From: Greg Kroah-Hartman Date: Fri, 29 Jan 2021 10:12:02 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.254~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49d05fdcd243cb72ae8abe5972ea76c4c55d8317;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: exitexec_Seperate_mm_release_.patch futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch futex_Handle_faults_correctly_for_PI_futexes.patch futex_Provide_and_use_pi_state_update_owner_.patch futex_Provide_state_handling_for_exec__as_well.patch futex_Replace_pointless_printk_in_fixup_owner_.patch futex_Simplify_fixup_pi_state_owner_.patch futex_Split_futex_mm_release__for_exitexec.patch futex_Use_pi_state_update_owner__in_put_pi_state_.patch hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch --- diff --git a/queue-4.19/exitexec_Seperate_mm_release().patch b/queue-4.19/exitexec_Seperate_mm_release_.patch similarity index 98% rename from queue-4.19/exitexec_Seperate_mm_release().patch rename to queue-4.19/exitexec_Seperate_mm_release_.patch index 6f1eca6d78a..a1e62d8ba6c 100644 --- a/queue-4.19/exitexec_Seperate_mm_release().patch +++ b/queue-4.19/exitexec_Seperate_mm_release_.patch @@ -17,7 +17,6 @@ needs to be split into two functions. Preparatory only, no functional change. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Add_mutex_around_futex_exit.patch b/queue-4.19/futex_Add_mutex_around_futex_exit.patch index ef9d6d5ac26..1a35f805040 100644 --- a/queue-4.19/futex_Add_mutex_around_futex_exit.patch +++ b/queue-4.19/futex_Add_mutex_around_futex_exit.patch @@ -10,7 +10,6 @@ The mutex will be used in subsequent changes to replace the busy looping of a waiter when the futex owner is currently executing the exit cleanup to prevent a potential live lock. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch b/queue-4.19/futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch new file mode 100644 index 00000000000..8ef4617a6d5 --- /dev/null +++ b/queue-4.19/futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch @@ -0,0 +1,134 @@ +Subject: futex: Ensure the correct return value from futex_lock_pi() +From: Thomas Gleixner +Date: Wed Jan 20 16:00:24 2021 +0100 + +From: Thomas Gleixner + +commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 upstream + +In case that futex_lock_pi() was aborted by a signal or a timeout and the +task returned without acquiring the rtmutex, but is the designated owner of +the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to +establish consistent state. In that case it invokes fixup_pi_state_owner() +which in turn tries to acquire the rtmutex again. If that succeeds then it +does not propagate this success to fixup_owner() and futex_lock_pi() +returns -EINTR or -ETIMEOUT despite having the futex locked. + +Return success from fixup_pi_state_owner() in all cases where the current +task owns the rtmutex and therefore the futex and propagate it correctly +through fixup_owner(). Fixup the other callsite which does not expect a +positive return value. + +Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex") +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2489,8 +2489,8 @@ retry: + } + + if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) { +- /* We got the lock after all, nothing to fix. */ +- ret = 0; ++ /* We got the lock. pi_state is correct. Tell caller. */ ++ ret = 1; + goto out_unlock; + } + +@@ -2518,7 +2518,7 @@ retry: + * We raced against a concurrent self; things are + * already fixed up. Nothing to do. + */ +- ret = 0; ++ ret = 1; + goto out_unlock; + } + newowner = argowner; +@@ -2564,7 +2564,7 @@ retry: + raw_spin_unlock(&newowner->pi_lock); + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); + +- return 0; ++ return argowner == current; + + /* + * In order to reschedule or handle a page fault, we need to drop the +@@ -2606,7 +2606,7 @@ handle_err: + * Check if someone else fixed it for us: + */ + if (pi_state->owner != oldowner) { +- ret = 0; ++ ret = argowner == current; + goto out_unlock; + } + +@@ -2639,8 +2639,6 @@ static long futex_wait_restart(struct re + */ + static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) + { +- int ret = 0; +- + if (locked) { + /* + * Got the lock. We might not be the anticipated owner if we +@@ -2651,8 +2649,8 @@ static int fixup_owner(u32 __user *uaddr + * stable state, anything else needs more attention. + */ + if (q->pi_state->owner != current) +- ret = fixup_pi_state_owner(uaddr, q, current); +- goto out; ++ return fixup_pi_state_owner(uaddr, q, current); ++ return 1; + } + + /* +@@ -2663,10 +2661,8 @@ static int fixup_owner(u32 __user *uaddr + * Another speculative read; pi_state->owner == current is unstable + * but needs our attention. + */ +- if (q->pi_state->owner == current) { +- ret = fixup_pi_state_owner(uaddr, q, NULL); +- goto out; +- } ++ if (q->pi_state->owner == current) ++ return fixup_pi_state_owner(uaddr, q, NULL); + + /* + * Paranoia check. If we did not take the lock, then we should not be +@@ -2679,8 +2675,7 @@ static int fixup_owner(u32 __user *uaddr + q->pi_state->owner); + } + +-out: +- return ret ? ret : locked; ++ return 0; + } + + /** +@@ -3411,7 +3406,7 @@ static int futex_wait_requeue_pi(u32 __u + if (q.pi_state && (q.pi_state->owner != current)) { + spin_lock(q.lock_ptr); + ret = fixup_pi_state_owner(uaddr2, &q, current); +- if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { ++ if (ret < 0 && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { + pi_state = q.pi_state; + get_pi_state(pi_state); + } +@@ -3421,6 +3416,11 @@ static int futex_wait_requeue_pi(u32 __u + */ + put_pi_state(q.pi_state); + spin_unlock(q.lock_ptr); ++ /* ++ * Adjust the return value. It's either -EFAULT or ++ * success (1) but the caller expects 0 for success. ++ */ ++ ret = ret < 0 ? ret : 0; + } + } else { + struct rt_mutex *pi_mutex; diff --git a/queue-4.19/futex_Handle_faults_correctly_for_PI_futexes.patch b/queue-4.19/futex_Handle_faults_correctly_for_PI_futexes.patch new file mode 100644 index 00000000000..e80f2a00a60 --- /dev/null +++ b/queue-4.19/futex_Handle_faults_correctly_for_PI_futexes.patch @@ -0,0 +1,160 @@ +Subject: futex: Handle faults correctly for PI futexes +From: Thomas Gleixner +Date: Mon Jan 18 19:01:21 2021 +0100 + +From: Thomas Gleixner + +commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a upstream + +fixup_pi_state_owner() tries to ensure that the state of the rtmutex, +pi_state and the user space value related to the PI futex are consistent +before returning to user space. In case that the user space value update +faults and the fault cannot be resolved by faulting the page in via +fault_in_user_writeable() the function returns with -EFAULT and leaves +the rtmutex and pi_state owner state inconsistent. + +A subsequent futex_unlock_pi() operates on the inconsistent pi_state and +releases the rtmutex despite not owning it which can corrupt the RB tree of +the rtmutex and cause a subsequent kernel stack use after free. + +It was suggested to loop forever in fixup_pi_state_owner() if the fault +cannot be resolved, but that results in runaway tasks which is especially +undesired when the problem happens due to a programming error and not due +to malice. + +As the user space value cannot be fixed up, the proper solution is to make +the rtmutex and the pi_state consistent so both have the same owner. This +leaves the user space value out of sync. Any subsequent operation on the +futex will fail because the 10th rule of PI futexes (pi_state owner and +user space value are consistent) has been violated. + +As a consequence this removes the inept attempts of 'fixing' the situation +in case that the current task owns the rtmutex when returning with an +unresolvable fault by unlocking the rtmutex which left pi_state::owner and +rtmutex::owner out of sync in a different and only slightly less dangerous +way. + +Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi") +Reported-by: gzobqq@gmail.com +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 56 ++++++++++++++++++++------------------------------------ + 1 file changed, 20 insertions(+), 36 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1034,7 +1034,8 @@ static inline void exit_pi_state_list(st + * FUTEX_OWNER_DIED bit. See [4] + * + * [10] There is no transient state which leaves owner and user space +- * TID out of sync. ++ * TID out of sync. Except one error case where the kernel is denied ++ * write access to the user address, see fixup_pi_state_owner(). + * + * + * Serialization and lifetime rules: +@@ -2596,6 +2597,24 @@ handle_err: + if (!err) + goto retry; + ++ /* ++ * fault_in_user_writeable() failed so user state is immutable. At ++ * best we can make the kernel state consistent but user state will ++ * be most likely hosed and any subsequent unlock operation will be ++ * rejected due to PI futex rule [10]. ++ * ++ * Ensure that the rtmutex owner is also the pi_state owner despite ++ * the user space value claiming something different. There is no ++ * point in unlocking the rtmutex if current is the owner as it ++ * would need to wait until the next waiter has taken the rtmutex ++ * to guarantee consistent state. Keep it simple. Userspace asked ++ * for this wreckaged state. ++ * ++ * The rtmutex has an owner - either current or some other ++ * task. See the EAGAIN loop above. ++ */ ++ pi_state_update_owner(pi_state, rt_mutex_owner(&pi_state->pi_mutex)); ++ + return err; + } + +@@ -2885,7 +2904,6 @@ static int futex_lock_pi(u32 __user *uad + ktime_t *time, int trylock) + { + struct hrtimer_sleeper timeout, *to = NULL; +- struct futex_pi_state *pi_state = NULL; + struct task_struct *exiting = NULL; + struct rt_mutex_waiter rt_waiter; + struct futex_hash_bucket *hb; +@@ -3028,23 +3046,9 @@ no_block: + if (res) + ret = (res < 0) ? res : 0; + +- /* +- * If fixup_owner() faulted and was unable to handle the fault, unlock +- * it and return the fault to userspace. +- */ +- if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current)) { +- pi_state = q.pi_state; +- get_pi_state(pi_state); +- } +- + /* Unqueue and drop the lock */ + unqueue_me_pi(&q); + +- if (pi_state) { +- rt_mutex_futex_unlock(&pi_state->pi_mutex); +- put_pi_state(pi_state); +- } +- + goto out_put_key; + + out_unlock_put_key: +@@ -3310,7 +3314,6 @@ static int futex_wait_requeue_pi(u32 __u + u32 __user *uaddr2) + { + struct hrtimer_sleeper timeout, *to = NULL; +- struct futex_pi_state *pi_state = NULL; + struct rt_mutex_waiter rt_waiter; + struct futex_hash_bucket *hb; + union futex_key key2 = FUTEX_KEY_INIT; +@@ -3395,10 +3398,6 @@ static int futex_wait_requeue_pi(u32 __u + if (q.pi_state && (q.pi_state->owner != current)) { + spin_lock(q.lock_ptr); + ret = fixup_pi_state_owner(uaddr2, &q, current); +- if (ret < 0 && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { +- pi_state = q.pi_state; +- get_pi_state(pi_state); +- } + /* + * Drop the reference to the pi state which + * the requeue_pi() code acquired for us. +@@ -3440,25 +3439,10 @@ static int futex_wait_requeue_pi(u32 __u + if (res) + ret = (res < 0) ? res : 0; + +- /* +- * If fixup_pi_state_owner() faulted and was unable to handle +- * the fault, unlock the rt_mutex and return the fault to +- * userspace. +- */ +- if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { +- pi_state = q.pi_state; +- get_pi_state(pi_state); +- } +- + /* Unqueue and drop the lock. */ + unqueue_me_pi(&q); + } + +- if (pi_state) { +- rt_mutex_futex_unlock(&pi_state->pi_mutex); +- put_pi_state(pi_state); +- } +- + if (ret == -EINTR) { + /* + * We've already been requeued, but cannot restart by calling diff --git a/queue-4.19/futex_Mark_the_begin_of_futex_exit_explicitly.patch b/queue-4.19/futex_Mark_the_begin_of_futex_exit_explicitly.patch index 973da35c0ca..fd9ac0ca5f7 100644 --- a/queue-4.19/futex_Mark_the_begin_of_futex_exit_explicitly.patch +++ b/queue-4.19/futex_Mark_the_begin_of_futex_exit_explicitly.patch @@ -15,7 +15,6 @@ continues to use the same task struct. This allows to simplify that logic in a next step. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Move_futex_exit_handling_into_futex_code.patch b/queue-4.19/futex_Move_futex_exit_handling_into_futex_code.patch index d08d9ed4a18..a144413fb7e 100644 --- a/queue-4.19/futex_Move_futex_exit_handling_into_futex_code.patch +++ b/queue-4.19/futex_Move_futex_exit_handling_into_futex_code.patch @@ -17,7 +17,6 @@ Preparatory only and no functional change. Folded build fix from Borislav. