From f04f2151300acd02e26dfaeaaa6f66c1119d8072 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 4 Mar 2021 14:12:14 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
 futex-ensure-the-correct-return-value-from-futex_lock_pi.patch
---
 ...rect-return-value-from-futex_lock_pi.patch | 108 ++++++++++++++++++
 queue-4.4/series | 1 +
 queue-4.9/series | 7 ++
 3 files changed, 116 insertions(+)
 create mode 100644 queue-4.4/futex-ensure-the-correct-return-value-from-futex_lock_pi.patch
 create mode 100644 queue-4.4/series
 create mode 100644 queue-4.9/series

diff --git a/queue-4.4/futex-ensure-the-correct-return-value-from-futex_lock_pi.patch b/queue-4.4/futex-ensure-the-correct-return-value-from-futex_lock_pi.patch
new file mode 100644
index 00000000000..156f964db2e
--- /dev/null
+++ b/queue-4.4/futex-ensure-the-correct-return-value-from-futex_lock_pi.patch
@@ -0,0 +1,108 @@
+From 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Wed, 20 Jan 2021 16:00:24 +0100
+Subject: futex: Ensure the correct return value from futex_lock_pi()
+
+From: Thomas Gleixner
+
+commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 upstream.
+
+In case that futex_lock_pi() was aborted by a signal or a timeout and the
+task returned without acquiring the rtmutex, but is the designated owner of
+the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to
+establish consistent state. In that case it invokes fixup_pi_state_owner()
+which in turn tries to acquire the rtmutex again. If that succeeds then it
+does not propagate this success to fixup_owner() and futex_lock_pi()
+returns -EINTR or -ETIMEOUT despite having the futex locked.
+
+Return success from fixup_pi_state_owner() in all cases where the current
+task owns the rtmutex and therefore the futex and propagate it correctly
+through fixup_owner(). Fixup the other callsite which does not expect a
+positive return value.
+
+Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
+Signed-off-by: Thomas Gleixner
+Acked-by: Peter Zijlstra (Intel)
+[Sharan: Backported patch for kernel 4.4.y. Also folded in is a part
+ of the cleanup patch d7c5ed73b19c("futex: Remove needless goto's")]
+Signed-off-by: Sharan Turlapati
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/futex.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2283,7 +2283,7 @@ retry:
+ }
+
+ if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
+- /* We got the lock after all, nothing to fix. */
++ /* We got the lock. pi_state is correct. Tell caller */
+ return 1;
+ }
+
+@@ -2328,7 +2328,7 @@ retry:
+ */
+ pi_state_update_owner(pi_state, newowner);
+
+- return 0;
++ return argowner == current;
+
+ /*
+ * To handle the page fault we need to drop the hash bucket
+@@ -2411,8 +2411,6 @@ static long futex_wait_restart(struct re
+ */
+ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
+ {
+- int ret = 0;
+-
+ if (locked) {
+ /*
+ * Got the lock. We might not be the anticipated owner if we
+@@ -2423,8 +2421,8 @@ static int fixup_owner(u32 __user *uaddr
+ * stable state, anything else needs more attention.
+ */
+ if (q->pi_state->owner != current)
+- ret = fixup_pi_state_owner(uaddr, q, current);
+- goto out;
++ return fixup_pi_state_owner(uaddr, q, current);
++ return 1;
+ }
+
+ /*
+@@ -2435,10 +2433,8 @@ static int fixup_owner(u32 __user *uaddr
+ * Another speculative read; pi_state->owner == current is unstable
+ * but needs our attention.
+ */
+- if (q->pi_state->owner == current) {
+- ret = fixup_pi_state_owner(uaddr, q, NULL);
+- goto out;
+- }
++ if (q->pi_state->owner == current)
++ return fixup_pi_state_owner(uaddr, q, NULL);
+
+ /*
+ * Paranoia check. If we did not take the lock, then we should not be
+@@ -2447,8 +2443,7 @@ static int fixup_owner(u32 __user *uaddr
+ if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current))
+ return fixup_pi_state_owner(uaddr, q, current);
+
+-out:
+- return ret ? ret : locked;
++ return 0;
+ }
+
+ /**
+@@ -3070,6 +3065,11 @@ static int futex_wait_requeue_pi(u32 __u
+ */
+ free_pi_state(q.pi_state);
+ spin_unlock(q.lock_ptr);
++ /*
++ * Adjust the return value. It's either -EFAULT or
++ * success (1) but the caller expects 0 for success.
++ */
++ ret = ret < 0 ? ret : 0;
+ }
+ } else {
+ struct rt_mutex *pi_mutex;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..ab30f0f7c58
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1 @@
+futex-ensure-the-correct-return-value-from-futex_lock_pi.patch
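Review bot: The new `return argowner == current;` in the @@ -2328 hunk of kernel/futex.c silently redefines fixup_pi_state_owner()'s return contract as a bool-to-int conversion, and neither that line nor the fixup_owner() hunks say what the three outcomes mean; a reader has to recover from the commit message that a positive value means the current task owns the rtmutex and therefore the futex. A one-line comment above the return, `/* Positive: current owns the rtmutex and the futex; 0: owner fixed up but not current. */`, would make the conversion read as deliberate. The same 1 / 0 / negative contract is what fixup_owner()'s new `return 1;`, `return fixup_pi_state_owner(...)` and `return 0;` lines now implement, so if its kernel-doc header (outside the hunk) does not already spell out "1 lock taken, 0 lock not taken, <0 error", it should. Both fixup_pi_state_owner() and fixup_owner() start outside the hunks shown, as does the futex_wait_requeue_pi() body that the final hunk adjusts.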
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..d684987a8c8
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,7 @@
+futex-cleanup-variable-names-for-futex_top_waiter.patch
+futex-cleanup-refcounting.patch
+futex-pull-rt_mutex_futex_unlock-out-from-under-hb-lock.patch
+futex-futex_unlock_pi-determinism.patch
+futex-fix-pi_state-owner-serialization.patch
+futex-fix-more-put_pi_state-vs.-exit_pi_state_list-races.patch
+futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch
-- 
2.47.3