From: Greg KH <greg@kroah.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>,
x86@kernel.org, mingo@redhat.com,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
h.zuidam@computer.org, stable@vger.kernel.org
Subject: Re: [RFC]: Possible race condition in kernel futex code
Date: Sat, 17 Oct 2015 17:23:17 -0700 [thread overview]
Message-ID: <20151018002317.GH18971@kroah.com> (raw)
In-Reply-To: <alpine.DEB.2.11.1510090946200.6097@nanos>
On Fri, Oct 09, 2015 at 10:06:41AM +0100, Thomas Gleixner wrote:
> On Mon, 5 Oct 2015, Jaccon Bastiaansen wrote:
> > We did some tests with different compilers, kernel versions and kernel
> > configs, with the following results:
> >
> > Linux 3.12.48, x86_64_defconfig, GCC 4.6.1 :
> > copy_user_generic_unrolled being used, so race condition possible
> > Linux 3.12.48, x86_64_defconfig, GCC 4.9.1 :
> > copy_user_generic_unrolled being used, so race condition possible
> > Linux 4.2.3, x86_64_defconfig, GCC 4.6.1 : 32 bit read being used, no
> > race condition
> > Linux 4.2.3, x86_64_defconfig, GCC 4.9.1 : 32 bit read being used, no
> > race condition
> >
> >
> > Our idea to fix this problem is use an explicit 32 bit read in
> > get_futex_value_locked() instead of using the generic function
> > copy_from_user_inatomic() and hoping the compiler uses an atomic
> > access and the right access size.
>
> You cannot use an explicit 32bit read. We need an access which handles
> the fault gracefully.
>
> In current mainline this is done proper:
>
> ret = __copy_from_user_inatomic(dst, src, size = sizeof(u32))
>
> __copy_from_user_nocheck(dst, src, size)
>
> if (!__builtin_constant_p(size))
> return copy_user_generic(dst, (__force void *)src, size);
>
> size is constant so we end up in the switch case
>
> switch(size) {
>
> case 4:
> __get_user_asm(*(u32 *)dst, (u32 __user *)src,
> ret, "l", "k", "=r", 4);
> return ret;
> ....
>
> In 3.12 this is different:
>
> __copy_from_user_inatomic()
> copy_user_generic()
> copy_user_generic_unrolled()
>
> So this is only an issue for kernel versions < 3.13. It was fixed with
>
> ff47ab4ff3cd: Add 1/2/4/8 byte optimization to 64bit __copy_{from,to}_user_inatomic
>
> but nobody noticed that the race you described can happen, so it was
> never backported to the stable kernels.
>
> @stable: Can you please pick up ff47ab4ff3cd plus
>
> df90ca969035d x86, sparse: Do not force removal of __user when calling copy_to/from_user_nocheck()
>
> for stable kernels <= 3.12?
>
> If that's too much of churn, then I can come up with an explicit fix
> for this. Let me know.
Now applied to 3.10-stable, thanks.
greg k-h
next prev parent reply other threads:[~2015-10-18 0:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-05 15:11 [RFC]: Possible race condition in kernel futex code Jaccon Bastiaansen
2015-10-09 9:06 ` Thomas Gleixner
2015-10-09 9:49 ` Hans Zuidam
2015-10-09 10:25 ` Thomas Gleixner
2015-10-09 11:35 ` Peter Zijlstra
2015-10-18 0:23 ` Greg KH [this message]
2016-05-15 22:34 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151018002317.GH18971@kroah.com \
--to=greg@kroah.com \
--cc=h.zuidam@computer.org \
--cc=hpa@zytor.com \
--cc=jaccon.bastiaansen@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.