futex: Make unlock_pi more robust

The kernel tries to atomically unlock the futex without checking
whether there is kernel state associated to the futex.

So if user space manipulated the user space value, this will leave
kernel internal state around associated to the owner task. 

For robustness sake, lookup first whether there are waiters on the
futex. If there are waiters, wake the top priority waiter with all the
proper sanity checks applied.

If there are no waiters, do the atomic release. We do not have to
preserve the waiters bit in this case, because a potentially incoming
waiter is blocked on the hb->lock and will acquire the futex
atomically. We neither have to preserve the owner died bit. The caller
is the owner and it was supposed to cleanup the mess.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Kees Cook <kees@outflux.net>
Cc: wad@chromium.org
Link: http://lkml.kernel.org/r/20140611204237.016987332@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

1 files changed, 25 insertions, 51 deletions

diff --git a/kernel/futex.c b/kernel/futex.c
index e5c6c404be1d..346d5c280545 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1186,22 +1186,6 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
         return 0;
 }
 
-static int unlock_futex_pi(u32 __user *uaddr, u32 uval)
-{
-        u32 uninitialized_var(oldval);
-
-        /*
-         * There is no waiter, so we unlock the futex. The owner died
-         * bit has not to be preserved here. We are the owner:
-         */
-        if (cmpxchg_futex_value_locked(&oldval, uaddr, uval, 0))
-                return -EFAULT;
-        if (oldval != uval)
-                return -EAGAIN;
-
-        return 0;
-}
-
 /*
  * Express the locking dependencies for lockdep:
  */
@@ -2401,10 +2385,10 @@ uaddr_faulted:
  */
 static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
 {
-        struct futex_hash_bucket *hb;
-        struct futex_q *this, *next;
+        u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
         union futex_key key = FUTEX_KEY_INIT;
-        u32 uval, vpid = task_pid_vnr(current);
+        struct futex_hash_bucket *hb;
+        struct futex_q *match;
         int ret;
 
 retry:
@@ -2417,57 +2401,47 @@ retry:
                 return -EPERM;
 
         ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
-        if (unlikely(ret != 0))
-                goto out;
+        if (ret)
+                return ret;
 
         hb = hash_futex(&key);
         spin_lock(&hb->lock);
 
         /*
-         * To avoid races, try to do the TID -> 0 atomic transition
-         * again. If it succeeds then we can return without waking
-         * anyone else up. We only try this if neither the waiters nor
-         * the owner died bit are set.
+         * Check waiters first. We do not trust user space values at
+         * all and we at least want to know if user space fiddled
+         * with the futex value instead of blindly unlocking.
          */
-        if (!(uval & ~FUTEX_TID_MASK) &&
-            cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
-                goto pi_faulted;
-        /*
-         * Rare case: we managed to release the lock atomically,
-         * no need to wake anyone else up:
-         */
-        if (unlikely(uval == vpid))
-                goto out_unlock;
-
-        /*
-         * Ok, other tasks may need to be woken up - check waiters
-         * and do the wakeup if necessary:
-         */
-        plist_for_each_entry_safe(this, next, &hb->chain, list) {
-                if (!match_futex (&this->key, &key))
-                        continue;
-                ret = wake_futex_pi(uaddr, uval, this);
+        match = futex_top_waiter(hb, &key);
+        if (match) {
+                ret = wake_futex_pi(uaddr, uval, match);
                 /*
-                 * The atomic access to the futex value
-                 * generated a pagefault, so retry the
-                 * user-access and the wakeup:
+                 * The atomic access to the futex value generated a
+                 * pagefault, so retry the user-access and the wakeup:
                  */
                 if (ret == -EFAULT)
                         goto pi_faulted;
                 goto out_unlock;
         }
+
         /*
-         * No waiters - kernel unlocks the futex:
+         * We have no kernel internal state, i.e. no waiters in the
+         * kernel. Waiters which are about to queue themselves are stuck
+         * on hb->lock. So we can safely ignore them. We do neither
+         * preserve the WAITERS bit not the OWNER_DIED one. We are the
+         * owner.
          */
-        ret = unlock_futex_pi(uaddr, uval);
-        if (ret == -EFAULT)
+        if (cmpxchg_futex_value_locked(&curval, uaddr, uval, 0))
                 goto pi_faulted;
 
+        /*
+         * If uval has changed, let user space handle it.
+         */
+        ret = (curval == uval) ? 0 : -EAGAIN;
+
 out_unlock:
         spin_unlock(&hb->lock);
         put_futex_key(&key);
-
-out:
         return ret;
 
 pi_faulted: