From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Chen Jie <chenjie6@huawei.com>,
Thomas Gleixner <tglx@linutronix.de>,
dvhart@infradead.org, peterz@infradead.org,
zengweilin@huawei.com
Subject: [PATCH 3.18 02/50] futex: Ensure that futex address is aligned in handle_futex_death()
Date: Mon, 1 Apr 2019 19:02:45 +0200 [thread overview]
Message-ID: <20190401170041.474419222@linuxfoundation.org> (raw)
In-Reply-To: <20190401170041.257273804@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Jie <chenjie6@huawei.com>
commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream.
The futex code requires that the user space addresses of futexes are 32bit
aligned. sys_futex() checks this in futex_get_keys() but the robust list
code has no alignment check in place.
As a consequence the kernel crashes on architectures with strict alignment
requirements in handle_futex_death() when trying to cmpxchg() on an
unaligned futex address which was retrieved from the robust list.
[ tglx: Rewrote changelog, proper sizeof() based alignement check and add
comment ]
Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Chen Jie <chenjie6@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <dvhart@infradead.org>
Cc: <peterz@infradead.org>
Cc: <zengweilin@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2897,6 +2897,10 @@ int handle_futex_death(u32 __user *uaddr
{
u32 uval, uninitialized_var(nval), mval;
+ /* Futex address must be 32bit aligned */
+ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
+ return -1;
+
retry:
if (get_user(uval, uaddr))
return -1;
next prev parent reply other threads:[~2019-04-01 17:37 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-01 17:02 [PATCH 3.18 00/50] 3.18.138-stable review Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 01/50] udf: Fix crash on IO error during truncate Greg Kroah-Hartman
2019-04-01 17:02 ` Greg Kroah-Hartman [this message]
2019-04-01 17:02 ` [PATCH 3.18 03/50] ext4: fix NULL pointer dereference while journal is aborted Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 04/50] ext4: fix data corruption caused by unaligned direct AIO Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 05/50] ext4: brelse all indirect buffer in ext4_ind_remove_space() Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 06/50] mmc: tmio_mmc_core: dont claim spurious interrupts Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 07/50] media: v4l2-ctrls.c/uvc: zero v4l2_event Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 08/50] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 09/50] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 10/50] mmc: block: Allow more than 8 partitions per card Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 11/50] arm64: fix COMPAT_SHMLBA definition for large pages Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 12/50] ARM: 8458/1: bL_switcher: add GIC dependency Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 13/50] android: unconditionally remove callbacks in sync_fence_free() Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 14/50] asm-generic: Fix local variable shadow in __set_fixmap_offset Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 15/50] staging: ashmem: Avoid deadlock with mmap/shrink Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 3.18 16/50] staging: ashmem: Add missing include Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 17/50] staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 18/50] staging: goldfish: audio: fix compiliation on arm Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 19/50] ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 20/50] arm64/kernel: fix incorrect EL0 check in inv_entry macro Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 21/50] arm64: kernel: Include _AC definition in page.h Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 22/50] ipv6: fix endianness error in icmpv6_err Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 23/50] usb: gadget: configfs: add mutex lock before unregister gadget Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 24/50] video: fbdev: Set pixclock = 0 in goldfishfb Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 25/50] arm64: kconfig: drop CONFIG_RTC_LIB dependency Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 26/50] mmc: mmc: fix switch timeout issue caused by jiffies precision Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 27/50] cfg80211: size various nl80211 messages correctly Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 28/50] dccp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 29/50] mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 30/50] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 31/50] net: rose: fix a possible stack overflow Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 32/50] Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 33/50] packets: Always register packet sk in the same order Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 34/50] tcp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 35/50] sctp: get sctphdr by offset in sctp_compute_cksum Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 36/50] mac8390: Fix mmio access size probe Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 37/50] ALSA: pcm: Fix possible OOB access in PCM oss plugins Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 38/50] ALSA: pcm: Dont suspend stream in unrecoverable PCM state Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 39/50] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 40/50] serial: max310x: Fix to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 41/50] USB: serial: cp210x: add new device id Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 42/50] USB: serial: ftdi_sio: add additional NovaTech products Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 43/50] USB: serial: mos7720: fix mos_parport refcount imbalance on error path Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 44/50] Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 45/50] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 46/50] gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 47/50] KVM: Reject device ioctls from processes other than the VMs creator Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 48/50] xhci: Fix port resume done detection for SS ports with LPM enabled Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 49/50] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time Greg Kroah-Hartman
2019-04-01 17:03 ` [PATCH 3.18 50/50] arm64: support keyctl() system call in 32-bit mode Greg Kroah-Hartman
2019-04-01 21:23 ` [PATCH 3.18 00/50] 3.18.138-stable review kernelci.org bot
2019-04-02 19:03 ` Guenter Roeck
2019-04-03 0:05 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190401170041.474419222@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chenjie6@huawei.com \
--cc=dvhart@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=zengweilin@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).