mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-12-26 10:29:03 +00:00
c3123c4314
The new rt_mutex_spin_on_onwer() loop checks whether the spinning waiter is
still the top waiter on the lock by utilizing rt_mutex_top_waiter(), which
is broken because that function contains a sanity check which dereferences
the top waiter pointer to check whether the waiter belongs to the
lock. That's wrong in the lockless spinwait case:
CPU 0 CPU 1
rt_mutex_lock(lock) rt_mutex_lock(lock);
queue(waiter0)
waiter0 == rt_mutex_top_waiter(lock)
rt_mutex_spin_on_onwer(lock, waiter0) { queue(waiter1)
waiter1 == rt_mutex_top_waiter(lock)
...
top_waiter = rt_mutex_top_waiter(lock)
leftmost = rb_first_cached(&lock->waiters);
-> signal
dequeue(waiter1)
destroy(waiter1)
w = rb_entry(leftmost, ....)
BUG_ON(w->lock != lock) <- UAF
The BUG_ON() is correct for the case where the caller holds lock->wait_lock
which guarantees that the leftmost waiter entry cannot vanish. For the
lockless spinwait case it's broken.
Create a new helper function which avoids the pointer dereference and just
compares the leftmost entry pointer with current's waiter pointer to
validate that currrent is still elegible for spinning.
Fixes:
|
||
|---|---|---|
| .. | ||
| irqflag-debug.c | ||
| lock_events_list.h | ||
| lock_events.c | ||
| lock_events.h | ||
| lockdep_internals.h | ||
| lockdep_proc.c | ||
| lockdep_states.h | ||
| lockdep.c | ||
| locktorture.c | ||
| Makefile | ||
| mcs_spinlock.h | ||
| mutex-debug.c | ||
| mutex.c | ||
| mutex.h | ||
| osq_lock.c | ||
| percpu-rwsem.c | ||
| qrwlock.c | ||
| qspinlock_paravirt.h | ||
| qspinlock_stat.h | ||
| qspinlock.c | ||
| rtmutex_api.c | ||
| rtmutex_common.h | ||
| rtmutex.c | ||
| rwbase_rt.c | ||
| rwsem.c | ||
| semaphore.c | ||
| spinlock_debug.c | ||
| spinlock_rt.c | ||
| spinlock.c | ||
| test-ww_mutex.c | ||
| ww_mutex.h | ||
| ww_rt_mutex.c | ||