]>
Commit | Line | Data |
---|---|---|
56bc4bca GKH |
1 | From 5a07168d8d89b00fe1760120714378175b3ef992 Mon Sep 17 00:00:00 2001 |
2 | From: Chen Jie <chenjie6@huawei.com> | |
3 | Date: Fri, 15 Mar 2019 03:44:38 +0000 | |
4 | Subject: futex: Ensure that futex address is aligned in handle_futex_death() | |
5 | ||
6 | From: Chen Jie <chenjie6@huawei.com> | |
7 | ||
8 | commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream. | |
9 | ||
10 | The futex code requires that the user space addresses of futexes are 32bit | |
11 | aligned. sys_futex() checks this in futex_get_keys() but the robust list | |
12 | code has no alignment check in place. | |
13 | ||
14 | As a consequence the kernel crashes on architectures with strict alignment | |
15 | requirements in handle_futex_death() when trying to cmpxchg() on an | |
16 | unaligned futex address which was retrieved from the robust list. | |
17 | ||
18 | [ tglx: Rewrote changelog, proper sizeof() based alignement check and add | |
19 | comment ] | |
20 | ||
21 | Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core") | |
22 | Signed-off-by: Chen Jie <chenjie6@huawei.com> | |
23 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
24 | Cc: <dvhart@infradead.org> | |
25 | Cc: <peterz@infradead.org> | |
26 | Cc: <zengweilin@huawei.com> | |
27 | Cc: stable@vger.kernel.org | |
28 | Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com | |
29 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
30 | ||
31 | --- | |
32 | kernel/futex.c | 4 ++++ | |
33 | 1 file changed, 4 insertions(+) | |
34 | ||
35 | --- a/kernel/futex.c | |
36 | +++ b/kernel/futex.c | |
37 | @@ -2897,6 +2897,10 @@ int handle_futex_death(u32 __user *uaddr | |
38 | { | |
39 | u32 uval, uninitialized_var(nval), mval; | |
40 | ||
41 | + /* Futex address must be 32bit aligned */ | |
42 | + if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0) | |
43 | + return -1; | |
44 | + | |
45 | retry: | |
46 | if (get_user(uval, uaddr)) | |
47 | return -1; |