[10/10] futex: Handle faults correctly for PI futexes

Message ID	20210203134539.2583943-11-lee.jones@linaro.org
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; From: Lee Jones <lee.jones@linaro.org> To: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de>, gzobqq@gmail.com, Peter Zijlstra <peterz@infradead.org>, Lee Jones <lee.jones@linaro.org> Subject: [PATCH 10/10] futex: Handle faults correctly for PI futexes Date: Wed, 3 Feb 2021 13:45:39 +0000 Message-Id: <20210203134539.2583943-11-lee.jones@linaro.org> In-Reply-To: <20210203134539.2583943-1-lee.jones@linaro.org> References: <20210203134539.2583943-1-lee.jones@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Futex back-port \| expand [4.9,00/10,Set,2] Futex back-port [01/10] futex,rt_mutex: Provide futex specific rt_mutex API [02/10] futex: Remove rt_mutex_deadlock_account_*() [03/10] futex: Rework inconsistent rt_mutex/futex_q state [04/10] futex: Avoid violating the 10th rule of futex [05/10] futex: Replace pointless printk in fixup_owner() [06/10] futex: Provide and use pi_state_update_owner() [07/10] rtmutex: Remove unused argument from rt_mutex_proxy_unlock() [08/10] futex: Use pi_state_update_owner() in put_pi_state() [09/10] futex: Simplify fixup_pi_state_owner() [10/10] futex: Handle faults correctly for PI futexes

Message ID

20210203134539.2583943-11-lee.jones@linaro.org

State

New

Headers

Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org
	designates 23.128.96.18 as permitted sender)
	client-ip=23.128.96.18; 
From: Lee Jones <lee.jones@linaro.org>
To: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>, gzobqq@gmail.com,
	Peter Zijlstra <peterz@infradead.org>, Lee Jones <lee.jones@linaro.org>
Subject: [PATCH 10/10] futex: Handle faults correctly for PI futexes
Date: Wed,  3 Feb 2021 13:45:39 +0000
Message-Id: <20210203134539.2583943-11-lee.jones@linaro.org>
In-Reply-To: <20210203134539.2583943-1-lee.jones@linaro.org>
References: <20210203134539.2583943-1-lee.jones@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Futex back-port | expand

Commit Message

Lee Jones Feb. 3, 2021, 1:45 p.m. UTC

From: Thomas Gleixner <tglx@linutronix.de>


fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
pi_state and the user space value related to the PI futex are consistent
before returning to user space. In case that the user space value update
faults and the fault cannot be resolved by faulting the page in via
fault_in_user_writeable() the function returns with -EFAULT and leaves
the rtmutex and pi_state owner state inconsistent.

A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
releases the rtmutex despite not owning it which can corrupt the RB tree of
the rtmutex and cause a subsequent kernel stack use after free.

It was suggested to loop forever in fixup_pi_state_owner() if the fault
cannot be resolved, but that results in runaway tasks which is especially
undesired when the problem happens due to a programming error and not due
to malice.

As the user space value cannot be fixed up, the proper solution is to make
the rtmutex and the pi_state consistent so both have the same owner. This
leaves the user space value out of sync. Any subsequent operation on the
futex will fail because the 10th rule of PI futexes (pi_state owner and
user space value are consistent) has been violated.

As a consequence this removes the inept attempts of 'fixing' the situation
in case that the current task owns the rtmutex when returning with an
unresolvable fault by unlocking the rtmutex which left pi_state::owner and
rtmutex::owner out of sync in a different and only slightly less dangerous
way.

Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
Reported-by: gzobqq@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>

Cc: stable@vger.kernel.org
Signed-off-by: Lee Jones <lee.jones@linaro.org>

---
 kernel/futex.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

-- 
2.25.1

diff --git a/kernel/futex.c b/kernel/futex.c
index c163f5d6efab3..83db5787c67ef 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1017,7 +1017,8 @@  static void exit_pi_state_list(struct task_struct *curr)
  *	FUTEX_OWNER_DIED bit. See [4]
  *
  * [10] There is no transient state which leaves owner and user space
- *	TID out of sync.
+ *	TID out of sync. Except one error case where the kernel is denied
+ *	write access to the user address, see fixup_pi_state_owner().
  */
 
 /*
@@ -2392,6 +2393,24 @@  static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
 	if (!err)
 		goto retry;
 
+	/*
+	 * fault_in_user_writeable() failed so user state is immutable. At
+	 * best we can make the kernel state consistent but user state will
+	 * be most likely hosed and any subsequent unlock operation will be
+	 * rejected due to PI futex rule [10].
+	 *
+	 * Ensure that the rtmutex owner is also the pi_state owner despite
+	 * the user space value claiming something different. There is no
+	 * point in unlocking the rtmutex if current is the owner as it
+	 * would need to wait until the next waiter has taken the rtmutex
+	 * to guarantee consistent state. Keep it simple. Userspace asked
+	 * for this wreckaged state.
+	 *
+	 * The rtmutex has an owner - either current or some other
+	 * task. See the EAGAIN loop above.
+	 */
+	pi_state_update_owner(pi_state, rt_mutex_owner(&pi_state->pi_mutex));
+
 	return err;
 }
 
@@ -2777,13 +2796,6 @@  static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
 	if (res)
 		ret = (res < 0) ? res : 0;
 
-	/*
-	 * If fixup_owner() faulted and was unable to handle the fault, unlock
-	 * it and return the fault to userspace.
-	 */
-	if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
-		rt_mutex_futex_unlock(&q.pi_state->pi_mutex);
-
 	/* Unqueue and drop the lock */
 	unqueue_me_pi(&q);
 
@@ -3088,8 +3100,6 @@  static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 		if (q.pi_state && (q.pi_state->owner != current)) {
 			spin_lock(q.lock_ptr);
 			ret = fixup_pi_state_owner(uaddr2, &q, current);
-			if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
-				rt_mutex_futex_unlock(&q.pi_state->pi_mutex);
 			/*
 			 * Drop the reference to the pi state which
 			 * the requeue_pi() code acquired for us.
@@ -3126,14 +3136,6 @@  static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 		if (res)
 			ret = (res < 0) ? res : 0;
 
-		/*
-		 * If fixup_pi_state_owner() faulted and was unable to handle
-		 * the fault, unlock the rt_mutex and return the fault to
-		 * userspace.
-		 */
-		if (ret && rt_mutex_owner(pi_mutex) == current)
-			rt_mutex_futex_unlock(pi_mutex);
-
 		/* Unqueue and drop the lock. */
 		unqueue_me_pi(&q);
 	}

[10/10] futex: Handle faults correctly for PI futexes

Commit Message

Patch