Patch "futex: Fix incorrect should_fail_futex() handling" has been added to the 4.9-stable tree

This is a note to let you know that I've just added the patch titled

    futex: Fix incorrect should_fail_futex() handling

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     futex-fix-incorrect-should_fail_futex-handling.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Mon Mar 29 07:48:09 AM CEST 2021
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Date: Sun, 28 Mar 2021 22:43:10 +0200
Subject: futex: Fix incorrect should_fail_futex() handling
To: stable@xxxxxxxxxxxxxxx
Cc: Lee Jones <lee.jones@xxxxxxxxxx>, "Luis Claudio R. Goncalves" <lgoncalv@xxxxxxxxxx>, Florian Fainelli <f.fainelli@xxxxxxxxx>
Message-ID: <YGDqXlZ4Vb3r3Q8f@xxxxxxxxxxxxxxx>
Content-Disposition: inline

From: Mateusz Nosek <mateusznosek0@xxxxxxxxx>

commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 upstream.

If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
variable is set to -EFAULT and then immediately overwritten. So the failure
injection is non-functional.

Fix it by actually leaving the function and returning -EFAULT.

The Fixes tag is kinda blurry because the initial commit which introduced
failure injection was already sloppy, but the below mentioned commit broke
it completely.

[ tglx: Massaged changelog ]

Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
Signed-off-by: Mateusz Nosek <mateusznosek0@xxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@xxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/futex.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1605,8 +1605,10 @@ static int wake_futex_pi(u32 __user *uad
 	 */
 	newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
 
-	if (unlikely(should_fail_futex(true)))
+	if (unlikely(should_fail_futex(true))) {
 		ret = -EFAULT;
+		goto out_unlock;
+	}
 
 	ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
 	if (!ret && (curval != uval)) {
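
Review bot: the added `goto out_unlock;` in wake_futex_pi() targets a label that lies outside the context shown in this hunk, so for the 4.9 backport it is worth confirming that `out_unlock` exists in this tree's version of the function and drops every lock held at this point before returning `ret`. Two smaller points: the changelog names the helpers as should_futex_fail() and futex_wake_pi(), while the code in the hunk uses should_fail_futex() and wake_futex_pi(), which makes the message harder to grep for. The Fixes: tag points at 6b4f4bc9cb22, which is itself in this queue as locking-futex-allow-low-level-atomic-operations-to-return-eagain.patch, so this patch should be ordered after it in the series.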


Patches currently in stable-queue which might be from ben@xxxxxxxxxxxxxxx are

queue-4.9/futex-drop-hb-lock-before-enqueueing-on-the-rtmutex.patch
queue-4.9/futex-rework-futex_lock_pi-to-use-rt_mutex_-_proxy_lock.patch
queue-4.9/futex-avoid-freeing-an-active-timer.patch
queue-4.9/futex-rt_mutex-introduce-rt_mutex_init_waiter.patch
queue-4.9/futex-fix-incorrect-should_fail_futex-handling.patch
queue-4.9/futex-rt_mutex-fix-rt_mutex_cleanup_proxy_lock.patch
queue-4.9/futex-use-smp_store_release-in-mark_wake_futex.patch
queue-4.9/futex-fix-possible-missed-wakeup.patch
queue-4.9/locking-futex-allow-low-level-atomic-operations-to-return-eagain.patch
queue-4.9/futex-prevent-robust-futex-exit-race.patch
queue-4.9/futex-handle-transient-ownerless-rtmutex-state-correctly.patch
queue-4.9/futex-handle-early-deadlock-return-correctly.patch
queue-4.9/arm64-futex-bound-number-of-ldxr-stxr-loops-in-futex_wake_op.patch


