From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Gratian Crisan <gratian.crisan@ni.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
dvhart@infradead.org,
syzbot
<bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765@syzkaller.appspotmail.com>,
syzkaller-bugs@googlegroups.com, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.13 33/36] futex: Fix more put_pi_state() vs. exit_pi_state_list() races
Date: Mon, 6 Nov 2017 10:12:46 +0100 [thread overview]
Message-ID: <20171106085048.524762622@linuxfoundation.org> (raw)
In-Reply-To: <20171106085047.005824077@linuxfoundation.org>
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 153fbd1226fb30b8630802aa5047b8af5ef53c9f upstream.
Dmitry (through syzbot) reported being able to trigger the WARN in
get_pi_state() and a use-after-free on:
raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
Both are due to this race:
exit_pi_state_list() put_pi_state()
lock(&curr->pi_lock)
while() {
pi_state = list_first_entry(head);
hb = hash_futex(&pi_state->key);
unlock(&curr->pi_lock);
dec_and_test(&pi_state->refcount);
lock(&hb->lock)
lock(&pi_state->pi_mutex.wait_lock) // uaf if pi_state free'd
lock(&curr->pi_lock);
....
unlock(&curr->pi_lock);
get_pi_state(); // WARN; refcount==0
The problem is we take the reference count too late, and don't allow it
being 0. Fix it by using inc_not_zero() and simply retrying the loop
when we fail to get a refcount. In that case put_pi_state() should
remove the entry from the list.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Gratian Crisan <gratian.crisan@ni.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: dvhart@infradead.org
Cc: syzbot <bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765@syzkaller.appspotmail.com>
Cc: syzkaller-bugs@googlegroups.com
Fixes: c74aef2d06a9 ("futex: Fix pi_state->owner serialization")
Link: http://lkml.kernel.org/r/20171031101853.xpfh72y643kdfhjs@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -901,11 +901,27 @@ void exit_pi_state_list(struct task_stru
*/
raw_spin_lock_irq(&curr->pi_lock);
while (!list_empty(head)) {
-
next = head->next;
pi_state = list_entry(next, struct futex_pi_state, list);
key = pi_state->key;
hb = hash_futex(&key);
+
+ /*
+ * We can race against put_pi_state() removing itself from the
+ * list (a waiter going away). put_pi_state() will first
+ * decrement the reference count and then modify the list, so
+ * its possible to see the list entry but fail this reference
+ * acquire.
+ *
+ * In that case; drop the locks to let put_pi_state() make
+ * progress and retry the loop.
+ */
+ if (!atomic_inc_not_zero(&pi_state->refcount)) {
+ raw_spin_unlock_irq(&curr->pi_lock);
+ cpu_relax();
+ raw_spin_lock_irq(&curr->pi_lock);
+ continue;
+ }
raw_spin_unlock_irq(&curr->pi_lock);
spin_lock(&hb->lock);
@@ -916,8 +932,10 @@ void exit_pi_state_list(struct task_stru
* task still owns the PI-state:
*/
if (head->next != next) {
+ /* retain curr->pi_lock for the loop invariant */
raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
spin_unlock(&hb->lock);
+ put_pi_state(pi_state);
continue;
}
@@ -925,9 +943,8 @@ void exit_pi_state_list(struct task_stru
WARN_ON(list_empty(&pi_state->list));
list_del_init(&pi_state->list);
pi_state->owner = NULL;
- raw_spin_unlock(&curr->pi_lock);
- get_pi_state(pi_state);
+ raw_spin_unlock(&curr->pi_lock);
raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
spin_unlock(&hb->lock);
next prev parent reply other threads:[~2017-11-06 9:19 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 9:12 [PATCH 4.13 00/36] 4.13.12-stable review Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 01/36] ALSA: timer: Add missing mutex lock for compat ioctls Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 02/36] ALSA: seq: Fix nested rwsem annotation for lockdep splat Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 03/36] cifs: check MaxPathNameComponentLength != 0 before using it Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 04/36] KEYS: return full count in keyring_read() if buffer is too small Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 05/36] KEYS: trusted: fix writing past end of buffer in trusted_read() Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 06/36] KEYS: fix out-of-bounds read during ASN.1 parsing Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 07/36] ASoC: adau17x1: Workaround for noise bug in ADC Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 08/36] virtio_blk: Fix an SG_IO regression Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 09/36] PM / QoS: Fix device resume latency PM QoS Greg Kroah-Hartman
2017-11-07 0:51 ` Rafael J. Wysocki
2017-11-07 10:32 ` Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 10/36] PM / QoS: Fix default runtime_pm device resume latency Greg Kroah-Hartman
2017-11-07 0:51 ` Rafael J. Wysocki
2017-11-06 9:12 ` [PATCH 4.13 11/36] arm64: ensure __dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 12/36] KVM: arm64: its: Fix missing dynamic allocation check in scan_its_table Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 13/36] arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 14/36] arm/arm64: kvm: Disable branch profiling in HYP code Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 15/36] ARM: dts: mvebu: pl310-cache disable double-linefill Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 16/36] ARM: 8715/1: add a private asm/unaligned.h Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 17/36] drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 18/36] drm/amdgpu: allow harvesting check for Polaris VCE Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 19/36] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 20/36] ocfs2: fstrim: Fix start offset of first cluster group during fstrim Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 21/36] fs/hugetlbfs/inode.c: fix hwpoison reserve accounting Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 22/36] mm, swap: fix race between swap count continuation operations Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 25/36] Revert "powerpc64/elfv1: Only dereference function descriptor for non-text symbols" Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 26/36] MIPS: bpf: Fix a typo in build_one_insn() Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 28/36] MIPS: microMIPS: Fix incorrect mask in insn_table_MM Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 29/36] MIPS: SMP: Fix deadlock & online race Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 30/36] Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"" Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 31/36] x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 32/36] powerpc/kprobes: Dereference function pointers only if the address does not belong to kernel text Greg Kroah-Hartman
2017-11-06 9:12 ` Greg Kroah-Hartman [this message]
2017-11-06 9:12 ` [PATCH 4.13 34/36] perf/cgroup: Fix perf cgroup hierarchy support Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 36/36] irqchip/irq-mvebu-gicp: Add missing spin_lock init Greg Kroah-Hartman
2017-11-06 9:12 ` Greg Kroah-Hartman
2017-11-06 21:18 ` [PATCH 4.13 00/36] 4.13.12-stable review Guenter Roeck
2017-11-06 23:27 ` Shuah Khan
2017-11-07 10:33 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2017-11-06 9:12 [4.13,35/36] x86/mcelog: Get rid of RCU remnants Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 35/36] " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106085048.524762622@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765@syzkaller.appspotmail.com \
--cc=dvhart@infradead.org \
--cc=dvyukov@google.com \
--cc=gratian.crisan@ni.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.