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Prevent_exit_livelock.patch b/queue-4.19/futex_Prevent_exit_livelock.patch index 99b8d8c8fe7..4ff315418de 100644 --- a/queue-4.19/futex_Prevent_exit_livelock.patch +++ b/queue-4.19/futex_Prevent_exit_livelock.patch @@ -87,7 +87,6 @@ those kernels are definitely not stable material. Fixes: 778e9a9c3e71 ("pi-futex: fix exit races and locking problems") Reported-by: Oleg Nesterov Signed-off-by: Thomas Gleixner -Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) Cc: Stable Team diff --git a/queue-4.19/futex_Provide_and_use_pi_state_update_owner_.patch b/queue-4.19/futex_Provide_and_use_pi_state_update_owner_.patch new file mode 100644 index 00000000000..da5ec3a7756 --- /dev/null +++ b/queue-4.19/futex_Provide_and_use_pi_state_update_owner_.patch @@ -0,0 +1,113 @@ +Subject: futex: Provide and use pi_state_update_owner() +From: Thomas Gleixner +Date: Tue Jan 19 15:21:35 2021 +0100 + +From: Thomas Gleixner + +commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7 upstream + +Updating pi_state::owner is done at several places with the same +code. Provide a function for it and use that at the obvious places. + +This is also a preparation for a bug fix to avoid yet another copy of the +same code or alternatively introducing a completely unpenetratable mess of +gotos. + +Originally-by: Peter Zijlstra +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 66 ++++++++++++++++++++++++++++----------------------------- + 1 file changed, 33 insertions(+), 33 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -839,6 +839,29 @@ static struct futex_pi_state *alloc_pi_s + return pi_state; + } + ++static void pi_state_update_owner(struct futex_pi_state *pi_state, ++ struct task_struct *new_owner) ++{ ++ struct task_struct *old_owner = pi_state->owner; ++ ++ lockdep_assert_held(&pi_state->pi_mutex.wait_lock); ++ ++ if (old_owner) { ++ raw_spin_lock(&old_owner->pi_lock); ++ WARN_ON(list_empty(&pi_state->list)); ++ list_del_init(&pi_state->list); ++ raw_spin_unlock(&old_owner->pi_lock); ++ } ++ ++ if (new_owner) { ++ raw_spin_lock(&new_owner->pi_lock); ++ WARN_ON(!list_empty(&pi_state->list)); ++ list_add(&pi_state->list, &new_owner->pi_state_list); ++ pi_state->owner = new_owner; ++ raw_spin_unlock(&new_owner->pi_lock); ++ } ++} ++ + static void get_pi_state(struct futex_pi_state *pi_state) + { + WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount)); +@@ -1597,26 +1620,15 @@ static int wake_futex_pi(u32 __user *uad + ret = -EINVAL; + } + +- if (ret) +- goto out_unlock; +- +- /* +- * This is a point of no return; once we modify the uval there is no +- * going back and subsequent operations must not fail. +- */ +- +- raw_spin_lock(&pi_state->owner->pi_lock); +- WARN_ON(list_empty(&pi_state->list)); +- list_del_init(&pi_state->list); +- raw_spin_unlock(&pi_state->owner->pi_lock); +- +- raw_spin_lock(&new_owner->pi_lock); +- WARN_ON(!list_empty(&pi_state->list)); +- list_add(&pi_state->list, &new_owner->pi_state_list); +- pi_state->owner = new_owner; +- raw_spin_unlock(&new_owner->pi_lock); +- +- postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q); ++ if (!ret) { ++ /* ++ * This is a point of no return; once we modified the uval ++ * there is no going back and subsequent operations must ++ * not fail. ++ */ ++ pi_state_update_owner(pi_state, new_owner); ++ postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q); ++ } + + out_unlock: + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); +@@ -2549,19 +2561,7 @@ retry: + * We fixed up user space. Now we need to fix the pi_state + * itself. + */ +- if (pi_state->owner != NULL) { +- raw_spin_lock(&pi_state->owner->pi_lock); +- WARN_ON(list_empty(&pi_state->list)); +- list_del_init(&pi_state->list); +- raw_spin_unlock(&pi_state->owner->pi_lock); +- } +- +- pi_state->owner = newowner; +- +- raw_spin_lock(&newowner->pi_lock); +- WARN_ON(!list_empty(&pi_state->list)); +- list_add(&pi_state->list, &newowner->pi_state_list); +- raw_spin_unlock(&newowner->pi_lock); ++ pi_state_update_owner(pi_state, newowner); + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); + + return argowner == current; diff --git