linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] futex:fix robust futex alignment exception
@ 2019-03-15  3:44 chenjie6
  2019-03-15  8:41 ` Peter Zijlstra
  2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie
  0 siblings, 2 replies; 6+ messages in thread
From: chenjie6 @ 2019-03-15  3:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: dvhart, peterz, mingo, tglx, zengweilin, chen jie

From: chen jie <chenjie6@huawei.com>

trinity test bug fix:
/tmp/trinity --children 4 --quiet -N 10000000 --logging=off -X -x perf_event_open --enable-fds=testfile

[1542.195981] Task track: trinity-c3(6911)>trinity-main(28313)>sh(839)>bash(824)>sshd(820)>sshd(662)>init(1)
[11542.214694] Alignment trap: not handling instruction e1915f9f at [<c017b1d4>]
[11542.214724] Unhandled fault: alignment exception (0x011) at 0x000265f9
[11542.214749] pgd = edde0000
[11542.214774] [000265f9] *pgd=84aa9831, *pte=bc10359f, *ppte=bc103e7e
[11542.214851] Internal error: : 11 [#1] SMP ARM
[11542.214857] Modules linked in: rtos_snapshot(O) rsm(O) nfsv3 veth(O) pthread_lsof(O) higmac(O) comm(O) nand mtdblock mtd_blkdevs nand_ecc nand_ids pramdisk(O) rtos_kbox_panic(O) double_cluster(O) uart_suspend(O) cache_ops(O) nfsd nfs_acl exportfs auth_rpcgss nfs lockd sunrpc oid_registry grace physmap cfi_probe cfi_cmdset_0002 cfi_util mtd gen_probe chipreg ohci_platform ehci_platform ohci_hcd ehci_hcd usb_device_hisi(O) vfat fat sd_mod enable_uart_rx(O) [last unloaded: rtos_snapshot]
[11542.215042] CPU: 3 PID: 6911 Comm: trinity-c3 Tainted: G    B   W  O    4.1.12 #1
[11542.215048] Hardware name: Hisilicon A9
[11542.215055] task: c3df8a20 ti: ebb2c000 task.ti: ebb2c000
[11542.215071] PC is at cmpxchg_futex_value_locked+0x44/0x88
[11542.215081] LR is at handle_futex_death+0x78/0xcc
[11542.215090] pc : [<c017b1d4>]    lr : [<c017da50>]    psr: 60000213
sp : ebb2dee4  ip : fffffff2  fp : fffffff2
[11542.215096] r10: 000238e3  r9 : 00000000  r8 : 00001000
[11542.215103] r7 : c3df8a20  r6 : 00000000  r5 : 00001aff  r4 : ebb2def4
[11542.215110] r3 : 40000000  r2 : 00001aff  r1 : 000265f9  r0 : 410265fc
[11542.215119] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[11542.215126] Control: 1ac5387d  Table: ae7e004a  DAC: 55555555
[11542.215133] Process trinity-c3 (pid: 6911, stack limit = 0xebb2c210)
[11542.215140] Stack: (0xebb2dee4 to 0xebb2e000)
[11542.215151] dee0:          000265f9 00001aff c017da50 000265f9 c3df8a20 b5ebc000 00000800
[11542.215161] df00: c3df8a20 00001000 00001000 c017dba8 c3df8a20 c399ef40 00000000 c3df8a20
[11542.215172] df20: c399ef40 c399ef40 000000f8 c0107b84 ebb2c000 00000001 0094d810 c011b40c
[11542.215182] df40: c3df8a20 c399ef40 c3df8a20 c399ef40 0094d830 c011f9a4 00000000 000000f8
[11542.215192] df60: c0107b84 c0197388 00002d16 ef1d3520 00000000 0094d830 000000f8 c0107b84
[11542.215203] df80: ebb2c000 00000200 0094d810 c0120250 00097d80 0094d8a4 0094d830 c01202a8
[11542.215213] dfa0: 00000000 c0107b6c 00097d80 0094d8a4 00000000 b6f0f4c0 b63ef000 00000000
[11542.215223] dfc0: 00097d80 0094d8a4 0094d830 000000f8 00000001 0094db88 0094db94 0094d810
[11542.215233] dfe0: 00097d64 be938310 00017a40 b6e1a340 60000210 00000000 00000000 00000000
[11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
[11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
[11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
[11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
[11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
[11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)
[11542.215321] Code: 0dc0e0e3 0a00001a 5bf07ff5 00f091f5 (9f5f91e1)
[11542.217918] CPU 1 will stop doing anything useful since another CPU has crashed
[11542.217924] CPU 0 will stop doing anything useful since another CPU has crashed
[11542.217930] CPU 2 will stop doing anything useful since another CPU has crashed
[11542.218626] Loading crashdump kernel...
[11542.218668] Bye!

