Preparatory only, no functional change.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
a waiter when the futex owner is currently executing the exit cleanup to
prevent a potential live lock.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
--- /dev/null
+Subject: futex: Ensure the correct return value from futex_lock_pi()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed Jan 20 16:00:24 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 upstream
+
+In case that futex_lock_pi() was aborted by a signal or a timeout and the
+task returned without acquiring the rtmutex, but is the designated owner of
+the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to
+establish consistent state. In that case it invokes fixup_pi_state_owner()
+which in turn tries to acquire the rtmutex again. If that succeeds then it
+does not propagate this success to fixup_owner() and futex_lock_pi()
+returns -EINTR or -ETIMEOUT despite having the futex locked.
+
+Return success from fixup_pi_state_owner() in all cases where the current
+task owns the rtmutex and therefore the futex and propagate it correctly
+through fixup_owner(). Fixup the other callsite which does not expect a
+positive return value.
+
+Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2489,8 +2489,8 @@ retry:
+ }
+
+ if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
+- /* We got the lock after all, nothing to fix. */
+- ret = 0;
++ /* We got the lock. pi_state is correct. Tell caller. */
++ ret = 1;
+ goto out_unlock;
+ }
+
+@@ -2518,7 +2518,7 @@ retry:
+ * We raced against a concurrent self; things are
+ * already fixed up. Nothing to do.
+ */
+- ret = 0;
++ ret = 1;
+ goto out_unlock;
+ }
+ newowner = argowner;
+@@ -2564,7 +2564,7 @@ retry:
+ raw_spin_unlock(&newowner->pi_lock);
+ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
+
+- return 0;
++ return argowner == current;
+
+ /*
+ * In order to reschedule or handle a page fault, we need to drop the
+@@ -2606,7 +2606,7 @@ handle_err:
+ * Check if someone else fixed it for us:
+ */
+ if (pi_state->owner != oldowner) {
+- ret = 0;
++ ret = argowner == current;
+ goto out_unlock;
+ }
+
+@@ -2639,8 +2639,6 @@ static long futex_wait_restart(struct re
+ */
+ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
+ {
+- int ret = 0;
+-
+ if (locked) {
+ /*
+ * Got the lock. We might not be the anticipated owner if we
+@@ -2651,8 +2649,8 @@ static int fixup_owner(u32 __user *uaddr
+ * stable state, anything else needs more attention.
+ */
+ if (q->pi_state->owner != current)
+- ret = fixup_pi_state_owner(uaddr, q, current);
+- goto out;
++ return fixup_pi_state_owner(uaddr, q, current);
++ return 1;
+ }
+
+ /*
+@@ -2663,10 +2661,8 @@ static int fixup_owner(u32 __user *uaddr
+ * Another speculative read; pi_state->owner == current is unstable
+ * but needs our attention.
+ */
+- if (q->pi_state->owner == current) {
+- ret = fixup_pi_state_owner(uaddr, q, NULL);
+- goto out;
+- }
++ if (q->pi_state->owner == current)
++ return fixup_pi_state_owner(uaddr, q, NULL);
+
+ /*
+ * Paranoia check. If we did not take the lock, then we should not be
+@@ -2679,8 +2675,7 @@ static int fixup_owner(u32 __user *uaddr
+ q->pi_state->owner);
+ }
+
+-out:
+- return ret ? ret : locked;
++ return 0;
+ }
+
+ /**
+@@ -3411,7 +3406,7 @@ static int futex_wait_requeue_pi(u32 __u
+ if (q.pi_state && (q.pi_state->owner != current)) {
+ spin_lock(q.lock_ptr);
+ ret = fixup_pi_state_owner(uaddr2, &q, current);
+- if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
++ if (ret < 0 && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
+ pi_state = q.pi_state;
+ get_pi_state(pi_state);
+ }
+@@ -3421,6 +3416,11 @@ static int futex_wait_requeue_pi(u32 __u
+ */
+ put_pi_state(q.pi_state);
+ spin_unlock(q.lock_ptr);
++ /*
++ * Adjust the return value. It's either -EFAULT or
++ * success (1) but the caller expects 0 for success.