a/queue-4.19/futex_Provide_distinct_return_value_when_owner_is_exiting.patch b/queue-4.19/futex_Provide_distinct_return_value_when_owner_is_exiting.patch index 6da55da7582..afbb495f5e0 100644 --- a/queue-4.19/futex_Provide_distinct_return_value_when_owner_is_exiting.patch +++ b/queue-4.19/futex_Provide_distinct_return_value_when_owner_is_exiting.patch @@ -3,7 +3,7 @@ From: Thomas Gleixner Date: Wed Nov 6 22:55:45 2019 +0100 From: Thomas Gleixner -` + commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream attach_to_pi_owner() returns -EAGAIN for various cases: @@ -20,7 +20,6 @@ value (EBUSY) for the owner exiting case. No functional change. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Provide_state_handling_for_exec()_as_well.patch b/queue-4.19/futex_Provide_state_handling_for_exec__as_well.patch similarity index 98% rename from queue-4.19/futex_Provide_state_handling_for_exec()_as_well.patch rename to queue-4.19/futex_Provide_state_handling_for_exec__as_well.patch index 782f5a73616..7309b99bb22 100644 --- a/queue-4.19/futex_Provide_state_handling_for_exec()_as_well.patch +++ b/queue-4.19/futex_Provide_state_handling_for_exec__as_well.patch @@ -22,7 +22,6 @@ cleanup has been finished, this cannot prevent subsequent attempts to attach to the task in case that the cleanup was not successfull in mopping up all leftovers. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Replace_PF_EXITPIDONE_with_a_state.patch b/queue-4.19/futex_Replace_PF_EXITPIDONE_with_a_state.patch index 11303d7f009..d6885aaa96d 100644 --- a/queue-4.19/futex_Replace_PF_EXITPIDONE_with_a_state.patch +++ b/queue-4.19/futex_Replace_PF_EXITPIDONE_with_a_state.patch @@ -17,7 +17,6 @@ later step. This prepares for handling various futex exit issues later. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Replace_pointless_printk_in_fixup_owner_.patch b/queue-4.19/futex_Replace_pointless_printk_in_fixup_owner_.patch new file mode 100644 index 00000000000..959bf31d992 --- /dev/null +++ b/queue-4.19/futex_Replace_pointless_printk_in_fixup_owner_.patch @@ -0,0 +1,40 @@ +Subject: futex: Replace pointless printk in fixup_owner() +From: Thomas Gleixner +Date: Tue Jan 19 16:06:10 2021 +0100 + +From: Thomas Gleixner + +commit 04b79c55201f02ffd675e1231d731365e335c307 upstream + +If that unexpected case of inconsistent arguments ever happens then the +futex state is left completely inconsistent and the printk is not really +helpful. Replace it with a warning and make the state consistent. + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2666,14 +2666,10 @@ static int fixup_owner(u32 __user *uaddr + + /* + * Paranoia check. If we did not take the lock, then we should not be +- * the owner of the rt_mutex. ++ * the owner of the rt_mutex. Warn and establish consistent state. + */ +- if (rt_mutex_owner(&q->pi_state->pi_mutex) == current) { +- printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p " +- "pi-state %p\n", ret, +- q->pi_state->pi_mutex.owner, +- q->pi_state->owner); +- } ++ if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current)) ++ return fixup_pi_state_owner(uaddr, q, current); + + return 0; + } diff --git a/queue-4.19/futex_Sanitize_exit_state_handling.patch b/queue-4.19/futex_Sanitize_exit_state_handling.patch index ea0c362f2bc..b2a2147e252 100644 --- a/queue-4.19/futex_Sanitize_exit_state_handling.patch +++ b/queue-4.19/futex_Sanitize_exit_state_handling.patch @@ -9,7 +9,6 @@ commit 4a8e991b91aca9e20705d434677ac013974e0e30 upstream Instead of having a smp_mb() and an empty lock/unlock of task::pi_lock move the state setting into to the lock section. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch b/queue-4.19/futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch index 8ea9cbbb411..f8835a2e002 100644 --- a/queue-4.19/futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch +++ b/queue-4.19/futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch @@ -13,7 +13,6 @@ Note, this is only done for the exit cleanup as the exec cleanup cannot set the state to FUTEX_STATE_DEAD because the task struct is still in active use. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Simplify_fixup_pi_state_owner_.patch b/queue-4.19/futex_Simplify_fixup_pi_state_owner_.patch new file mode 100644 index 00000000000..9bb373432d2 --- /dev/null +++ b/queue-4.19/futex_Simplify_fixup_pi_state_owner_.patch @@ -0,0 +1,134 @@ +Subject: futex: Simplify fixup_pi_state_owner() +From: Thomas Gleixner +Date: Tue Jan 19 16:26:38 2021 +0100 + +From: Thomas Gleixner + +commit f2dac39d93987f7de1e20b3988c8685523247ae2 upstream + +Too many gotos already and an upcoming fix would make it even more +unreadable. + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 53 ++++++++++++++++++++++++++--------------------------- + 1 file changed, 26 insertions(+), 27 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2445,18 +2445,13 @@ static void unqueue_me_pi(struct futex_q + spin_unlock(q->lock_ptr); + } + +-static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, +- struct task_struct *argowner) ++static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, ++ struct task_struct *argowner) + { ++ u32 uval, uninitialized_var(curval), newval, newtid; + struct futex_pi_state *pi_state = q->pi_state; +- u32 uval, uninitialized_var(curval), newval; + struct task_struct *oldowner, *newowner; +- u32 newtid; +- int ret, err = 0; +- +- lockdep_assert_held(q->lock_ptr); +- +- raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); ++ int err = 0; + + oldowner = pi_state->owner; + +@@ -2490,14 +2485,12 @@ retry: + * We raced against a concurrent self; things are + * already fixed up. Nothing to do. + */ +- ret = 0; +- goto out_unlock; ++ return 0; + } + + if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) { + /* We got the lock. pi_state is correct. Tell caller. */ +- ret = 1; +- goto out_unlock; ++ return 1; + } + + /* +@@ -2524,8 +2517,7 @@ retry: + * We raced against a concurrent self; things are + * already fixed up. Nothing to do. + */ +- ret = 1; +- goto out_unlock; ++ return 1; + } + newowner = argowner; + } +@@ -2556,7 +2548,6 @@ retry: + * itself. + */ + pi_state_update_owner(pi_state, newowner); +- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); + + return argowner == current; + +@@ -2579,17 +2570,16 @@ handle_err: + + switch (err) { + case -EFAULT: +- ret = fault_in_user_writeable(uaddr); ++ err = fault_in_user_writeable(uaddr); + break; + + case -EAGAIN: + cond_resched(); +- ret = 0; ++ err = 0; + break; + + default: + WARN_ON_ONCE(1); +- ret = err; + break; + } + +@@ -2599,17 +2589,26 @@ handle_err: + /* + * Check if someone else fixed it for us: + */ +- if (pi_state->owner != oldowner) { +- ret = argowner == current; +- goto out_unlock; +- } ++ if (pi_state->owner != oldowner) ++ return argowner == current; + +- if (ret) +- goto out_unlock; ++ /* Retry if err was -EAGAIN or the fault in succeeded */ ++ if (!err) ++ goto retry; + +- goto retry; ++ return err; ++} + +-out_unlock: ++static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, ++ struct task_struct *argowner) ++{ ++ struct futex_pi_state *pi_state = q->pi_state; ++ int ret; ++ ++ lockdep_assert_held(q->lock_ptr); ++ ++ raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); ++ ret = __fixup_pi_state_owner(uaddr, q, argowner); + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); + return ret; + } diff --git a/queue-4.19/futex_Split_futex_mm_release()_for_exitexec.patch b/queue-4.19/futex_Split_futex_mm_release__for_exitexec.patch similarity index 98% rename from queue-4.19/futex_Split_futex_mm_release()_for_exitexec.patch rename to queue-4.19/futex_Split_futex_mm_release__for_exitexec.patch index ef555df81fd..7dc5f6d58af 100644 --- a/queue-4.19/futex_Split_futex_mm_release()_for_exitexec.patch +++ b/queue-4.19/futex_Split_futex_mm_release__for_exitexec.patch @@ -12,7 +12,6 @@ them from the corresponding exit/exec_mm_release() callsites. Preparatory only, no functional change. -Signed-off-by: Thomas Gleixner Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Acked-by: Peter Zijlstra (Intel) diff --git a/queue-4.19/futex_Use_pi_state_update_owner__in_put_pi_state_.patch b/queue-4.19/futex_Use_pi_state_update_owner__in_put_pi_state_.patch new file mode 100644 index 00000000000..4078ee372b4 --- /dev/null +++ b/queue-4.19/futex_Use_pi_state_update_owner__in_put_pi_state_.patch @@ -0,0 +1,38 @@ +Subject: futex: Use pi_state_update_owner() in put_pi_state() +From: Thomas Gleixner +Date: Wed Jan 20 11:35:19 2021 +0100 + +From: Thomas Gleixner + +commit 6ccc84f917d33312eb2846bd7b567639f585ad6d upstream + +No point in open coding it. This way it gains the extra sanity checks. + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -884,16 +884,10 @@ static void put_pi_state(struct futex_pi + * and has cleaned up the pi_state already + */ + if (pi_state->owner) { +- struct task_struct *owner; + unsigned long flags; + + raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags); +- owner = pi_state->owner; +- if (owner) { +- raw_spin_lock(&owner->pi_lock); +- list_del_init(&pi_state->list); +- raw_spin_unlock(&owner->pi_lock); +- } ++ pi_state_update_owner(pi_state, NULL); + rt_mutex_proxy_unlock(&pi_state->pi_mutex); + raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags); + } diff --git a/queue-4.19/gpio-mvebu-fix-pwm-.get_state-period-calculation.patch b/queue-4.19/gpio-mvebu-fix-pwm-.get_state-period-calculation.patch index bca556c2c19..146d883fbef 100644 --- a/queue-4.19/gpio-mvebu-fix-pwm-.get_state-period-calculation.patch +++ b/queue-4.19/gpio-mvebu-fix-pwm-.get_state-period-calculation.patch @@ -29,7 +29,6 @@ Signed-off-by: Bartosz Golaszewski Reviewed-by: Uwe Kleine-König Signed-off-by: Baruch Siach Signed-off-by: Greg Kroah-Hartman - --- drivers/gpio/gpio-mvebu.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/queue-4.19/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch b/queue-4.19/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch new file mode 100644 index 00000000000..fed826eb64c --- /dev/null +++ b/queue-4.19/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch @@ -0,0 +1,76 @@ +From 179e8e47c02a1950f1c556f2b854bdb2259078fb Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 21 Jan 2021 10:46:49 -0800 +Subject: HID: wacom: Correct NULL dereference on AES pen proximity + +From: Jason Gerecke + +commit 179e8e47c02a1950f1c556f2b854bdb2259078fb upstream. + +The recent commit to fix a memory leak introduced an inadvertant NULL +pointer dereference. The `wacom_wac->pen_fifo` variable was never +intialized, resuling in a crash whenever functions tried to use it. +Since the FIFO is only used by AES pens (to buffer events from pen +proximity until the hardware reports the pen serial number) this would +have been easily overlooked without testing an AES device. + +This patch converts `wacom_wac->pen_fifo` over to a pointer (since the +call to `devres_alloc` allocates memory for us) and ensures that we assign +it to point to the allocated and initalized `pen_fifo` before the function +returns. + +Link: https://github.com/linuxwacom/input-wacom/issues/230 +Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc") +CC: stable@vger.kernel.org # v4.19+ +Signed-off-by: Jason Gerecke +Tested-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_sys.c | 7 ++++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -150,9 +150,9 @@ static int wacom_wac_pen_serial_enforce( + } + + if (flush) +- wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo); ++ wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo); + else if (insert) +- wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo, ++ wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo, + raw_data, report_size); + + return insert && !flush; +@@ -1251,7 +1251,7 @@ static void wacom_devm_kfifo_release(str + static int wacom_devm_kfifo_alloc(struct wacom *wacom) + { + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int error; + + pen_fifo = devres_alloc(wacom_devm_kfifo_release, +@@ -1268,6 +1268,7 @@ static int wacom_devm_kfifo_alloc(struct + } + + devres_add(&wacom->hdev->dev, pen_fifo); ++ wacom_wac->pen_fifo = pen_fifo; + + return 0; + } +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -344,7 +344,7 @@ struct wacom_wac { + struct input_dev *pen_input; + struct input_dev *touch_input; + struct input_dev *pad_input; +- struct kfifo_rec_ptr_2 pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int pid; + int num_contacts_left; + u8 bt_features; diff --git a/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch index a9ba18187a2..d18339b610c 100644 --- a/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch +++ b/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch @@ -36,7 +36,6 @@ Signed-off-by: Wang Hai Cc: Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman - --- mm/slub.