Signed-off-by: chen jie <chenjie6@huawei.com>
---
 kernel/futex.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index a0514e0..70231c4 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3440,6 +3440,9 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
 {
 	u32 uval, uninitialized_var(nval), mval;
 
+	if (((unsigned long)uaddr & 0x3) > 0)
+		return -1;
+
 retry:
 	if (get_user(uval, uaddr))
 		return -1;
-- 
1.8.3.4


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
  2019-03-15  3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
@ 2019-03-15  8:41 ` Peter Zijlstra
  2019-03-17 14:36   ` Thomas Gleixner
  2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie
  1 sibling, 1 reply; 6+ messages in thread
From: Peter Zijlstra @ 2019-03-15  8:41 UTC (permalink / raw)
  To: chenjie6; +Cc: linux-kernel, dvhart, mingo, tglx, zengweilin

On Fri, Mar 15, 2019 at 03:44:38AM +0000, chenjie6@huawei.com wrote:
> From: chen jie <chenjie6@huawei.com>

> [11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
> [11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
> [11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
> [11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
> [11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
> [11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)

> Signed-off-by: chen jie <chenjie6@huawei.com>

Reviewed-by: Peter Zijlstra (Intel) <peterz@infradead.org>

However, should there not also be alignment tests on set_robust_list()?

Also; do_futex() should probably check uaddr and uaddr2.

That is; why aren't there any alignment tests anywhere? Or am I just
gone blind?

> ---
>  kernel/futex.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index a0514e0..70231c4 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -3440,6 +3440,9 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
>  {
>  	u32 uval, uninitialized_var(nval), mval;
>  
> +	if (((unsigned long)uaddr & 0x3) > 0)
> +		return -1;
> +
>  retry:
>  	if (get_user(uval, uaddr))
>  		return -1;
> -- 
> 1.8.3.4
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
  2019-03-15  8:41 ` Peter Zijlstra
@ 2019-03-17 14:36   ` Thomas Gleixner
  2019-03-18 10:48     ` Peter Zijlstra
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Gleixner @ 2019-03-17 14:36 UTC (permalink / raw)
  To: Peter Zijlstra; +Cc: chenjie6, linux-kernel, dvhart, mingo, zengweilin

On Fri, 15 Mar 2019, Peter Zijlstra wrote:

> On Fri, Mar 15, 2019 at 03:44:38AM +0000, chenjie6@huawei.com wrote:
> > From: chen jie <chenjie6@huawei.com>
> 
> > [11542.215247] [<c017b1d4>] (cmpxchg_futex_value_locked) from [<c017da50>] (handle_futex_death+0x78/0xcc)
> > [11542.215259] [<c017da50>] (handle_futex_death) from [<c017dba8>] (exit_robust_list+0x104/0x160)
> > [11542.215273] [<c017dba8>] (exit_robust_list) from [<c011b40c>] (mm_release+0x1c/0x108)
> > [11542.215287] [<c011b40c>] (mm_release) from [<c011f9a4>] (do_exit+0x218/0x9a4)
> > [11542.215299] [<c011f9a4>] (do_exit) from [<c0120250>] (do_group_exit+0xac/0xf4)
> > [11542.215311] [<c0120250>] (do_group_exit) from [<c01202a8>] (__wake_up_parent+0x0/0x18)
> 
> > Signed-off-by: chen jie <chenjie6@huawei.com>
> 
> Reviewed-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> 
> However, should there not also be alignment tests on set_robust_list()?
> 
> Also; do_futex() should probably check uaddr and uaddr2.
> 
> That is; why aren't there any alignment tests anywhere? Or am I just
> gone blind?

uaddrs for the futex syscalls are checked in get_futex_key().

Thanks,

	tglx

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
  2019-03-17 14:36   ` Thomas Gleixner
@ 2019-03-18 10:48     ` Peter Zijlstra
  2019-03-18 11:35       ` Chenjie (K)
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Zijlstra @ 2019-03-18 10:48 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: chenjie6, linux-kernel, dvhart, mingo, zengweilin

On Sun, Mar 17, 2019 at 03:36:35PM +0100, Thomas Gleixner wrote:
> On Fri, 15 Mar 2019, Peter Zijlstra wrote:

> > That is; why aren't there any alignment tests anywhere? Or am I just
> > gone blind?
> 
> uaddrs for the futex syscalls are checked in get_futex_key().

blind it is...

Thanks!

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] futex:fix robust futex alignment exception
  2019-03-18 10:48     ` Peter Zijlstra
@ 2019-03-18 11:35       ` Chenjie (K)
  0 siblings, 0 replies; 6+ messages in thread
From: Chenjie (K) @ 2019-03-18 11:35 UTC (permalink / raw)
  To: Peter Zijlstra, Thomas Gleixner; +Cc: linux-kernel, dvhart, mingo, zengweilin

The test case:

#include <stdio.h>
#include <linux/futex.h>
#include <syscall.h>
#include <unistd.h>
  #include <stdlib.h>

int main()
{
	char *p = malloc(128);

	struct robust_list_head *ro1;
	struct robust_list *entry;
	struct robust_list *pending;

	int ret = 0;

	pid_t pid = getpid();
	
	printf("p %p  pid [%d] \n", p, pid);

	ro1 = p;
	entry = p + 20;
	pending = p + 40;

	ro1->list.next = entry;
	ro1->list_op_pending = pending;

	entry->next = &(ro1->list);

	ro1->futex_offset = 41;

	*((int *)((char *)entry + 41)) = pid;

	printf(" entry + offert [%p] [%d] \n",  (int *)((char *)entry + 41), 
*((int *)((char *)entry + 41)));

	ret = syscall(SYS_set_robust_list, ro1, 12);

	printf("ret = [%d]\n", ret);


	return 0;
}

and we test it on arm a9 platform

Alignment trap: not handling instruction e191ef9f at [<c018cf5c>]
Unhandled fault: alignment exception (0x011) at 0x01b1218d
pgd = c3b50000
[01b1218d] *pgd=843c8831, *pte=b831d75f, *ppte=b831dc7f
Internal error: : 11 [#1] SMP ARM
Modules linked in: nfsv3 veth(O) ping(O) nand mtdblock mtd_blkdevs 
nand_ecc nand_ids gmac(O) pramdisk(O) rtos_kbox_panic(O) 
rtos_snapshot(O) double_cluster(O) uart_suspend(O) rsm(O) 
follow_huge_pfn(O) cache_ops(O) nfsd auth_rpcgss exportfs nfs_acl nfs 
lockd sunrpc oid_registry grace physmap cfi_cmdset_0002 cfi_probe 
cfi_util mtd gen_probe chipreg ohci_platform ehci_platform ohci_hcd 
ehci_hcd vfat fat sd_mod enable_uart_rx(O)
CPU: 1 PID: 786 Comm: set_robust_list Tainted: G        W  O    4.4.171 #3
Hardware name: Hisilicon A9
task: ef0045e8 task.stack: c3b68000
PC is at cmpxchg_futex_value_locked+0x48/0xac
LR is at 0x42b12190
pc : [<c018cf5c>]    lr : [<42b12190>]    psr: 60070213
sp : c3b69ed8  ip : fffffff2  fp : c05d9eeb
r10: ffffe000  r9 : ef0045e8  r8 : 00000000
r7 : 01b12178  r6 : 00000312  r5 : 01b1218d  r4 : ef0045e8
r3 : 40000000  r2 : 00000312  r1 : 01b1218d  r0 : c3b69ee0
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 1ac5387d  Table: 8455004a  DAC: 55555555
Process set_robust_list (pid: 786, stack limit = 0xc3b68210)
Stack: (0xc3b69ed8 to 0xc3b6a000)
9ec0:                                                       c080e2a8 
c018ff44
9ee0: 01b1218d dc8ba6ab 00000000 01b12164 01b12150 ef0045e8 01b12178 
01b12150
9f00: 00000000 00000029 01b12178 c01900dc 00000800 00000000 ffffe000 
00000000
9f20: ffffe000 ef0045e8 c2e6dc00 ffffe000 c2e6dc00 c01077a4 00000000 
000000f8
9f40: b6fa2e30 c011afd8 ef0045e8 c2e6dc00 dc8ba6ab ef0045e8 c2e6dc00 
ffffe000
9f60: ffffe000 c011f370 00000000 ef00486c ef00486c dc8ba6ab c38aed20 
ffffe000
9f80: b6fa2e30 c0120d44 00000000 b6fa1500 00000000 000000f8 c01077a4 
c0120e14
9fa0: b6fa1500 c0107790 b6fa1500 b6fa1500 00000000 00000000 0097fadd 
00000000
9fc0: b6fa1500 b6fa1500 00000000 000000f8 00000000 00000001 b6fa6120 
b6fa2e30
9fe0: 00000000 be80eb98 b6e8d4c8 b6efe53c 60070210 00000000 00000000 
00000000
[<c018cf5c>] (cmpxchg_futex_value_locked) from [<c018ff44>] 
(handle_futex_death+0xa8/0x110)
[<c018ff44>] (handle_futex_death) from [<c01900dc>] 
(exit_robust_list+0x130/0x1b4)
[<c01900dc>] (exit_robust_list) from [<c011afd8>] (mm_release+0x1c/0x13c)
[<c011afd8>] (mm_release) from [<c011f370>] (do_exit+0x240/0x9b8)
[<c011f370>] (do_exit) from [<c0120d44>] (do_group_exit+0x58/0x108)
[<c0120d44>] (do_group_exit) from [<c0120e14> (__wake_up_parent+0x0/0x18)
Code: 0c40a011 0900001a 5bf07ff5 00f091f5 (9fef91e1)


On 2019/3/18 18:48, Peter Zijlstra wrote:
> On Sun, Mar 17, 2019 at 03:36:35PM +0100, Thomas Gleixner wrote:
>> On Fri, 15 Mar 2019, Peter Zijlstra wrote:
>
>>> That is; why aren't there any alignment tests anywhere? Or am I just
>>> gone blind?
>>
>> uaddrs for the futex syscalls are checked in get_futex_key().
>
> blind it is...
>
> Thanks!
>
>


^ permalink raw reply	[flat|nested] 6+ messages in thread
* [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death()
  2019-03-15  3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
  2019-03-15  8:41 ` Peter Zijlstra
@ 2019-03-22 12:10 ` tip-bot for Chen Jie
  1 sibling, 0 replies; 6+ messages in thread
From: tip-bot for Chen Jie @ 2019-03-22 12:10 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: mingo, linux-kernel, dvhart, hpa, tglx, peterz, chenjie6, zengweilin

Commit-ID:  5a07168d8d89b00fe1760120714378175b3ef992
Gitweb:     https://git.kernel.org/tip/5a07168d8d89b00fe1760120714378175b3ef992
Author:     Chen Jie <chenjie6@huawei.com>
AuthorDate: Fri, 15 Mar 2019 03:44:38 +0000
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 22 Mar 2019 13:05:26 +0100

futex: Ensure that futex address is aligned in handle_futex_death()

The futex code requires that the user space addresses of futexes are 32bit
aligned. sys_futex() checks this in futex_get_keys() but the robust list
code has no alignment check in place.

As a consequence the kernel crashes on architectures with strict alignment
requirements in handle_futex_death() when trying to cmpxchg() on an
unaligned futex address which was retrieved from the robust list.

[ tglx: Rewrote changelog, proper sizeof() based alignement check and add
  	comment ]

Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Chen Jie <chenjie6@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <dvhart@infradead.org>
Cc: <peterz@infradead.org>
Cc: <zengweilin@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com

---
 kernel/futex.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index c3b73b0311bc..9e40cf7be606 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3436,6 +3436,10 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int p
 {
 	u32 uval, uninitialized_var(nval), mval;
 
+	/* Futex address must be 32bit aligned */
+	if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
+		return -1;
+
 retry:
 	if (get_user(uval, uaddr))
 		return -1;

^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-03-22 12:36 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-15  3:44 [PATCH] futex:fix robust futex alignment exception chenjie6
2019-03-15  8:41 ` Peter Zijlstra
2019-03-17 14:36   ` Thomas Gleixner
2019-03-18 10:48     ` Peter Zijlstra
2019-03-18 11:35       ` Chenjie (K)
2019-03-22 12:10 ` [tip:locking/urgent] futex: Ensure that futex address is aligned in handle_futex_death() tip-bot for Chen Jie

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).