++ */
++ ret = ret < 0 ? ret : 0;
+ }
+ } else {
+ struct rt_mutex *pi_mutex;
--- /dev/null
+Subject: futex: Handle faults correctly for PI futexes
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon Jan 18 19:01:21 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a upstream
+
+fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
+pi_state and the user space value related to the PI futex are consistent
+before returning to user space. In case that the user space value update
+faults and the fault cannot be resolved by faulting the page in via
+fault_in_user_writeable() the function returns with -EFAULT and leaves
+the rtmutex and pi_state owner state inconsistent.
+
+A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
+releases the rtmutex despite not owning it which can corrupt the RB tree of
+the rtmutex and cause a subsequent kernel stack use after free.
+
+It was suggested to loop forever in fixup_pi_state_owner() if the fault
+cannot be resolved, but that results in runaway tasks which is especially
+undesired when the problem happens due to a programming error and not due
+to malice.
+
+As the user space value cannot be fixed up, the proper solution is to make
+the rtmutex and the pi_state consistent so both have the same owner. This
+leaves the user space value out of sync. Any subsequent operation on the
+futex will fail because the 10th rule of PI futexes (pi_state owner and
+user space value are consistent) has been violated.
+
+As a consequence this removes the inept attempts of 'fixing' the situation
+in case that the current task owns the rtmutex when returning with an
+unresolvable fault by unlocking the rtmutex which left pi_state::owner and
+rtmutex::owner out of sync in a different and only slightly less dangerous
+way.
+
+Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
+Reported-by: gzobqq@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 56 ++++++++++++++++++++------------------------------------
+ 1 file changed, 20 insertions(+), 36 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1034,7 +1034,8 @@ static inline void exit_pi_state_list(st
+ * FUTEX_OWNER_DIED bit. See [4]
+ *
+ * [10] There is no transient state which leaves owner and user space
+- * TID out of sync.
++ * TID out of sync. Except one error case where the kernel is denied
++ * write access to the user address, see fixup_pi_state_owner().
+ *
+ *
+ * Serialization and lifetime rules:
+@@ -2596,6 +2597,24 @@ handle_err:
+ if (!err)
+ goto retry;
+
++ /*
++ * fault_in_user_writeable() failed so user state is immutable. At
++ * best we can make the kernel state consistent but user state will
++ * be most likely hosed and any subsequent unlock operation will be
++ * rejected due to PI futex rule [10].
++ *
++ * Ensure that the rtmutex owner is also the pi_state owner despite
++ * the user space value claiming something different. There is no
++ * point in unlocking the rtmutex if current is the owner as it
++ * would need to wait until the next waiter has taken the rtmutex
++ * to guarantee consistent state. Keep it simple. Userspace asked
++ * for this wreckaged state.
++ *
++ * The rtmutex has an owner - either current or some other
++ * task. See the EAGAIN loop above.
++ */
++ pi_state_update_owner(pi_state, rt_mutex_owner(&pi_state->pi_mutex));
++
+ return err;
+ }
+
+@@ -2885,7 +2904,6 @@ static int futex_lock_pi(u32 __user *uad
+ ktime_t *time, int trylock)
+ {
+ struct hrtimer_sleeper timeout, *to = NULL;
+- struct futex_pi_state *pi_state = NULL;
+ struct task_struct *exiting = NULL;
+ struct rt_mutex_waiter rt_waiter;
+ struct futex_hash_bucket *hb;
+@@ -3028,23 +3046,9 @@ no_block:
+ if (res)
+ ret = (res < 0) ? res : 0;
+
+- /*
+- * If fixup_owner() faulted and was unable to handle the fault, unlock
+- * it and return the fault to userspace.