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/queue-4.19/rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch b/queue-4.19/rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch new file mode 100644 index 00000000000..7ec5806711a --- /dev/null +++ b/queue-4.19/rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch @@ -0,0 +1,56 @@ +Subject: rtmutex: Remove unused argument from rt_mutex_proxy_unlock() +From: Thomas Gleixner +Date: Wed Jan 20 11:32:07 2021 +0100 + +From: Thomas Gleixner + +commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 upstream + +Nothing uses the argument. Remove it as preparation to use +pi_state_update_owner(). + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 2 +- + kernel/locking/rtmutex.c | 3 +-- + kernel/locking/rtmutex_common.h | 3 +-- + 3 files changed, 3 insertions(+), 5 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -894,7 +894,7 @@ static void put_pi_state(struct futex_pi + list_del_init(&pi_state->list); + raw_spin_unlock(&owner->pi_lock); + } +- rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner); ++ rt_mutex_proxy_unlock(&pi_state->pi_mutex); + raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags); + } + +--- a/kernel/locking/rtmutex.c ++++ b/kernel/locking/rtmutex.c +@@ -1719,8 +1719,7 @@ void rt_mutex_init_proxy_locked(struct r + * possible because it belongs to the pi_state which is about to be freed + * and it is not longer visible to other tasks. + */ +-void rt_mutex_proxy_unlock(struct rt_mutex *lock, +- struct task_struct *proxy_owner) ++void rt_mutex_proxy_unlock(struct rt_mutex *lock) + { + debug_rt_mutex_proxy_unlock(lock); + rt_mutex_set_owner(lock, NULL); +--- a/kernel/locking/rtmutex_common.h ++++ b/kernel/locking/rtmutex_common.h +@@ -133,8 +133,7 @@ enum rtmutex_chainwalk { + extern struct task_struct *rt_mutex_next_owner(struct rt_mutex *lock); + extern void rt_mutex_init_proxy_locked(struct rt_mutex *lock, + struct task_struct *proxy_owner); +-extern void rt_mutex_proxy_unlock(struct rt_mutex *lock, +- struct task_struct *proxy_owner); ++extern void rt_mutex_proxy_unlock(struct rt_mutex *lock); + extern void rt_mutex_init_waiter(struct rt_mutex_waiter *waiter); + extern int __rt_mutex_start_proxy_lock(struct rt_mutex *lock, + struct rt_mutex_waiter *waiter, diff --git a/queue-4.19/series b/queue-4.19/series index 2f6eb4bbd98..c99c08a4d66 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,13 +1,21 @@ +gpio-mvebu-fix-pwm-.get_state-period-calculation.patch +revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch futex_Move_futex_exit_handling_into_futex_code.patch futex_Replace_PF_EXITPIDONE_with_a_state.patch -exitexec_Seperate_mm_release().patch -futex_Split_futex_mm_release()_for_exitexec.patch +exitexec_Seperate_mm_release_.patch +futex_Split_futex_mm_release__for_exitexec.patch futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch futex_Mark_the_begin_of_futex_exit_explicitly.patch futex_Sanitize_exit_state_handling.patch -futex_Provide_state_handling_for_exec()_as_well.patch +futex_Provide_state_handling_for_exec__as_well.patch futex_Add_mutex_around_futex_exit.patch futex_Provide_distinct_return_value_when_owner_is_exiting.patch futex_Prevent_exit_livelock.patch -gpio-mvebu-fix-pwm-.get_state-period-calculation.patch -revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch +futex_Ensure_the_correct_return_value_from_futex_lock_pi_.patch +futex_Replace_pointless_printk_in_fixup_owner_.patch +futex_Provide_and_use_pi_state_update_owner_.patch +rtmutex_Remove_unused_argument_from_rt_mutex_proxy_unlock_.patch +futex_Use_pi_state_update_owner__in_put_pi_state_.patch +futex_Simplify_fixup_pi_state_owner_.patch +futex_Handle_faults_correctly_for_PI_futexes.patch +hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch