* [PATCH] futex:fix robust futex alignment exception
@ 2019-03-15 3:44 chenjie6
2019-03-15 8:41 ` Peter Zijlstra
2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie
0 siblings, 2 replies; 6+ messages in thread
From: chenjie6 @ 2019-03-15 3:44 UTC (permalink / raw)
To: linux-kernel; +Cc: dvhart, peterz, mingo, tglx, zengweilin, chen jie
From: chen jie <chenjie6@huawei.com>
trinity test bug fix:
/tmp/trinity --children 4 --quiet -N 10000000 --logging=off -X -x perf_event_open --enable-fds=testfile
[1542.195981] Task track: trinity-c3(6911)>trinity-main(28313)>sh(839)>bash(824)>sshd(820)>sshd(662)>init(1)
[11542.214694] Alignment trap: not handling instruction e1915f9f at [<c017b1d4>]
[11542.214724] Unhandled fault: alignment exception (0x011) at 0x000265f9
[11542.214749] pgd = edde0000
[11542.214774] [000265f9] *pgd=84aa9831, *pte=bc10359f, *ppte=bc103e7e
[11542.214851] Internal error: : 11 [#1] SMP ARM
[11542.214857] Modules linked in: rtos_snapshot(O) rsm(O) nfsv3 veth(O) pthread_lsof(O) higmac(O) comm(O) nand mtdblock mtd_blkdevs nand_ecc nand_ids pramdisk(O) rtos_kbox_panic(O) double_cluster(O) uart_suspend(O) cache_ops(O) nfsd nfs_acl exportfs auth_rpcgss nfs lockd sunrpc oid_registry grace physmap cfi_probe cfi_cmdset_0002 cfi_util mtd gen_probe chipreg ohci_platform ehci_platform ohci_hcd ehci_hcd usb_device_hisi(O) vfat fat sd_mod enable_uart_rx(O) [last unloaded: rtos_snapshot]
[11542.215042] CPU: 3 PID: 6911 Comm: trinity-c3 Tainted: G B W O 4.1.12 #1
[11542.215048] Hardware name: Hisilicon A9
[11542.215055] task: c3df8a20 ti: ebb2c000 task.ti: ebb2c000
[11542.215071] PC is at cmpxchg_futex_value_locked+0x44/0x88
[11542.215081] LR is at handle_futex_death+0x78/0xcc
[11542.215090] pc : [<c017b1d4>] lr : [<c017da50>] psr: 60000213
sp : ebb2dee4 ip : fffffff2 fp : fffffff2
[11542.215096] r10: 000238e3 r9 : 00000000 r8 : 00001000
[11542.215103] r7 : c3df8a20 r6 : 00000000 r5 : 00001aff r4 : ebb2def4
[11542.215110] r3 : 40000000 r2 : 00001aff r1 : 000265f9 r0 : 410265fc
[11542.215119] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[11542.215126] Control: 1ac5387d Table: ae7e004a DAC: 55555555
[11542.215133] Process trinity-c3 (pid: 6911, stack limit = 0xebb2c210)
[11542.215140] Stack: (0xebb2dee4 to 0xebb2e000)
[11542.215151] dee0: 000265f9 00001aff c017da50 000265f9 c3df8a20 b5ebc000 00000800
[11542.215161] df00: c3df8a20 00001000 00001000 c017dba8 c3df8a20 c399ef40 00000000 c3df8a20
[11542.215172] df20: c399ef40 c399ef40 000000f8 c0107b84 ebb2c000 00000001 0094d810 c011b40c
[11542.215182] df40: c3df8a20 c399ef40 c3df8a20 c399ef40 0094d830 c011f9a4 00000000 000000f8
[11542.215192] df60: c0107b84 c0197388 00002d16 ef1d3520 00000000 0094d830 000000f8 c0107b84
[11542.215203] df80: ebb2c000 00000200 0094d810 c0120250 00097d80 0094d8a4 0094d830 c01202a8
[11542.215213] dfa0: 00000000 c0107b6c 00097d80 0094d8a4 00000000 b6f0f4c0 b63ef000 00000000
[11542.215223] dfc0: 00097d80 0094d8a4 0094d830 000000f8 00000001 0094db88 0094db94 0094d810
[11542.215233] dfe0: 00097d64 be938310 00017a40 b6e1a340 60000210 00000000 00000000 00000000
[11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
[11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
[11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
[11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
[11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
[11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)
[11542.215321] Code: 0dc0e0e3 0a00001a 5bf07ff5 00f091f5 (9f5f91e1)
[11542.217918] CPU 1 will stop doing anything useful since another CPU has crashed
[11542.217924] CPU 0 will stop doing anything useful since another CPU has crashed
[11542.217930] CPU 2 will stop doing anything useful since another CPU has crashed
[11542.218626] Loading crashdump kernel...