+- */
+- if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current)) {
+- pi_state = q.pi_state;
+- get_pi_state(pi_state);
+- }
+-
+ /* Unqueue and drop the lock */
+ unqueue_me_pi(&q);
+
+- if (pi_state) {
+- rt_mutex_futex_unlock(&pi_state->pi_mutex);
+- put_pi_state(pi_state);
+- }
+-
+ goto out_put_key;
+
+ out_unlock_put_key:
+@@ -3310,7 +3314,6 @@ static int futex_wait_requeue_pi(u32 __u
+ u32 __user *uaddr2)
+ {
+ struct hrtimer_sleeper timeout, *to = NULL;
+- struct futex_pi_state *pi_state = NULL;
+ struct rt_mutex_waiter rt_waiter;
+ struct futex_hash_bucket *hb;
+ union futex_key key2 = FUTEX_KEY_INIT;
+@@ -3395,10 +3398,6 @@ static int futex_wait_requeue_pi(u32 __u
+ if (q.pi_state && (q.pi_state->owner != current)) {
+ spin_lock(q.lock_ptr);
+ ret = fixup_pi_state_owner(uaddr2, &q, current);
+- if (ret < 0 && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
+- pi_state = q.pi_state;
+- get_pi_state(pi_state);
+- }
+ /*
+ * Drop the reference to the pi state which
+ * the requeue_pi() code acquired for us.
+@@ -3440,25 +3439,10 @@ static int futex_wait_requeue_pi(u32 __u
+ if (res)
+ ret = (res < 0) ? res : 0;
+
+- /*
+- * If fixup_pi_state_owner() faulted and was unable to handle
+- * the fault, unlock the rt_mutex and return the fault to
+- * userspace.
+- */
+- if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
+- pi_state = q.pi_state;
+- get_pi_state(pi_state);
+- }
+-
+ /* Unqueue and drop the lock. */
+ unqueue_me_pi(&q);
+ }
+
+- if (pi_state) {
+- rt_mutex_futex_unlock(&pi_state->pi_mutex);
+- put_pi_state(pi_state);
+- }
+-
+ if (ret == -EINTR) {
+ /*
+ * We've already been requeued, but cannot restart by calling
This allows to simplify that logic in a next step.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Folded build fix from Borislav.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Fixes: 778e9a9c3e71 ("pi-futex: fix exit races and locking problems")
Reported-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Stable Team <stable@vger.kernel.org>
--- /dev/null
+Subject: futex: Provide and use pi_state_update_owner()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue Jan 19 15:21:35 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7 upstream
+
+Updating pi_state::owner is done at several places with the same
+code. Provide a function for it and use that at the obvious places.
+
+This is also a preparation for a bug fix to avoid yet another copy of the
+same code or alternatively introducing a completely unpenetratable mess of
+gotos.
+
+Originally-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 66 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -839,6 +839,29 @@ static struct futex_pi_state *alloc_pi_s
+ return pi_state;
+ }
+
++static void pi_state_update_owner(struct futex_pi_state *pi_state,
++ struct task_struct *new_owner)
++{
++ struct task_struct *old_owner = pi_state->owner;
++
++ lockdep_assert_held(&pi_state->pi_mutex.wait_lock);
++
++ if (old_owner) {
++ raw_spin_lock(&old_owner->pi_lock);
++ WARN_ON(list_empty(&pi_state->list));
++ list_del_init(&pi_state->list);
++ raw_spin_unlock(&old_owner->pi_lock);
++ }
++
++ if (new_owner) {
++ raw_spin_lock(&new_owner->pi_lock);
++ WARN_ON(!list_empty(&pi_state->list));
++ list_add(&pi_state->list, &new_owner->pi_state_list);
++ pi_state->owner = new_owner;
++ raw_spin_unlock(&new_owner->pi_lock);
++ }
++}
++
+ static void get_pi_state(struct futex_pi_state *pi_state)
+ {
+ WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount));
+@@ -1597,26 +1620,15 @@ static int wake_futex_pi(u32 __user *uad
+ ret = -EINVAL;
+ }
+
+- if (ret)
+- goto out_unlock;
+-
+- /*
+- * This is a point of no return; once we modify the uval there is no
+- * going back and subsequent operations must not fail.
+- */
+-
+- raw_spin_lock(&pi_state->owner->pi_lock);
+- WARN_ON(list_empty(&pi_state->list));
+- list_del_init(&pi_state->list);
+- raw_spin_unlock(&pi_state->owner->pi_lock);
+-
+- raw_spin_lock(&new_owner->pi_lock);
+- WARN_ON(!list_empty(&pi_state->list));
+- list_add(&pi_state->list, &new_owner->pi_state_list);
+- pi_state->owner = new_owner;
+- raw_spin_unlock(&new_owner->pi_lock);
+-
+- postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q);
++ if (!ret) {
++ /*
++ * This is a point of no return; once we modified the uval
++ * there is no going back and subsequent operations must
++ * not fail.
