infradead.org,
bristot@redhat.com, Thomas Gleixner <tglx@linutronix.de>
Subject: [PATCH 4.4 27/28] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
Date: Mon, 20 Mar 2017 18:49:22 +0100 [thread overview]
Message-ID: <20170320174720.286084019@linuxfoundation.org> (raw)
In-Reply-To: <20170320174718.794407270@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
While working on the futex code, I stumbled over this potential
use-after-free scenario. Dmitry triggered it later with syzkaller.
pi_mutex is a pointer into pi_state, which we drop the reference on in
unqueue_me_pi(). So any access to that pointer after that is bad.
Since other sites already do rt_mutex_unlock() with hb->lock held, see
for example futex_lock_pi(), simply move the unlock before
unqueue_me_pi().
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2690,7 +2690,6 @@ static int futex_wait_requeue_pi(u32 __u
{
struct hrtimer_sleeper timeout, *to = NULL;
struct rt_mutex_waiter rt_waiter;
- struct rt_mutex *pi_mutex = NULL;
struct futex_hash_bucket *hb;
union futex_key key2 = FUTEX_KEY_INIT;
struct futex_q q = futex_q_init;
@@ -2782,6 +2781,8 @@ static int futex_wait_requeue_pi(u32 __u
spin_unlock(q.lock_ptr);
}
} else {
+ struct rt_mutex *pi_mutex;
+
/*
* We have been woken up by futex_unlock_pi(), a timeout, or a
* signal. futex_unlock_pi() will not destroy the lock_ptr nor
@@ -2805,18 +2806,19 @@ static int futex_wait_requeue_pi(u32 __u
if (res)
ret = (res < 0) ? res : 0;
+ /*
+ * If fixup_pi_state_owner() faulted and was unable to handle
+ * the fault, unlock the rt_mutex and return the fault to
+ * userspace.
+ */
+ if (ret && rt_mutex_owner(pi_mutex) == current)
+ rt_mutex_unlock(pi_mutex);
+
/* Unqueue and drop the lock. */
unqueue_me_pi(&q);
}
- /*
- * If fixup_pi_state_owner() faulted and was unable to handle the
- * fault, unlock the rt_mutex and return the fault to userspace.
- */
- if (ret == -EFAULT) {
- if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
- rt_mutex_unlock(pi_mutex);
- } else if (ret == -EINTR) {
+ if (ret == -EINTR) {
/*
* We've already been requeued, but cannot restart by calling
* futex_lock_pi() directly. We could restart this syscall, but
next prev parent reply other threads:[~2017-03-20 17:51 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 17:48 [PATCH 4.4 00/28] 4.4.56-stable review Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 01/28] netlink: remove mmapped netlink support Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 02/28] [PATCH 04/41] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 03/28] [PATCH 05/41] vti6: return GRE_KEY for vti6 Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 04/28] ipv4: mask tos for input route Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 06/28] net: dont call strlen() on the user buffer in packet_bind_spkt() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 07/28] net: net_enable_timestamp() can be called from irq contexts Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 08/28] dccp: Unlock sock before calling sk_free() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 09/28] tcp: fix various issues for sockets morphing to listen state Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 10/28] net: fix socket refcounting in skb_complete_wifi_ack() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 11/28] net: fix socket refcounting in skb_complete_tx_timestamp() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 12/28] dccp: fix use-after-free in dccp_feat_activate_values Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 13/28] vrf: Fix use-after-free in vrf_xmit Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 14/28] uapi: fix linux/packet_diag.h userspace compilation error Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 16/28] mpls: Send route delete notifications when router module is unloaded Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 17/28] ipv6: make ECMP route replacement less greedy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 18/28] ipv6: avoid write to a possibly cloned skb Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 19/28] bridge: drop netfilter fake rtable unconditionally Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 21/28] dccp: fix memory leak during tear-down of unsuccessful connection request Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 22/28] net sched actions: decrement module reference count after table flush Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 23/28] fscrypt: fix renaming and linking special files Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 24/28] fscrypto: lock inode while setting encryption policy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 25/28] x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 26/28] x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman [this message]
2017-03-20 17:49 ` [PATCH 4.4 28/28] futex: Add missing error handling to FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-21 0:11 ` [PATCH 4.4 00/28] 4.4.56-stable review Shuah Khan
2017-03-21 2:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170320174720.286084019@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bigeasy@linutronix.de \
--cc=bristot@redhat.com \
--cc=dvhart@infradead.org \
--cc=dvhart@linux.intel.com \
--cc=dvyukov@google.com \
--cc=jdesfossez@efficios.com \
--cc=juri.lelli@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=xlpang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.