Author: caster
Date: 2014-06-06 06:50:22 +0000 (Fri, 06 Jun 2014)
New Revision: 2812

Added:
genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
Modified:
genpatches-2.6/trunk/3.2/0000_README
Log:
CVE-2014-3153

Modified: genpatches-2.6/trunk/3.2/0000_README
===================================================================
--- genpatches-2.6/trunk/3.2/0000_README 2014-06-06 06:45:59 UTC (rev 2811)
+++ genpatches-2.6/trunk/3.2/0000_README 2014-06-06 06:50:22 UTC (rev 2812)
@@ -284,6 +284,30 @@
From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types

+Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
+Desc: CVE-2014-3153
+
+Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
+Desc: CVE-2014-3153
+
+Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
+Desc: CVE-2014-3153
+
+Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
+Desc: CVE-2014-3153
+
+Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
+Desc: CVE-2014-3153
+
+Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
+Desc: CVE-2014-3153
+
Patch: 1512_af_key-initialize-satype-in-key_notify_policy_flush.patch
From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=85dfb745ee40232876663ae206cba35f24ab2a40
Desc: af_key: initialize satype in key_notify_policy_flush()
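Review bot: all six new entries carry the bare "Desc: CVE-2014-3153", whereas the neighbouring entries in the context lines (selinux, af_key) use the upstream commit subject; suggest "Desc: futex: Add another early deadlock detection check (CVE-2014-3153)" and likewise for 1502 to 1506, so the README stays searchable by both subject and CVE. The 1503 filename also carries "-patch-futex-forbid-..." because it was generated from that patch's malformed Subject: line ("futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid ..."); renaming it to 1503-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi.patch before it lands would avoid carrying that artefact into the series.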

Added: genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0)
+++ genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-06 06:50:22 UTC (rev 2812)
@@ -0,0 +1,160 @@
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Mon, 12 May 2014 20:45:34 +0000
+Subject: futex: Add another early deadlock detection check
+Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
+
+Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
+detection code of rtmutex:
+ http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
+
+That underlying issue has been fixed with a patch to the rtmutex code,
+but the futex code must not call into rtmutex in that case because
+ - it can detect that issue early
+ - it avoids a different and more complex fixup for backing out
+
+If the user space variable got manipulated to 0x80000000 which means
+no lock holder, but the waiters bit set and an active pi_state in the
+kernel is found we can figure out the recursive locking issue by
+looking at the pi_state owner. If that is the current task, then we
+can safely return -EDEADLK.
+
+The check should have been added in commit 59fa62451 (futex: Handle
+futex_pi OWNER_DIED take over correctly) already, but I did not see
+the above issue caused by user space manipulation back then.
+
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Dave Jones <davej@××××××.com>
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
+Cc: Peter Zijlstra <peterz@×××××××××.org>
+Cc: Darren Hart <darren@××××××.com>
+Cc: Davidlohr Bueso <davidlohr@××.com>
+Cc: Steven Rostedt <rostedt@×××××××.org>
+Cc: Clark Williams <williams@××××××.com>
+Cc: Paul McKenney <paulmck@××××××××××××××.com>
+Cc: Lai Jiangshan <laijs@××××××××××.com>
+Cc: Roland McGrath <roland@×××××××××.com>
+Cc: Carlos ODonell <carlos@××××××.com>
+Cc: Jakub Jelinek <jakub@××××××.com>
+Cc: Michael Kerrisk <mtk.manpages@×××××.com>
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
+Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: stable@×××××××××××.org
+---
+ kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+Index: linux-3.4/kernel/futex.c
+===================================================================
+--- linux-3.4.orig/kernel/futex.c
++++ linux-3.4/kernel/futex.c
+@@ -590,7 +590,8 @@ void exit_pi_state_list(struct task_stru
+
+ static int
+ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
+- union futex_key *key, struct futex_pi_state **ps)
++ union futex_key *key, struct futex_pi_state **ps,
++ struct task_struct *task)
+ {
+ struct futex_pi_state *pi_state = NULL;
+ struct futex_q *this, *next;
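Review bot: the new `task` parameter of lookup_pi_state() is undocumented in this hunk; later in the patch the requeue call site passes NULL and futex_lock_pi_atomic() passes the acquiring task, so a one-line comment on the prototype ("task: the task trying to take the lock, or NULL to skip the recursive-lock check") would keep the two semantics from being confused by future callers. Separately, all six patches in this commit are formatted against linux-3.4 ("Index: linux-3.4/kernel/futex.c") but are added to the 3.2 series; the hunk offsets should be confirmed to apply cleanly on 3.2 rather than relying on fuzz.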
+@@ -634,6 +635,16 @@ lookup_pi_state(u32 uval, struct futex_h
+ return -EINVAL;
+ }
+
++ /*
++ * Protect against a corrupted uval. If uval
++ * is 0x80000000 then pid is 0 and the waiter
++ * bit is set. So the deadlock check in the
++ * calling code has failed and we did not fall
++ * into the check above due to !pid.
++ */
++ if (task && pi_state->owner == task)
++ return -EDEADLK;
++
+ atomic_inc(&pi_state->refcount);
+ *ps = pi_state;
+
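Review bot: the -EDEADLK return correctly sits before atomic_inc(&pi_state->refcount), so no reference is leaked on that path; the comment, though, only names the 0x80000000 case, while the condition `pi_state->owner == task` fires for any uval whose pid bits bypass the earlier pid check yet match the kernel's recorded owner. Suggest stating the general case in the comment and adding that callers which are not themselves acquiring the lock must pass task == NULL, since for them an owner match is not a deadlock.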
+@@ -783,7 +794,7 @@ retry:
+ * We dont have the lock. Look up the PI state (or create it if
+ * we are the first waiter):
+ */
+- ret = lookup_pi_state(uval, hb, key, ps);
++ ret = lookup_pi_state(uval, hb, key, ps, task);
+
+ if (unlikely(ret)) {
+ switch (ret) {
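Review bot: `switch (ret)` directly below now also receives -EDEADLK from lookup_pi_state(); its cases are outside this hunk, so please confirm -EDEADLK falls through to the default branch and is returned to the caller rather than being swallowed by the -ESRCH retry logic, otherwise the early detection added in the previous hunk has no effect on the futex_lock_pi() path.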
+@@ -1193,7 +1204,7 @@ void requeue_pi_wake_futex(struct futex_
+ *
+ * Returns:
+ * 0 - failed to acquire the lock atomicly
+- * 1 - acquired the lock
++ * >0 - acquired the lock, return value is vpid of the top_waiter
+ * <0 - error
+ */
+ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
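Review bot: the documented return contract becomes ">0 - acquired the lock, return value is vpid of the top_waiter", but vpid comes from task_pid_vnr(), i.e. the TID as seen from the caller's pid namespace; the comment should say so, since that is also the value the kernel stores in the user-space word and the reason it is safe to hand to lookup_pi_state() later. The pre-existing "atomicly" typo in the context line could be fixed to "atomically" while this comment block is being touched.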
+@@ -1204,7 +1215,7 @@ static int futex_proxy_trylock_atomic(u3
+ {
+ struct futex_q *top_waiter = NULL;
+ u32 curval;
+- int ret;
++ int ret, vpid;
+
+ if (get_futex_value_locked(&curval, pifutex))
+ return -EFAULT;
+@@ -1232,11 +1243,13 @@ static int futex_proxy_trylock_atomic(u3
+ * the contended case or if set_waiters is 1. The pi_state is returned
+ * in ps in contended cases.
+ */
++ vpid = task_pid_vnr(top_waiter->task);
+ ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
+ set_waiters);
+- if (ret == 1)
++ if (ret == 1) {
+ requeue_pi_wake_futex(top_waiter, key2, hb2);
+-
++ return vpid;
++ }
+ return ret;
+ }
+
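Review bot: `vpid = task_pid_vnr(top_waiter->task);` is deliberately read before futex_lock_pi_atomic() and requeue_pi_wake_futex(), because once top_waiter has been woken its task may run and exit; the ordering is correct but load-bearing, so a short comment saying the vpid must be captured before the wakeup would stop someone later moving the read inside the `if (ret == 1)` block. Note also that with `set_waiters` the word written to pifutex may be vpid | FUTEX_WAITERS while the bare vpid is what this function returns; the caller has to cope with that difference.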
+@@ -1268,7 +1281,6 @@ static int futex_requeue(u32 __user *uad
+ struct futex_hash_bucket *hb1, *hb2;
+ struct plist_head *head1;
+ struct futex_q *this, *next;
+- u32 curval2;
+
+ if (requeue_pi) {
+ /*
+@@ -1354,16 +1366,25 @@ retry_private:
+ * At this point the top_waiter has either taken uaddr2 or is
+ * waiting on it. If the former, then the pi_state will not
+ * exist yet, look it up one more time to ensure we have a
+- * reference to it.
++ * reference to it. If the lock was taken, ret contains the
++ * vpid of the top waiter task.
+ */
+- if (ret == 1) {
++ if (ret > 0) {
+ WARN_ON(pi_state);
+ drop_count++;
+ task_count++;
+- ret = get_futex_value_locked(&curval2, uaddr2);
+- if (!ret)
+- ret = lookup_pi_state(curval2, hb2, &key2,
+- &pi_state);
++ /*
++ * If we acquired the lock, then the user
++ * space value of uaddr2 should be vpid. It
++ * cannot be changed by the top waiter as it
++ * is blocked on hb2 lock if it tries to do
++ * so. If something fiddled with it behind our
++ * back the pi state lookup might unearth
++ * it. So we rather use the known value than
++ * rereading and handing potential crap to
++ * lookup_pi_state.
++ */
++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
+ }
+
+ switch (ret) {
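Review bot: `lookup_pi_state(ret, hb2, &key2, &pi_state, NULL)` passes the bare vpid as uval even though futex_proxy_trylock_atomic() may have stored vpid | FUTEX_WAITERS in the previous hunk (set_waiters case); this only works because lookup_pi_state() matches on uval & FUTEX_TID_MASK, and the comment above should say that rather than only "the user space value of uaddr2 should be vpid". Passing task == NULL here is right, since the requeuing thread is not the lock acquirer and an owner match would be a false -EDEADLK; one sentence in the comment would make that explicit. Finally, `ret` is reused as the uval argument and then overwritten by the return value, so the `switch (ret)` below sees 0 or a negative error, never the vpid; that works, but keeping the removed `u32 curval2` and assigning `curval2 = ret` before the call would read more clearly than an int carrying two meanings.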

Added: genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0)
+++ genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-06 06:50:22 UTC (rev 2812)
@@ -0,0 +1,52 @@
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Mon, 12 May 2014 20:45:35 +0000
+Subject: futex: Prevent attaching to kernel threads
+Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
+
+We happily allow userspace to declare a random kernel thread to be the
+owner of a user space PI futex.
+
+Found while analysing the fallout of Dave Jones syscall fuzzer.
+
+We also should validate the thread group for private futexes and find
+some fast way to validate whether the "alleged" owner has RW access on
+the file which backs the SHM, but that's a separate issue.
+
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Dave Jones <davej@××××××.com>
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
+Cc: Peter Zijlstra <peterz@×××××××××.org>
+Cc: Darren Hart <darren@××××××.com>
+Cc: Davidlohr Bueso <davidlohr@××.com>
+Cc: Steven Rostedt <rostedt@×××××××.org>
+Cc: Clark Williams <williams@××××××.com>
+Cc: Paul McKenney <paulmck@××××××××××××××.com>
+Cc: Lai Jiangshan <laijs@××××××××××.com>
+Cc: Roland McGrath <roland@×××××××××.com>
+Cc: Carlos ODonell <carlos@××××××.com>
+Cc: Jakub Jelinek <jakub@××××××.com>
+Cc: Michael Kerrisk <mtk.manpages@×××××.com>
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
+Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: stable@×××××××××××.org
+---
+ kernel/futex.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: linux-3.4/kernel/futex.c
+===================================================================
+--- linux-3.4.orig/kernel/futex.c
++++ linux-3.4/kernel/futex.c
+@@ -662,6 +662,11 @@ lookup_pi_state(u32 uval, struct futex_h
+ if (!p)
+ return -ESRCH;
+
++ if (!p->mm) {
++ put_task_struct(p);
++ return -EPERM;
++ }
++
+ /*
+ * We need to look at the task state flags to figure out,
+ * whether the task is exiting. To protect against the do_exit
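Review bot: `p->mm` is NULL not only for kernel threads but also for a user task that has already passed exit_mm(), so this check can now return -EPERM for a dying user thread before the exiting-task handling that the context comment ("whether the task is exiting") refers to is reached; if that ordering is intended, a comment saying exiting tasks also land here would help, otherwise the check belongs after the exiting test. The read of p->mm is unlocked as well; for the kernel-thread case that is harmless (mm never becomes non-NULL), which is worth a sentence so nobody later wraps it in task_lock().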

Added: genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0)
+++ genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-06 06:50:22 UTC (rev 2812)
@@ -0,0 +1,81 @@
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Tue, 3 Jun 2014 12:27:06 +0000
+Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
+ uaddr2 in futex_requeue(..., requeue_pi=1)
+Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
+
+If uaddr == uaddr2, then we have broken the rule of only requeueing from
+a non-pi futex to a pi futex with this call. If we attempt this, then
+dangling pointers may be left for rt_waiter resulting in an exploitable
+condition.
+
+This change brings futex_requeue() in line with futex_wait_requeue_pi()
+which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
+uaddr == uaddr2 in futex_wait_requeue_pi()")
+
+[ tglx: Compare the resulting keys as well, as uaddrs might be
+ different depending on the mapping ]
+
+Fixes CVE-2014-3153.
+
+Reported-by: Pinkie Pie
+Signed-off-by: Will Drewry <wad@××××××××.org>
+Signed-off-by: Kees Cook <keescook@××××××××.org>
+Cc: stable@×××××××××××.org
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+---
+ kernel/futex.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+Index: linux-3.4/kernel/futex.c
+===================================================================
+--- linux-3.4.orig/kernel/futex.c
++++ linux-3.4/kernel/futex.c
+@@ -1289,6 +1289,13 @@ static int futex_requeue(u32 __user *uad
+
+ if (requeue_pi) {
+ /*
++ * Requeue PI only works on two distinct uaddrs. This
++ * check is only valid for private futexes. See below.
++ */
++ if (uaddr1 == uaddr2)
++ return -EINVAL;
++
++ /*
+ * requeue_pi requires a pi_state, try to allocate it now
+ * without any locks in case it fails.
+ */
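Review bot: the `uaddr1 == uaddr2` test sits before the pi_state allocation, so the early return leaks nothing, but "This check is only valid for private futexes. See below." undersells the situation: for shared futexes two different user addresses can map to the same key, so the address comparison is necessary but not sufficient, and the key comparison later in this patch is the authoritative check for both cases. Suggest rewording to "For shared futexes the key comparison below is authoritative; this test only short-circuits the private case before we allocate pi_state." so the relationship between the two checks is clear.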
+@@ -1326,6 +1333,15 @@ retry:
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+
++ /*
++ * The check above which compares uaddrs is not sufficient for
++ * shared futexes. We need to compare the keys:
++ */
++ if (requeue_pi && match_futex(&key1, &key2)) {
++ ret = -EINVAL;
++ goto out_put_keys;
++ }
++
+ hb1 = hash_futex(&key1);
+ hb2 = hash_futex(&key2);
+
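Review bot: the error path correctly jumps to out_put_keys, since both key1 and key2 are held at this point (the context line above is the successful get_futex_key() for key2), and the check runs before hash_futex() and the bucket locks, so nothing else needs releasing. Because match_futex() subsumes the earlier `uaddr1 == uaddr2` test for private futexes, the comment could note that the earlier test is only there to avoid the pi_state allocation; the `requeue_pi &&` guard is also worth a word, as plain FUTEX_CMP_REQUEUE with uaddr1 == uaddr2 remains legal.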
+@@ -2357,6 +2373,15 @@ static int futex_wait_requeue_pi(u32 __u
+ if (ret)
+ goto out_key2;
+
++ /*
++ * The check above which compares uaddrs is not sufficient for
++ * shared futexes. We need to compare the keys:
++ */
++ if (match_futex(&q.key, &key2)) {
++ ret = -EINVAL;
++ goto out_put_keys;
++ }
++
+ /* Queue the futex_q, drop the hb lock, wait for wakeup. */
+ futex_wait_queue_me(hb, &q, to);
+
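Review bot: this error path leaks the hash bucket lock. The context comment directly below ("Queue the futex_q, drop the hb lock, wait for wakeup") shows that hb->lock is held when control reaches the new check: the setup call whose result is tested by `if (ret) goto out_key2;` returns with the bucket locked on success, and only futex_wait_queue_me() drops it. `goto out_put_keys` skips futex_wait_queue_me(), so a caller that passes the same (shared) futex twice returns to user space with hb->lock held and preemption disabled. Release the bucket before the goto, e.g. with the queue_unlock() helper on `&q`/`hb`, and keep the key comparison otherwise as it is; the futex_requeue() hunk above does not have this problem because its check runs before any lock is taken.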

Added: genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0)
+++ genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-06 06:50:22 UTC (rev 2812)
@@ -0,0 +1,53 @@
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Tue, 3 Jun 2014 12:27:06 +0000
+Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
+Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
+
+We need to protect the atomic acquisition in the kernel against rogue
+user space which sets the user space futex to 0, so the kernel side
+acquisition succeeds while there is existing state in the kernel
+associated to the real owner.
+
+Verify whether the futex has waiters associated with kernel state. If
+it has, return -EINVAL. The state is corrupted already, so no point in
+cleaning it up. Subsequent calls will fail as well. Not our problem.
+
+[ tglx: Use futex_top_waiter() and explain why we do not need to try
+ restoring the already corrupted user space state. ]
+
+Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
+Cc: Kees Cook <keescook@××××××××.org>
+Cc: Will Drewry <wad@××××××××.org>
+Cc: stable@×××××××××××.org
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+---
+ kernel/futex.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: linux-3.4/kernel/futex.c
+===================================================================
+--- linux-3.4.orig/kernel/futex.c
++++ linux-3.4/kernel/futex.c
+@@ -758,10 +758,18 @@ retry:
+ return -EDEADLK;
+
+ /*
+- * Surprise - we got the lock. Just return to userspace:
++ * Surprise - we got the lock, but we do not trust user space at all.
+ */
+- if (unlikely(!curval))
+- return 1;
++ if (unlikely(!curval)) {
++ /*
++ * We verify whether there is kernel state for this
++ * futex. If not, we can safely assume, that the 0 ->
++ * TID transition is correct. If state exists, we do
++ * not bother to fixup the user space state as it was
++ * corrupted already.
++ */
++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
++ }
+
+ uval = curval;
+
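Review bot: returning -EINVAL here happens after the kernel has already completed the 0 -> TID cmpxchg, so user space is left with this task's TID in the word while the kernel refuses ownership; the inner comment explains why no fixup is attempted, but the function's return-value documentation (outside this hunk) should gain an "-EINVAL: user-space word inconsistent with kernel state" entry, and the two callers that switch on the result, futex_lock_pi() and futex_proxy_trylock_atomic() (which now propagates it into futex_requeue()), should be checked to treat -EINVAL as a hard failure rather than a retry. futex_top_waiter(hb, key) requires hb->lock, which this function holds throughout, so the lookup itself is safe.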

Added: genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0)
+++ genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-06 06:50:22 UTC (rev 2812)
@@ -0,0 +1,99 @@
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Tue, 3 Jun 2014 12:27:07 +0000
+Subject: futex: Always cleanup owner tid in unlock_pi
+Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
+
+If the owner died bit is set at futex_unlock_pi, we currently do not
+cleanup the user space futex. So the owner TID of the current owner
+(the unlocker) persists. That's observable inconsistant state,
+especially when the ownership of the pi state got transferred.
+
+Clean it up unconditionally.
+
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Kees Cook <keescook@××××××××.org>
+Cc: Will Drewry <wad@××××××××.org>
+Cc: Darren Hart <dvhart@×××××××××××.com>
+Cc: stable@×××××××××××.org
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+---
+ kernel/futex.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+Index: linux-3.4/kernel/futex.c
+===================================================================
+--- linux-3.4.orig/kernel/futex.c
++++ linux-3.4/kernel/futex.c
+@@ -899,6 +899,7 @@ static int wake_futex_pi(u32 __user *uad
+ struct task_struct *new_owner;
+ struct futex_pi_state *pi_state = this->pi_state;
+ u32 uninitialized_var(curval), newval;
++ int ret = 0;
+
+ if (!pi_state)
+ return -EINVAL;
+@@ -922,23 +923,19 @@ static int wake_futex_pi(u32 __user *uad
+ new_owner = this->task;
+
+ /*
+- * We pass it to the next owner. (The WAITERS bit is always
+- * kept enabled while there is PI state around. We must also
+- * preserve the owner died bit.)
+- */
+- if (!(uval & FUTEX_OWNER_DIED)) {
+- int ret = 0;
+-
+- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
+-
+- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
+- ret = -EFAULT;
+- else if (curval != uval)
+- ret = -EINVAL;
+- if (ret) {
+- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
+- return ret;
+- }
++ * We pass it to the next owner. The WAITERS bit is always
++ * kept enabled while there is PI state around. We cleanup the
++ * owner died bit, because we are the owner.
++ */
++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
++
++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
++ ret = -EFAULT;
++ else if (curval != uval)
++ ret = -EINVAL;
++ if (ret) {
++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
++ return ret;
+ }
+
+ raw_spin_lock_irq(&pi_state->owner->pi_lock);
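Review bot: with the FUTEX_OWNER_DIED guard gone the cmpxchg now also runs in the owner-died case, so a word that user space changed behind the kernel's back yields -EINVAL there too, and the early `raw_spin_unlock(&pi_state->pi_mutex.wait_lock); return ret;` remains the only error exit, so the locking is unchanged. What the new comment does not explain is why clearing the owner-died bit is safe for the waiter being handed the lock: per the commit message the pi_state ownership was already transferred to the unlocker in the kernel, so the previous owner's death has been handled and the new owner must not see FUTEX_OWNER_DIED again; one sentence to that effect would stop a later reader from reinstating the guard. `u32 uninitialized_var(curval)` can stay, since curval is still only read after a successful cmpxchg.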
+@@ -2183,9 +2180,10 @@ retry:
+ /*
+ * To avoid races, try to do the TID -> 0 atomic transition
+ * again. If it succeeds then we can return without waking
+- * anyone else up:
++ * anyone else up. We only try this if neither the waiters nor
++ * the owner died bit are set.
+ */
+- if (!(uval & FUTEX_OWNER_DIED) &&
++ if (!(uval & ~FUTEX_TID_MASK) &&
+ cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
+ goto pi_faulted;
+ /*
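Review bot: the condition now reads `!(uval & ~FUTEX_TID_MASK)`, so the fast path is skipped when either FUTEX_WAITERS or FUTEX_OWNER_DIED is set, and the comment states the what but not the why: with WAITERS set the cmpxchg from vpid to 0 could never match anyway, and with OWNER_DIED set the unlock must take the slow path so the bit is cleared together with the TID (next hunk). Spelling that out ties the two hunks together; the `goto pi_faulted` on cmpxchg failure is unchanged and still correct because the new condition only gates whether the cmpxchg is attempted.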
+@@ -2217,11 +2215,9 @@ retry:
+ /*
+ * No waiters - kernel unlocks the futex:
+ */
+- if (!(uval & FUTEX_OWNER_DIED)) {
+- ret = unlock_futex_pi(uaddr, uval);
+- if (ret == -EFAULT)
+- goto pi_faulted;
+- }
++ ret = unlock_futex_pi(uaddr, uval);
++ if (ret == -EFAULT)
++ goto pi_faulted;
+
+ out_unlock:
+ spin_unlock(&hb->lock);
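Review bot: unlock_futex_pi(uaddr, uval) is now called unconditionally, so the owner-died case reaches it as well and its cmpxchg compares against the full uval including FUTEX_OWNER_DIED, which is what clears the bit together with the TID; only -EFAULT is turned into a retry via pi_faulted, while any other error from unlock_futex_pi() falls through to out_unlock with `ret` set and is returned to user space. Please confirm that is the intended outcome when the word changed under us in the owner-died case, and the "No waiters - kernel unlocks the futex:" comment could mention that the owner-died bit is cleared here too, matching the wake_futex_pi() change above.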

Added: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
===================================================================
(Binary files differ)

Index: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
===================================================================
--- genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-06 06:45:59 UTC (rev 2811)
+++ genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-06 06:50:22 UTC (rev 2812)

Property changes on: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+message/rfc822
\ No newline at end of property
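Review bot: `svn:mime-type` is set to `message/rfc822` on 1506-futex-make-lookup_pi_state-more-robust.patch and on none of the other five additions, which is why this mail shows "(Binary files differ)" for it: the backport of 54a217887a7b cannot be reviewed from the commit mail, and future diffs against that file will be hidden the same way. Suggest removing the property (or setting it to text/plain) so the patch is diffed as text like 1501 to 1505.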