++ */
++ pi_state_update_owner(pi_state, new_owner);
++ postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q);
++ }
+
+ out_unlock:
+ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
+@@ -2549,19 +2561,7 @@ retry:
+ * We fixed up user space. Now we need to fix the pi_state
+ * itself.
+ */
+- if (pi_state->owner != NULL) {
+- raw_spin_lock(&pi_state->owner->pi_lock);
+- WARN_ON(list_empty(&pi_state->list));
+- list_del_init(&pi_state->list);
+- raw_spin_unlock(&pi_state->owner->pi_lock);
+- }
+-
+- pi_state->owner = newowner;
+-
+- raw_spin_lock(&newowner->pi_lock);
+- WARN_ON(!list_empty(&pi_state->list));
+- list_add(&pi_state->list, &newowner->pi_state_list);
+- raw_spin_unlock(&newowner->pi_lock);
++ pi_state_update_owner(pi_state, newowner);
+ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
+
+ return argowner == current;
Date: Wed Nov 6 22:55:45 2019 +0100
From: Thomas Gleixner <tglx@linutronix.de>
-`
+
commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream
attach_to_pi_owner() returns -EAGAIN for various cases:
No functional change.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
attach to the task in case that the cleanup was not successfull in mopping
up all leftovers.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
This prepares for handling various futex exit issues later.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
--- /dev/null
+Subject: futex: Replace pointless printk in fixup_owner()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue Jan 19 16:06:10 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 04b79c55201f02ffd675e1231d731365e335c307 upstream
+
+If that unexpected case of inconsistent arguments ever happens then the
+futex state is left completely inconsistent and the printk is not really
+helpful. Replace it with a warning and make the state consistent.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2666,14 +2666,10 @@ static int fixup_owner(u32 __user *uaddr
+
+ /*
+ * Paranoia check. If we did not take the lock, then we should not be
+- * the owner of the rt_mutex.
++ * the owner of the rt_mutex. Warn and establish consistent state.
+ */
+- if (rt_mutex_owner(&q->pi_state->pi_mutex) == current) {
+- printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p "
+- "pi-state %p\n", ret,
+- q->pi_state->pi_mutex.owner,
+- q->pi_state->owner);
+- }
++ if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current))
++ return fixup_pi_state_owner(uaddr, q, current);
+
+ return 0;
+ }
Instead of having a smp_mb() and an empty lock/unlock of task::pi_lock move
the state setting into to the lock section.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
the state to FUTEX_STATE_DEAD because the task struct is still in active
use.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
--- /dev/null
+Subject: futex: Simplify fixup_pi_state_owner()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue Jan 19 16:26:38 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f2dac39d93987f7de1e20b3988c8685523247ae2 upstream
+
+Too many gotos already and an upcoming fix would make it even more
+unreadable.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 53 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2445,18 +2445,13 @@ static void unqueue_me_pi(struct futex_q
+ spin_unlock(q->lock_ptr);
+ }
+
+-static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
+- struct task_struct *argowner)
++static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
++ struct task_struct *argowner)
+ {
++ u32 uval, uninitialized_var(curval), newval, newtid;
+ struct futex_pi_state *pi_state = q->pi_state;
+- u32 uval, uninitialized_var(curval), newval;
+ struct task_struct *oldowner, *newowner;
+- u32 newtid;
+- int ret, err = 0;
+-
+- lockdep_assert_held(q->lock_ptr);
+-
+- raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
++ int err = 0;
+
+ oldowner = pi_state->owner;
+
+@@ -2490,14 +2485,12 @@ retry:
+ * We raced against a concurrent self; things are
+ * already fixed up. Nothing to do.
+ */
+- ret = 0;
+- goto out_unlock;
++ return 0;
+ }
+
+ if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
+ /* We got the lock. pi_state is correct. Tell caller. */
+- ret = 1;
+- goto out_unlock;
++ return 1;
+ }
+
+ /*
+@@ -2524,8 +2517,7 @@ retry:
+ * We raced against a concurrent self; things are
+ * already fixed up. Nothing to do.
