Bug#433187: [Fwd: Re: Fix for sparc64 cpu hangs.]

To: 433187@bugs.debian.org
Subject: Bug#433187: [Fwd: Re: Fix for sparc64 cpu hangs.]
From: Bernd Zeimetz <bernd@bzed.de>
Date: Wed, 07 Nov 2007 11:41:11 +0100
Message-id: <[🔎] 47319647.1010203@bzed.de>
Reply-to: Bernd Zeimetz <bernd@bzed.de>, 433187@bugs.debian.org


-------- Original Message --------
From: davem@davemloft.net  Wed Nov  7 06:14:01 2007
Return-Path: <davem@davemloft.net>
X-Original-To: bzed@recluse.de
Delivered-To: bzed@recluse.de
Received: from localhost (mail.recluse.de [78.47.255.98])	by mail.recluse.de (Postfix) with ESMTP id B51FF392926	for <bzed@recluse.de>; Wed,  7 Nov 2007 06:14:01 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at recluse.de
Received: from mail.recluse.de ([78.47.255.98])	by localhost (mail.recluse.de [78.47.255.98]) (amavisd-new, port 10024)	with ESMTP id G2XieC59A2xV for <bzed@recluse.de>;	Wed,  7 Nov 2007 06:14:00 +0100 (CET)
Received: from sunset.davemloft.net (unknown [74.93.104.97])	by mail.recluse.de (Postfix) with ESMTP id 8373A392919	for <bernd@bzed.de>; Wed,  7 Nov 2007 06:13:58 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])	by sunset.davemloft.net (Postfix) with ESMTP id 1BEBEC8C526;	Tue,  6 Nov 2007 21:13:57 -0800 (PST)
Date: Tue, 06 Nov 2007 21:13:56 -0800 (PST)
Message-Id: <20071106.211356.60087540.davem@davemloft.net>
To: torvalds@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, sparclinux@vger.kernel.org, linux-arch@vger.kernel.org, bernd@bzed.de, joy@entuzijast.net, fabbione@ubuntu.com, arnd@arndb.de
Subject: Re: Fix for sparc64 cpu hangs.
From: David Miller <davem@davemloft.net>
In-Reply-To: <20071106.203433.144763156.davem@davemloft.net>
References: <20071106.203433.144763156.davem@davemloft.net>
X-Mailer: Mew version 5.2 on Emacs 22.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

From: David Miller <davem@davemloft.net>
Date: Tue, 06 Nov 2007 20:34:33 -0800 (PST)

> [FUTEX]: Fix address computation in compat code.

Sorry, I just noticed there is a second handle_futex_death()
call in compat_exit_robust_list() which has the same
address computation bug.

Here is an updated patch:

[FUTEX]: Fix address computation in compat code.

compat_exit_robust_list() computes a pointer to the
futex entry in userspace as follows:

	(void __user *)entry + futex_offset

'entry' is a 'struct robust_list __user *', and
'futex_offset' is a 'compat_long_t' (typically a 's32').

Things explode if the 32-bit sign bit is set in futex_offset.

Type promotion sign extends futex_offset to a 64-bit value before
adding it to 'entry'.

This triggered a problem on sparc64 running 32-bit applications which
would lock up a cpu looping forever in the fault handling for the
userspace load in handle_futex_death().

Compat userspace runs with address masking (wherein the cpu zeros out
the top 32-bits of every effective address given to a memory operation
instruction) so the sparc64 fault handler accounts for this by
zero'ing out the top 32-bits of the fault address too.

Since the kernel properly uses the compat_uptr interfaces, kernel side
accesses to compat userspace work too since they will only use
addresses with the top 32-bit clear.

Because of this compat futex layer bug we get into the following loop
when executing the get_user() load near the top of handle_futex_death():

1) load from address '0xfffffffff7f16bd8', FAULT
2) fault handler clears upper 32-bits, processes fault
   for address '0xf7f16bd8' which succeeds
3) goto #1

I want to thank Bernd Zeimetz, Josip Rodin, and Fabio Massimo Di Nitto
for their tireless efforts helping me track down this bug.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index 00b5726..1931457 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -30,6 +30,15 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
 	return 0;
 }

+static void __user *futex_uaddr(struct robust_list *entry,
+				compat_long_t futex_offset)
+{
+	compat_uptr_t base = ptr_to_compat(entry);
+	void __user *uaddr = compat_ptr(base + futex_offset);
+
+	return uaddr;
+}
+
 /*
  * Walk curr->robust_list (very carefully, it's a userspace list!)
  * and mark any locks found there dead, and notify any waiters.
@@ -76,11 +85,13 @@ void compat_exit_robust_list(struct task_struct *curr)
 		 * A pending lock might already be on the list, so
 		 * dont process it twice:
 		 */
-		if (entry != pending)
-			if (handle_futex_death((void __user *)entry + futex_offset,
-						curr, pi))
-				return;
+		if (entry != pending) {
+			void __user *uaddr = futex_uaddr(entry,
+							 futex_offset);

+			if (handle_futex_death(uaddr, curr, pi))
+				return;
+		}
 		if (rc)
 			return;
 		uentry = next_uentry;
@@ -94,9 +105,11 @@ void compat_exit_robust_list(struct task_struct *curr)

 		cond_resched();
 	}
-	if (pending)
-		handle_futex_death((void __user *)pending + futex_offset,
-				   curr, pip);
+	if (pending) {
+		void __user *uaddr = futex_uaddr(pending, futex_offset);
+
+		handle_futex_death(uaddr, curr, pip);
+	}
 }

 asmlinkage long

Reply to:

Follow-Ups:
- Re: Bug#433187: [Fwd: Re: Fix for sparc64 cpu hangs.]
  - From: Martin Zobel-Helas <zobel@ftbfs.de>

Prev by Date: Bug#450424: ata1.00: DISK MIGHT NOT BE SPUN DOWN PROPERLY. UPDATE SHUTDOWN UTILITY
Next by Date: Processed: tagging 433187
Previous by thread: Bug#450424: ata1.00: DISK MIGHT NOT BE SPUN DOWN PROPERLY. UPDATE SHUTDOWN UTILITY
Next by thread: Re: Bug#433187: [Fwd: Re: Fix for sparc64 cpu hangs.]
Index(es):
- Date
- Thread