[11542.218668] Bye!
Signed-off-by: chen jie <chenjie6@huawei.com>
---
kernel/futex.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/futex.c b/kernel/futex.c
index a0514e0..70231c4 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3440,6 +3440,9 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
{
u32 uval, uninitialized_var(nval), mval;
+ if (((unsigned long)uaddr & 0x3) > 0)
+ return -1;
+
retry:
if (get_user(uval, uaddr))
return -1;
--
1.8.3.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
2019-03-15 3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
@ 2019-03-15 8:41 ` Peter Zijlstra
2019-03-17 14:36 ` Thomas Gleixner
2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie
1 sibling, 1 reply; 6+ messages in thread
From: Peter Zijlstra @ 2019-03-15 8:41 UTC (permalink / raw)
To: chenjie6; +Cc: linux-kernel, dvhart, mingo, tglx, zengweilin
On Fri, Mar 15, 2019 at 03:44:38AM +0000, chenjie6@huawei.com wrote:
> From: chen jie <chenjie6@huawei.com>
> [11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
> [11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
> [11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
> [11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
> [11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
> [11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)
> Signed-off-by: chen jie <chenjie6@huawei.com>
Reviewed-by: Peter Zijlstra (Intel) <peterz@infradead.org>
However, should there not also be alignment tests on set_robust_list()?
Also; do_futex() should probably check uaddr and uaddr2.
That is; why aren't there any alignment tests anywhere? Or am I just
gone blind?
> ---
> kernel/futex.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/futex.c b/kernel/futex.c
> index a0514e0..70231c4 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -3440,6 +3440,9 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
> {
> u32 uval, uninitialized_var(nval), mval;
>
> + if (((unsigned long)uaddr & 0x3) > 0)
> + return -1;
> +
> retry:
> if (get_user(uval, uaddr))
> return -1;
> --
> 1.8.3.4
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
2019-03-15 8:41 ` Peter Zijlstra
@ 2019-03-17 14:36 ` Thomas Gleixner
2019-03-18 10:48 ` Peter Zijlstra
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Gleixner @ 2019-03-17 14:36 UTC (permalink / raw)
To: Peter Zijlstra; +Cc: chenjie6, linux-kernel, dvhart, mingo, zengweilin
On Fri, 15 Mar 2019, Peter Zijlstra wrote:
> On Fri, Mar 15, 2019 at 03:44:38AM +0000, chenjie6@huawei.com wrote:
> > From: chen jie <chenjie6@huawei.com>
>
> > [11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
> > [11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
> > [11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
> > [11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
> > [11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
> > [11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)
>
> > Signed-off-by: chen jie <chenjie6@huawei.com>
>
> Reviewed-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>
> However, should there not also be alignment tests on set_robust_list()?
>
> Also; do_futex() should probably check uaddr and uaddr2.
>
> That is; why aren't there any alignment tests anywhere? Or am I just
> gone blind?
uaddrs for the futex syscalls are checked in get_futex_key().
Thanks,
tglx
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
2019-03-17 14:36 ` Thomas Gleixner
@ 2019-03-18 10:48 ` Peter Zijlstra
2019-03-18 11:35 ` Chenjie (K)
0 siblings, 1 reply; 6+ messages in thread
From: Peter Zijlstra @ 2019-03-18 10:48 UTC (permalink / raw)
To: Thomas Gleixner; +Cc: chenjie6, linux-kernel, dvhart, mingo, zengweilin
On Sun, Mar 17, 2019 at 03:36:35PM +0100, Thomas Gleixner wrote:
> On Fri, 15 Mar 2019, Peter Zijlstra wrote:
> > That is; why aren't there any alignment tests anywhere? Or am I just
> > gone blind?
