From: Thomas Gleixner <tglx@linutronix.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Dave Jones <davej@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Darren Hart <darren@dvhart.com>,
Davidlohr Bueso <davidlohr@hp.com>,
Ingo Molnar <mingo@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Clark Williams <williams@redhat.com>,
Paul McKenney <paulmck@linux.vnet.ibm.com>,
Lai Jiangshan <laijs@cn.fujitsu.com>,
Roland McGrath <roland@hack.frob.com>,
Carlos ODonell <carlos@redhat.com>,
Jakub Jelinek <jakub@redhat.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Subject: [patch 3/3] futex: Prevent attaching to kernel threads
Date: Mon, 12 May 2014 20:45:35 -0000
Message-ID: <20140512201701.194824402@linutronix.de>
In-Reply-To: 20140512190438.314125476@linutronix.de
We happily allow userspace to declare a random kernel thread to be the
owner of a user space PI futex.
Found while analysing the fallout of Dave Jones' syscall fuzzer.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---
kernel/futex.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: linux-2.6/kernel/futex.c
===================================================================
--- linux-2.6.orig/kernel/futex.c
+++ linux-2.6/kernel/futex.c
@@ -682,6 +682,8 @@ static struct task_struct * futex_find_g
p = find_task_by_vpid(pid);
if (p)
get_task_struct(p);
+ else
+ p = NULL;
rcu_read_unlock();
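Review bot: the added `else p = NULL;` in futex_find_get_task() is a no-op and should be dropped. The else branch is only reached when `if (p)` was false, i.e. when `p` is already NULL, so the assignment changes nothing; the hunk adds two lines without altering behaviour and reads like a leftover from debugging. If the intent was to report the failed lookup differently, return an error pointer the caller checks instead; otherwise the fix is entirely in the lookup_pi_state() hunk and this one can go.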
@@ -814,6 +816,11 @@ lookup_pi_state(u32 uval, struct futex_h
if (!p)
return -ESRCH;
+ if (!p->mm) {
+ put_task_struct(p);
+ return -EPERM;
+ }
+
/*
* We need to look at the task state flags to figure out,
* whether the task is exiting. To protect against the do_exit
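Review bot: the new `!p->mm` check in lookup_pi_state() needs a one-line comment stating why it is there, since the surrounding code documents each of its checks and a bare `mm` test does not explain itself: a task without an mm is a kernel thread, which cannot have touched the user space futex word and so must never be installed as the owner of a user space PI futex. Two further points for the same lines: first, `p->mm` is read here without task_lock(), so a user task that is in the middle of exiting (where exit_mm() has already cleared `mm`) is now rejected with -EPERM before it reaches the exiting-task handling that the comment directly below describes; that looks benign because the task is going away anyway, but it is worth saying so in the comment rather than leaving the reader to work it out. Second, the reference taken by get_task_struct() in futex_find_get_task() is correctly released with put_task_struct() before the early return, which matches the existing -ESRCH path; since -EPERM is a new error return for this syscall and the man pages maintainer is on Cc, the futex(2) page should gain a sentence for it.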