* [PATCH 4.9.y 0/1] Bugfix for 781691c797de ("futex: Avoid violating the 10th rule of futex")
@ 2021-02-23 14:41 Zheng Yejian
  2021-02-23 14:41 ` [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup Zheng Yejian
  0 siblings, 1 reply; 7+ messages in thread
From: Zheng Yejian @ 2021-02-23 14:41 UTC (permalink / raw)
  To: gregkh, lee.jones, stable, linux-kernel
  Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2

This patch may fix the following bug:

Link:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/?h=linux-4.9.y&id=5b1d078507bd33ebf6c2083fa363cf5832809c19

    > static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
    > 				  struct task_struct *argowner)
    > {
    > 	struct futex_pi_state *pi_state = q->pi_state;
    > 	struct task_struct *oldowner, *newowner;
    > 	u32 uval, curval, newval, newtid;
    > 	int err = 0;
    > 
    > 	oldowner = pi_state->owner;
    > 
    > 	/* Owner died? */
    > 	if (!pi_state->owner)
    > 		newtid |= FUTEX_OWNER_DIED;
Variable "newtid" is used without being initialized.

Peter Zijlstra (1):
  futex: Fix OWNER_DEAD fixup

 kernel/futex.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.25.4



* [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-23 14:41 [PATCH 4.9.y 0/1] Bugfix for 781691c797de ("futex: Avoid violating the 10th rule of futex") Zheng Yejian
@ 2021-02-23 14:41 ` Zheng Yejian
  2021-02-24 11:19   ` Lee Jones
  2021-03-01 14:15   ` Greg KH
  0 siblings, 2 replies; 7+ messages in thread
From: Zheng Yejian @ 2021-02-23 14:41 UTC (permalink / raw)
  To: gregkh, lee.jones, stable, linux-kernel
  Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2

From: Peter Zijlstra <peterz@infradead.org>

commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.

Both Geert and DaveJ reported that the recent futex commit:

  c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")

introduced a problem with setting OWNER_DEAD. We set the bit on an
uninitialized variable and then entirely optimize it away as a
dead-store.

Move the setting of the bit to where it is more useful.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@us.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 kernel/futex.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index b65dbb5d60bb..604d1cb9839d 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2424,9 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
 	int err = 0;
 
 	oldowner = pi_state->owner;
-	/* Owner died? */
-	if (!pi_state->owner)
-		newtid |= FUTEX_OWNER_DIED;
 
 	/*
 	 * We are here because either:
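Review bot: With the early `newtid |= FUTEX_OWNER_DIED` dropped from just after `oldowner = pi_state->owner;`, `newtid` should stay declared without an initializer; adding `= 0` to silence a warning would hide any later read-before-write of the same kind. Separately, the cover letter names 781691c797de as the 4.9.y commit being fixed while the Fixes: tag carries the upstream id c1e2f0eaf015, so mentioning the 4.9.y id in the changelog would make the backport easier to trace.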
@@ -2484,6 +2481,9 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
 	}
 
 	newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
+	/* Owner died? */
+	if (!pi_state->owner)
+		newtid |= FUTEX_OWNER_DIED;
 
 	if (get_futex_value_locked(&uval, uaddr))
 		goto handle_fault;
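Review bot: The new `if (!pi_state->owner)` test placed after `newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;` re-reads `pi_state->owner` instead of using the `oldowner` snapshot taken at the top of the function. If the two can differ by this point, a one-line comment saying that the current value is the intended one would help; if they cannot, testing `!oldowner` would make that explicit.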
-- 
2.25.4



* Re: [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-23 14:41 ` [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup Zheng Yejian
@ 2021-02-24 11:19   ` Lee Jones
  2021-02-25  6:29     ` Zhengyejian (Zetta)
  2021-03-01 14:15   ` Greg KH
  1 sibling, 1 reply; 7+ messages in thread
From: Lee Jones @ 2021-02-24 11:19 UTC (permalink / raw)
  To: Zheng Yejian
  Cc: gregkh, stable, linux-kernel, tglx, cj.chengjian, judy.chenhui,
	zhangjinhao2

On Tue, 23 Feb 2021, Zheng Yejian wrote:

> From: Peter Zijlstra <peterz@infradead.org>
> 
> commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.
> 
> Both Geert and DaveJ reported that the recent futex commit:
> 
>   c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> 
> introduced a problem with setting OWNER_DEAD. We set the bit on an
> uninitialized variable and then entirely optimize it away as a
> dead-store.
> 
> Move the setting of the bit to where it is more useful.
> 
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Reported-by: Dave Jones <davej@codemonkey.org.uk>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Paul E. McKenney <paulmck@us.ibm.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>

Why have you dropped my Reviewed-by?

> ---
>  kernel/futex.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index b65dbb5d60bb..604d1cb9839d 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -2424,9 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>  	int err = 0;
>  
>  	oldowner = pi_state->owner;
> -	/* Owner died? */
> -	if (!pi_state->owner)
> -		newtid |= FUTEX_OWNER_DIED;
>  
>  	/*
>  	 * We are here because either:
> @@ -2484,6 +2481,9 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>  	}
>  
>  	newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
> +	/* Owner died? */
> +	if (!pi_state->owner)
> +		newtid |= FUTEX_OWNER_DIED;
>  
>  	if (get_futex_value_locked(&uval, uaddr))
>  		goto handle_fault;

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog


* Re: [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-24 11:19   ` Lee Jones
@ 2021-02-25  6:29     ` Zhengyejian (Zetta)
  2021-02-25  8:09       ` Lee Jones
  0 siblings, 1 reply; 7+ messages in thread
From: Zhengyejian (Zetta) @ 2021-02-25  6:29 UTC (permalink / raw)
  To: Lee Jones
  Cc: gregkh, stable, linux-kernel, tglx, cj.chengjian, judy.chenhui,
	zhangjinhao2



On 2021/2/24 19:19, Lee Jones wrote:
> On Tue, 23 Feb 2021, Zheng Yejian wrote:
> 
>> From: Peter Zijlstra <peterz@infradead.org>
>>
>> commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.
>>
>> Both Geert and DaveJ reported that the recent futex commit:
>>
>>    c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
>>
>> introduced a problem with setting OWNER_DEAD. We set the bit on an
>> uninitialized variable and then entirely optimize it away as a
>> dead-store.
>>
>> Move the setting of the bit to where it is more useful.
>>
>> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
>> Reported-by: Dave Jones <davej@codemonkey.org.uk>
>> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Linus Torvalds <torvalds@linux-foundation.org>
>> Cc: Paul E. McKenney <paulmck@us.ibm.com>
>> Cc: Peter Zijlstra <peterz@infradead.org>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
>> Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
>> Signed-off-by: Ingo Molnar <mingo@kernel.org>
>> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> 
> Why have you dropped my Reviewed-by?
> 
Really sorry. I thought that a changed patchset needs another review.
Then I do need to append your Reviewed-by and send a "V2" patchset, do I?

>> ---
>>   kernel/futex.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/kernel/futex.c b/kernel/futex.c
>> index b65dbb5d60bb..604d1cb9839d 100644
>> --- a/kernel/futex.c
>> +++ b/kernel/futex.c
>> @@ -2424,9 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>>   	int err = 0;
>>   
>>   	oldowner = pi_state->owner;
>> -	/* Owner died? */
>> -	if (!pi_state->owner)
>> -		newtid |= FUTEX_OWNER_DIED;
>>   
>>   	/*
>>   	 * We are here because either:
>> @@ -2484,6 +2481,9 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>>   	}
>>   
>>   	newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
>> +	/* Owner died? */
>> +	if (!pi_state->owner)
>> +		newtid |= FUTEX_OWNER_DIED;
>>   
>>   	if (get_futex_value_locked(&uval, uaddr))
>>   		goto handle_fault;
> 


* Re: [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-25  6:29     ` Zhengyejian (Zetta)
@ 2021-02-25  8:09       ` Lee Jones
  2021-02-25  8:50         ` Zhengyejian (Zetta)
  0 siblings, 1 reply; 7+ messages in thread
From: Lee Jones @ 2021-02-25  8:09 UTC (permalink / raw)
  To: Zhengyejian (Zetta)
  Cc: gregkh, stable, linux-kernel, tglx, cj.chengjian, judy.chenhui,
	zhangjinhao2

On Thu, 25 Feb 2021, Zhengyejian (Zetta) wrote:

> 
> 
> On 2021/2/24 19:19, Lee Jones wrote:
> > On Tue, 23 Feb 2021, Zheng Yejian wrote:
> > 
> > > From: Peter Zijlstra <peterz@infradead.org>
> > > 
> > > commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.
> > > 
> > > Both Geert and DaveJ reported that the recent futex commit:
> > > 
> > >    c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> > > 
> > > introduced a problem with setting OWNER_DEAD. We set the bit on an
> > > uninitialized variable and then entirely optimize it away as a
> > > dead-store.
> > > 
> > > Move the setting of the bit to where it is more useful.
> > > 
> > > Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> > > Reported-by: Dave Jones <davej@codemonkey.org.uk>
> > > Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> > > Cc: Andrew Morton <akpm@linux-foundation.org>
> > > Cc: Linus Torvalds <torvalds@linux-foundation.org>
> > > Cc: Paul E. McKenney <paulmck@us.ibm.com>
> > > Cc: Peter Zijlstra <peterz@infradead.org>
> > > Cc: Thomas Gleixner <tglx@linutronix.de>
> > > Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> > > Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
> > > Signed-off-by: Ingo Molnar <mingo@kernel.org>
> > > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > 
> > Why have you dropped my Reviewed-by?
> > 
> Really sorry. I thought that a changed patchset needs another review.
> Then I do need to append your Reviewed-by and send a "V2" patchset, do I?

No need.  I won't hold up merging just for that.

Just bear in mind that you should apply and carry forward *-by tags
unless there have been significant/functional changes.

Reviewed-by: Lee Jones <lee.jones@linaro.org>

> > > ---
> > >   kernel/futex.c | 6 +++---
> > >   1 file changed, 3 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/kernel/futex.c b/kernel/futex.c
> > > index b65dbb5d60bb..604d1cb9839d 100644
> > > --- a/kernel/futex.c
> > > +++ b/kernel/futex.c
> > > @@ -2424,9 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
> > >   	int err = 0;
> > >   	oldowner = pi_state->owner;
> > > -	/* Owner died? */
> > > -	if (!pi_state->owner)
> > > -		newtid |= FUTEX_OWNER_DIED;
> > >   	/*
> > >   	 * We are here because either:
> > > @@ -2484,6 +2481,9 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
> > >   	}
> > >   	newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
> > > +	/* Owner died? */
> > > +	if (!pi_state->owner)
> > > +		newtid |= FUTEX_OWNER_DIED;
> > >   	if (get_futex_value_locked(&uval, uaddr))
> > >   		goto handle_fault;
> > 

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog


* Re: [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-25  8:09       ` Lee Jones
@ 2021-02-25  8:50         ` Zhengyejian (Zetta)
  0 siblings, 0 replies; 7+ messages in thread
From: Zhengyejian (Zetta) @ 2021-02-25  8:50 UTC (permalink / raw)
  To: Lee Jones
  Cc: gregkh, stable, linux-kernel, tglx, cj.chengjian, judy.chenhui,
	zhangjinhao2



On 2021/2/25 16:09, Lee Jones wrote:
> On Thu, 25 Feb 2021, Zhengyejian (Zetta) wrote:
> 
>>
>>
>> On 2021/2/24 19:19, Lee Jones wrote:
>>> On Tue, 23 Feb 2021, Zheng Yejian wrote:
>>>
>>>> From: Peter Zijlstra <peterz@infradead.org>
>>>>
>>>> commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.
>>>>
>>>> Both Geert and DaveJ reported that the recent futex commit:
>>>>
>>>>     c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
>>>>
>>>> introduced a problem with setting OWNER_DEAD. We set the bit on an
>>>> uninitialized variable and then entirely optimize it away as a
>>>> dead-store.
>>>>
>>>> Move the setting of the bit to where it is more useful.
>>>>
>>>> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
>>>> Reported-by: Dave Jones <davej@codemonkey.org.uk>
>>>> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>>>> Cc: Andrew Morton <akpm@linux-foundation.org>
>>>> Cc: Linus Torvalds <torvalds@linux-foundation.org>
>>>> Cc: Paul E. McKenney <paulmck@us.ibm.com>
>>>> Cc: Peter Zijlstra <peterz@infradead.org>
>>>> Cc: Thomas Gleixner <tglx@linutronix.de>
>>>> Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
>>>> Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
>>>> Signed-off-by: Ingo Molnar <mingo@kernel.org>
>>>> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
>>>
>>> Why have you dropped my Reviewed-by?
>>>
>> Really sorry. I thought that a changed patchset needs another review.
>> Then I do need to append your Reviewed-by and send a "V2" patchset, do I?
> 
> No need.  I won't hold up merging just for that.
> 
> Just bear in mind that you should apply and carry forward *-by tags
> unless there have been significant/functional changes.
> 
> Reviewed-by: Lee Jones <lee.jones@linaro.org>
> 

I get it, thanks.

>>>> ---
>>>>    kernel/futex.c | 6 +++---
>>>>    1 file changed, 3 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/kernel/futex.c b/kernel/futex.c
>>>> index b65dbb5d60bb..604d1cb9839d 100644
>>>> --- a/kernel/futex.c
>>>> +++ b/kernel/futex.c
>>>> @@ -2424,9 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>>>>    	int err = 0;
>>>>    	oldowner = pi_state->owner;
>>>> -	/* Owner died? */
>>>> -	if (!pi_state->owner)
>>>> -		newtid |= FUTEX_OWNER_DIED;
>>>>    	/*
>>>>    	 * We are here because either:
>>>> @@ -2484,6 +2481,9 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
>>>>    	}
>>>>    	newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
>>>> +	/* Owner died? */
>>>> +	if (!pi_state->owner)
>>>> +		newtid |= FUTEX_OWNER_DIED;
>>>>    	if (get_futex_value_locked(&uval, uaddr))
>>>>    		goto handle_fault;
>>>
> 


* Re: [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup
  2021-02-23 14:41 ` [PATCH 4.9.y 1/1] futex: Fix OWNER_DEAD fixup Zheng Yejian
  2021-02-24 11:19   ` Lee Jones
@ 2021-03-01 14:15   ` Greg KH
  1 sibling, 0 replies; 7+ messages in thread
From: Greg KH @ 2021-03-01 14:15 UTC (permalink / raw)
  To: Zheng Yejian
  Cc: lee.jones, stable, linux-kernel, tglx, cj.chengjian,
	judy.chenhui, zhangjinhao2

On Tue, Feb 23, 2021 at 10:41:51PM +0800, Zheng Yejian wrote:
> From: Peter Zijlstra <peterz@infradead.org>
> 
> commit a97cb0e7b3f4c6297fd857055ae8e895f402f501 upstream.
> 
> Both Geert and DaveJ reported that the recent futex commit:
> 
>   c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> 
> introduced a problem with setting OWNER_DEAD. We set the bit on an
> uninitialized variable and then entirely optimize it away as a
> dead-store.
> 
> Move the setting of the bit to where it is more useful.
> 
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Reported-by: Dave Jones <davej@codemonkey.org.uk>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Paul E. McKenney <paulmck@us.ibm.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
> Link: http://lkml.kernel.org/r/20180122103947.GD2228@hirez.programming.kicks-ass.net
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
>  kernel/futex.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Now queued up, thanks.

greg k-h
