Re: [PATCH] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI

From: Peter Zijlstra
Date: Thu Dec 01 2016 - 00:34:34 EST


On Wed, Nov 30, 2016 at 08:55:30PM -0800, Darren Hart wrote:
> On Thu, Nov 24, 2016 at 04:38:08PM +0100, Peter Zijlstra wrote:

> > > In this path the fixup can return -EFAIL as well, so it should drop rtmutex
> > > too if it owns it. We should move the rtmutex drop into the fixup functions...
> >
> > Urgh, so I would really like to avoid doing that, I'll have to instantly
> > drag it back out again :/
>
> Why would you have to drag it back out again? Something else you're working on?

Yeah, the very reason I've been staring at this mess in the first place
:-)

So I could point you at the patches; and I will, see:

https://lkml.kernel.org/r/20161021122735.GA3117@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

but the TL;DR version is that we must not rt_mutex_unlock() while
holding hb->lock, because on RT hb->lock is itself a rt_mutex which
gives rise to some very fun prio inversions.