This is a note to let you know that I've just added the patch titled

    futex: Fix incorrect should_fail_futex() handling

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     futex-fix-incorrect-should_fail_futex-handling.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Mon Mar 29 07:48:09 AM CEST 2021
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Date: Sun, 28 Mar 2021 22:43:10 +0200
Subject: futex: Fix incorrect should_fail_futex() handling
To: stable@xxxxxxxxxxxxxxx
Cc: Lee Jones <lee.jones@xxxxxxxxxx>, "Luis Claudio R. Goncalves" <lgoncalv@xxxxxxxxxx>, Florian Fainelli <f.fainelli@xxxxxxxxx>
Message-ID: <YGDqXlZ4Vb3r3Q8f@xxxxxxxxxxxxxxx>
Content-Disposition: inline

From: Mateusz Nosek <mateusznosek0@xxxxxxxxx>

commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 upstream.

If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
variable is set to -EFAULT and then immediately overwritten. So the failure
injection is non-functional.

Fix it by actually leaving the function and returning -EFAULT.

The Fixes tag is kinda blurry because the initial commit which introduced
failure injection was already sloppy, but the below mentioned commit broke
it completely.

[ tglx: Massaged changelog ]

Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
Signed-off-by: Mateusz Nosek <mateusznosek0@xxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@xxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/futex.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c @@ -1605,8 +1605,10 @@ static int wake_futex_pi(u32 __user *uad */ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); - if (unlikely(should_fail_futex(true))) + if (unlikely(should_fail_futex(true))) { ret = -EFAULT; + goto out_unlock; + } ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval); if (!ret && (curval != uval)) { Patches currently in stable-queue which might be from ben@xxxxxxxxxxxxxxx are queue-4.9/futex-drop-hb-lock-before-enqueueing-on-the-rtmutex.patch queue-4.9/futex-rework-futex_lock_pi-to-use-rt_mutex_-_proxy_lock.patch queue-4.9/futex-avoid-freeing-an-active-timer.patch queue-4.9/futex-rt_mutex-introduce-rt_mutex_init_waiter.patch queue-4.9/futex-fix-incorrect-should_fail_futex-handling.patch queue-4.9/futex-rt_mutex-fix-rt_mutex_cleanup_proxy_lock.patch queue-4.9/futex-use-smp_store_release-in-mark_wake_futex.patch queue-4.9/futex-fix-possible-missed-wakeup.patch queue-4.9/locking-futex-allow-low-level-atomic-operations-to-return-eagain.patch queue-4.9/futex-prevent-robust-futex-exit-race.patch queue-4.9/futex-handle-transient-ownerless-rtmutex-state-correctly.patch queue-4.9/futex-handle-early-deadlock-return-correctly.patch queue-4.9/arm64-futex-bound-number-of-ldxr-stxr-loops-in-futex_wake_op.patch
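Review bot: the new `goto out_unlock` in wake_futex_pi() targets a label that is outside this hunk, so the 4.9 backport should be checked to confirm that out_unlock releases the lock held at this point (the following `cmpxchg_futex_value_locked()` call implies one is held) and performs the same cleanup as the function's other error exits before -EFAULT is returned. The fix itself is right for the reason the changelog gives: in the removed code `ret = -EFAULT;` was immediately overwritten by `ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);`, so the injected fault never reached the caller; with the early exit the cmpxchg is skipped and the fault is actually reported. One documentation point: the changelog refers to should_futex_fail() and futex_wake_pi(), while the code in the hunk calls should_fail_futex() inside wake_futex_pi(); worth aligning the names so the commit is greppable.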