>
> uaddrs for the futex syscalls are checked in get_futex_key().
blind it is...
Thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
2019-03-18 10:48 ` Peter Zijlstra
@ 2019-03-18 11:35 ` Chenjie (K)
0 siblings, 0 replies; 6+ messages in thread
From: Chenjie (K) @ 2019-03-18 11:35 UTC (permalink / raw)
To: Peter Zijlstra, Thomas Gleixner; +Cc: linux-kernel, dvhart, mingo, zengweilin
The test case:
#include <stdio.h>
#include <linux/futex.h>
#include <syscall.h>
#include <unistd.h>
#include <stdlib.h>
int main()
{
char *p = malloc(128);
struct robust_list_head *ro1;
struct robust_list *entry;
struct robust_list *pending;
int ret = 0;
pid_t pid = getpid();
printf("p %p pid [%d] \n", p, pid);
ro1 = p;
entry = p + 20;
pending = p + 40;
ro1->list.next = entry;
ro1->list_op_pending = pending;
entry->next = &(ro1->list);
ro1->futex_offset = 41;
*((int *)((char *)entry + 41)) = pid;
printf(" entry + offert [%p] [%d] \n", (int *)((char *)entry + 41),
*((int *)((char *)entry + 41)));
ret = syscall(SYS_set_robust_list, ro1, 12);
printf("ret = [%d]\n", ret);
return 0;
}
and we test it on arm a9 platform
Alignment trap: not handling instruction e191ef9f at [<c018cf5c>]
Unhandled fault: alignment exception (0x011) at 0x01b1218d
pgd = c3b50000
[01b1218d] *pgd=843c8831, *pte=b831d75f, *ppte=b831dc7f
Internal error: : 11 [#1] SMP ARM
Modules linked in: nfsv3 veth(O) ping(O) nand mtdblock mtd_blkdevs
nand_ecc nand_ids gmac(O) pramdisk(O) rtos_kbox_panic(O)
rtos_snapshot(O) double_cluster(O) uart_suspend(O) rsm(O)
follow_huge_pfn(O) cache_ops(O) nfsd auth_rpcgss exportfs nfs_acl nfs
lockd sunrpc oid_registry grace physmap cfi_cmdset_0002 cfi_probe
cfi_util mtd gen_probe chipreg ohci_platform ehci_platform ohci_hcd
ehci_hcd vfat fat sd_mod enable_uart_rx(O)
CPU: 1 PID: 786 Comm: set_robust_list Tainted: G W O 4.4.171 #3
Hardware name: Hisilicon A9
task: ef0045e8 task.stack: c3b68000
PC is at cmpxchg_futex_value_locked+0x48/0xac
LR is at 0x42b12190
pc : [<c018cf5c>] lr : [<42b12190>] psr: 60070213
sp : c3b69ed8 ip : fffffff2 fp : c05d9eeb
r10: ffffe000 r9 : ef0045e8 r8 : 00000000
r7 : 01b12178 r6 : 00000312 r5 : 01b1218d r4 : ef0045e8
r3 : 40000000 r2 : 00000312 r1 : 01b1218d r0 : c3b69ee0
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 1ac5387d Table: 8455004a DAC: 55555555
Process set_robust_list (pid: 786, stack limit = 0xc3b68210)
Stack: (0xc3b69ed8 to 0xc3b6a000)
9ec0: c080e2a8
c018ff44
9ee0: 01b1218d dc8ba6ab 00000000 01b12164 01b12150 ef0045e8 01b12178
01b12150
9f00: 00000000 00000029 01b12178 c01900dc 00000800 00000000 ffffe000
00000000
9f20: ffffe000 ef0045e8 c2e6dc00 ffffe000 c2e6dc00 c01077a4 00000000
000000f8
9f40: b6fa2e30 c011afd8 ef0045e8 c2e6dc00 dc8ba6ab ef0045e8 c2e6dc00
ffffe000
9f60: ffffe000 c011f370 00000000 ef00486c ef00486c dc8ba6ab c38aed20
ffffe000
9f80: b6fa2e30 c0120d44 00000000 b6fa1500 00000000 000000f8 c01077a4
c0120e14
9fa0: b6fa1500 c0107790 b6fa1500 b6fa1500 00000000 00000000 0097fadd
00000000
9fc0: b6fa1500 b6fa1500 00000000 000000f8 00000000 00000001 b6fa6120
b6fa2e30
9fe0: 00000000 be80eb98 b6e8d4c8 b6efe53c 60070210 00000000 00000000
00000000
