From: Greg Kroah-Hartman Date: Tue, 7 Aug 2012 21:38:52 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.5.1~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb1e2a50b087f2dc4e5b6401df40ee34c18be840;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: futex-fix-bug-in-warn_on-for-null-q.pi_state.patch futex-forbid-uaddr-uaddr2-in-futex_wait_requeue_pi.patch futex-test-for-pi_mutex-on-fault-in-futex_wait_requeue_pi.patch --- diff --git a/queue-3.0/futex-fix-bug-in-warn_on-for-null-q.pi_state.patch b/queue-3.0/futex-fix-bug-in-warn_on-for-null-q.pi_state.patch new file mode 100644 index 00000000000..3796df09cf6 --- /dev/null +++ b/queue-3.0/futex-fix-bug-in-warn_on-for-null-q.pi_state.patch @@ -0,0 +1,34 @@ +From f27071cb7fe3e1d37a9dbe6c0dfc5395cd40fa43 Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Fri, 20 Jul 2012 11:53:30 -0700 +Subject: futex: Fix bug in WARN_ON for NULL q.pi_state + +From: Darren Hart + +commit f27071cb7fe3e1d37a9dbe6c0dfc5395cd40fa43 upstream. + +The WARN_ON in futex_wait_requeue_pi() for a NULL q.pi_state was testing +the address (&q.pi_state) of the pointer instead of the value +(q.pi_state) of the pointer. Correct it accordingly. + +Signed-off-by: Darren Hart +Cc: Dave Jones +Link: http://lkml.kernel.org/r/1c85d97f6e5f79ec389a4ead3e367363c74bd09a.1342809673.git.dvhart@linux.intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2343,7 +2343,7 @@ static int futex_wait_requeue_pi(u32 __u + * signal. futex_unlock_pi() will not destroy the lock_ptr nor + * the pi_state. + */ +- WARN_ON(!&q.pi_state); ++ WARN_ON(!q.pi_state); + pi_mutex = &q.pi_state->pi_mutex; + ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1); + debug_rt_mutex_free_waiter(&rt_waiter); 
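Review bot: After this fix `WARN_ON(!q.pi_state)` is still purely diagnostic — the very next line `pi_mutex = &q.pi_state->pi_mutex;` dereferences q.pi_state unconditionally, so a NULL pi_state reaching this point still oopses immediately after the warning, just with a useful backtrace. The old `!&q.pi_state` took the address of an on-stack member and so was always false, meaning this check has never actually run, while the sibling commit's message shows an unprivileged fuzzer (trinity) does reach this code with the invariant broken. If the comment's invariant can be violated from userspace, consider making the check enforcing: `if (WARN_ON(!q.pi_state))` setting `ret = -EINVAL` and jumping to the function's cleanup label instead of falling through to the dereference. The body of futex_wait_requeue_pi(), including that cleanup path, starts and ends outside this hunk.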
diff --git a/queue-3.0/futex-forbid-uaddr-uaddr2-in-futex_wait_requeue_pi.patch b/queue-3.0/futex-forbid-uaddr-uaddr2-in-futex_wait_requeue_pi.patch
new file mode 100644
index 00000000000..54307b912b3
--- /dev/null
+++ b/queue-3.0/futex-forbid-uaddr-uaddr2-in-futex_wait_requeue_pi.patch
@@ -0,0 +1,56 @@ +From 6f7b0a2a5c0fb03be7c25bd1745baa50582348ef Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Fri, 20 Jul 2012 11:53:31 -0700 +Subject: futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi() + +From: Darren Hart + +commit 6f7b0a2a5c0fb03be7c25bd1745baa50582348ef upstream. + +If uaddr == uaddr2, then we have broken the rule of only requeueing +from a non-pi futex to a pi futex with this call. If we attempt this, +as the trinity test suite manages to do, we miss early wakeups as +q.key is equal to key2 (because they are the same uaddr). We will then +attempt to dereference the pi_mutex (which would exist had the futex_q +been properly requeued to a pi futex) and trigger a NULL pointer +dereference. + +Signed-off-by: Darren Hart +Cc: Dave Jones +Link: http://lkml.kernel.org/r/ad82bfe7f7d130247fbe2b5b4275654807774227.1342809673.git.dvhart@linux.intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2231,11 +2231,11 @@ int handle_early_requeue_pi_wakeup(struc + * @uaddr2: the pi futex we will take prior to returning to user-space + * + * The caller will wait on uaddr and will be requeued by futex_requeue() to +- * uaddr2 which must be PI aware. Normal wakeup will wake on uaddr2 and +- * complete the acquisition of the rt_mutex prior to returning to userspace. +- * This ensures the rt_mutex maintains an owner when it has waiters; without +- * one, the pi logic wouldn't know which task to boost/deboost, if there was a +- * need to. ++ * uaddr2 which must be PI aware and unique from uaddr. Normal wakeup will wake ++ * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to ++ * userspace. This ensures the rt_mutex maintains an owner when it has waiters; ++ * without one, the pi logic would not know which task to boost/deboost, if ++ * there was a need to. 
+ * + * We call schedule in futex_wait_queue_me() when we enqueue and return there + * via the following: +@@ -2272,6 +2272,9 @@ static int futex_wait_requeue_pi(u32 __u + struct futex_q q = futex_q_init; + int res, ret; + ++ if (uaddr == uaddr2) ++ return -EINVAL; ++ + if (!bitset) + return -EINVAL; + diff --git a/queue-3.0/futex-test-for-pi_mutex-on-fault-in-futex_wait_requeue_pi.patch b/queue-3.0/futex-test-for-pi_mutex-on-fault-in-futex_wait_requeue_pi.patch new file mode 100644 index 00000000000..1105a05493d --- /dev/null +++ b/queue-3.0/futex-test-for-pi_mutex-on-fault-in-futex_wait_requeue_pi.patch @@ -0,0 +1,35 @@ +From b6070a8d9853eda010a549fa9a09eb8d7269b929 Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Fri, 20 Jul 2012 11:53:29 -0700 +Subject: futex: Test for pi_mutex on fault in futex_wait_requeue_pi() + +From: Darren Hart + +commit b6070a8d9853eda010a549fa9a09eb8d7269b929 upstream. + +If fixup_pi_state_owner() faults, pi_mutex may be NULL. Test +for pi_mutex != NULL before testing the owner against current +and possibly unlocking it. + +Signed-off-by: Darren Hart +Cc: Dave Jones +Cc: Dan Carpenter +Link: http://lkml.kernel.org/r/dc59890338fc413606f04e5c5b131530734dae3d.1342809673.git.dvhart@linux.intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2370,7 +2370,7 @@ static int futex_wait_requeue_pi(u32 __u + * fault, unlock the rt_mutex and return the fault to userspace. + */ + if (ret == -EFAULT) { +- if (rt_mutex_owner(pi_mutex) == current) ++ if (pi_mutex && rt_mutex_owner(pi_mutex) == current) + rt_mutex_unlock(pi_mutex); + } else if (ret == -EINTR) { + /* diff --git a/queue-3.0/series b/queue-3.0/series index a6eba62b26b..f7b7e778369 100644 --- a/queue-3.0/series +++ b/queue-3.0/series 
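Review bot: The new `if (uaddr == uaddr2) return -EINVAL;` compares user-space virtual addresses, so it only rejects the literal same-pointer case; for shared futexes (FUTEX_PRIVATE_FLAG not set) two distinct addresses — two mappings of the same page in one process, or the same shared object in two processes — resolve to the same futex key, and the failure the commit message describes (q.key equal to key2, the early wakeup missed, then a NULL pi_mutex dereference) is back unchanged. The address test is a cheap first filter, but the robust rule is to compare the resolved keys (q.key against key2, which the message itself names) once both have been looked up and return -EINVAL on a match, on the error path that drops the key references already taken; that part of futex_wait_requeue_pi() is outside this hunk so the exact placement cannot be shown here. Since trinity hits this from an unprivileged futex(2) call, this is a local denial-of-service (NULL dereference) fix and the stable changelog could say so explicitly. The same "non-PI to PI only" rule presumably needs enforcing on the requeue side as well, which this patch does not touch.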
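Review bot: The added `pi_mutex &&` guard is only sound if pi_mutex is initialised to NULL at its declaration and the path that never assigns it leaves it that way; the declaration and both assigning paths (the early-wakeup path where fixup_pi_state_owner() runs without a pi_mutex, and the requeued path) lie outside this hunk, so please confirm the function declares `struct rt_mutex *pi_mutex = NULL;` — otherwise the -EFAULT branch now tests an indeterminate pointer rather than a NULL one. A short comment above the test would help the next reader, e.g. `/* pi_mutex is NULL when the fault came from the early-wakeup path */`, hedged here since that assignment is not visible in the diff. As the fault is provoked by a userspace-supplied address, this is an unprivileged-reachable NULL dereference and worth naming as such in the stable changelog.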
@@ -44,3 +44,6 @@ asoc-wm8962-allow-vmid-time-to-fully-ramp.patch
 asoc-wm8994-ensure-there-are-enough-bclks-for-four-channels.patch
 m68k-make-sys_atomic_cmpxchg_32-work-on-classic-m68k.patch
 m68k-correct-the-atari-allowint-definition.patch
+futex-test-for-pi_mutex-on-fault-in-futex_wait_requeue_pi.patch
+futex-fix-bug-in-warn_on-for-null-q.pi_state.patch
+futex-forbid-uaddr-uaddr2-in-futex_wait_requeue_pi.patch