Re: potential NULL dereference in futex_wait_requeue_pi()
From: Darren Hart
Date: Wed Jul 18 2012 - 12:05:05 EST
On 07/18/2012 07:25 AM, Dan Carpenter wrote:
> Hi Darren,
>
> The patch 52400ba94675: "futex: add requeue_pi functionality" from
> Apr 3, 2009, leads to the following warning:
> kernel/futex.c:2373 futex_wait_requeue_pi()
> error: potential NULL dereference 'pi_mutex'.
>
> 2330 if (!q.rt_waiter) {
> 2331 /*
> 2332 * Got the lock. We might not be the anticipated owner if we
> 2333 * did a lock-steal - fix up the PI-state in that case.
> 2334 */
> 2335 if (q.pi_state && (q.pi_state->owner != current)) {
> 2336 spin_lock(q.lock_ptr);
> 2337 ret = fixup_pi_state_owner(uaddr2, &q, current);
>
> pi_mutex is NULL here and it looks like fixup_pi_state_owner() can
> return -EFAULT.
>
>
> 2338 spin_unlock(q.lock_ptr);
> 2339 }
> 2340 } else {
>
> [snipped]
>
> 2366 }
> 2367
> 2368 /*
> 2369 * If fixup_pi_state_owner() faulted and was unable to handle the
> 2370 * fault, unlock the rt_mutex and return the fault to userspace.
> 2371 */
> 2372 if (ret == -EFAULT) {
> 2373 if (rt_mutex_owner(pi_mutex) == current)
> ^^^^^^^^
> This will oops if pi_mutex is NULL.
>
> 2374 rt_mutex_unlock(pi_mutex);
> 2375 } else if (ret == -EINTR) {
Nice Dan, thanks for taking a closer look. This appears to be a simple fix, can
you try the following:
futex: Test for pi_mutex on fault in futex_wait_requeue_pi
If fixup_pi_state_owner() faults, pi_mutex may be NULL. Test
for pi_mutex != NULL before testing the owner against current
and possibly unlocking it.
Signed-off-by: Darren Hart <dvhart@xxxxxxxxxxxxxxx>
CC: Dave Jones <davej@xxxxxxxxxx>
CC: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
CC: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
diff --git a/kernel/futex.c b/kernel/futex.c
index e2b0fb9..05018bf 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2370,7 +2370,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
* fault, unlock the rt_mutex and return the fault to userspace.
*/
if (ret == -EFAULT) {
- if (rt_mutex_owner(pi_mutex) == current)
+ if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
rt_mutex_unlock(pi_mutex);
} else if (ret == -EINTR) {
/*
--
Darren Hart
Intel Open Source Technology Center
Yocto Project - Linux Kernel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/