Date: Thu, 1 Dec 2016 06:34:27 +0100
From: Peter Zijlstra
To: Darren Hart
Cc: Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
Message-ID: <20161201053427.GD3092@twins.programming.kicks-ass.net>
In-Reply-To: <20161201045530.GA124104@f23x64.localdomain>
References: <20161124144235.GD3124@twins.programming.kicks-ass.net> <20161124153808.GH3092@twins.programming.kicks-ass.net> <20161201045530.GA124104@f23x64.localdomain>

On Wed, Nov 30, 2016 at 08:55:30PM -0800, Darren Hart wrote:
> On Thu, Nov 24, 2016 at 04:38:08PM +0100, Peter Zijlstra wrote:
> > > In this path the fixup can return -EFAIL as well, so it should drop rtmutex
> > > too if it owns it. We should move the rtmutex drop into the fixup functions...
> >
> > Urgh, so I would really like to avoid doing that, I'll have to instantly
> > drag it back out again :/
>
> Why would you have to drag it back out again? Something else you're working on?

Yeah, the very reason I've been staring at this mess in the first place :-)

So I could point you at the patches; and I will, see:

  https://lkml.kernel.org/r/20161021122735.GA3117@twins.programming.kicks-ass.net

but the TL;DR version is that we must not rt_mutex_unlock() while holding
hb->lock, because on RT hb->lock is itself a rt_mutex which gives rise to
some very fun prio inversions.
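The ordering rule Peter states above (never rt_mutex_unlock() while hb->lock is held, because on PREEMPT_RT a spinlock such as hb->lock is itself a sleeping rt_mutex) is easy to violate by accident when the rtmutex drop is moved into a fixup function that runs under hb->lock. The following is an added example, not kernel code and not part of this thread: a small user-space model of a task's held-lock stack with a check that flags exactly that ordering. All names (task_model, error_path, LOCK_HB, LOCK_RTMUTEX) are hypothetical; the two error-path orderings are a model of the alternatives discussed, not a transcription of futex.c.

```c
/* Added example: a user-space model of the rule "do not rt_mutex_unlock()
 * while holding hb->lock on PREEMPT_RT". Hypothetical names; this models
 * the lock ordering, it does not reproduce kernel/futex.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum lock_kind { LOCK_HB, LOCK_RTMUTEX };

#define MAX_HELD 8

/* One task: the locks it currently holds, oldest first. */
struct task_model {
    enum lock_kind held[MAX_HELD];
    int nheld;
    bool rt;                 /* true: model PREEMPT_RT, hb->lock is an rt_mutex */
    const char *violation;   /* first ordering violation seen, or NULL */
};

static void model_lock(struct task_model *t, enum lock_kind k)
{
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = k;
}

static bool holds(const struct task_model *t, enum lock_kind k)
{
    for (int i = 0; i < t->nheld; i++)
        if (t->held[i] == k)
            return true;
    return false;
}

static void model_unlock(struct task_model *t, enum lock_kind k)
{
    /* Releasing a PI rt_mutex may deboost the owner and wake a waiter.
     * Doing that while hb->lock is held is only a problem when hb->lock
     * is itself an rt_mutex, i.e. on RT; that is the case flagged here. */
    if (k == LOCK_RTMUTEX && t->rt && holds(t, LOCK_HB) && !t->violation)
        t->violation = "rt_mutex_unlock() while holding hb->lock on RT";

    /* Remove the most recent instance of k from the held-lock list. */
    for (int i = t->nheld - 1; i >= 0; i--) {
        if (t->held[i] == k) {
            for (int j = i; j < t->nheld - 1; j++)
                t->held[j] = t->held[j + 1];
            t->nheld--;
            return;
        }
    }
}

/* Model of the error path under discussion: the waiter owns the rt_mutex
 * after the requeue, fixup fails, so the rt_mutex has to be dropped again.
 * Returns NULL when the ordering is acceptable, else a description. */
static const char *error_path(bool rt, bool unlock_rtmutex_inside_fixup)
{
    struct task_model t = { .rt = rt };

    model_lock(&t, LOCK_HB);        /* hb->lock taken */
    model_lock(&t, LOCK_RTMUTEX);   /* pi_state->pi_mutex owned after requeue */

    if (unlock_rtmutex_inside_fixup) {
        /* "move the rtmutex drop into the fixup functions":
         * fixup runs with hb->lock still held */
        model_unlock(&t, LOCK_RTMUTEX);
        model_unlock(&t, LOCK_HB);
    } else {
        /* drop hb->lock first, then the rt_mutex */
        model_unlock(&t, LOCK_HB);
        model_unlock(&t, LOCK_RTMUTEX);
    }
    return t.violation;
}

int main(void)
{
    const char *v;

    v = error_path(true, true);
    printf("RT, rt_mutex dropped inside fixup:      %s\n", v ? v : "ok");
    v = error_path(true, false);
    printf("RT, rt_mutex dropped after hb->lock:    %s\n", v ? v : "ok");
    v = error_path(false, true);
    printf("non-RT, rt_mutex dropped inside fixup:  %s\n", v ? v : "ok");
    return 0;
}
```

The model makes the asymmetry visible: the same unlock order that is harmless with a spinning hb->lock (non-RT) is the inversion Peter describes once hb->lock becomes an rt_mutex under RT, which is why the drop has to happen after hb->lock is released rather than inside a fixup function that runs under it.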