+ */
+- ret = 1;
+- goto out_unlock;
++ return 1;
+ }
+ newowner = argowner;
+ }
+@@ -2556,7 +2548,6 @@ retry:
+ * itself.
+ */
+ pi_state_update_owner(pi_state, newowner);
+- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
+
+ return argowner == current;
+
+@@ -2579,17 +2570,16 @@ handle_err:
+
+ switch (err) {
+ case -EFAULT:
+- ret = fault_in_user_writeable(uaddr);
++ err = fault_in_user_writeable(uaddr);
+ break;
+
+ case -EAGAIN:
+ cond_resched();
+- ret = 0;
++ err = 0;
+ break;
+
+ default:
+ WARN_ON_ONCE(1);
+- ret = err;
+ break;
+ }
+
+@@ -2599,17 +2589,26 @@ handle_err:
+ /*
+ * Check if someone else fixed it for us:
+ */
+- if (pi_state->owner != oldowner) {
+- ret = argowner == current;
+- goto out_unlock;
+- }
++ if (pi_state->owner != oldowner)
++ return argowner == current;
+
+- if (ret)
+- goto out_unlock;
++ /* Retry if err was -EAGAIN or the fault in succeeded */
++ if (!err)
++ goto retry;
+
+- goto retry;
++ return err;
++}
+
+-out_unlock:
++static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
++ struct task_struct *argowner)
++{
++ struct futex_pi_state *pi_state = q->pi_state;
++ int ret;
++
++ lockdep_assert_held(q->lock_ptr);
++
++ raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
++ ret = __fixup_pi_state_owner(uaddr, q, argowner);
+ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
+ return ret;
+ }
Preparatory only, no functional change.
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
--- /dev/null
+Subject: futex: Use pi_state_update_owner() in put_pi_state()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed Jan 20 11:35:19 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 6ccc84f917d33312eb2846bd7b567639f585ad6d upstream
+
+No point in open coding it. This way it gains the extra sanity checks.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -884,16 +884,10 @@ static void put_pi_state(struct futex_pi
+ * and has cleaned up the pi_state already
+ */
+ if (pi_state->owner) {
+- struct task_struct *owner;
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags);
+- owner = pi_state->owner;
+- if (owner) {
+- raw_spin_lock(&owner->pi_lock);
+- list_del_init(&pi_state->list);
+- raw_spin_unlock(&owner->pi_lock);
+- }
++ pi_state_update_owner(pi_state, NULL);
+ rt_mutex_proxy_unlock(&pi_state->pi_mutex);
+ raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags);
+ }
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
drivers/gpio/gpio-mvebu.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
--- /dev/null
+From 179e8e47c02a1950f1c556f2b854bdb2259078fb Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Thu, 21 Jan 2021 10:46:49 -0800
+Subject: HID: wacom: Correct NULL dereference on AES pen proximity
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 179e8e47c02a1950f1c556f2b854bdb2259078fb upstream.
+
+The recent commit to fix a memory leak introduced an inadvertant NULL
+pointer dereference. The `wacom_wac->pen_fifo` variable was never
+intialized, resuling in a crash whenever functions tried to use it.
+Since the FIFO is only used by AES pens (to buffer events from pen
+proximity until the hardware reports the pen serial number) this would
+have been easily overlooked without testing an AES device.