[<c018cf5c>] (cmpxchg_futex_value_locked) from [<c018ff44>]
(handle_futex_death+0xa8/0x110)
[<c018ff44>] (handle_futex_death) from [<c01900dc>]
(exit_robust_list+0x130/0x1b4)
[<c01900dc>] (exit_robust_list) from [<c011afd8>] (mm_release+0x1c/0x13c)
[<c011afd8>] (mm_release) from [<c011f370>] (do_exit+0x240/0x9b8)
[<c011f370>] (do_exit) from [<c0120d44>] (do_group_exit+0x58/0x108)
[<c0120d44>] (do_group_exit) from [<c0120e14> (__wake_up_parent+0x0/0x18)
Code: 0c40a011 0900001a 5bf07ff5 00f091f5 (9fef91e1)
On 2019/3/18 18:48, Peter Zijlstra wrote:
> On Sun, Mar 17, 2019 at 03:36:35PM +0100, Thomas Gleixner wrote:
>> On Fri, 15 Mar 2019, Peter Zijlstra wrote:
>
>>> That is; why aren't there any alignment tests anywhere? Or am I just
>>> gone blind?
>>
>> uaddrs for the futex syscalls are checked in get_futex_key().
>
> blind it is...
>
> Thanks!
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death()
2019-03-15 3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
2019-03-15 8:41 ` Peter Zijlstra
@ 2019-03-22 12:10 ` tip-bot for Chen Jie
1 sibling, 0 replies; 6+ messages in thread
From: tip-bot for Chen Jie @ 2019-03-22 12:10 UTC (permalink / raw)
To: linux-tip-commits
Cc: mingo, linux-kernel, dvhart, hpa, tglx, peterz, chenjie6, zengweilin
Commit-ID: 5a07168d8d89b00fe1760120714378175b3ef992
Gitweb: https://git.kernel.org/tip/5a07168d8d89b00fe1760120714378175b3ef992
Author: Chen Jie <chenjie6@huawei.com>
AuthorDate: Fri, 15 Mar 2019 03:44:38 +0000
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 22 Mar 2019 13:05:26 +0100
futex: Ensure that futex address is aligned in handle_futex_death()
The futex code requires that the user space addresses of futexes are 32bit
aligned. sys_futex() checks this in futex_get_keys() but the robust list
code has no alignment check in place.
As a consequence the kernel crashes on architectures with strict alignment
requirements in handle_futex_death() when trying to cmpxchg() on an
unaligned futex address which was retrieved from the robust list.
[ tglx: Rewrote changelog, proper sizeof() based alignement check and add
comment ]
Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Chen Jie <chenjie6@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <dvhart@infradead.org>
Cc: <peterz@infradead.org>
Cc: <zengweilin@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com
---
kernel/futex.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/futex.c b/kernel/futex.c
index c3b73b0311bc..9e40cf7be606 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3436,6 +3436,10 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
{
u32 uval, uninitialized_var(nval), mval;
+ /* Futex address must be 32bit aligned */
+ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
+ return -1;
+
retry:
if (get_user(uval, uaddr))
return -1;
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-03-22 12:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-15 3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
2019-03-15 8:41 ` Peter Zijlstra
2019-03-17 14:36 ` Thomas Gleixner
2019-03-18 10:48 ` Peter Zijlstra
2019-03-18 11:35 ` Chenjie (K)
2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.