--- /dev/null
+From 9bbb25afeb182502ca4f2c4f3f88af0681b34cae Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:19 +0100
+Subject: futex: Add missing error handling to FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.
+
+Thomas spotted that fixup_pi_state_owner() can return errors and we
+fail to unlock the rt_mutex in that case.
+
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2773,6 +2773,8 @@ static int futex_wait_requeue_pi(u32 __u
+ if (q.pi_state && (q.pi_state->owner != current)) {
+ spin_lock(q.lock_ptr);
+ ret = fixup_pi_state_owner(uaddr2, &q, current);
++ if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
++ rt_mutex_unlock(&q.pi_state->pi_mutex);
+ /*
+ * Drop the reference to the pi state which
+ * the requeue_pi() code acquired for us.
--- /dev/null
+From c236c8e95a3d395b0494e7108f0d41cf36ec107c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:18 +0100
+Subject: futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
+
+While working on the futex code, I stumbled over this potential
+use-after-free scenario. Dmitry triggered it later with syzkaller.
+
+pi_mutex is a pointer into pi_state, which we drop the reference on in
+unqueue_me_pi(). So any access to that pointer after that is bad.
+
+Since other sites already do rt_mutex_unlock() with hb->lock held, see
+for example futex_lock_pi(), simply move the unlock before
+unqueue_me_pi().
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2690,7 +2690,6 @@ static int futex_wait_requeue_pi(u32 __u
+ {
+ struct hrtimer_sleeper timeout, *to = NULL;
+ struct rt_mutex_waiter rt_waiter;
+- struct rt_mutex *pi_mutex = NULL;
+ struct futex_hash_bucket *hb;
+ union futex_key key2 = FUTEX_KEY_INIT;
+ struct futex_q q = futex_q_init;
+@@ -2782,6 +2781,8 @@ static int futex_wait_requeue_pi(u32 __u
+ spin_unlock(q.lock_ptr);
+ }
+ } else {
++ struct rt_mutex *pi_mutex;
++
+ /*
+ * We have been woken up by futex_unlock_pi(), a timeout, or a
+ * signal. futex_unlock_pi() will not destroy the lock_ptr nor
+@@ -2805,18 +2806,19 @@ static int futex_wait_requeue_pi(u32 __u
+ if (res)
+ ret = (res < 0) ? res : 0;
+
++ /*
++ * If fixup_pi_state_owner() faulted and was unable to handle
++ * the fault, unlock the rt_mutex and return the fault to
++ * userspace.
++ */
++ if (ret && rt_mutex_owner(pi_mutex) == current)
++ rt_mutex_unlock(pi_mutex);
++
+ /* Unqueue and drop the lock. */
+ unqueue_me_pi(&q);
+ }
+
+- /*
+- * If fixup_pi_state_owner() faulted and was unable to handle the
+- * fault, unlock the rt_mutex and return the fault to userspace.
+- */
+- if (ret == -EFAULT) {
+- if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
+- rt_mutex_unlock(pi_mutex);
+- } else if (ret == -EINTR) {
++ if (ret == -EINTR) {
+ /*
+ * We've already been requeued, but cannot restart by calling
+ * futex_lock_pi() directly. We could restart this syscall, but
net-sched-actions-decrement-module-reference-count-after-table-flush.patch
fscrypt-fix-renaming-and-linking-special-files.patch
fscrypto-lock-inode-while-setting-encryption-policy.patch
+x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch
+x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch
+futex-fix-potential-use-after-free-in-futex_requeue_pi.patch
+futex-add-missing-error-handling-to-futex_requeue_pi.patch
--- /dev/null
+From be3606ff739d1c1be36389f8737c577ad87e1f57 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Mon, 13 Mar 2017 19:33:37 +0300
+Subject: x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit be3606ff739d1c1be36389f8737c577ad87e1f57 upstream.
+
+The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y
+options selected. With branch profiling enabled we end up calling
+ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is
+built with KASAN instrumentation, so calling it before kasan has been
+initialized leads to crash.
+
+Use DISABLE_BRANCH_PROFILING define to make sure that we don't call
+ftrace_likely_update() from early code before kasan_early_init().
+
+Fixes: ef7f0d6a6ca8 ("x86_64: add KASan support")
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: kasan-dev@googlegroups.com
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: lkp@01.org
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head64.c | 1 +
+ arch/x86/mm/kasan_init_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -4,6 +4,7 @@
+ * Copyright (C) 2000 Andrea Arcangeli <andrea@suse.de> SuSE
+ */
+
++#define DISABLE_BRANCH_PROFILING
+ #include <linux/init.h>
+ #include <linux/linkage.h>
+ #include <linux/types.h>
+--- a/arch/x86/mm/kasan_init_64.c
++++ b/arch/x86/mm/kasan_init_64.c
+@@ -1,3 +1,4 @@
++#define DISABLE_BRANCH_PROFILING
+ #define pr_fmt(fmt) "kasan: " fmt
+ #include <linux/bootmem.h>
+ #include <linux/kasan.h>
--- /dev/null
+From 5dc855d44c2ad960a86f593c60461f1ae1566b6d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Thu, 16 Mar 2017 12:59:39 -0700
+Subject: x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream.
+
+If one thread mmaps a perf event while another thread in the same mm
+is in some context where active_mm != mm (which can happen in the
+scheduler, for example), refresh_pce() would write the wrong value
+to CR4.PCE. This broke some PAPI tests.
+
+Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: 7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped")
+Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event.c
++++ b/arch/x86/kernel/cpu/perf_event.c
+@@ -1996,8 +1996,8 @@ static int x86_pmu_event_init(struct per
+
+ static void refresh_pce(void *ignored)
+ {
+- if (current->mm)
+- load_mm_cr4(current->mm);
++ if (current->active_mm)
++ load_mm_cr4(current->active_mm);
+ }
+
+ static void x86_pmu_event_mapped(struct perf_event *event)
projects / thirdparty / kernel / stable-queue.git / commitdiff
