Commit ccf9e6a8 authored by Thomas Gleixner's avatar Thomas Gleixner

futex: Make unlock_pi more robust

The kernel tries to atomically unlock the futex without checking
whether there is kernel state associated to the futex.

So if user space manipulated the user space value, this will leave
kernel internal state around associated to the owner task. 

For robustness sake, lookup first whether there are waiters on the
futex. If there are waiters, wake the top priority waiter with all the
proper sanity checks applied.

If there are no waiters, do the atomic release. We do not have to
preserve the waiters bit in this case, because a potentially incoming
waiter is blocked on the hb->lock and will acquire the futex
atomically. We neither have to preserve the owner died bit. The caller
is the owner and it was supposed to cleanup the mess.
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Kees Cook <kees@outflux.net>
Cc: wad@chromium.org
Link: http://lkml.kernel.org/r/20140611204237.016987332@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
parent 67792e2c
...@@ -1186,22 +1186,6 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) ...@@ -1186,22 +1186,6 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
return 0; return 0;
} }
static int unlock_futex_pi(u32 __user *uaddr, u32 uval)
{
u32 uninitialized_var(oldval);
/*
* There is no waiter, so we unlock the futex. The owner died
* bit has not to be preserved here. We are the owner:
*/
if (cmpxchg_futex_value_locked(&oldval, uaddr, uval, 0))
return -EFAULT;
if (oldval != uval)
return -EAGAIN;
return 0;
}
/* /*
* Express the locking dependencies for lockdep: * Express the locking dependencies for lockdep:
*/ */
...@@ -2401,10 +2385,10 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags, int detect, ...@@ -2401,10 +2385,10 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags, int detect,
*/ */
static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags) static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
{ {
struct futex_hash_bucket *hb; u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
struct futex_q *this, *next;
union futex_key key = FUTEX_KEY_INIT; union futex_key key = FUTEX_KEY_INIT;
u32 uval, vpid = task_pid_vnr(current); struct futex_hash_bucket *hb;
struct futex_q *match;
int ret; int ret;
retry: retry:
...@@ -2417,57 +2401,47 @@ static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags) ...@@ -2417,57 +2401,47 @@ static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
return -EPERM; return -EPERM;
ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE); ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
if (unlikely(ret != 0)) if (ret)
goto out; return ret;
hb = hash_futex(&key); hb = hash_futex(&key);
spin_lock(&hb->lock); spin_lock(&hb->lock);
/* /*
* To avoid races, try to do the TID -> 0 atomic transition * Check waiters first. We do not trust user space values at
* again. If it succeeds then we can return without waking * all and we at least want to know if user space fiddled
* anyone else up. We only try this if neither the waiters nor * with the futex value instead of blindly unlocking.
* the owner died bit are set.
*/ */
if (!(uval & ~FUTEX_TID_MASK) && match = futex_top_waiter(hb, &key);
cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) if (match) {
goto pi_faulted; ret = wake_futex_pi(uaddr, uval, match);
/* /*
* Rare case: we managed to release the lock atomically, * The atomic access to the futex value generated a
* no need to wake anyone else up: * pagefault, so retry the user-access and the wakeup:
*/
if (unlikely(uval == vpid))
goto out_unlock;
/*
* Ok, other tasks may need to be woken up - check waiters
* and do the wakeup if necessary:
*/
plist_for_each_entry_safe(this, next, &hb->chain, list) {
if (!match_futex (&this->key, &key))
continue;
ret = wake_futex_pi(uaddr, uval, this);
/*
* The atomic access to the futex value
* generated a pagefault, so retry the
* user-access and the wakeup:
*/ */
if (ret == -EFAULT) if (ret == -EFAULT)
goto pi_faulted; goto pi_faulted;
goto out_unlock; goto out_unlock;
} }
/* /*
* No waiters - kernel unlocks the futex: * We have no kernel internal state, i.e. no waiters in the
* kernel. Waiters which are about to queue themselves are stuck
* on hb->lock. So we can safely ignore them. We do neither
* preserve the WAITERS bit not the OWNER_DIED one. We are the
* owner.
*/ */
ret = unlock_futex_pi(uaddr, uval); if (cmpxchg_futex_value_locked(&curval, uaddr, uval, 0))
if (ret == -EFAULT)
goto pi_faulted; goto pi_faulted;
/*
* If uval has changed, let user space handle it.
*/
ret = (curval == uval) ? 0 : -EAGAIN;
out_unlock: out_unlock:
spin_unlock(&hb->lock); spin_unlock(&hb->lock);
put_futex_key(&key); put_futex_key(&key);
out:
return ret; return ret;
pi_faulted: pi_faulted:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment