futex: Handle unlock_pi race gracefully

If userspace calls UNLOCK_PI unconditionally without trying the TID -> 0 transition in user space first then the user space value might not have the waiters bit set. This opens the following race: CPU0 CPU1 uval = get_user(futex) lock(hb) lock(hb) futex |= FUTEX_WAITERS .... unlock(hb) cmpxchg(futex, uval, newval) So the cmpxchg fails and returns -EINVAL to user space, which is wrong because the futex value is valid. To handle this (yes, yet another) corner case gracefully, check for a flag change and retry. [ tglx: Massaged changelog and slightly reworked implementation ] Fixes: ccf9e6a80d9e ("futex: Make unlock_pi more robust") Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: stable@vger.kernel.org Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Darren Hart <dvhart@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/r/1460723739-5195-1-git-send-email-bigeasy@linutronix.de Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Sebastian Andrzej Siewior <bigeasy@linutronix.de> 2016-04-15 08:35:39 -0400
committer: Thomas Gleixner <tglx@linutronix.de> 2016-04-20 06:33:13 -0400
commit: 89e9e66ba1b3bde9d8ea90566c2aee20697ad681 (patch)
tree: 9cd0c1ecd75e6bbf03588e0c6d9b20e3d811c86f
parent: 6687659568e2ec5b3ac24b39c5d26ce8b9d90434 (diff)
1 files changed, 22 insertions, 3 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index a5d2e74c89e0..fd204e1670c9 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1295,10 +1295,20 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this,
        if (unlikely(should_fail_futex(true)))
                ret = -EFAULT;
-        if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
+        if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) {
                ret = -EFAULT;
-        else if (curval != uval)
+        } else if (curval != uval) {
-                ret = -EINVAL;
+                /*
+                 * If a unconditional UNLOCK_PI operation (user space did not
+                 * try the TID->0 transition) raced with a waiter setting the
+                 * FUTEX_WAITERS flag between get_user() and locking the hash
+                 * bucket lock, retry the operation.
+                 */
+                if ((FUTEX_TID_MASK & curval) == uval)
+                        ret = -EAGAIN;
+                else
+                        ret = -EINVAL;
+        }
        if (ret) {
                raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
                return ret;
@@ -2623,6 +2633,15 @@ retry:
                if (ret == -EFAULT)
                        goto pi_faulted;
                /*
+                 * A unconditional UNLOCK_PI op raced against a waiter
+                 * setting the FUTEX_WAITERS bit. Try again.
+                 */
+                if (ret == -EAGAIN) {
+                        spin_unlock(&hb->lock);
+                        put_futex_key(&key);
+                        goto retry;
+                }
+                /*
                 * wake_futex_pi has detected invalid state. Tell user
                 * space.
                 */
author	Sebastian Andrzej Siewior <bigeasy@linutronix.de>	2016-04-15 08:35:39 -0400
committer	Thomas Gleixner <tglx@linutronix.de>	2016-04-20 06:33:13 -0400
commit	89e9e66ba1b3bde9d8ea90566c2aee20697ad681 (patch)
tree	9cd0c1ecd75e6bbf03588e0c6d9b20e3d811c86f
parent	6687659568e2ec5b3ac24b39c5d26ce8b9d90434 (diff)

diff --git a/kernel/futex.c b/kernel/futex.c index a5d2e74c89e0..fd204e1670c9 100644 --- a/kernel/futex.c +++ b/kernel/futex.c
@@ -1295,10 +1295,20 @@ static int wake_futex_pi(u32 __user uaddr, u32 uval, struct futex_q this,
1295	if (unlikely(should_fail_futex(true)))	1295	if (unlikely(should_fail_futex(true)))
1296	ret = -EFAULT;	1296	ret = -EFAULT;
1297		1297
1298	if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))	1298	if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) {
1299	ret = -EFAULT;	1299	ret = -EFAULT;
1300	else if (curval != uval)	1300	} else if (curval != uval) {
1301	ret = -EINVAL;	1301	/*
		1302	* If a unconditional UNLOCK_PI operation (user space did not
		1303	* try the TID->0 transition) raced with a waiter setting the
		1304	* FUTEX_WAITERS flag between get_user() and locking the hash
		1305	* bucket lock, retry the operation.
		1306	*/
		1307	if ((FUTEX_TID_MASK & curval) == uval)
		1308	ret = -EAGAIN;
		1309	else
		1310	ret = -EINVAL;
		1311	}
1302	if (ret) {	1312	if (ret) {
1303	raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);	1313	raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1304	return ret;	1314	return ret;
@@ -2623,6 +2633,15 @@ retry:
2623	if (ret == -EFAULT)	2633	if (ret == -EFAULT)
2624	goto pi_faulted;	2634	goto pi_faulted;
2625	/*	2635	/*
		2636	* A unconditional UNLOCK_PI op raced against a waiter
		2637	* setting the FUTEX_WAITERS bit. Try again.
		2638	*/
		2639	if (ret == -EAGAIN) {
		2640	spin_unlock(&hb->lock);
		2641	put_futex_key(&key);
		2642	goto retry;
		2643	}
		2644	/*
2626	* wake_futex_pi has detected invalid state. Tell user	2645	* wake_futex_pi has detected invalid state. Tell user
2627	* space.	2646	* space.
2628	*/	2647	*/