On Fri, 2009-08-07 at 15:20 -0700, Darren Hart wrote:
> From: Darren Hart <dvhltc@xxxxxxxxxx>
>
> If futex_requeue(requeue_pi=1) finds a futex_q that was created by a call
> other than futex_wait_requeue_pi(), the q.rt_waiter may be null. If so,
> this will result in an oops from the following call graph:
>
> futex_requeue()
>   rt_mutex_start_proxy_lock()
>     task_blocks_on_rt_mutex()
>       waiter->task dereference
>       OOPS
>
> We currently WARN_ON() if this is detected; clearly this is inadequate.
> If we detect a mispairing in futex_requeue(), bail out, sending -EINVAL to
> user-space.
>
> V2: Fix parenthesis warnings.
>
> Signed-off-by: Darren Hart <dvhltc@xxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>

Acked-by: Peter Zijlstra <peterz@xxxxxxxxxxxxx>

> Cc: Steven Rostedt <rostedt@xxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxx>
> CC: Eric Dumazet <eric.dumazet@xxxxxxxxx>
> CC: Dinakar Guniguntala <dino@xxxxxxxxxx>
> CC: John Stultz <johnstul@xxxxxxxxxx>
> ---
>
> kernel/futex.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
>
> diff --git a/kernel/futex.c b/kernel/futex.c
> index df30983..4705d89 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1306,8 +1306,15 @@ retry_private:
> if (!match_futex(&this->key, &key1))
> continue;
>
> - WARN_ON(!requeue_pi && this->rt_waiter);
> - WARN_ON(requeue_pi && !this->rt_waiter);
> + /*
> + * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
> + * be paired with each other and no other futex ops.
> + */
> + if ((requeue_pi && !this->rt_waiter) ||
> + (!requeue_pi && this->rt_waiter)) {
> + ret = -EINVAL;
> + break;
> + }
>
> /*
> * Wake nr_wake waiters. For requeue_pi, if we acquired the
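Review bot: the new comment in this hunk misspells the opcode as FUTEX_WAIT_REQEUE_PI; it should read FUTEX_WAIT_REQUEUE_PI so it matches the real name and is greppable. Separately, the `break` leaves the loop with ret = -EINVAL but the hunk does not show the post-loop path: confirm that the function actually returns ret in that case rather than the count of woken or requeued tasks, and that anything acquired earlier in the requeue_pi path before the loop is released on this early exit, otherwise the mispaired call would leak it. Replacing the WARN_ON() with an -EINVAL return is the right direction, since a mispaired futex op from user-space could otherwise reach the NULL waiter->task dereference described in the changelog.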