+
+This patch converts `wacom_wac->pen_fifo` over to a pointer (since the
+call to `devres_alloc` allocates memory for us) and ensures that we assign
+it to point to the allocated and initalized `pen_fifo` before the function
+returns.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/230
+Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc")
+CC: stable@vger.kernel.org # v4.19+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 7 ++++---
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -150,9 +150,9 @@ static int wacom_wac_pen_serial_enforce(
+ }
+
+ if (flush)
+- wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo);
++ wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo);
+ else if (insert)
+- wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo,
++ wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo,
+ raw_data, report_size);
+
+ return insert && !flush;
+@@ -1251,7 +1251,7 @@ static void wacom_devm_kfifo_release(str
+ static int wacom_devm_kfifo_alloc(struct wacom *wacom)
+ {
+ struct wacom_wac *wacom_wac = &wacom->wacom_wac;
+- struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo;
++ struct kfifo_rec_ptr_2 *pen_fifo;
+ int error;
+
+ pen_fifo = devres_alloc(wacom_devm_kfifo_release,
+@@ -1268,6 +1268,7 @@ static int wacom_devm_kfifo_alloc(struct
+ }
+
+ devres_add(&wacom->hdev->dev, pen_fifo);
++ wacom_wac->pen_fifo = pen_fifo;
+
+ return 0;
+ }
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -344,7 +344,7 @@ struct wacom_wac {
+ struct input_dev *pen_input;
+ struct input_dev *touch_input;
+ struct input_dev *pad_input;
+- struct kfifo_rec_ptr_2 pen_fifo;
++ struct kfifo_rec_ptr_2 *pen_fifo;
+ int pid;
+ int num_contacts_left;
+ u8 bt_features;
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
mm/slub.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- /dev/null
+Subject: rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed Jan 20 11:32:07 2021 +0100
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 upstream
+
+Nothing uses the argument. Remove it as preparation to use
+pi_state_update_owner().
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex.c | 2 +-
+ kernel/locking/rtmutex.c | 3 +--
+ kernel/locking/rtmutex_common.h | 3 +--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -894,7 +894,7 @@ static void put_pi_state(struct futex_pi
+ list_del_init(&pi_state->list);
+ raw_spin_unlock(&owner->pi_lock);
+ }
+- rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner);
++ rt_mutex_proxy_unlock(&pi_state->pi_mutex);
+ raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags);
+ }
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1719,8 +1719,7 @@ void rt_mutex_init_proxy_locked(struct r
+ * possible because it belongs to the pi_state which is about to be freed
+ * and it is not longer visible to other tasks.
+ */
+-void rt_mutex_proxy_unlock(struct rt_mutex *lock,
+- struct task_struct *proxy_owner)
++void rt_mutex_proxy_unlock(struct rt_mutex *lock)
+ {
+ debug_rt_mutex_proxy_unlock(lock);
+ rt_mutex_set_owner(lock, NULL);
+--- a/kernel/locking/rtmutex_common.h
++++ b/kernel/locking/rtmutex_common.h
+@@ -133,8 +133,7 @@ enum rtmutex_chainwalk {
+ extern struct task_struct *rt_mutex_next_owner(struct rt_mutex *lock);
+ extern void rt_mutex_init_proxy_locked(struct rt_mutex *lock,
+ struct task_struct *proxy_owner);
+-extern void rt_mutex_proxy_unlock(struct rt_mutex *lock,
+- struct task_struct *proxy_owner);
++extern void rt_mutex_proxy_unlock(struct rt_mutex *lock);
+ extern void rt_mutex_init_waiter(struct rt_mutex_waiter *waiter);
+ extern int __rt_mutex_start_proxy_lock(struct rt_mutex *lock,
+ struct rt_mutex_waiter *waiter,
+gpio-mvebu-fix-pwm-.get_state-period-calculation.patch
+revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
futex_Move_futex_exit_handling_into_futex_code.patch
futex_Replace_PF_EXITPIDONE_with_a_state.patch
-exitexec_Seperate_mm_release().patch
-futex_Split_futex_mm_release()_for_exitexec.patch
+exitexec_Seperate_mm_release_.patch
+futex_Split_futex_mm_release__for_exitexec.patch
futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch
futex_Mark_the_begin_of_futex_exit_explicitly.patch
futex_Sanitize_exit_state_handling.patch
-futex_Provide_state_handling_for_exec()_as_well.patch
+futex_Provide_state_handling_for_exec__as_well.patch
futex_Add_mutex_around_futex_exit.patch
futex_Provide_distinct_return_value_when_owner_is_exiting.patch
futex_Prevent_exit_livelock.patch
-gpio-mvebu-fix-pwm-.get_state-period-calculation.patch
-revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
+futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch
+futex_Replace_pointless_printk_in_fixup_owner_.patch
+futex_Provide_and_use_pi_state_update_owner_.patch
+rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch
+futex_Use_pi_state_update_owner__in_put_pi_state_.patch
+futex_Simplify_fixup_pi_state_owner_.patch
+futex_Handle_faults_correctly_for_PI_futexes.patch
+hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
