[thirdparty/kernel/stable-queue.git] / releases / 4.9.128 / kthread-fix-boot-hang-regression-on-mips-openrisc.patch

From b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 Mon Sep 17 00:00:00 2001
From: Vegard Nossum <vegard.nossum@oracle.com>
Date: Mon, 29 May 2017 09:22:07 +0200
Subject: kthread: fix boot hang (regression) on MIPS/OpenRISC

From: Vegard Nossum <vegard.nossum@oracle.com>

commit b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 upstream.

This fixes a regression in commit 4d6501dce079 where I didn't notice
that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to
NULL after our initialisation in copy_process().

We can simply get rid of the arch-specific initialisation here since it
is now always done in copy_process() before hitting copy_thread{,_tls}().

Review notes:

 - As far as I can tell, copy_process() is the only user of
   copy_thread_tls(), which is the only caller of copy_thread() for
   architectures that don't implement copy_thread_tls().

 - After this patch, there is no arch-specific code touching
   p->set_child_tid or p->clear_child_tid whatsoever.

 - It may look like MIPS/OpenRISC wanted to always have these fields be
   NULL, but that's not true, as copy_process() would unconditionally
   set them again _after_ calling copy_thread_tls() before commit
   4d6501dce079.

Fixes: 4d6501dce079c1eb6bf0b1d8f528a5e81770109e ("kthread: Fix use-after-free if kthread fork fails")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net> # MIPS only
Acked-by: Stafford Horne <shorne@gmail.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: Jonas Bonn <jonas@southpole.se>
Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
Cc: openrisc@lists.librecores.org
Cc: Jamie Iles <jamie.iles@oracle.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/process.c     |    1 -
 arch/openrisc/kernel/process.c |    2 --
 2 files changed, 3 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -118,7 +118,6 @@ int copy_thread(unsigned long clone_flag
 	struct thread_info *ti = task_thread_info(p);
 	struct pt_regs *childregs, *regs = current_pt_regs();
 	unsigned long childksp;
-	p->set_child_tid = p->clear_child_tid = NULL;
 
 	childksp = (unsigned long)task_stack_page(p) + THREAD_SIZE - 32;
 
--- a/arch/openrisc/kernel/process.c
+++ b/arch/openrisc/kernel/process.c
@@ -152,8 +152,6 @@ copy_thread(unsigned long clone_flags, u
 
 	top_of_kernel_stack = sp;
 
-	p->set_child_tid = p->clear_child_tid = NULL;
-
 	/* Locate userspace context on stack... */
 	sp -= STACK_FRAME_OVERHEAD;	/* redzone */
 	sp -= sizeof(struct pt_regs);
Commit	Line	Data
4d83a26e GKH	1	From b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 Mon Sep 17 00:00:00 2001
	2	From: Vegard Nossum <vegard.nossum@oracle.com>
	3	Date: Mon, 29 May 2017 09:22:07 +0200
	4	Subject: kthread: fix boot hang (regression) on MIPS/OpenRISC
	5
	6	From: Vegard Nossum <vegard.nossum@oracle.com>
	7
	8	commit b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 upstream.
	9
	10	This fixes a regression in commit 4d6501dce079 where I didn't notice
	11	that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to
	12	NULL after our initialisation in copy_process().
	13
	14	We can simply get rid of the arch-specific initialisation here since it
	15	is now always done in copy_process() before hitting copy_thread{,_tls}().
	16
	17	Review notes:
	18
	19	- As far as I can tell, copy_process() is the only user of
	20	copy_thread_tls(), which is the only caller of copy_thread() for
	21	architectures that don't implement copy_thread_tls().
	22
	23	- After this patch, there is no arch-specific code touching
	24	p->set_child_tid or p->clear_child_tid whatsoever.
	25
	26	- It may look like MIPS/OpenRISC wanted to always have these fields be
	27	NULL, but that's not true, as copy_process() would unconditionally
	28	set them again _after_ calling copy_thread_tls() before commit
	29	4d6501dce079.
	30
	31	Fixes: 4d6501dce079c1eb6bf0b1d8f528a5e81770109e ("kthread: Fix use-after-free if kthread fork fails")
	32	Reported-by: Guenter Roeck <linux@roeck-us.net>
	33	Tested-by: Guenter Roeck <linux@roeck-us.net> # MIPS only
	34	Acked-by: Stafford Horne <shorne@gmail.com>
	35	Acked-by: Oleg Nesterov <oleg@redhat.com>
	36	Cc: Ralf Baechle <ralf@linux-mips.org>
	37	Cc: linux-mips@linux-mips.org
	38	Cc: Jonas Bonn <jonas@southpole.se>
	39	Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
	40	Cc: openrisc@lists.librecores.org
	41	Cc: Jamie Iles <jamie.iles@oracle.com>
	42	Cc: Thomas Gleixner <tglx@linutronix.de>
	43	Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
	44	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	45	Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
	46	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	47
	48	---
	49	arch/mips/kernel/process.c \| 1 -
	50	arch/openrisc/kernel/process.c \| 2 --
	51	2 files changed, 3 deletions(-)
	52
	53	--- a/arch/mips/kernel/process.c
	54	+++ b/arch/mips/kernel/process.c
	55	@@ -118,7 +118,6 @@ int copy_thread(unsigned long clone_flag
	56	struct thread_info *ti = task_thread_info(p);
	57	struct pt_regs childregs, regs = current_pt_regs();
	58	unsigned long childksp;
	59	- p->set_child_tid = p->clear_child_tid = NULL;
	60
	61	childksp = (unsigned long)task_stack_page(p) + THREAD_SIZE - 32;
	62
	63	--- a/arch/openrisc/kernel/process.c
	64	+++ b/arch/openrisc/kernel/process.c
65	@@ -152,8 +152,6 @@ copy_thread(unsigned long clone_flags, u
66
67	top_of_kernel_stack = sp;
68
69	- p->set_child_tid = p->clear_child_tid = NULL;
70	-
71	/* Locate userspace context on stack... */
72	sp -= STACK_FRAME_OVERHEAD; /* redzone */
73	sp -= sizeof(struct pt_regs);