futex: Unbreak futex hashing

stable inclusion from linux-4.19.113 commit 17a8ca79a576972c5a2050ad6eba21a2024799a6 CVE: CVE-2020-14381 -------------------------------- commit 8d677436 upstream. The recent futex inode life time fix changed the ordering of the futex key union struct members, but forgot to adjust the hash function accordingly, As a result the hashing omits the leading 64bit and even hashes beyond the futex key causing a bad hash distribution which led to a ~100% performance regression. Hand in the futex key pointer instead of a random struct member and make the size calculation based of the struct offset. Fixes: 8019ad13 ("futex: Fix inode life-time issue") Reported-by: N Rong Chen <rong.a.chen@intel.com> Decoded-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Thomas Gleixner <tglx@linutronix.de> Tested-by: N Rong Chen <rong.a.chen@intel.com> Link: https://lkml.kernel.org/r/87h7yy90ve.fsf@nanos.tec.linutronix.deSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Reviewed-by: N Yang Erkun <yangerkun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

futex: Unbreak futex hashing
stable inclusion from linux-4.19.113 commit 17a8ca79a576972c5a2050ad6eba21a2024799a6 CVE: CVE-2020-14381 -------------------------------- commit 8d677436 upstream. The recent futex inode life time fix changed the ordering of the futex key union struct members, but forgot to adjust the hash function accordingly, As a result the hashing omits the leading 64bit and even hashes beyond the futex key causing a bad hash distribution which led to a ~100% performance regression. Hand in the futex key pointer instead of a random struct member and make the size calculation based of the struct offset. Fixes: 8019ad13 ("futex: Fix inode life-time issue") Reported-by: N Rong Chen <rong.a.chen@intel.com> Decoded-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Thomas Gleixner <tglx@linutronix.de> Tested-by: N Rong Chen <rong.a.chen@intel.com> Link: https://lkml.kernel.org/r/87h7yy90ve.fsf@nanos.tec.linutronix.deSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Reviewed-by: N Yang Erkun <yangerkun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
16b27ff7 · Thomas Gleixner · Yang Yingliang · eebee2f8 · 16b27ff7
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

kernel/futex.c kernel/futex.c +2 -2

未找到文件。
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -395,9 +395,9 @@ static inline int hb_waiters_pending(struct futex_hash_bucket *hb)
 */
 static struct futex_hash_bucket *hash_futex(union futex_key *key)
 {
-	u32 hash = jhash2((u32*)&key->both.word,
+	u32 hash = jhash2((u32 *)key, offsetof(typeof(*key), both.offset) / 4,
-			  (sizeof(key->both.word)+sizeof(key->both.ptr))/4,
 			  key->both.offset);
 	return &futex_queues[hash & (futex_hashsize - 1)];
 }