Gentoo Archives: gentoo-commits

From: "Vlastimil Babka (caster)" <caster@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2812 - genpatches-2.6/trunk/3.2
Date: Fri, 06 Jun 2014 06:50:25
Message-Id: 20140606065022.6821A2004E@flycatcher.gentoo.org
1 Author: caster
2 Date: 2014-06-06 06:50:22 +0000 (Fri, 06 Jun 2014)
3 New Revision: 2812
4
5 Added:
6 genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
7 genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
8 genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
9 genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
10 genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
11 genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
12 Modified:
13 genpatches-2.6/trunk/3.2/0000_README
14 Log:
15 CVE-2014-3153
16
17 Modified: genpatches-2.6/trunk/3.2/0000_README
18 ===================================================================
19 --- genpatches-2.6/trunk/3.2/0000_README 2014-06-06 06:45:59 UTC (rev 2811)
20 +++ genpatches-2.6/trunk/3.2/0000_README 2014-06-06 06:50:22 UTC (rev 2812)
21 @@ -284,6 +284,30 @@
22 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
23 Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types
24
25 +Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
26 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
27 +Desc: CVE-2014-3153
28 +
29 +Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
30 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
31 +Desc: CVE-2014-3153
32 +
33 +Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
34 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
35 +Desc: CVE-2014-3153
36 +
37 +Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
38 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
39 +Desc: CVE-2014-3153
40 +
41 +Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
42 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
43 +Desc: CVE-2014-3153
44 +
45 +Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
46 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
47 +Desc: CVE-2014-3153
48 +
49 Patch: 1512_af_key-initialize-satype-in-key_notify_policy_flush.patch
50 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=85dfb745ee40232876663ae206cba35f24ab2a40
51 Desc: af_key: initialize satype in key_notify_policy_flush()
52
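Review bot: the six new Desc lines in this hunk read only `CVE-2014-3153`, while the neighbouring entries (`Desc: selinux: add SOCK_DIAG_BY_FAMILY ...`, `Desc: af_key: initialize satype ...`) carry the upstream commit subject; keeping the subject and appending the CVE, e.g. `Desc: futex: Add another early deadlock detection check (CVE-2014-3153)`, keeps 0000_README searchable by either the subject or the CVE id.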
53 Added: genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
54 ===================================================================
55 --- genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0)
56 +++ genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-06 06:50:22 UTC (rev 2812)
57 @@ -0,0 +1,160 @@
58 +From: Thomas Gleixner <tglx@××××××××××.de>
59 +Date: Mon, 12 May 2014 20:45:34 +0000
60 +Subject: futex: Add another early deadlock detection check
61 +Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
62 +
63 +Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
64 +detection code of rtmutex:
65 + http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
66 +
67 +That underlying issue has been fixed with a patch to the rtmutex code,
68 +but the futex code must not call into rtmutex in that case because
69 + - it can detect that issue early
70 + - it avoids a different and more complex fixup for backing out
71 +
72 +If the user space variable got manipulated to 0x80000000 which means
73 +no lock holder, but the waiters bit set and an active pi_state in the
74 +kernel is found we can figure out the recursive locking issue by
75 +looking at the pi_state owner. If that is the current task, then we
76 +can safely return -EDEADLK.
77 +
78 +The check should have been added in commit 59fa62451 (futex: Handle
79 +futex_pi OWNER_DIED take over correctly) already, but I did not see
80 +the above issue caused by user space manipulation back then.
81 +
82 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
83 +Cc: Dave Jones <davej@××××××.com>
84 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
85 +Cc: Peter Zijlstra <peterz@×××××××××.org>
86 +Cc: Darren Hart <darren@××××××.com>
87 +Cc: Davidlohr Bueso <davidlohr@××.com>
88 +Cc: Steven Rostedt <rostedt@×××××××.org>
89 +Cc: Clark Williams <williams@××××××.com>
90 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
91 +Cc: Lai Jiangshan <laijs@××××××××××.com>
92 +Cc: Roland McGrath <roland@×××××××××.com>
93 +Cc: Carlos ODonell <carlos@××××××.com>
94 +Cc: Jakub Jelinek <jakub@××××××.com>
95 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
96 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
97 +Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
98 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
99 +Cc: stable@×××××××××××.org
100 +---
101 + kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
102 + 1 file changed, 34 insertions(+), 13 deletions(-)
103 +
104 +Index: linux-3.4/kernel/futex.c
105 +===================================================================
106 +--- linux-3.4.orig/kernel/futex.c
107 ++++ linux-3.4/kernel/futex.c
108 +@@ -590,7 +590,8 @@ void exit_pi_state_list(struct task_stru
109 +
110 + static int
111 + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
112 +- union futex_key *key, struct futex_pi_state **ps)
113 ++ union futex_key *key, struct futex_pi_state **ps,
114 ++ struct task_struct *task)
115 + {
116 + struct futex_pi_state *pi_state = NULL;
117 + struct futex_q *this, *next;
118 +@@ -634,6 +635,16 @@ lookup_pi_state(u32 uval, struct futex_h
119 + return -EINVAL;
120 + }
121 +
122 ++ /*
123 ++ * Protect against a corrupted uval. If uval
124 ++ * is 0x80000000 then pid is 0 and the waiter
125 ++ * bit is set. So the deadlock check in the
126 ++ * calling code has failed and we did not fall
127 ++ * into the check above due to !pid.
128 ++ */
129 ++ if (task && pi_state->owner == task)
130 ++ return -EDEADLK;
131 ++
132 + atomic_inc(&pi_state->refcount);
133 + *ps = pi_state;
134 +
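Review bot: the new `if (task && pi_state->owner == task) return -EDEADLK;` is silently skipped whenever `task` is NULL, and the only explanation of that parameter is the block comment about the corrupted 0x80000000 value. The function head should state what a NULL `task` means (caller is not a candidate owner, skip the owner deadlock check), since one call site later in this same patch passes NULL on purpose and a reader of `lookup_pi_state()` alone cannot tell that from an oversight.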
135 +@@ -783,7 +794,7 @@ retry:
136 + * We dont have the lock. Look up the PI state (or create it if
137 + * we are the first waiter):
138 + */
139 +- ret = lookup_pi_state(uval, hb, key, ps);
140 ++ ret = lookup_pi_state(uval, hb, key, ps, task);
141 +
142 + if (unlikely(ret)) {
143 + switch (ret) {
144 +@@ -1193,7 +1204,7 @@ void requeue_pi_wake_futex(struct futex_
145 + *
146 + * Returns:
147 + * 0 - failed to acquire the lock atomicly
148 +- * 1 - acquired the lock
149 ++ * >0 - acquired the lock, return value is vpid of the top_waiter
150 + * <0 - error
151 + */
152 + static int futex_proxy_trylock_atomic(u32 __user *pifutex,
153 +@@ -1204,7 +1215,7 @@ static int futex_proxy_trylock_atomic(u3
154 + {
155 + struct futex_q *top_waiter = NULL;
156 + u32 curval;
157 +- int ret;
158 ++ int ret, vpid;
159 +
160 + if (get_futex_value_locked(&curval, pifutex))
161 + return -EFAULT;
162 +@@ -1232,11 +1243,13 @@ static int futex_proxy_trylock_atomic(u3
163 + * the contended case or if set_waiters is 1. The pi_state is returned
164 + * in ps in contended cases.
165 + */
166 ++ vpid = task_pid_vnr(top_waiter->task);
167 + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
168 + set_waiters);
169 +- if (ret == 1)
170 ++ if (ret == 1) {
171 + requeue_pi_wake_futex(top_waiter, key2, hb2);
172 +-
173 ++ return vpid;
174 ++ }
175 + return ret;
176 + }
177 +
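Review bot: `vpid = task_pid_vnr(top_waiter->task)` is captured before `futex_lock_pi_atomic()` and returned instead of `1`, so this function's success contract becomes `>0` as the updated header comment says, yet the body still tests `if (ret == 1)`. That is correct only because `futex_lock_pi_atomic()` itself still returns exactly 1 on success (its `return 1` is visible in the 1504 patch below); a one-line comment on the `ret == 1` test would keep a future reader from "fixing" it to `ret > 0` or from changing the inner return value without noticing this dependency.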
178 +@@ -1268,7 +1281,6 @@ static int futex_requeue(u32 __user *uad
179 + struct futex_hash_bucket *hb1, *hb2;
180 + struct plist_head *head1;
181 + struct futex_q *this, *next;
182 +- u32 curval2;
183 +
184 + if (requeue_pi) {
185 + /*
186 +@@ -1354,16 +1366,25 @@ retry_private:
187 + * At this point the top_waiter has either taken uaddr2 or is
188 + * waiting on it. If the former, then the pi_state will not
189 + * exist yet, look it up one more time to ensure we have a
190 +- * reference to it.
191 ++ * reference to it. If the lock was taken, ret contains the
192 ++ * vpid of the top waiter task.
193 + */
194 +- if (ret == 1) {
195 ++ if (ret > 0) {
196 + WARN_ON(pi_state);
197 + drop_count++;
198 + task_count++;
199 +- ret = get_futex_value_locked(&curval2, uaddr2);
200 +- if (!ret)
201 +- ret = lookup_pi_state(curval2, hb2, &key2,
202 +- &pi_state);
203 ++ /*
204 ++ * If we acquired the lock, then the user
205 ++ * space value of uaddr2 should be vpid. It
206 ++ * cannot be changed by the top waiter as it
207 ++ * is blocked on hb2 lock if it tries to do
208 ++ * so. If something fiddled with it behind our
209 ++ * back the pi state lookup might unearth
210 ++ * it. So we rather use the known value than
211 ++ * rereading and handing potential crap to
212 ++ * lookup_pi_state.
213 ++ */
214 ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
215 + }
216 +
217 + switch (ret) {
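Review bot: `lookup_pi_state(ret, hb2, &key2, &pi_state, NULL)` feeds the vpid returned by `futex_proxy_trylock_atomic()` in as the user-space value rather than rereading uaddr2, which the comment justifies well; but that value has no FUTEX_WAITERS bit set, so this is only sound if `lookup_pi_state()` derives the owner from the TID bits alone and does not treat a clear waiters bit as corruption. Passing `NULL` as task also bypasses the `-EDEADLK` owner check introduced earlier in this patch, which is right because the acquiring task is the top waiter rather than current; both points deserve a sentence in the comment.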
218
219 Added: genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
220 ===================================================================
221 --- genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0)
222 +++ genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-06 06:50:22 UTC (rev 2812)
223 @@ -0,0 +1,52 @@
224 +From: Thomas Gleixner <tglx@××××××××××.de>
225 +Date: Mon, 12 May 2014 20:45:35 +0000
226 +Subject: futex: Prevent attaching to kernel threads
227 +Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
228 +
229 +We happily allow userspace to declare a random kernel thread to be the
230 +owner of a user space PI futex.
231 +
232 +Found while analysing the fallout of Dave Jones syscall fuzzer.
233 +
234 +We also should validate the thread group for private futexes and find
235 +some fast way to validate whether the "alleged" owner has RW access on
236 +the file which backs the SHM, but that's a separate issue.
237 +
238 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
239 +Cc: Dave Jones <davej@××××××.com>
240 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
241 +Cc: Peter Zijlstra <peterz@×××××××××.org>
242 +Cc: Darren Hart <darren@××××××.com>
243 +Cc: Davidlohr Bueso <davidlohr@××.com>
244 +Cc: Steven Rostedt <rostedt@×××××××.org>
245 +Cc: Clark Williams <williams@××××××.com>
246 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
247 +Cc: Lai Jiangshan <laijs@××××××××××.com>
248 +Cc: Roland McGrath <roland@×××××××××.com>
249 +Cc: Carlos ODonell <carlos@××××××.com>
250 +Cc: Jakub Jelinek <jakub@××××××.com>
251 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
252 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
253 +Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
254 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
255 +Cc: stable@×××××××××××.org
256 +---
257 + kernel/futex.c | 5 +++++
258 + 1 file changed, 5 insertions(+)
259 +
260 +Index: linux-3.4/kernel/futex.c
261 +===================================================================
262 +--- linux-3.4.orig/kernel/futex.c
263 ++++ linux-3.4/kernel/futex.c
264 +@@ -662,6 +662,11 @@ lookup_pi_state(u32 uval, struct futex_h
265 + if (!p)
266 + return -ESRCH;
267 +
268 ++ if (!p->mm) {
269 ++ put_task_struct(p);
270 ++ return -EPERM;
271 ++ }
272 ++
273 + /*
274 + * We need to look at the task state flags to figure out,
275 + * whether the task is exiting. To protect against the do_exit
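Review bot: the `!p->mm` test sits before the exit handling that the following comment describes (`We need to look at the task state flags to figure out, whether the task is exiting`), and a user task in the late stages of exit has already dropped its mm as well, so such a task now returns `-EPERM` from the kernel-thread check instead of reaching the exiting path below. If that is acceptable, say so in the new comment; otherwise the check belongs after the exiting test. The `put_task_struct(p)` on the error path correctly releases the reference taken by the task lookup guarded by the `if (!p)` just above.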
276
277 Added: genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
278 ===================================================================
279 --- genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0)
280 +++ genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-06 06:50:22 UTC (rev 2812)
281 @@ -0,0 +1,81 @@
282 +From: Thomas Gleixner <tglx@××××××××××.de>
283 +Date: Tue, 3 Jun 2014 12:27:06 +0000
284 +Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
285 + uaddr2 in futex_requeue(..., requeue_pi=1)
286 +Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
287 +
288 +If uaddr == uaddr2, then we have broken the rule of only requeueing from
289 +a non-pi futex to a pi futex with this call. If we attempt this, then
290 +dangling pointers may be left for rt_waiter resulting in an exploitable
291 +condition.
292 +
293 +This change brings futex_requeue() in line with futex_wait_requeue_pi()
294 +which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
295 +uaddr == uaddr2 in futex_wait_requeue_pi()")
296 +
297 +[ tglx: Compare the resulting keys as well, as uaddrs might be
298 + different depending on the mapping ]
299 +
300 +Fixes CVE-2014-3153.
301 +
302 +Reported-by: Pinkie Pie
303 +Signed-off-by: Will Drewry <wad@××××××××.org>
304 +Signed-off-by: Kees Cook <keescook@××××××××.org>
305 +Cc: stable@×××××××××××.org
306 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
307 +Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
308 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
309 +---
310 + kernel/futex.c | 25 +++++++++++++++++++++++++
311 + 1 file changed, 25 insertions(+)
312 +
313 +Index: linux-3.4/kernel/futex.c
314 +===================================================================
315 +--- linux-3.4.orig/kernel/futex.c
316 ++++ linux-3.4/kernel/futex.c
317 +@@ -1289,6 +1289,13 @@ static int futex_requeue(u32 __user *uad
318 +
319 + if (requeue_pi) {
320 + /*
321 ++ * Requeue PI only works on two distinct uaddrs. This
322 ++ * check is only valid for private futexes. See below.
323 ++ */
324 ++ if (uaddr1 == uaddr2)
325 ++ return -EINVAL;
326 ++
327 ++ /*
328 + * requeue_pi requires a pi_state, try to allocate it now
329 + * without any locks in case it fails.
330 + */
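Review bot: the `uaddr1 == uaddr2` early return runs before any futex key is taken, so `return -EINVAL` with no cleanup is correct, and the comment rightly limits it to private futexes. Separately, the Subject line of this patch header still carries the quilt file name `futex-prevent-requeue-pi-on-same-futex.patch` in front of the real subject, and that string has propagated into the long 1503 genpatches file name; trimming the subject to `futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)` would keep the file name and README entry consistent with the other five patches.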
331 +@@ -1326,6 +1333,15 @@ retry:
332 + if (unlikely(ret != 0))
333 + goto out_put_key1;
334 +
335 ++ /*
336 ++ * The check above which compares uaddrs is not sufficient for
337 ++ * shared futexes. We need to compare the keys:
338 ++ */
339 ++ if (requeue_pi && match_futex(&key1, &key2)) {
340 ++ ret = -EINVAL;
341 ++ goto out_put_keys;
342 ++ }
343 ++
344 + hb1 = hash_futex(&key1);
345 + hb2 = hash_futex(&key2);
346 +
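Review bot: `goto out_put_keys` after the failed `match_futex(&key1, &key2)` check relies on a label that drops both keys, whereas the context two lines above uses `goto out_put_key1` for the case where only key1 is held; the distinction matters and is not visible in the hunk, so please confirm `out_put_keys` releases key2 as well. The placement is otherwise right: the check runs before `hash_futex()` and before any hash-bucket lock is taken, so nothing else needs unwinding here.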
347 +@@ -2357,6 +2373,15 @@ static int futex_wait_requeue_pi(u32 __u
348 + if (ret)
349 + goto out_key2;
350 +
351 ++ /*
352 ++ * The check above which compares uaddrs is not sufficient for
353 ++ * shared futexes. We need to compare the keys:
354 ++ */
355 ++ if (match_futex(&q.key, &key2)) {
356 ++ ret = -EINVAL;
357 ++ goto out_put_keys;
358 ++ }
359 ++
360 + /* Queue the futex_q, drop the hb lock, wait for wakeup. */
361 + futex_wait_queue_me(hb, &q, to);
362 +
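Review bot: this error path appears to leak the hash-bucket lock. The context immediately below (`/* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to);`) shows that `hb->lock` is held when the new `match_futex(&q.key, &key2)` check runs, yet the failure branch sets `ret = -EINVAL` and jumps to `out_put_keys` without releasing `hb`. The branch should unlock the hash bucket before the goto, or jump to a label that does; neither is visible in the hunk.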
363
364 Added: genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
365 ===================================================================
366 --- genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0)
367 +++ genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-06 06:50:22 UTC (rev 2812)
368 @@ -0,0 +1,53 @@
369 +From: Thomas Gleixner <tglx@××××××××××.de>
370 +Date: Tue, 3 Jun 2014 12:27:06 +0000
371 +Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
372 +Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
373 +
374 +We need to protect the atomic acquisition in the kernel against rogue
375 +user space which sets the user space futex to 0, so the kernel side
376 +acquisition succeeds while there is existing state in the kernel
377 +associated to the real owner.
378 +
379 +Verify whether the futex has waiters associated with kernel state. If
380 +it has, return -EINVAL. The state is corrupted already, so no point in
381 +cleaning it up. Subsequent calls will fail as well. Not our problem.
382 +
383 +[ tglx: Use futex_top_waiter() and explain why we do not need to try
384 + restoring the already corrupted user space state. ]
385 +
386 +Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
387 +Cc: Kees Cook <keescook@××××××××.org>
388 +Cc: Will Drewry <wad@××××××××.org>
389 +Cc: stable@×××××××××××.org
390 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
391 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
392 +---
393 + kernel/futex.c | 14 +++++++++++---
394 + 1 file changed, 11 insertions(+), 3 deletions(-)
395 +
396 +Index: linux-3.4/kernel/futex.c
397 +===================================================================
398 +--- linux-3.4.orig/kernel/futex.c
399 ++++ linux-3.4/kernel/futex.c
400 +@@ -758,10 +758,18 @@ retry:
401 + return -EDEADLK;
402 +
403 + /*
404 +- * Surprise - we got the lock. Just return to userspace:
405 ++ * Surprise - we got the lock, but we do not trust user space at all.
406 + */
407 +- if (unlikely(!curval))
408 +- return 1;
409 ++ if (unlikely(!curval)) {
410 ++ /*
411 ++ * We verify whether there is kernel state for this
412 ++ * futex. If not, we can safely assume, that the 0 ->
413 ++ * TID transition is correct. If state exists, we do
414 ++ * not bother to fixup the user space state as it was
415 ++ * corrupted already.
416 ++ */
417 ++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
418 ++ }
419 +
420 + uval = curval;
421 +
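Review bot: `return futex_top_waiter(hb, key) ? -EINVAL : 1;` turns the "surprise" acquisition into an error when kernel state already exists, but the `0 -> TID transition` named in the new comment has already been written to the user-space word by the time `curval` is observed as 0, so on the `-EINVAL` path user space keeps showing the caller as owner while the kernel reports failure. The inline comment explains that this is deliberate because the state is already corrupt; that reasoning, and the new `-EINVAL` return, should also appear in the function's return-value documentation next to the `-EDEADLK` case visible in the context above.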
422
423 Added: genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
424 ===================================================================
425 --- genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0)
426 +++ genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-06 06:50:22 UTC (rev 2812)
427 @@ -0,0 +1,99 @@
428 +From: Thomas Gleixner <tglx@××××××××××.de>
429 +Date: Tue, 3 Jun 2014 12:27:07 +0000
430 +Subject: futex: Always cleanup owner tid in unlock_pi
431 +Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
432 +
433 +If the owner died bit is set at futex_unlock_pi, we currently do not
434 +cleanup the user space futex. So the owner TID of the current owner
435 +(the unlocker) persists. That's observable inconsistant state,
436 +especially when the ownership of the pi state got transferred.
437 +
438 +Clean it up unconditionally.
439 +
440 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
441 +Cc: Kees Cook <keescook@××××××××.org>
442 +Cc: Will Drewry <wad@××××××××.org>
443 +Cc: Darren Hart <dvhart@×××××××××××.com>
444 +Cc: stable@×××××××××××.org
445 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
446 +---
447 + kernel/futex.c | 40 ++++++++++++++++++----------------------
448 + 1 file changed, 18 insertions(+), 22 deletions(-)
449 +
450 +Index: linux-3.4/kernel/futex.c
451 +===================================================================
452 +--- linux-3.4.orig/kernel/futex.c
453 ++++ linux-3.4/kernel/futex.c
454 +@@ -899,6 +899,7 @@ static int wake_futex_pi(u32 __user *uad
455 + struct task_struct *new_owner;
456 + struct futex_pi_state *pi_state = this->pi_state;
457 + u32 uninitialized_var(curval), newval;
458 ++ int ret = 0;
459 +
460 + if (!pi_state)
461 + return -EINVAL;
462 +@@ -922,23 +923,19 @@ static int wake_futex_pi(u32 __user *uad
463 + new_owner = this->task;
464 +
465 + /*
466 +- * We pass it to the next owner. (The WAITERS bit is always
467 +- * kept enabled while there is PI state around. We must also
468 +- * preserve the owner died bit.)
469 +- */
470 +- if (!(uval & FUTEX_OWNER_DIED)) {
471 +- int ret = 0;
472 +-
473 +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
474 +-
475 +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
476 +- ret = -EFAULT;
477 +- else if (curval != uval)
478 +- ret = -EINVAL;
479 +- if (ret) {
480 +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
481 +- return ret;
482 +- }
483 ++ * We pass it to the next owner. The WAITERS bit is always
484 ++ * kept enabled while there is PI state around. We cleanup the
485 ++ * owner died bit, because we are the owner.
486 ++ */
487 ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
488 ++
489 ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
490 ++ ret = -EFAULT;
491 ++ else if (curval != uval)
492 ++ ret = -EINVAL;
493 ++ if (ret) {
494 ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
495 ++ return ret;
496 + }
497 +
498 + raw_spin_lock_irq(&pi_state->owner->pi_lock);
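Review bot: dropping the `if (!(uval & FUTEX_OWNER_DIED))` guard means `cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)` now also runs in the owner-died case, with `newval = FUTEX_WAITERS | task_pid_vnr(new_owner)` clearing that bit as the rewritten comment states; because the full `uval` is still used as the expected old value, the store only succeeds when user space has not modified the word, which is the right behaviour. One consequence worth noting in the commit message: `-EINVAL` from the `curval != uval` compare is now reachable in the owner-died case too, so the caller's handling of that error should be checked for that path.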
499 +@@ -2183,9 +2180,10 @@ retry:
500 + /*
501 + * To avoid races, try to do the TID -> 0 atomic transition
502 + * again. If it succeeds then we can return without waking
503 +- * anyone else up:
504 ++ * anyone else up. We only try this if neither the waiters nor
505 ++ * the owner died bit are set.
506 + */
507 +- if (!(uval & FUTEX_OWNER_DIED) &&
508 ++ if (!(uval & ~FUTEX_TID_MASK) &&
509 + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
510 + goto pi_faulted;
511 + /*
512 +@@ -2217,11 +2215,9 @@ retry:
513 + /*
514 + * No waiters - kernel unlocks the futex:
515 + */
516 +- if (!(uval & FUTEX_OWNER_DIED)) {
517 +- ret = unlock_futex_pi(uaddr, uval);
518 +- if (ret == -EFAULT)
519 +- goto pi_faulted;
520 +- }
521 ++ ret = unlock_futex_pi(uaddr, uval);
522 ++ if (ret == -EFAULT)
523 ++ goto pi_faulted;
524 +
525 + out_unlock:
526 + spin_unlock(&hb->lock);
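Review bot: `unlock_futex_pi(uaddr, uval)` is now invoked unconditionally, so it can receive a `uval` with FUTEX_OWNER_DIED set, a case the removed guard previously excluded. This is only correct if `unlock_futex_pi()` uses the complete `uval` as the cmpxchg expected value and writes 0, thereby clearing the owner-died bit as the commit message intends; if it masked the value to the TID first the compare would fail and the stale owner TID would persist, which is exactly the inconsistency this patch sets out to remove. A short comment at this call site stating that `uval` must be passed unmasked would make the dependency explicit.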
527
528 Added: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
529 ===================================================================
530 (Binary files differ)
531
532 Index: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
533 ===================================================================
534 --- genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-06 06:45:59 UTC (rev 2811)
535 +++ genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-06 06:50:22 UTC (rev 2812)
536
537 Property changes on: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
538 ___________________________________________________________________
539 Added: svn:mime-type
540 ## -0,0 +1 ##
541 +message/rfc822
542 \ No newline at end of property
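Review bot: 1506-futex-make-lookup_pi_state-more-robust.patch was committed with svn:mime-type `message/rfc822`, so Subversion reports `(Binary files differ)` and the sixth CVE-2014-3153 patch is the only one whose content is absent from this diff and cannot be reviewed together with the other five; set the property to a text type (or remove it) and recommit so the file diffs as text in this and future revisions.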