* Linux 4.4.262
@ 2021-03-17 17:13 5% gregkh
0 siblings, 0 replies; 63+ results
From: gregkh @ 2021-03-17 17:13 UTC (permalink / raw)
To: linux-kernel, akpm, torvalds, stable; +Cc: lwn, jslaby, Greg Kroah-Hartman
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I'm announcing the release of the 4.4.262 kernel.
All users of the 4.4 kernel series must upgrade.
The updated 4.4.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2
arch/alpha/include/asm/Kbuild | 1
arch/alpha/include/asm/uaccess.h | 76 +-------
arch/alpha/kernel/Makefile | 2
arch/alpha/kernel/alpha_ksyms.c | 102 ----------
arch/alpha/kernel/machvec_impl.h | 6
arch/alpha/kernel/setup.c | 1
arch/alpha/lib/Makefile | 33 ++-
arch/alpha/lib/callback_srm.S | 5
arch/alpha/lib/checksum.c | 3
arch/alpha/lib/clear_page.S | 3
arch/alpha/lib/clear_user.S | 66 ++----
arch/alpha/lib/copy_page.S | 3
arch/alpha/lib/copy_user.S | 101 ++++------
arch/alpha/lib/csum_ipv6_magic.S | 2
arch/alpha/lib/csum_partial_copy.c | 2
arch/alpha/lib/dec_and_lock.c | 2
arch/alpha/lib/divide.S | 3
arch/alpha/lib/ev6-clear_page.S | 3
arch/alpha/lib/ev6-clear_user.S | 85 +++-----
arch/alpha/lib/ev6-copy_page.S | 3
arch/alpha/lib/ev6-copy_user.S | 130 +++++--------
arch/alpha/lib/ev6-csum_ipv6_magic.S | 2
arch/alpha/lib/ev6-divide.S | 3
arch/alpha/lib/ev6-memchr.S | 3
arch/alpha/lib/ev6-memcpy.S | 3
arch/alpha/lib/ev6-memset.S | 7
arch/alpha/lib/ev67-strcat.S | 3
arch/alpha/lib/ev67-strchr.S | 3
arch/alpha/lib/ev67-strlen.S | 3
arch/alpha/lib/ev67-strncat.S | 3
arch/alpha/lib/ev67-strrchr.S | 3
arch/alpha/lib/fpreg.c | 7
arch/alpha/lib/memchr.S | 3
arch/alpha/lib/memcpy.c | 5
arch/alpha/lib/memmove.S | 3
arch/alpha/lib/memset.S | 7
arch/alpha/lib/strcat.S | 2
arch/alpha/lib/strchr.S | 3
arch/alpha/lib/strcpy.S | 3
arch/alpha/lib/strlen.S | 3
arch/alpha/lib/strncat.S | 3
arch/alpha/lib/strncpy.S | 3
arch/alpha/lib/strrchr.S | 3
arch/arm/kvm/mmu.c | 2
arch/powerpc/include/asm/code-patching.h | 2
arch/powerpc/perf/core-book3s.c | 19 +-
arch/s390/kernel/smp.c | 2
drivers/block/floppy.c | 35 ++-
drivers/block/rsxx/core.c | 1
drivers/iio/imu/adis16400_buffer.c | 5
drivers/iio/imu/adis_buffer.c | 5
drivers/media/usb/hdpvr/hdpvr-core.c | 33 ++-
drivers/media/usb/usbtv/usbtv-audio.c | 2
drivers/mmc/core/mmc.c | 15 +
drivers/mmc/host/mtk-sd.c | 18 +
drivers/mmc/host/mxs-mmc.c | 2
drivers/net/can/flexcan.c | 12 -
drivers/net/ethernet/davicom/dm9000.c | 21 +-
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2
drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1
drivers/net/wan/lapbether.c | 3
drivers/net/wireless/ath/ath9k/ath9k.h | 3
drivers/net/wireless/ath/ath9k/xmit.c | 6
drivers/net/wireless/libertas/if_sdio.c | 5
drivers/pci/host/pci-xgene-msi.c | 10 -
drivers/s390/block/dasd.c | 3
drivers/scsi/libiscsi.c | 11 -
drivers/staging/comedi/drivers/addi_apci_1032.c | 4
drivers/staging/comedi/drivers/addi_apci_1500.c | 18 -
drivers/staging/comedi/drivers/adv_pci1710.c | 10 -
drivers/staging/comedi/drivers/das6402.c | 2
drivers/staging/comedi/drivers/das800.c | 2
drivers/staging/comedi/drivers/dmm32at.c | 2
drivers/staging/comedi/drivers/me4000.c | 2
drivers/staging/comedi/drivers/pcl711.c | 2
drivers/staging/comedi/drivers/pcl818.c | 2
drivers/staging/rtl8188eu/core/rtw_ap.c | 5
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 6
drivers/staging/rtl8192e/rtl8192e/rtl_wx.c | 7
drivers/staging/rtl8192u/r8192U_wx.c | 6
drivers/staging/rtl8712/rtl871x_cmd.c | 6
drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2
drivers/usb/class/cdc-acm.c | 5
drivers/usb/gadget/function/f_uac2.c | 2
drivers/usb/host/xhci.c | 16 +
drivers/usb/renesas_usbhs/pipe.c | 2
drivers/usb/serial/ch341.c | 1
drivers/usb/serial/cp210x.c | 3
drivers/usb/serial/io_edgeport.c | 26 +-
drivers/usb/usbip/stub_dev.c | 42 +++-
drivers/usb/usbip/vhci_sysfs.c | 10 -
drivers/xen/events/events_2l.c | 22 +-
drivers/xen/events/events_base.c | 130 ++++++++++---
drivers/xen/events/events_fifo.c | 7
drivers/xen/events/events_internal.h | 22 +-
fs/cifs/cifsfs.c | 2
fs/nfs/nfs4proc.c | 2
include/linux/can/skb.h | 8
include/uapi/linux/netfilter/nfnetlink_cthelper.h | 2
kernel/futex.c | 209 ++++++++++++++++++----
mm/slub.c | 2
net/ipv4/udp_offload.c | 2
net/netfilter/x_tables.c | 6
scripts/recordmcount.c | 2
scripts/recordmcount.pl | 13 +
sound/pci/hda/hda_bind.c | 4
sound/pci/hda/patch_hdmi.c | 13 +
sound/usb/quirks.c | 1
110 files changed, 893 insertions(+), 669 deletions(-)
Adrian Hunter (1):
mmc: core: Fix partition switch time for eMMC
Al Viro (3):
alpha: move exports to actual definitions
alpha: get rid of tail-zeroing in __copy_user()
alpha: switch __copy_user() and __do_clean_user() to normal calling conventions
Allen Pais (1):
libertas: fix a potential NULL pointer dereference
Arvind Yadav (1):
media: hdpvr: Fix an error handling path in hdpvr_probe()
Athira Rajeev (1):
powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
Chaotian Jing (1):
mmc: mediatek: fix race condition between msdc_request_timeout and irq
Christophe JAILLET (1):
mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()'
Dan Carpenter (4):
staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
staging: rtl8712: unterminated string leads to read overflow
staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
Daniel Borkmann (1):
net: Fix gro aggregation for udp encaps with zero csum
Dmitry V. Levin (1):
uapi: nfnetlink_cthelper.h: fix userspace compilation error
Felix Fietkau (1):
ath9k: fix transmitting to stations in dynamic SMPS mode
Greg Kroah-Hartman (1):
Linux 4.4.262
Heiko Carstens (1):
s390/smp: __smp_rescan_cpus() - move cpumask away from stack
Ian Abbott (9):
staging: comedi: addi_apci_1032: Fix endian problem for COS sample
staging: comedi: addi_apci_1500: Fix endian problem for command sample
staging: comedi: adv_pci1710: Fix endian problem for AI command data
staging: comedi: das6402: Fix endian problem for AI command data
staging: comedi: das800: Fix endian problem for AI command data
staging: comedi: dmm32at: Fix endian problem for AI command data
staging: comedi: me4000: Fix endian problem for AI command data
staging: comedi: pcl711: Fix endian problem for AI command data
staging: comedi: pcl818: Fix endian problem for AI command data
Jia-Ju Bai (1):
block: rsxx: fix error return code of rsxx_pci_probe()
Jiri Kosina (1):
floppy: fix lock_fdc() signal handling
Joakim Zhang (2):
can: flexcan: assert FRZ bit in flexcan_chip_freeze()
can: flexcan: enable RX FIFO after FRZ/HALT valid
Joe Lawrence (1):
scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names
Juergen Gross (3):
xen/events: reset affinity of 2-level event when tearing it down
xen/events: don't unmask an event channel when an eoi is pending
xen/events: avoid handling the same event on two cpus at the same time
Karan Singhal (1):
USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
Kevin(Yudong) Yang (1):
net/mlx4_en: update moderation when config reset
Lee Gibson (2):
staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
Linus Torvalds (1):
Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
Marc Zyngier (1):
KVM: arm64: Fix exclusive limit for IPA size
Martin Kaiser (1):
PCI: xgene-msi: Fix race in installing chained irq handler
Masahiro Yamada (3):
alpha: add $(src)/ rather than $(obj)/ to make source file path
alpha: merge build rules of division routines
alpha: make short build log available for division routines
Mathias Nyman (1):
xhci: Improve detection of device initiated wake signal.
Maxim Mikityanskiy (1):
media: usbtv: Fix deadlock on suspend
Mike Christie (1):
scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
Naveen N. Rao (1):
powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
Navid Emamdoost (2):
iio: imu: adis16400: release allocated memory on failure
iio: imu: adis16400: fix memory leak
Niv Sardi (1):
USB: serial: ch341: add new Product ID
Oleksij Rempel (1):
can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
Ondrej Mosnacek (1):
NFSv4.2: fix return value of _nfs4_get_security_label()
Paul Cercueil (2):
net: davicom: Fix regulator not turned off on failed probe
net: davicom: Fix regulator not turned off on driver removal
Paulo Alcantara (1):
cifs: return proper error code in statfs(2)
Pavel Skripkin (1):
USB: serial: io_edgeport: fix memory leak in edge_startup
Peter Zijlstra (1):
futex: Change locking rules
Richard Henderson (1):
alpha: Package string routines together
Ruslan Bilovol (1):
usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
Sebastian Reichel (1):
USB: serial: cp210x: add some more GE USB IDs
Shuah Khan (3):
usbip: fix stub_dev to check for stream socket
usbip: fix vhci_hcd to check for stream socket
usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
Stefan Haberland (1):
s390/dasd: fix hanging DASD driver unbind
Takashi Iwai (3):
ALSA: hda/hdmi: Cancel pending works before suspend
ALSA: hda: Avoid spurious unsol event handling during S3/S4
ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
Thomas Gleixner (2):
futex: Cure exit race
futex: fix dead code in attach_to_pi_owner()
Vasily Averin (1):
netfilter: x_tables: gpf inside xt_find_revision()
Xie He (1):
net: lapbether: Remove netif_start_queue / netif_stop_queue
Yorick de Wid (1):
Goodix Fingerprint device is not a modem
Yoshihiro Shimoda (1):
usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
* [PATCH 4.4 13/75] futex: fix dead code in attach_to_pi_owner()
2021-03-15 13:51 5% [PATCH 4.4 00/75] 4.4.262-rc1 review gregkh
2021-03-15 13:51 6% ` [PATCH 4.4 12/75] futex: Cure exit race gregkh
@ 2021-03-15 13:51 9% ` gregkh
1 sibling, 0 replies; 63+ results
From: gregkh @ 2021-03-15 13:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xiaoming Ni, Lee Jones, Zheng Yejian
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Thomas Gleixner <tglx@linutronix.de>
This patch comes directly from an origin patch (commit
91509e84949fc97e7424521c32a9e227746e0b85) in v4.9.
And it is part of a full patch which was originally back-ported
to v4.14 as commit e6e00df182908f34360c3c9f2d13cc719362e9c0
The handle_exit_race() function is defined in commit 9c3f39860367
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
...
if (ret == -EBUSY)
*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Lee writes:
This commit takes the remaining functional snippet of:
ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
... and is the correct fix for this issue.
Fixes: 9c3f39860367 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # v4.9.258
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Reviewed-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1204,11 +1204,11 @@ static int handle_exit_race(u32 __user *
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
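Review bot: The reworded comment above `return -EBUSY;` says the caller is told the alleged owner is busy, but not what the caller is expected to do with that result. The commit message shows the one consumer (`if (ret == -EBUSY) *exiting = p;`), so the comment should state that -EBUSY means "store the task and wait for it to finish exiting" and that the task reference must still be held at that point. It is also worth a word that the `tsk &&` test means a NULL task never produces -EBUSY.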
* [PATCH 4.4 12/75] futex: Cure exit race
2021-03-15 13:51 5% [PATCH 4.4 00/75] 4.4.262-rc1 review gregkh
@ 2021-03-15 13:51 6% ` gregkh
2021-03-15 13:51 9% ` [PATCH 4.4 13/75] futex: fix dead code in attach_to_pi_owner() gregkh
1 sibling, 0 replies; 63+ results
From: gregkh @ 2021-03-15 13:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefan Liebler, Thomas Gleixner,
Peter Zijlstra, Heiko Carstens, Darren Hart, Ingo Molnar,
Sasha Levin, Sudip Mukherjee, Lee Jones, Zheng Yejian
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
This patch comes directly from an origin patch (commit
9c3f3986036760c48a92f04b36774aa9f63673f80) in v4.9.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
  CPU0                            CPU1

  sys_exit()                      sys_futex()
   do_exit()                       futex_lock_pi()
    exit_signals(tsk)               No waiters:
     tsk->flags |= PF_EXITING;      *uaddr == 0x00000PID
    mm_release(tsk)                 Set waiter bit
     exit_robust_list(tsk) {        *uaddr = 0x80000PID;
      Set owner died                attach_to_pi_owner() {
      *uaddr = 0xC0000000;           tsk = get_task(PID);
     }                               if (!tsk->flags & PF_EXITING) {
    ...                                attach();
    tsk->flags |= PF_EXITPIDONE;     } else {
                                       if (!(tsk->flags & PF_EXITPIDONE))
                                         return -EAGAIN;
                                       return -ESRCH; <--- FAIL
                                     }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Lee: Required to satisfy functional dependency from futex back-port.
Re-add the missing handle_exit_race() parts from:
3d4775df0a89 ("futex: Replace PF_EXITPIDONE with a state")]
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 65 insertions(+), 6 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1198,11 +1198,67 @@ static void wait_for_owner_exiting(int r
put_task_struct(exiting);
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
+ * for it to finish.
+ */
+ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->futex_state = } else {
+ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
+ * FUTEX_STATE_DEAD)
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps,
struct task_struct **exiting)
{
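Review bot: In the diagram inside the new handle_exit_race() comment, `if (!tsk->flags & PF_EXITING) {` negates `tsk->flags` before the mask is applied; as documentation of the intended check it should read `if (!(tsk->flags & PF_EXITING)) {`. The function also says nothing about its calling context: it reads user memory through get_futex_value_locked(), and a later hunk of this patch calls it before `raw_spin_unlock_irq(&p->pi_lock)`, so a line stating which locks are held and that it must not sleep would help the next backporter.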
@@ -1213,12 +1269,15 @@ static int attach_to_pi_owner(u32 uval,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = futex_find_get_task(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
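Review bot: The `!pid` branch now returns -EAGAIN, and the added comment stops at "Let the caller retry" without saying what ends the retry if user space keeps presenting a value whose TID is 0. Suggest naming the caller-side check that re-reads the value and bounds the loop, and finishing the sentence with a full stop. In the same hunk, `return handle_exit_race(uaddr, uval, NULL);` depends on the callee accepting a NULL task; a short comment that NULL means the task is already gone would make that explicit.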
@@ -1237,7 +1296,7 @@ static int attach_to_pi_owner(u32 uval,
* FUTEX_STATE_DEAD, we know that the task has finished
* the cleanup:
*/
- int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
/*
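Review bot: The removed line `(p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN` is an assignment rather than a comparison, so whenever this path ran it wrote to the exiting task's futex_state instead of testing it. The replacement call removes that write, but the changelog only describes the ESRCH race. Suggest saying so in the commit message, so anyone auditing a tree that still carries the old line knows it has a state-overwrite bug here as well.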
@@ -1303,7 +1362,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1419,7 +1478,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
}
/**
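Review bot: This call site passes `newval` while the lookup_pi_state() call site passes `uval`, and handle_exit_race() compares its argument with a fresh read of *uaddr (`if (uval2 != uval) return -EAGAIN;`), so the choice of argument decides between -ESRCH and -EAGAIN for an unchanged futex word. Suggest a one-line comment here stating why `newval` is the value expected in *uaddr at this point, so the difference from the other caller does not read as a typo.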
* [PATCH 4.4 00/75] 4.4.262-rc1 review
@ 2021-03-15 13:51 5% gregkh
2021-03-15 13:51 6% ` [PATCH 4.4 12/75] futex: Cure exit race gregkh
2021-03-15 13:51 9% ` [PATCH 4.4 13/75] futex: fix dead code in attach_to_pi_owner() gregkh
0 siblings, 2 replies; 63+ results
From: gregkh @ 2021-03-15 13:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, stable
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the start of the stable review cycle for the 4.4.262 release.
There are 75 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 17 Mar 2021 13:51:52 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.262-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.4.262-rc1
Juergen Gross <jgross@suse.com>
xen/events: avoid handling the same event on two cpus at the same time
Juergen Gross <jgross@suse.com>
xen/events: don't unmask an event channel when an eoi is pending
Juergen Gross <jgross@suse.com>
xen/events: reset affinity of 2-level event when tearing it down
Navid Emamdoost <navid.emamdoost@gmail.com>
iio: imu: adis16400: fix memory leak
Navid Emamdoost <navid.emamdoost@gmail.com>
iio: imu: adis16400: release allocated memory on failure
Marc Zyngier <maz@kernel.org>
KVM: arm64: Fix exclusive limit for IPA size
Arvind Yadav <arvind.yadav.cs@gmail.com>
media: hdpvr: Fix an error handling path in hdpvr_probe()
Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
Al Viro <viro@zeniv.linux.org.uk>
alpha: switch __copy_user() and __do_clean_user() to normal calling conventions
Al Viro <viro@zeniv.linux.org.uk>
alpha: get rid of tail-zeroing in __copy_user()
Al Viro <viro@zeniv.linux.org.uk>
alpha: move exports to actual definitions
Richard Henderson <rth@twiddle.net>
alpha: Package string routines together
Masahiro Yamada <yamada.masahiro@socionext.com>
alpha: make short build log available for division routines
Masahiro Yamada <yamada.masahiro@socionext.com>
alpha: merge build rules of division routines
Masahiro Yamada <yamada.masahiro@socionext.com>
alpha: add $(src)/ rather than $(obj)/ to make source file path
Alexey Dobriyan <adobriyan@gmail.com>
prctl: fix PR_SET_MM_AUXV kernel stack leak
Jia-Ju Bai <baijiaju1990@gmail.com>
block: rsxx: fix error return code of rsxx_pci_probe()
Ondrej Mosnacek <omosnace@redhat.com>
NFSv4.2: fix return value of _nfs4_get_security_label()
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: pcl818: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: pcl711: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: me4000: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: dmm32at: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: das800: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: das6402: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: adv_pci1710: Fix endian problem for AI command data
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: addi_apci_1500: Fix endian problem for command sample
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: addi_apci_1032: Fix endian problem for COS sample
Lee Gibson <leegib@gmail.com>
staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
Lee Gibson <leegib@gmail.com>
staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
Dan Carpenter <dan.carpenter@oracle.com>
staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
Dan Carpenter <dan.carpenter@oracle.com>
staging: rtl8712: unterminated string leads to read overflow
Dan Carpenter <dan.carpenter@oracle.com>
staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
Dan Carpenter <dan.carpenter@oracle.com>
staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
Shuah Khan <skhan@linuxfoundation.org>
usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
Shuah Khan <skhan@linuxfoundation.org>
usbip: fix vhci_hcd to check for stream socket
Shuah Khan <skhan@linuxfoundation.org>
usbip: fix stub_dev to check for stream socket
Sebastian Reichel <sebastian.reichel@collabora.com>
USB: serial: cp210x: add some more GE USB IDs
Karan Singhal <karan.singhal@acuitybrands.com>
USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
Niv Sardi <xaiki@evilgiggle.com>
USB: serial: ch341: add new Product ID
Pavel Skripkin <paskripkin@gmail.com>
USB: serial: io_edgeport: fix memory leak in edge_startup
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Improve detection of device initiated wake signal.
Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
Ruslan Bilovol <ruslan.bilovol@gmail.com>
usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
Yorick de Wid <ydewid@gmail.com>
Goodix Fingerprint device is not a modem
Allen Pais <allen.pais@oracle.com>
libertas: fix a potential NULL pointer dereference
Joe Lawrence <joe.lawrence@redhat.com>
scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names
Adrian Hunter <adrian.hunter@intel.com>
mmc: core: Fix partition switch time for eMMC
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: fix hanging DASD driver unbind
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Avoid spurious unsol event handling during S3/S4
Takashi Iwai <tiwai@suse.de>
ALSA: hda/hdmi: Cancel pending works before suspend
Mike Christie <michael.christie@oracle.com>
scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
Heiko Carstens <hca@linux.ibm.com>
s390/smp: __smp_rescan_cpus() - move cpumask away from stack
Martin Kaiser <martin@kaiser.cx>
PCI: xgene-msi: Fix race in installing chained irq handler
Athira Rajeev <atrajeev@linux.vnet.ibm.com>
powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
Chaotian Jing <chaotian.jing@mediatek.com>
mmc: mediatek: fix race condition between msdc_request_timeout and irq
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()'
Maxim Mikityanskiy <maxtram95@gmail.com>
media: usbtv: Fix deadlock on suspend
Paul Cercueil <paul@crapouillou.net>
net: davicom: Fix regulator not turned off on driver removal
Paul Cercueil <paul@crapouillou.net>
net: davicom: Fix regulator not turned off on failed probe
Xie He <xie.he.0141@gmail.com>
net: lapbether: Remove netif_start_queue / netif_stop_queue
Kevin(Yudong) Yang <yyd@google.com>
net/mlx4_en: update moderation when config reset
Thomas Gleixner <tglx@linutronix.de>
futex: fix dead code in attach_to_pi_owner()
Thomas Gleixner <tglx@linutronix.de>
futex: Cure exit race
Peter Zijlstra <peterz@infradead.org>
futex: Change locking rules
Linus Torvalds <torvalds@linux-foundation.org>
Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
Jiri Kosina <jkosina@suse.cz>
floppy: fix lock_fdc() signal handling
Paulo Alcantara <pc@cjr.nz>
cifs: return proper error code in statfs(2)
Vasily Averin <vvs@virtuozzo.com>
netfilter: x_tables: gpf inside xt_find_revision()
Joakim Zhang <qiangqing.zhang@nxp.com>
can: flexcan: enable RX FIFO after FRZ/HALT valid
Joakim Zhang <qiangqing.zhang@nxp.com>
can: flexcan: assert FRZ bit in flexcan_chip_freeze()
Oleksij Rempel <o.rempel@pengutronix.de>
can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
Daniel Borkmann <daniel@iogearbox.net>
net: Fix gro aggregation for udp encaps with zero csum
Felix Fietkau <nbd@nbd.name>
ath9k: fix transmitting to stations in dynamic SMPS mode
Dmitry V. Levin <ldv@altlinux.org>
uapi: nfnetlink_cthelper.h: fix userspace compilation error
-------------
Diffstat:
Makefile | 4 +-
arch/alpha/include/asm/Kbuild | 1 +
arch/alpha/include/asm/uaccess.h | 76 ++------
arch/alpha/kernel/Makefile | 2 +-
arch/alpha/kernel/alpha_ksyms.c | 102 -----------
arch/alpha/kernel/machvec_impl.h | 6 +-
arch/alpha/kernel/setup.c | 1 +
arch/alpha/lib/Makefile | 33 ++--
arch/alpha/lib/callback_srm.S | 5 +
arch/alpha/lib/checksum.c | 3 +
arch/alpha/lib/clear_page.S | 3 +-
arch/alpha/lib/clear_user.S | 66 +++----
arch/alpha/lib/copy_page.S | 3 +-
arch/alpha/lib/copy_user.S | 101 ++++-------
arch/alpha/lib/csum_ipv6_magic.S | 2 +
arch/alpha/lib/csum_partial_copy.c | 2 +
arch/alpha/lib/dec_and_lock.c | 2 +
arch/alpha/lib/divide.S | 3 +
arch/alpha/lib/ev6-clear_page.S | 3 +-
arch/alpha/lib/ev6-clear_user.S | 85 ++++-----
arch/alpha/lib/ev6-copy_page.S | 3 +-
arch/alpha/lib/ev6-copy_user.S | 130 +++++---------
arch/alpha/lib/ev6-csum_ipv6_magic.S | 2 +
arch/alpha/lib/ev6-divide.S | 3 +
arch/alpha/lib/ev6-memchr.S | 3 +-
arch/alpha/lib/ev6-memcpy.S | 3 +-
arch/alpha/lib/ev6-memset.S | 7 +-
arch/alpha/lib/ev67-strcat.S | 3 +-
arch/alpha/lib/ev67-strchr.S | 3 +-
arch/alpha/lib/ev67-strlen.S | 3 +-
arch/alpha/lib/ev67-strncat.S | 3 +-
arch/alpha/lib/ev67-strrchr.S | 3 +-
arch/alpha/lib/fpreg.c | 7 +
arch/alpha/lib/memchr.S | 3 +-
arch/alpha/lib/memcpy.c | 5 +-
arch/alpha/lib/memmove.S | 3 +-
arch/alpha/lib/memset.S | 7 +-
arch/alpha/lib/strcat.S | 2 +
arch/alpha/lib/strchr.S | 3 +-
arch/alpha/lib/strcpy.S | 3 +-
arch/alpha/lib/strlen.S | 3 +-
arch/alpha/lib/strncat.S | 3 +-
arch/alpha/lib/strncpy.S | 3 +-
arch/alpha/lib/strrchr.S | 3 +-
arch/arm/kvm/mmu.c | 2 +-
arch/powerpc/include/asm/code-patching.h | 2 +-
arch/powerpc/perf/core-book3s.c | 19 +-
arch/s390/kernel/smp.c | 2 +-
drivers/block/floppy.c | 35 ++--
drivers/block/rsxx/core.c | 1 +
drivers/iio/imu/adis16400_buffer.c | 5 +-
drivers/iio/imu/adis_buffer.c | 5 +-
drivers/media/usb/hdpvr/hdpvr-core.c | 33 ++--
drivers/media/usb/usbtv/usbtv-audio.c | 2 +-
drivers/mmc/core/mmc.c | 15 +-
drivers/mmc/host/mtk-sd.c | 18 +-
drivers/mmc/host/mxs-mmc.c | 2 +-
drivers/net/can/flexcan.c | 12 +-
drivers/net/ethernet/davicom/dm9000.c | 21 ++-
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 +
drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 +
drivers/net/wan/lapbether.c | 3 -
drivers/net/wireless/ath/ath9k/ath9k.h | 3 +-
drivers/net/wireless/ath/ath9k/xmit.c | 6 +
drivers/net/wireless/libertas/if_sdio.c | 5 +
drivers/pci/host/pci-xgene-msi.c | 10 +-
drivers/s390/block/dasd.c | 3 +-
drivers/scsi/libiscsi.c | 11 +-
drivers/staging/comedi/drivers/addi_apci_1032.c | 4 +-
drivers/staging/comedi/drivers/addi_apci_1500.c | 18 +-
drivers/staging/comedi/drivers/adv_pci1710.c | 10 +-
drivers/staging/comedi/drivers/das6402.c | 2 +-
drivers/staging/comedi/drivers/das800.c | 2 +-
drivers/staging/comedi/drivers/dmm32at.c | 2 +-
drivers/staging/comedi/drivers/me4000.c | 2 +-
drivers/staging/comedi/drivers/pcl711.c | 2 +-
drivers/staging/comedi/drivers/pcl818.c | 2 +-
drivers/staging/rtl8188eu/core/rtw_ap.c | 5 +
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 6 +-
drivers/staging/rtl8192e/rtl8192e/rtl_wx.c | 7 +-
drivers/staging/rtl8192u/r8192U_wx.c | 6 +-
drivers/staging/rtl8712/rtl871x_cmd.c | 6 +-
drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2 +-
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/gadget/function/f_uac2.c | 2 +-
drivers/usb/host/xhci.c | 16 +-
drivers/usb/renesas_usbhs/pipe.c | 2 +
drivers/usb/serial/ch341.c | 1 +
drivers/usb/serial/cp210x.c | 3 +
drivers/usb/serial/io_edgeport.c | 26 +--
drivers/usb/usbip/stub_dev.c | 42 ++++-
drivers/usb/usbip/vhci_sysfs.c | 10 +-
drivers/xen/events/events_2l.c | 22 ++-
drivers/xen/events/events_base.c | 130 ++++++++++----
drivers/xen/events/events_fifo.c | 7 -
drivers/xen/events/events_internal.h | 22 ++-
fs/cifs/cifsfs.c | 2 +-
fs/nfs/nfs4proc.c | 2 +-
include/linux/can/skb.h | 8 +-
include/uapi/linux/netfilter/nfnetlink_cthelper.h | 2 +-
kernel/futex.c | 209 ++++++++++++++++++----
kernel/sys.c | 2 +-
mm/slub.c | 2 +-
net/ipv4/udp_offload.c | 2 +-
net/netfilter/x_tables.c | 6 +-
scripts/recordmcount.c | 2 +-
scripts/recordmcount.pl | 13 ++
sound/pci/hda/hda_bind.c | 4 +
sound/pci/hda/patch_hdmi.c | 13 ++
sound/usb/quirks.c | 1 +
111 files changed, 895 insertions(+), 671 deletions(-)
* Re: [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9
2021-03-11 3:25 7% [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
2021-03-11 3:25 6% ` [PATCH 4.4 v2 2/3] futex: Cure exit race Zheng Yejian
2021-03-11 3:26 9% ` [PATCH 4.4 v2 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
@ 2021-03-12 13:26 0% ` Greg KH
2 siblings, 0 replies; 63+ results
From: Greg KH @ 2021-03-12 13:26 UTC (permalink / raw)
To: Zheng Yejian
Cc: lee.jones, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On Thu, Mar 11, 2021 at 11:25:57AM +0800, Zheng Yejian wrote:
> Changelog for 'v2':
> Complete commit messages with needed git commit ids as Greg and Lee suggested.
>
> Lee sent a patchset to update Futex for v4.9, see https://www.spinics.net/lists/stable/msg443081.html,
> Then Xiaoming sent a follow-up patch for it, see https://lore.kernel.org/lkml/20210225093120.GD641347@dell/.
>
> These 3 patches are directly picked from v4.9,
> and they may also resolve following issues in 4.4.260 which have been reported in v4.9,
> see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/?h=linux-4.4.y&id=319f66f08de1083c1fe271261665c209009dd65a
> > /*
> > * The task is on the way out. When the futex state is
> > * FUTEX_STATE_DEAD, we know that the task has finished
> > * the cleanup:
> > */
> > int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
>
> Here may be:
> int ret = (p->futex_state == FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
>
> > raw_spin_unlock_irq(&p->pi_lock);
> > /*
> > * If the owner task is between FUTEX_STATE_EXITING and
> > * FUTEX_STATE_DEAD then store the task pointer and keep
> > * the reference on the task struct. The calling code will
> > * drop all locks, wait for the task to reach
> > * FUTEX_STATE_DEAD and then drop the refcount. This is
> > * required to prevent a live lock when the current task
> > * preempted the exiting task between the two states.
> > */
> > if (ret == -EBUSY)
>
> And here, the variable "ret" may only be "-ESRCH" or "-EAGAIN", but not "-EBUSY".
>
> > *exiting = p;
> > else
> > put_task_struct(p);
>
> Since 074e7d515783 ("futex: Ensure the correct return value from futex_lock_pi()") has
> been merged in 4.4.260, I send the remaining 3 patches.
>
> Peter Zijlstra (1):
> futex: Change locking rules
>
> Thomas Gleixner (2):
> futex: Cure exit race
> futex: fix dead code in attach_to_pi_owner()
>
> kernel/futex.c | 209 +++++++++++++++++++++++++++++++++++++++++--------
> 1 file changed, 177 insertions(+), 32 deletions(-)
All now queued up, thanks.
greg k-h
* [PATCH 4.4 v2 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-11 3:25 7% [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
2021-03-11 3:25 6% ` [PATCH 4.4 v2 2/3] futex: Cure exit race Zheng Yejian
@ 2021-03-11 3:26 9% ` Zheng Yejian
2021-03-12 13:26 0% ` [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Greg KH
2 siblings, 0 replies; 63+ results
From: Zheng Yejian @ 2021-03-11 3:26 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
From: Thomas Gleixner <tglx@linutronix.de>
This patch comes directly from an origin patch (commit
91509e84949fc97e7424521c32a9e227746e0b85) in v4.9.
And it is part of a full patch which was originally back-ported
to v4.14 as commit e6e00df182908f34360c3c9f2d13cc719362e9c0
The handle_exit_race() function is defined in commit 9c3f39860367
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
...
if (ret == -EBUSY)
*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Lee writes:
This commit takes the remaining functional snippet of:
ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
... and is the correct fix for this issue.
Fixes: 9c3f39860367 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # v4.9.258
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Reviewed-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index 116766ef7de6..98c65b3c3a00 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1202,11 +1202,11 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
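Review bot: The new -EBUSY return at `if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)` changes what handle_exit_race() promises its caller, but the only documentation is the reworded two-line comment, which says the owner is "busy" without saying what the caller is expected to do. Spell out in that comment that attach_to_pi_owner() keeps the task reference and stores the task in *exiting on -EBUSY, so this return is visibly paired with the `if (ret == -EBUSY)` branch quoted in the commit message. It would also help to say that a NULL tsk can never take this path, because there is no task to hand back.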
--
2.25.4
* [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9
@ 2021-03-11 3:25 7% Zheng Yejian
2021-03-11 3:25 6% ` [PATCH 4.4 v2 2/3] futex: Cure exit race Zheng Yejian
` (2 more replies)
0 siblings, 3 replies; 63+ results
From: Zheng Yejian @ 2021-03-11 3:25 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
Changelog for 'v2':
Complete commit messages with needed git commit ids as Greg and Lee suggested.
Lee sent a patchset to update Futex for v4.9, see https://www.spinics.net/lists/stable/msg443081.html,
Then Xiaoming sent a follow-up patch for it, see https://lore.kernel.org/lkml/20210225093120.GD641347@dell/.
These 3 patches are directly picked from v4.9,
and they may also resolve following issues in 4.4.260 which have been reported in v4.9,
see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/?h=linux-4.4.y&id=319f66f08de1083c1fe271261665c209009dd65a
> /*
> * The task is on the way out. When the futex state is
> * FUTEX_STATE_DEAD, we know that the task has finished
> * the cleanup:
> */
> int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
Here may be:
int ret = (p->futex_state == FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
> raw_spin_unlock_irq(&p->pi_lock);
> /*
> * If the owner task is between FUTEX_STATE_EXITING and
> * FUTEX_STATE_DEAD then store the task pointer and keep
> * the reference on the task struct. The calling code will
> * drop all locks, wait for the task to reach
> * FUTEX_STATE_DEAD and then drop the refcount. This is
> * required to prevent a live lock when the current task
> * preempted the exiting task between the two states.
> */
> if (ret == -EBUSY)
And here, the variable "ret" may only be "-ESRCH" or "-EAGAIN", but not "-EBUSY".
> *exiting = p;
> else
> put_task_struct(p);
Since 074e7d515783 ("futex: Ensure the correct return value from futex_lock_pi()") has
been merged in 4.4.260, I send the remaining 3 patches.
Peter Zijlstra (1):
futex: Change locking rules
Thomas Gleixner (2):
futex: Cure exit race
futex: fix dead code in attach_to_pi_owner()
kernel/futex.c | 209 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 177 insertions(+), 32 deletions(-)
--
2.25.4
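The return-value logic this series discusses, as an added user-space model in C (not kernel code and not part of any posted patch): it contrasts the `=` expression quoted from 4.4.260 with handle_exit_race() before and after patch 3/3. The struct, the `model_` names, the `with_patch_3` switch, the enum values and the PID 0x4d2 are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for kernel definitions; the numeric values are assumptions. */
enum model_futex_state { FUTEX_STATE_OK, FUTEX_STATE_EXITING, FUTEX_STATE_DEAD };

struct model_task {
	enum model_futex_state futex_state;
	int refcount;			/* stands in for the task_struct reference */
};

/*
 * The 4.4.260 expression quoted in the cover letter. '=' assigns, so the
 * state is overwritten and, FUTEX_STATE_DEAD being non-zero here, the
 * result is -ESRCH whatever state the owner was really in.
 */
static int model_status_4_4_260(struct model_task *p)
{
	return (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
}

/*
 * Model of handle_exit_race(). with_patch_3 == 0 is the function as added
 * by patch 2/3, with_patch_3 == 1 is the function after patch 3/3. The
 * kernel reads *uaddr with get_futex_value_locked() and can return -EFAULT;
 * this model reads a plain variable and cannot fault.
 */
static int model_handle_exit_race(const uint32_t *uaddr, uint32_t uval,
				  const struct model_task *tsk, int with_patch_3)
{
	/* Owner exists but has not finished its futex cleanup yet. */
	if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
		return with_patch_3 ? -EBUSY : -EAGAIN;

	/* The exiting owner changed the user space value: retry. */
	if (*uaddr != uval)
		return -EAGAIN;

	/* No robust list, corrupted list or bogus value: give up. */
	return -ESRCH;
}

/*
 * Tail of attach_to_pi_owner() for an exiting owner: only -EBUSY hands the
 * task (and its reference) to the caller, every other result drops it.
 */
static int model_attach_exiting(const uint32_t *uaddr, uint32_t uval,
				struct model_task *p,
				struct model_task **exiting, int with_patch_3)
{
	int ret = model_handle_exit_race(uaddr, uval, p, with_patch_3);

	if (ret == -EBUSY)
		*exiting = p;
	else
		p->refcount--;		/* put_task_struct(p) */
	return ret;
}

int main(void)
{
	uint32_t futex = 0x800004d2u;	/* constructed: FUTEX_WAITERS | PID 0x4d2 */
	struct model_task owner = { FUTEX_STATE_EXITING, 1 };
	struct model_task *exiting = NULL;

	printf("4.4.260 expression:   %d\n", model_status_4_4_260(&owner));
	owner.futex_state = FUTEX_STATE_EXITING;
	printf("2/3 only, exiting:    %d\n",
	       model_attach_exiting(&futex, futex, &owner, &exiting, 0));
	owner.refcount = 1;
	printf("with 3/3, exiting:    %d\n",
	       model_attach_exiting(&futex, futex, &owner, &exiting, 1));
	owner.futex_state = FUTEX_STATE_DEAD;
	futex = 0xC0000000u;		/* constructed: owner died, TID cleared */
	printf("dead, value changed:  %d\n",
	       model_handle_exit_race(&futex, 0x800004d2u, &owner, 1));
	return 0;
}
```

With patch 2/3 alone the `*exiting = p` branch is never taken, which is the dead code the cover letter points out.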
* [PATCH 4.4 v2 2/3] futex: Cure exit race
2021-03-11 3:25 7% [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
@ 2021-03-11 3:25 6% ` Zheng Yejian
2021-03-11 3:26 9% ` [PATCH 4.4 v2 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
2021-03-12 13:26 0% ` [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Greg KH
2 siblings, 0 replies; 63+ results
From: Zheng Yejian @ 2021-03-11 3:25 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
This patch comes directly from an origin patch (commit
9c3f3986036760c48a92f04b36774aa9f63673f80) in v4.9.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
CPU0                                CPU1

sys_exit()                          sys_futex()
 do_exit()                           futex_lock_pi()
  exit_signals(tsk)                   No waiters:
   tsk->flags |= PF_EXITING;          *uaddr == 0x00000PID
  mm_release(tsk)                     Set waiter bit
   exit_robust_list(tsk) {            *uaddr = 0x80000PID;
      Set owner died                  attach_to_pi_owner() {
    *uaddr = 0xC0000000;               tsk = get_task(PID);
   }                                   if (!tsk->flags & PF_EXITING) {
  ...                                    attach();
  tsk->flags |= PF_EXITPIDONE;         } else {
                                         if (!(tsk->flags & PF_EXITPIDONE))
                                           return -EAGAIN;
                                         return -ESRCH; <--- FAIL
                                       }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
are set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Lee: Required to satisfy functional dependency from futex back-port.
Re-add the missing handle_exit_race() parts from:
3d4775df0a89 ("futex: Replace PF_EXITPIDONE with a state")]
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/futex.c | 71 +++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index b410752f5ad1..116766ef7de6 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1196,11 +1196,67 @@ static void wait_for_owner_exiting(int ret, struct task_struct *exiting)
put_task_struct(exiting);
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
+ * for it to finish.
+ */
+ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->futex_state = } else {
+ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
+ * FUTEX_STATE_DEAD)
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps,
struct task_struct **exiting)
{
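Review bot: The race diagram in the new handle_exit_race() comment writes the check as `if (!tsk->flags & PF_EXITING)`, which parses as `(!tsk->flags) & PF_EXITING` and is not the test the diagram is describing; write it as `if (!(tsk->flags & PF_EXITING))` so the comment matches the logic it documents. The function also returns three different errors (-EAGAIN, -EFAULT, -ESRCH) and accepts a NULL tsk, and none of that is stated up front. A short header comment listing the return values and what tsk == NULL means would save callers from reading the whole body.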
@@ -1211,12 +1267,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = futex_find_get_task(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
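Review bot: The `!pid` branch now returns -EAGAIN instead of -ESRCH, turning a hard failure into a retry, yet the added comment only says "Let the caller retry" and does not say why that retry terminates. State that the retry re-reads the user space value and reruns the sanity checks, or, if pid == 0 really cannot happen at any call site, consider a WARN_ON_ONCE() so a violation is noticed instead of silently retried. The last sentence of the added comment is also missing its full stop.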
@@ -1235,7 +1294,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* FUTEX_STATE_DEAD, we know that the task has finished
* the cleanup:
*/
- int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
/*
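Review bot: After this replacement ret can be -EAGAIN, -EFAULT or -ESRCH but never -EBUSY, because handle_exit_race() as added in this patch has no -EBUSY return; the `if (ret == -EBUSY)` test that the cover letter quotes from the code after the unlock is therefore unreachable until patch 3/3 is applied, and *exiting is never set in between. Either fold the -EBUSY return into this patch or say in the commit message that 3/3 is required for the exiting-owner path to work. The comment kept above the call ("When the futex state is FUTEX_STATE_DEAD, we know that the task has finished the cleanup") also no longer describes the line beneath it and should mention the reread of *uaddr.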
@@ -1301,7 +1360,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1417,7 +1476,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
}
/**
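Review bot: This call site switches the value argument from uval to newval in the same line that adds uaddr, and nothing in the hunk explains the switch. handle_exit_race() compares a fresh read of *uaddr against this argument (`if (uval2 != uval)`), so the argument has to be the value the futex word is expected to hold at that point, presumably the one with the FUTEX_WAITERS bit that the comment above the return mentions. Add a sentence to that comment saying why newval rather than uval is passed, since passing the wrong one would make every exit-race check report a changed value.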
--
2.25.4
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-10 14:10 0% ` Greg KH
@ 2021-03-11 1:39 0% ` Zhengyejian (Zetta)
0 siblings, 0 replies; 63+ results
From: Zhengyejian (Zetta) @ 2021-03-11 1:39 UTC (permalink / raw)
To: Greg KH, Lee Jones, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On 2021/3/10 22:10, Greg KH wrote:
> On Wed, Mar 10, 2021 at 01:28:02PM +0000, Lee Jones wrote:
>> On Wed, 10 Mar 2021, Greg KH wrote:
>>
>>> On Tue, Mar 09, 2021 at 06:14:37PM +0000, Lee Jones wrote:
>>>> On Tue, 09 Mar 2021, Greg KH wrote:
>>>>
>>>>> On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
>>>>>> From: Thomas Gleixner <tglx@linutronix.de>
>>>>>>
>>>>>> The handle_exit_race() function is defined in commit 9c3f39860367
>>>>>> ("futex: Cure exit race"), which never returns -EBUSY. This results
>>>>>> in a small piece of dead code in the attach_to_pi_owner() function:
>>>>>>
>>>>>> int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
>>>>>> ...
>>>>>> if (ret == -EBUSY)
>>>>>> *exiting = p; /* dead code */
>>>>>>
>>>>>> The return value -EBUSY is added to handle_exit_race() in upstream
>>>>>> commit ac31c7ff8624409 ("futex: Provide distinct return value when
>>>>>> owner is exiting"). This commit was incorporated into v4.9.255, before
>>>>>> the function handle_exit_race() was introduced, without modifying
>>>>>> handle_exit_race().
>>>>>>
>>>>>> To fix dead code, extract the change of handle_exit_race() from
>>>>>> commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
>>>>>> is exiting"), re-incorporated.
>>>>>>
>>>>>> Lee writes:
>>>>>>
>>>>>> This commit takes the remaining functional snippet of:
>>>>>>
>>>>>> ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
>>>>>>
>>>>>> ... and is the correct fix for this issue.
>>>>>>
>>>>>> Fixes: 9c3f39860367 ("futex: Cure exit race")
>>>>>> Cc: stable@vger.kernel.org # v4.9.258
>>>>>> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
>>>>>> Reviewed-by: Lee Jones <lee.jones@linaro.org>
>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
>>>>>> ---
>>>>>> kernel/futex.c | 6 +++---
>>>>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>>>
>>>>> Same here, what is the upstream git id?
>>>>
>>>> It doesn't have one as such - it's a part-patch:
>>>>
>>>>>> This commit takes the remaining functional snippet of:
>>>>>>
>>>>>> ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
>>>
>>> That wasn't obvious :(
>>
>> This was also my thinking, which is why I replied to the original
>> patch in an attempt to clarify what I thought was happening.
>>
>>> Is this a backport of another patch in the stable tree somewhere?
>>
>> Yes, it looks like it.
>>
>> The full patch was back-ported to v4.14 as:
>>
>> e6e00df182908f34360c3c9f2d13cc719362e9c0
>
> Ok, Zheng, can you put this information in the patch and resend the
> whole series?
>
Sure, I'll send a "v2" patchset soon.
Thanks for your suggestions,
Zheng Yejian
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-10 13:28 0% ` Lee Jones
@ 2021-03-10 14:10 0% ` Greg KH
2021-03-11 1:39 0% ` Zhengyejian (Zetta)
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-03-10 14:10 UTC (permalink / raw)
To: Lee Jones, Zheng Yejian, stable, linux-kernel, tglx,
cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
On Wed, Mar 10, 2021 at 01:28:02PM +0000, Lee Jones wrote:
> On Wed, 10 Mar 2021, Greg KH wrote:
>
> > On Tue, Mar 09, 2021 at 06:14:37PM +0000, Lee Jones wrote:
> > > On Tue, 09 Mar 2021, Greg KH wrote:
> > >
> > > > On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
> > > > > From: Thomas Gleixner <tglx@linutronix.de>
> > > > >
> > > > > The handle_exit_race() function is defined in commit 9c3f39860367
> > > > > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > > > > in a small piece of dead code in the attach_to_pi_owner() function:
> > > > >
> > > > > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > > > > ...
> > > > > if (ret == -EBUSY)
> > > > > *exiting = p; /* dead code */
> > > > >
> > > > > > The return value -EBUSY is added to handle_exit_race() in upstream
> > > > > > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > > > > > owner is exiting"). This commit was incorporated into v4.9.255, before
> > > > > > the function handle_exit_race() was introduced, without modifying
> > > > > > handle_exit_race().
> > > > >
> > > > > To fix dead code, extract the change of handle_exit_race() from
> > > > > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > > > > is exiting"), re-incorporated.
> > > > >
> > > > > Lee writes:
> > > > >
> > > > > This commit takes the remaining functional snippet of:
> > > > >
> > > > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
> > > > >
> > > > > ... and is the correct fix for this issue.
> > > > >
> > > > > Fixes: 9c3f39860367 ("futex: Cure exit race")
> > > > > Cc: stable@vger.kernel.org # v4.9.258
> > > > > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > > > > Reviewed-by: Lee Jones <lee.jones@linaro.org>
> > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > > > > ---
> > > > > kernel/futex.c | 6 +++---
> > > > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > > >
> > > > Same here, what is the upstream git id?
> > >
> > > It doesn't have one as such - it's a part-patch:
> > >
> > > > > This commit takes the remaining functional snippet of:
> > > > >
> > > > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
> >
> > That wasn't obvious :(
>
> This was also my thinking, which is why I replied to the original
> patch in an attempt to clarify what I thought was happening.
>
> > Is this a backport of another patch in the stable tree somewhere?
>
> Yes, it looks like it.
>
> The full patch was back-ported to v4.14 as:
>
> e6e00df182908f34360c3c9f2d13cc719362e9c0
Ok, Zheng, can you put this information in the patch and resend the
whole series?
thanks,
greg k-h
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-10 12:00 0% ` Greg KH
@ 2021-03-10 13:28 0% ` Lee Jones
2021-03-10 14:10 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Lee Jones @ 2021-03-10 13:28 UTC (permalink / raw)
To: Greg KH
Cc: Zheng Yejian, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On Wed, 10 Mar 2021, Greg KH wrote:
> On Tue, Mar 09, 2021 at 06:14:37PM +0000, Lee Jones wrote:
> > On Tue, 09 Mar 2021, Greg KH wrote:
> >
> > > On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
> > > > From: Thomas Gleixner <tglx@linutronix.de>
> > > >
> > > > The handle_exit_race() function is defined in commit 9c3f39860367
> > > > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > > > in a small piece of dead code in the attach_to_pi_owner() function:
> > > >
> > > > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > > > ...
> > > > if (ret == -EBUSY)
> > > > *exiting = p; /* dead code */
> > > >
> > > > > The return value -EBUSY is added to handle_exit_race() in upstream
> > > > > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > > > > owner is exiting"). This commit was incorporated into v4.9.255, before
> > > > > the function handle_exit_race() was introduced, without modifying
> > > > > handle_exit_race().
> > > >
> > > > To fix dead code, extract the change of handle_exit_race() from
> > > > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > > > is exiting"), re-incorporated.
> > > >
> > > > Lee writes:
> > > >
> > > > This commit takes the remaining functional snippet of:
> > > >
> > > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
> > > >
> > > > ... and is the correct fix for this issue.
> > > >
> > > > Fixes: 9c3f39860367 ("futex: Cure exit race")
> > > > Cc: stable@vger.kernel.org # v4.9.258
> > > > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > > > Reviewed-by: Lee Jones <lee.jones@linaro.org>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > > > ---
> > > > kernel/futex.c | 6 +++---
> > > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > Same here, what is the upstream git id?
> >
> > It doesn't have one as such - it's a part-patch:
> >
> > > > This commit takes the remaining functional snippet of:
> > > >
> > > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
>
> That wasn't obvious :(
This was also my thinking, which is why I replied to the original
patch in an attempt to clarify what I thought was happening.
> Is this a backport of another patch in the stable tree somewhere?
Yes, it looks like it.
The full patch was back-ported to v4.14 as:
e6e00df182908f34360c3c9f2d13cc719362e9c0
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-09 18:14 0% ` Lee Jones
@ 2021-03-10 12:00 0% ` Greg KH
2021-03-10 13:28 0% ` Lee Jones
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-03-10 12:00 UTC (permalink / raw)
To: Lee Jones
Cc: Zheng Yejian, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On Tue, Mar 09, 2021 at 06:14:37PM +0000, Lee Jones wrote:
> On Tue, 09 Mar 2021, Greg KH wrote:
>
> > On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
> > > From: Thomas Gleixner <tglx@linutronix.de>
> > >
> > > The handle_exit_race() function is defined in commit 9c3f39860367
> > > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > > in a small piece of dead code in the attach_to_pi_owner() function:
> > >
> > > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > > ...
> > > if (ret == -EBUSY)
> > > *exiting = p; /* dead code */
> > >
> > > > The return value -EBUSY is added to handle_exit_race() in upstream
> > > > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > > > owner is exiting"). This commit was incorporated into v4.9.255, before
> > > > the function handle_exit_race() was introduced, without modifying
> > > > handle_exit_race().
> > >
> > > To fix dead code, extract the change of handle_exit_race() from
> > > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > > is exiting"), re-incorporated.
> > >
> > > Lee writes:
> > >
> > > This commit takes the remaining functional snippet of:
> > >
> > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
> > >
> > > ... and is the correct fix for this issue.
> > >
> > > Fixes: 9c3f39860367 ("futex: Cure exit race")
> > > Cc: stable@vger.kernel.org # v4.9.258
> > > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > > Reviewed-by: Lee Jones <lee.jones@linaro.org>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > > ---
> > > kernel/futex.c | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > Same here, what is the upstream git id?
>
> It doesn't have one as such - it's a part-patch:
>
> > > This commit takes the remaining functional snippet of:
> > >
> > > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
That wasn't obvious :(
Is this a backport of another patch in the stable tree somewhere?
confused,
greg k-h
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-09 10:40 0% ` Greg KH
@ 2021-03-09 18:14 0% ` Lee Jones
2021-03-10 12:00 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Lee Jones @ 2021-03-09 18:14 UTC (permalink / raw)
To: Greg KH
Cc: Zheng Yejian, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On Tue, 09 Mar 2021, Greg KH wrote:
> On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
> > From: Thomas Gleixner <tglx@linutronix.de>
> >
> > The handle_exit_race() function is defined in commit 9c3f39860367
> > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > in a small piece of dead code in the attach_to_pi_owner() function:
> >
> > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > ...
> > if (ret == -EBUSY)
> > *exiting = p; /* dead code */
> >
> > > The return value -EBUSY is added to handle_exit_race() in upstream
> > > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > > owner is exiting"). This commit was incorporated into v4.9.255, before
> > > the function handle_exit_race() was introduced, without modifying
> > > handle_exit_race().
> >
> > To fix dead code, extract the change of handle_exit_race() from
> > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > is exiting"), re-incorporated.
> >
> > Lee writes:
> >
> > This commit takes the remaining functional snippet of:
> >
> > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
> >
> > ... and is the correct fix for this issue.
> >
> > Fixes: 9c3f39860367 ("futex: Cure exit race")
> > Cc: stable@vger.kernel.org # v4.9.258
> > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > Reviewed-by: Lee Jones <lee.jones@linaro.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > ---
> > kernel/futex.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
>
> Same here, what is the upstream git id?
It doesn't have one as such - it's a part-patch:
> > This commit takes the remaining functional snippet of:
> >
> > ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
* Re: [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-09 3:06 9% ` [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
@ 2021-03-09 10:40 0% ` Greg KH
2021-03-09 18:14 0% ` Lee Jones
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-03-09 10:40 UTC (permalink / raw)
To: Zheng Yejian
Cc: lee.jones, stable, linux-kernel, tglx, cj.chengjian,
judy.chenhui, zhangjinhao2, nixiaoming
On Tue, Mar 09, 2021 at 11:06:05AM +0800, Zheng Yejian wrote:
> From: Thomas Gleixner <tglx@linutronix.de>
>
> The handle_exit_race() function is defined in commit 9c3f39860367
> ("futex: Cure exit race"), which never returns -EBUSY. This results
> in a small piece of dead code in the attach_to_pi_owner() function:
>
> int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> ...
> if (ret == -EBUSY)
> *exiting = p; /* dead code */
>
> The return value -EBUSY is added to handle_exit_race() in upstream
> commit ac31c7ff8624409 ("futex: Provide distinct return value when
> owner is exiting"). This commit was incorporated into v4.9.255, before
> the function handle_exit_race() was introduced, without modifying
> handle_exit_race().
>
> To fix dead code, extract the change of handle_exit_race() from
> commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> is exiting"), re-incorporated.
>
> Lee writes:
>
> This commit takes the remaining functional snippet of:
>
> ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
>
> ... and is the correct fix for this issue.
>
> Fixes: 9c3f39860367 ("futex: Cure exit race")
> Cc: stable@vger.kernel.org # v4.9.258
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> Reviewed-by: Lee Jones <lee.jones@linaro.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
> kernel/futex.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Same here, what is the upstream git id?
thanks,
greg k-h
* [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner()
2021-03-09 3:06 8% [PATCH 4.4 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
2021-03-09 3:06 6% ` [PATCH 4.4 2/3] futex: Cure exit race Zheng Yejian
@ 2021-03-09 3:06 9% ` Zheng Yejian
2021-03-09 10:40 0% ` Greg KH
1 sibling, 1 reply; 63+ results
From: Zheng Yejian @ 2021-03-09 3:06 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
From: Thomas Gleixner <tglx@linutronix.de>
The handle_exit_race() function is defined in commit 9c3f39860367
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
...
if (ret == -EBUSY)
*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Lee writes:
This commit takes the remaining functional snippet of:
ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
... and is the correct fix for this issue.
Fixes: 9c3f39860367 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # v4.9.258
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Reviewed-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index 116766ef7de6..98c65b3c3a00 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1202,11 +1202,11 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
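Review bot: the `return -EBUSY` under the `tsk->futex_state != FUTEX_STATE_DEAD` check changes what attach_to_pi_owner() hands back to its callers for an exiting owner, but the hunk touches only the callee. The changelog shows attach_to_pi_owner() storing `*exiting = p` on -EBUSY; please also state that the 4.4 callers already treat -EBUSY as "wait for the exiting task, then retry" and never pass it to user space, since nothing in this patch demonstrates that. The changelog also has no upstream commit line; if this is only the handle_exit_race() part of ac31c7ff8624409, say so explicitly next to the commit id.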
--
2.25.4
* [PATCH 4.4 0/3] Backport patch series to update Futex from 4.9
@ 2021-03-09 3:06 8% Zheng Yejian
2021-03-09 3:06 6% ` [PATCH 4.4 2/3] futex: Cure exit race Zheng Yejian
2021-03-09 3:06 9% ` [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
0 siblings, 2 replies; 63+ results
From: Zheng Yejian @ 2021-03-09 3:06 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
Lee sent a patchset to update Futex for 4.9, see https://www.spinics.net/lists/stable/msg443081.html.
Then Xiaoming sent a follow-up patch for it, see https://lore.kernel.org/lkml/20210225093120.GD641347@dell/.
These patchsets may also resolve the following issues in 4.4.260, which have been reported in 4.9,
see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/?h=linux-4.4.y&id=319f66f08de1083c1fe271261665c209009dd65a
> /*
> * The task is on the way out. When the futex state is
> * FUTEX_STATE_DEAD, we know that the task has finished
> * the cleanup:
> */
> int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
Here may be:
int ret = (p->futex_state == FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
> raw_spin_unlock_irq(&p->pi_lock);
> /*
> * If the owner task is between FUTEX_STATE_EXITING and
> * FUTEX_STATE_DEAD then store the task pointer and keep
> * the reference on the task struct. The calling code will
> * drop all locks, wait for the task to reach
> * FUTEX_STATE_DEAD and then drop the refcount. This is
> * required to prevent a live lock when the current task
> * preempted the exiting task between the two states.
> */
> if (ret == -EBUSY)
And here, the variable "ret" may only be "-ESRCH" or "-EAGAIN", but not "-EBUSY".
> *exiting = p;
> else
> put_task_struct(p);
Since 074e7d515783 ("futex: Ensure the correct return value from futex_lock_pi()") has
been merged in 4.4.260, I am sending the remaining 3 patches.
Peter Zijlstra (1):
futex: Change locking rules
Thomas Gleixner (2):
futex: Cure exit race
futex: fix dead code in attach_to_pi_owner()
kernel/futex.c | 209 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 177 insertions(+), 32 deletions(-)
--
2.25.4
* [PATCH 4.4 2/3] futex: Cure exit race
2021-03-09 3:06 8% [PATCH 4.4 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
@ 2021-03-09 3:06 6% ` Zheng Yejian
2021-03-09 3:06 9% ` [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
1 sibling, 0 replies; 63+ results
From: Zheng Yejian @ 2021-03-09 3:06 UTC (permalink / raw)
To: gregkh, lee.jones, stable, linux-kernel
Cc: tglx, cj.chengjian, judy.chenhui, zhangjinhao2, nixiaoming
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
CPU0                                    CPU1

sys_exit()                              sys_futex()
 do_exit()                               futex_lock_pi()
  exit_signals(tsk)                       No waiters:
   tsk->flags |= PF_EXITING;              *uaddr == 0x00000PID
  mm_release(tsk)                         Set waiter bit
   exit_robust_list(tsk) {                *uaddr = 0x80000PID;
      Set owner died                      attach_to_pi_owner() {
    *uaddr = 0xC0000000;                   tsk = get_task(PID);
   }                                       if (!tsk->flags & PF_EXITING) {
  ...                                        attach();
  tsk->flags |= PF_EXITPIDONE;             } else {
                                             if (!(tsk->flags & PF_EXITPIDONE))
                                               return -EAGAIN;
                                             return -ESRCH; <--- FAIL
                                           }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Lee: Required to satisfy functional dependency from futex back-port.
Re-add the missing handle_exit_race() parts from:
3d4775df0a89 ("futex: Replace PF_EXITPIDONE with a state")]
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/futex.c | 71 +++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index b410752f5ad1..116766ef7de6 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1196,11 +1196,67 @@ static void wait_for_owner_exiting(int ret, struct task_struct *exiting)
put_task_struct(exiting);
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
+ * for it to finish.
+ */
+ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->futex_state = } else {
+ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
+ * FUTEX_STATE_DEAD)
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps,
struct task_struct **exiting)
{
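Review bot: in the new handle_exit_race(), the first check returns -EAGAIN when `tsk->futex_state != FUTEX_STATE_DEAD`, while the cover letter quotes the caller testing `if (ret == -EBUSY)` before `*exiting = p`. With this patch alone that branch cannot be taken, so the task reference always goes to put_task_struct() and the caller never gets a task to wait on. Patch 3/3 changes this return to -EBUSY; consider folding that one-line change in here so the series stays bisectable, or name the dependency in the changelog.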
@@ -1211,12 +1267,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = futex_find_get_task(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
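Review bot: the `!pid` branch now returns -EAGAIN instead of -ESRCH, which turns a hard failure into a retry, and the changelog does not mention it. The added comment says no call site should arrive here with pid == 0, but if one does and the user space value stays the same, what bounds the retry? Please justify the change in the changelog or keep -ESRCH for this branch. The `!p` path reads fine: handle_exit_race() is passed NULL, skips the futex_state check and goes straight to re-reading the user space value.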
@@ -1235,7 +1294,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* FUTEX_STATE_DEAD, we know that the task has finished
* the cleanup:
*/
- int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
/*
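Review bot: the removed line `(p->futex_state = FUTEX_STATE_DEAD)` is an assignment, not a comparison, so the pre-patch code overwrote p->futex_state and made ret depend on the constant rather than on the task's actual state. The changelog should say that this hunk also removes that bug, since it is a behaviour change in 4.4 independent of the exit race described there. Also worth a short comment: handle_exit_race() is called before `raw_spin_unlock_irq(&p->pi_lock)`, so its get_futex_value_locked() read of user space runs with pi_lock held.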
@@ -1301,7 +1360,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1417,7 +1476,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
}
/**
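Review bot: this call site switches the second argument from `uval` to `newval` as well as adding `uaddr`, and the changelog does not explain why. handle_exit_race() compares the re-read user space value against this argument (`uval2 != uval`), so it has to be the value just written with the waiter bit set, matching the `*uaddr = 0x80000PID` step in the changelog diagram; passing the old `uval` would make the re-read look changed whenever the waiter bit was newly set and return -EAGAIN. A one-line comment at the call would keep a later backport from quietly reverting it.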
--
2.25.4
* [PATCH 4.9 127/134] futex: fix dead code in attach_to_pi_owner()
@ 2021-03-01 16:13 9% ` Greg Kroah-Hartman
0 siblings, 0 replies; 63+ results
From: Greg Kroah-Hartman @ 2021-03-01 16:13 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiaoming Ni, Lee Jones
From: Thomas Gleixner <tglx@linutronix.de>
The handle_exit_race() function is defined in commit 9c3f39860367
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
...
if (ret == -EBUSY)
*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Lee writes:
This commit takes the remaining functional snippet of:
ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
... and is the correct fix for this issue.
Fixes: 9c3f39860367 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # v4.9.258
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Reviewed-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1207,11 +1207,11 @@ static int handle_exit_race(u32 __user *
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
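Review bot: the rewritten comment above the `tsk->futex_state != FUTEX_STATE_DEAD` check says only that the alleged owner is busy; it should also say what the caller is expected to do with -EBUSY, because that contract is the reason for the change. Per the changelog, attach_to_pi_owner() stores the task in `*exiting` on -EBUSY, so wording along the lines of "the caller keeps its reference on the task and waits for it to reach FUTEX_STATE_DEAD" would make the return value readable from this function alone.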
* Re: [PATCH 4.9.258] futex: fix dead code in attach_to_pi_owner()
2021-02-25 9:17 0% ` Lee Jones
@ 2021-03-01 14:19 0% ` Greg KH
0 siblings, 0 replies; 63+ results
From: Greg KH @ 2021-03-01 14:19 UTC (permalink / raw)
To: Lee Jones
Cc: Xiaoming Ni, linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On Thu, Feb 25, 2021 at 09:17:38AM +0000, Lee Jones wrote:
> On Wed, 24 Feb 2021, Xiaoming Ni wrote:
>
> > The handle_exit_race() function is defined in commit 9c3f39860367
> > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > in a small piece of dead code in the attach_to_pi_owner() function:
> >
> > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > ...
> > if (ret == -EBUSY)
> > *exiting = p; /* dead code */
> >
> > The return value -EBUSY is added to handle_exit_race() in upstream
> > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > owner is exiting"). This commit was incorporated into v4.9.255, before
> > the function handle_exit_race() was introduced, without modifying
> > handle_exit_race().
> >
> > To fix dead code, extract the change of handle_exit_race() from
> > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > is exiting"), re-incorporated.
> >
> > Fixes: 9c3f39860367 ("futex: Cure exit race")
> > Cc: stable@vger.kernel.org # v4.9.258
> > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > ---
> > kernel/futex.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
>
> To clarify, this is not a wholesale back-port from Mainline.
>
> It takes the remaining functional snippet of:
>
> ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
>
> ... and is the correct fix for this issue.
>
> Reviewed-by: Lee Jones <lee.jones@linaro.org>
Thanks, now queued up.
greg k-h
* Re: [PATCH] futex: fix dead code in attach_to_pi_owner()
2021-02-25 8:56 8% ` Xiaoming Ni
@ 2021-02-25 9:31 0% ` Lee Jones
0 siblings, 0 replies; 63+ results
From: Lee Jones @ 2021-02-25 9:31 UTC (permalink / raw)
To: Xiaoming Ni
Cc: Greg KH, linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On Thu, 25 Feb 2021, Xiaoming Ni wrote:
> On 2021/2/25 16:25, Greg KH wrote:
> > On Mon, Feb 22, 2021 at 08:53:52PM +0800, Xiaoming Ni wrote:
> > > From: Thomas Gleixner <tglx@linutronix.de>
> > >
> > > The handle_exit_race() function is defined in commit c158b461306df82
> > > ("futex: Cure exit race"), which never returns -EBUSY. This results
> > > in a small piece of dead code in the attach_to_pi_owner() function:
> > >
> > > int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> > > ...
> > > if (ret == -EBUSY)
> > > *exiting = p; /* dead code */
> > >
> > > The return value -EBUSY is added to handle_exit_race() in upstream
> > > commit ac31c7ff8624409 ("futex: Provide distinct return value when
> > > owner is exiting"). This commit was incorporated into v4.9.255, before
> > > the function handle_exit_race() was introduced, without modifying
> > > handle_exit_race().
> > >
> > > To fix dead code, extract the change of handle_exit_race() from
> > > commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> > > is exiting"), re-incorporated.
> mainline:
> ac31c7ff8624 futex: Provide distinct return value when owner is exiting
>
> > >
> > > Fixes: c158b461306df82 ("futex: Cure exit race")
>
> stable linux-4.9.y
> 9c3f39860367 futex: Cure exit race
> c27f392040e2 futex: Provide distinct return value when owner is exiting
>
> > > Cc: stable@vger.kernel.org # 4.9.258-rc1
> > > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> > > ---
> > > kernel/futex.c | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > What is the git commit id of this patch in Linus's tree?
> >
> > Also, what kernel tree(s) is this supposed to go to?
> >
> > thanks,
> >
> > greg k-h
> > .
> >
> Sorry, the commit id c158b461306df82 in the patch does not exist in the
> linux-stable repository.
> The commit ID is from linux-stable-rc.
>
> I corrected the commit id in a subsequent email, and added a branch label.
> https://lore.kernel.org/lkml/20210224100923.51315-1-nixiaoming@huawei.com/
Replied to the follow-up.
> Sorry, I forgot to use "--in-reply-to=" when I sent the update patch.
>
> This issue occurs only in the linux-4.9.y branch v4.9.258
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
* Re: [PATCH 4.9.258] futex: fix dead code in attach_to_pi_owner()
2021-02-24 10:09 9% [PATCH 4.9.258] futex: fix dead code in attach_to_pi_owner() Xiaoming Ni
@ 2021-02-25 9:17 0% ` Lee Jones
2021-03-01 14:19 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Lee Jones @ 2021-02-25 9:17 UTC (permalink / raw)
To: Xiaoming Ni
Cc: linux-kernel, stable, gregkh, sashal, tglx, wangle6, zhengyejian1
On Wed, 24 Feb 2021, Xiaoming Ni wrote:
> The handle_exit_race() function is defined in commit 9c3f39860367
> ("futex: Cure exit race"), which never returns -EBUSY. This results
> in a small piece of dead code in the attach_to_pi_owner() function:
>
> int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> ...
> if (ret == -EBUSY)
> *exiting = p; /* dead code */
>
> The return value -EBUSY is added to handle_exit_race() in upstream
> commit ac31c7ff8624409 ("futex: Provide distinct return value when
> owner is exiting"). This commit was incorporated into v4.9.255, before
> the function handle_exit_race() was introduced, without modifying
> handle_exit_race().
>
> To fix dead code, extract the change of handle_exit_race() from
> commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> is exiting"), re-incorporated.
>
> Fixes: 9c3f39860367 ("futex: Cure exit race")
> Cc: stable@vger.kernel.org # v4.9.258
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> ---
> kernel/futex.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
To clarify, this is not a wholesale back-port from Mainline.
It takes the remaining functional snippet of:
ac31c7ff8624409 ("futex: Provide distinct return value when owner is exiting")
... and is the correct fix for this issue.
Reviewed-by: Lee Jones <lee.jones@linaro.org>
> diff --git a/kernel/futex.c b/kernel/futex.c
> index b65dbb5d60bb..0fd785410150 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1207,11 +1207,11 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
> u32 uval2;
>
> /*
> - * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
> - * for it to finish.
> + * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
> + * caller that the alleged owner is busy.
> */
> if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
> - return -EAGAIN;
> + return -EBUSY;
>
> /*
> * Reread the user space value to handle the following situation:
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
* Re: [PATCH] futex: fix dead code in attach_to_pi_owner()
2021-02-25 8:25 0% ` Greg KH
@ 2021-02-25 8:56 8% ` Xiaoming Ni
2021-02-25 9:31 0% ` Lee Jones
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-25 8:56 UTC (permalink / raw)
To: Greg KH
Cc: linux-kernel, stable, sashal, tglx, lee.jones, wangle6, zhengyejian1
On 2021/2/25 16:25, Greg KH wrote:
> On Mon, Feb 22, 2021 at 08:53:52PM +0800, Xiaoming Ni wrote:
>> From: Thomas Gleixner <tglx@linutronix.de>
>>
>> The handle_exit_race() function is defined in commit c158b461306df82
>> ("futex: Cure exit race"), which never returns -EBUSY. This results
>> in a small piece of dead code in the attach_to_pi_owner() function:
>>
>> int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
>> ...
>> if (ret == -EBUSY)
>> *exiting = p; /* dead code */
>>
>> The return value -EBUSY is added to handle_exit_race() in upstream
>> commit ac31c7ff8624409 ("futex: Provide distinct return value when
>> owner is exiting"). This commit was incorporated into v4.9.255, before
>> the function handle_exit_race() was introduced, without modifying
>> handle_exit_race().
>>
>> To fix dead code, extract the change of handle_exit_race() from
>> commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
>> is exiting"), re-incorporated.
mainline:
ac31c7ff8624 futex: Provide distinct return value when owner is exiting
>>
>> Fixes: c158b461306df82 ("futex: Cure exit race")
stable linux-4.9.y
9c3f39860367 futex: Cure exit race
c27f392040e2 futex: Provide distinct return value when owner is exiting
>> Cc: stable@vger.kernel.org # 4.9.258-rc1
>> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
>> ---
>> kernel/futex.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> What is the git commit id of this patch in Linus's tree?
>
> Also, what kernel tree(s) is this supposed to go to?
>
> thanks,
>
> greg k-h
> .
>
Sorry, the commit id c158b461306df82 in the patch does not exist in the
linux-stable repository.
The commit ID is from linux-stable-rc.
I corrected the commit id in a subsequent email, and added a branch
label.
https://lore.kernel.org/lkml/20210224100923.51315-1-nixiaoming@huawei.com/
Sorry, I forgot to use "--in-reply-to=" when I sent the update patch.
This issue occurs only in the linux-4.9.y branch v4.9.258
Thanks
xiaoming Ni
* Re: [PATCH] futex: fix dead code in attach_to_pi_owner()
2021-02-22 12:53 9% [PATCH] futex: fix dead code in attach_to_pi_owner() Xiaoming Ni
@ 2021-02-25 8:25 0% ` Greg KH
2021-02-25 8:56 8% ` Xiaoming Ni
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-02-25 8:25 UTC (permalink / raw)
To: Xiaoming Ni
Cc: linux-kernel, stable, sashal, tglx, lee.jones, wangle6, zhengyejian1
On Mon, Feb 22, 2021 at 08:53:52PM +0800, Xiaoming Ni wrote:
> From: Thomas Gleixner <tglx@linutronix.de>
>
> The handle_exit_race() function is defined in commit c158b461306df82
> ("futex: Cure exit race"), which never returns -EBUSY. This results
> in a small piece of dead code in the attach_to_pi_owner() function:
>
> int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
> ...
> if (ret == -EBUSY)
> *exiting = p; /* dead code */
>
> The return value -EBUSY is added to handle_exit_race() in upstream
> commit ac31c7ff8624409 ("futex: Provide distinct return value when
> owner is exiting"). This commit was incorporated into v4.9.255, before
> the function handle_exit_race() was introduced, without modifying
> handle_exit_race().
>
> To fix dead code, extract the change of handle_exit_race() from
> commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
> is exiting"), re-incorporated.
>
> Fixes: c158b461306df82 ("futex: Cure exit race")
> Cc: stable@vger.kernel.org # 4.9.258-rc1
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> ---
> kernel/futex.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
What is the git commit id of this patch in Linus's tree?
Also, what kernel tree(s) is this supposed to go to?
thanks,
greg k-h
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-24 7:47 0% ` Greg KH
@ 2021-02-24 12:40 0% ` Xiaoming Ni
0 siblings, 0 replies; 63+ results
From: Xiaoming Ni @ 2021-02-24 12:40 UTC (permalink / raw)
To: Greg KH; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On 2021/2/24 15:47, Greg KH wrote:
> On Wed, Feb 24, 2021 at 09:41:01AM +0800, Xiaoming Ni wrote:
>> On 2021/2/23 21:00, Greg KH wrote:
>>> On Mon, Feb 22, 2021 at 10:11:37PM +0800, Xiaoming Ni wrote:
>>>> On 2021/2/22 20:09, Greg KH wrote:
>>>>> On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
>>>>>> On 2021/2/22 18:16, Greg KH wrote:
>>>>>>> On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
>>>>>>>> From: Thomas Gleixner<tglx@linutronix.de>
>>>>>>>>
>>>>>>>> commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
>>>>>>> This commit is already in the 4.9 tree. If the backport was incorrect,
>>>>>>> say that here, and describe what went wrong and why this commit fixes
>>>>>>> it.
>>>>>>>
>>>>>>> Also state what commit this fixes as well, otherwise this changelog just
>>>>>>> looks like it is being applied again to the tree, which doesn't make
>>>>>>> much sense.
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> greg k-h
>>>>>>> .
>>>>>>
>>>>>> I wrote a cover for it. but forgot to adjust the title of the cover:
>>>>>>
>>>>>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>>>>>>
>>>>>>
>>>>>> I found a dead code in the queue/4.9 branch of the stable-rc repository.
>>>>>>
>>>>>> 2021-02-03:
>>>>>> commit c27f392040e2f6 ("futex: Provide distinct return value when
>>>>>> owner is exiting")
>>>>>> The function handle_exit_race does not exist. Therefore, the
>>>>>> change in handle_exit_race() is ignored in the patch round.
>>>>>>
>>>>>> 2021-02-22:
>>>>>> commit e55cb811e612 ("futex: Cure exit race")
>>>>>> Define the handle_exit_race() function,
>>>>>> but no branch in the function returns EBUSY.
>>>>>> As a result, dead code occurs in the attach_to_pi_owner():
>>>>>>
>>>>>> int ret = handle_exit_race(uaddr, uval, p);
>>>>>> ...
>>>>>> if (ret == -EBUSY)
>>>>>> *exiting = p; /* dead code */
>>>>>>
>>>>>> To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
>>>>>> race"),
>>>>>> or install a patch to incorporate the changes in handle_exit_race().
>>>>>>
>>>>>> I am unfamiliar with the processing of the stable-rc queue branch,
>>>>>> and I cannot find the patch mail of the current branch in
>>>>>> https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
>>>>>> Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
>>>>>> return value when owner is exiting").
>>>>>> And wrote a cover (but forgot to adjust the title of the cover):
>>>>>>
>>>>>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>>>>>
>>>>> So this is a "fixup" patch, right?
>>>>>
>>>>> Please clearly label it as such in your patch description and resend
>>>>> this as what is here I can not apply at all.
>>>>>
>>>>> thanks,
>>>>>
>>>>> greg k-h
>>>>> .
>>>>>
>>>> Thank you for your guidance.
>>>> I have updated the patch description and resent the patch based on
>>>> v4.9.258-rc1
>>>> https://lore.kernel.org/lkml/20210222125352.110124-1-nixiaoming@huawei.com/
>>>
>>> Can you please try 4.9.258 and let me know if this is still needed or
>>> not?
>>>
>>> thanks,
>>>
>>> greg k-h
>>> .
>>>
>> The dead code problem still exists in V4.9.258. No conflict occurs during my
>> patch integration. Do I need to correct the version number marked in the cc
>> table in the patch and resend the patch?
>
> Please do.
>
> thanks,
>
> greg k-h
> .
>
I have resent the patch based on v4.9.258.
link:
https://lore.kernel.org/lkml/20210224100923.51315-1-nixiaoming@huawei.com/
Thanks
Xiaoming Ni
* [PATCH 4.9.258] futex: fix dead code in attach_to_pi_owner()
@ 2021-02-24 10:09 9% Xiaoming Ni
2021-02-25 9:17 0% ` Lee Jones
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-24 10:09 UTC (permalink / raw)
To: linux-kernel, stable, gregkh, sashal, tglx, lee.jones
Cc: nixiaoming, wangle6, zhengyejian1
The handle_exit_race() function is defined in commit 9c3f39860367
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
...
if (ret == -EBUSY)
*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Fixes: 9c3f39860367 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # v4.9.258
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index b65dbb5d60bb..0fd785410150 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1207,11 +1207,11 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
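Review bot: calling the `ret == -EBUSY` branch "dead code" in the subject and changelog undersells what the `return -EBUSY` line fixes. With -EAGAIN returned for an owner that is not yet FUTEX_STATE_DEAD, attach_to_pi_owner() never sets `*exiting`, so the caller is given no task to wait on and is only told to try again. That is a functional fix to the exiting-owner path, and the changelog should describe the user-visible consequence rather than only the unreachable branch.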
--
2.27.0
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-24 1:41 0% ` Xiaoming Ni
@ 2021-02-24 7:47 0% ` Greg KH
2021-02-24 12:40 0% ` Xiaoming Ni
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-02-24 7:47 UTC (permalink / raw)
To: Xiaoming Ni; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On Wed, Feb 24, 2021 at 09:41:01AM +0800, Xiaoming Ni wrote:
> On 2021/2/23 21:00, Greg KH wrote:
> > On Mon, Feb 22, 2021 at 10:11:37PM +0800, Xiaoming Ni wrote:
> > > On 2021/2/22 20:09, Greg KH wrote:
> > > > On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
> > > > > On 2021/2/22 18:16, Greg KH wrote:
> > > > > > On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
> > > > > > > From: Thomas Gleixner<tglx@linutronix.de>
> > > > > > >
> > > > > > > commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
> > > > > > This commit is already in the 4.9 tree. If the backport was incorrect,
> > > > > > say that here, and describe what went wrong and why this commit fixes
> > > > > > it.
> > > > > >
> > > > > > Also state what commit this fixes as well, otherwise this changelog just
> > > > > > looks like it is being applied again to the tree, which doesn't make
> > > > > > much sense.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > > .
> > > > >
> > > > > I wrote a cover for it. but forgot to adjust the title of the cover:
> > > > >
> > > > > https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
> > > > >
> > > > >
> > > > > I found a dead code in the queue/4.9 branch of the stable-rc repository.
> > > > >
> > > > > 2021-02-03:
> > > > > commit c27f392040e2f6 ("futex: Provide distinct return value when
> > > > > owner is exiting")
> > > > > The function handle_exit_race does not exist. Therefore, the
> > > > > change in handle_exit_race() is ignored in the patch round.
> > > > >
> > > > > 2021-02-22:
> > > > > commit e55cb811e612 ("futex: Cure exit race")
> > > > > Define the handle_exit_race() function,
> > > > > but no branch in the function returns EBUSY.
> > > > > As a result, dead code occurs in the attach_to_pi_owner():
> > > > >
> > > > > int ret = handle_exit_race(uaddr, uval, p);
> > > > > ...
> > > > > if (ret == -EBUSY)
> > > > > *exiting = p; /* dead code */
> > > > >
> > > > > To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
> > > > > race"),
> > > > > or install a patch to incorporate the changes in handle_exit_race().
> > > > >
> > > > > I am unfamiliar with the processing of the stable-rc queue branch,
> > > > > and I cannot find the patch mail of the current branch in
> > > > > https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
> > > > > Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
> > > > > return value when owner is exiting").
> > > > > And wrote a cover (but forgot to adjust the title of the cover):
> > > > >
> > > > > https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
> > > >
> > > > So this is a "fixup" patch, right?
> > > >
> > > > Please clearly label it as such in your patch description and resend
> > > > this as what is here I can not apply at all.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > > .
> > > >
> > > Thank you for your guidance.
> > > I have updated the patch description and resent the patch based on
> > > v4.9.258-rc1
> > > https://lore.kernel.org/lkml/20210222125352.110124-1-nixiaoming@huawei.com/
> >
> > Can you please try 4.9.258 and let me know if this is still needed or
> > not?
> >
> > thanks,
> >
> > greg k-h
> > .
> >
> The dead code problem still exists in V4.9.258. No conflict occurs during my
> patch integration. Do I need to correct the version number marked in the cc
> table in the patch and resend the patch?
Please do.
thanks,
greg k-h
^ permalink raw reply [relevance 0%]
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-23 13:00 0% ` Greg KH
@ 2021-02-24 1:41 0% ` Xiaoming Ni
2021-02-24 7:47 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-24 1:41 UTC (permalink / raw)
To: Greg KH; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On 2021/2/23 21:00, Greg KH wrote:
> On Mon, Feb 22, 2021 at 10:11:37PM +0800, Xiaoming Ni wrote:
>> On 2021/2/22 20:09, Greg KH wrote:
>>> On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
>>>> On 2021/2/22 18:16, Greg KH wrote:
>>>>> On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
>>>>>> From: Thomas Gleixner<tglx@linutronix.de>
>>>>>>
>>>>>> commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
>>>>> This commit is already in the 4.9 tree. If the backport was incorrect,
>>>>> say that here, and describe what went wrong and why this commit fixes
>>>>> it.
>>>>>
>>>>> Also state what commit this fixes as well, otherwise this changelog just
>>>>> looks like it is being applied again to the tree, which doesn't make
>>>>> much sense.
>>>>>
>>>>> thanks,
>>>>>
>>>>> greg k-h
>>>>> .
>>>>
>>>> I wrote a cover for it. but forgot to adjust the title of the cover:
>>>>
>>>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>>>>
>>>>
>>>> I found a dead code in the queue/4.9 branch of the stable-rc repository.
>>>>
>>>> 2021-02-03:
>>>> commit c27f392040e2f6 ("futex: Provide distinct return value when
>>>> owner is exiting")
>>>> The function handle_exit_race does not exist. Therefore, the
>>>> change in handle_exit_race() is ignored in the patch round.
>>>>
>>>> 2021-02-22:
>>>> commit e55cb811e612 ("futex: Cure exit race")
>>>> Define the handle_exit_race() function,
>>>> but no branch in the function returns EBUSY.
>>>> As a result, dead code occurs in the attach_to_pi_owner():
>>>>
>>>> int ret = handle_exit_race(uaddr, uval, p);
>>>> ...
>>>> if (ret == -EBUSY)
>>>> *exiting = p; /* dead code */
>>>>
>>>> To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
>>>> race"),
>>>> or install a patch to incorporate the changes in handle_exit_race().
>>>>
>>>> I am unfamiliar with the processing of the stable-rc queue branch,
>>>> and I cannot find the patch mail of the current branch in
>>>> https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
>>>> Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
>>>> return value when owner is exiting").
>>>> And wrote a cover (but forgot to adjust the title of the cover):
>>>>
>>>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>>>
>>> So this is a "fixup" patch, right?
>>>
>>> Please clearly label it as such in your patch description and resend
>>> this as what is here I can not apply at all.
>>>
>>> thanks,
>>>
>>> greg k-h
>>> .
>>>
>> Thank you for your guidance.
>> I have updated the patch description and resent the patch based on
>> v4.9.258-rc1
>> https://lore.kernel.org/lkml/20210222125352.110124-1-nixiaoming@huawei.com/
>
> Can you please try 4.9.258 and let me know if this is still needed or
> not?
>
> thanks,
>
> greg k-h
> .
>
The dead code problem still exists in V4.9.258. No conflict occurs
during my patch integration. Do I need to correct the version number
marked in the cc table in the patch and resend the patch?
Thanks
Xiaoming Ni
^ permalink raw reply [relevance 0%]
* Linux 4.9.258
@ 2021-02-23 14:00 6% Greg Kroah-Hartman
0 siblings, 0 replies; 63+ results
From: Greg Kroah-Hartman @ 2021-02-23 14:00 UTC (permalink / raw)
To: linux-kernel, akpm, torvalds, stable; +Cc: lwn, jslaby, Greg Kroah-Hartman
I'm announcing the release of the 4.9.258 kernel.
All users of the 4.9 kernel series must upgrade.
The updated 4.9.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 9
arch/arm/boot/dts/lpc32xx.dtsi | 3
arch/arm/xen/p2m.c | 6
arch/h8300/kernel/asm-offsets.c | 3
arch/x86/Makefile | 6
arch/x86/xen/p2m.c | 15 -
drivers/block/xen-blkback/blkback.c | 30 +-
drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c | 3
drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 3
drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 5
drivers/net/xen-netback/netback.c | 4
drivers/net/xen-netback/rx.c | 9
drivers/remoteproc/qcom_q6v5_pil.c | 6
drivers/scsi/qla2xxx/qla_tmpl.c | 9
drivers/scsi/qla2xxx/qla_tmpl.h | 2
drivers/usb/dwc3/ulpi.c | 20 +
drivers/xen/gntdev.c | 33 +-
drivers/xen/xen-scsiback.c | 4
fs/fs-writeback.c | 2
fs/overlayfs/copy_up.c | 15 -
fs/squashfs/export.c | 41 ++-
fs/squashfs/id.c | 40 ++-
fs/squashfs/squashfs_fs_sb.h | 1
fs/squashfs/super.c | 6
fs/squashfs/xattr.h | 10
fs/squashfs/xattr_id.c | 66 ++++-
include/linux/backing-dev.h | 10
include/linux/ftrace.h | 4
include/linux/memcontrol.h | 33 ++
include/linux/netdevice.h | 2
include/linux/string.h | 4
include/linux/sunrpc/xdr.h | 3
include/trace/events/writeback.h | 35 +-
include/xen/grant_table.h | 1
kernel/bpf/stackmap.c | 2
kernel/futex.c | 233 +++++++++++++++----
kernel/trace/ftrace.c | 2
kernel/trace/trace.c | 2
kernel/trace/trace_events.c | 3
lib/string.c | 47 +++
mm/backing-dev.c | 1
mm/memblock.c | 48 ---
mm/memcontrol.c | 43 ++-
mm/page-writeback.c | 14 -
net/key/af_key.c | 6
net/netfilter/nf_conntrack_core.c | 3
net/netfilter/xt_recent.c | 12
net/sunrpc/auth_gss/auth_gss.c | 30 --
net/sunrpc/auth_gss/auth_gss_internal.h | 45 +++
net/sunrpc/auth_gss/gss_krb5_mech.c | 31 --
net/vmw_vsock/af_vsock.c | 13 -
net/vmw_vsock/virtio_transport_common.c | 4
scripts/Makefile.build | 3
virt/kvm/kvm_main.c | 3
54 files changed, 680 insertions(+), 308 deletions(-)
Alexandre Belloni (1):
ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
Amir Goldstein (1):
ovl: skip getxattr of security labels
Andi Kleen (1):
trace: Use -mcount-record for dynamic ftrace
Arun Easi (1):
scsi: qla2xxx: Fix crash during driver load on big endian machines
Borislav Petkov (1):
x86/build: Disable CET instrumentation in the kernel for 32-bit too
Bui Quang Minh (1):
bpf: Check for integer overflow when using roundup_pow_of_two()
Cong Wang (1):
af_key: relax availability checks for skb size calculation
Dave Wysochanski (2):
SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
SUNRPC: Handle 0 length opaque XDR object data properly
Edwin Peer (1):
net: watchdog: hold device global xmit lock during tx disable
Emmanuel Grumbach (1):
iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
Felipe Balbi (1):
usb: dwc3: ulpi: fix checkpatch warning
Florian Westphal (1):
netfilter: conntrack: skip identical origin tuple in same zone only
Greg Kroah-Hartman (1):
Linux 4.9.258
Greg Thelen (1):
tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-mcount
Jan Beulich (8):
Xen/x86: don't bail early from clear_foreign_p2m_mapping()
Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
Xen/gntdev: correct error checking in gntdev_map_grant_pages()
xen-blkback: don't "handle" error by BUG()
xen-netback: don't "handle" error by BUG()
xen-scsiback: don't "handle" error by BUG()
xen-blkback: fix error handling in xen_blkbk_map()
Johannes Berg (2):
iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
iwlwifi: mvm: guard against device removal in reprobe
Johannes Weiner (1):
mm: memcontrol: fix NULL pointer crash in test_clear_page_writeback()
Jozsef Kadlecsik (1):
netfilter: xt_recent: Fix attempt to update deleted entry
Juergen Gross (1):
xen/netback: avoid race in xenvif_rx_ring_slots_available()
Lai Jiangshan (1):
kvm: check tlbs_dirty directly
Norbert Slusarek (1):
net/vmw_vsock: improve locking in vsock_connect_timeout()
Peter Zijlstra (1):
futex: Change locking rules
Phillip Lougher (3):
squashfs: add more sanity checks in id lookup
squashfs: add more sanity checks in inode lookup
squashfs: add more sanity checks in xattr id lookup
Qian Cai (1):
include/trace/events/writeback.h: fix -Wstringop-truncation warnings
Randy Dunlap (1):
h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
Roman Gushchin (1):
memblock: do not start bottom-up allocations with kernel_end
Serge Semin (1):
usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
Sibi Sankar (1):
remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
Stefano Garzarella (2):
vsock/virtio: update credit only if socket is not closed
vsock: fix locking in vsock_shutdown()
Stefano Stabellini (1):
xen/arm: don't ignore return errors from set_phys_to_machine
Steven Rostedt (VMware) (3):
fgraph: Initialize tracing_graph_pause at task creation
tracing: Do not count ftrace events in top level enable output
tracing: Check length before giving out the filter buffer
Theodore Ts'o (1):
memcg: fix a crash in wb_workfn when a device disappears
Thomas Gleixner (2):
futex: Ensure the correct return value from futex_lock_pi()
futex: Cure exit race
Tobin C. Harding (1):
lib/string: Add strscpy_pad() function
Vasily Gorbik (1):
tracing: Avoid calling cc-option -mrecord-mcount for every Makefile
^ permalink raw reply [relevance 6%]
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-22 14:11 0% ` Xiaoming Ni
@ 2021-02-23 13:00 0% ` Greg KH
2021-02-24 1:41 0% ` Xiaoming Ni
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-02-23 13:00 UTC (permalink / raw)
To: Xiaoming Ni; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On Mon, Feb 22, 2021 at 10:11:37PM +0800, Xiaoming Ni wrote:
> On 2021/2/22 20:09, Greg KH wrote:
> > On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
> > > On 2021/2/22 18:16, Greg KH wrote:
> > > > On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
> > > > > From: Thomas Gleixner<tglx@linutronix.de>
> > > > >
> > > > > commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
> > > > This commit is already in the 4.9 tree. If the backport was incorrect,
> > > > say that here, and describe what went wrong and why this commit fixes
> > > > it.
> > > >
> > > > Also state what commit this fixes as well, otherwise this changelog just
> > > > looks like it is being applied again to the tree, which doesn't make
> > > > much sense.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > > .
> > >
> > > I wrote a cover for it. but forgot to adjust the title of the cover:
> > >
> > > https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
> > >
> > >
> > > I found a dead code in the queue/4.9 branch of the stable-rc repository.
> > >
> > > 2021-02-03:
> > > commit c27f392040e2f6 ("futex: Provide distinct return value when
> > > owner is exiting")
> > > The function handle_exit_race does not exist. Therefore, the
> > > change in handle_exit_race() is ignored in the patch round.
> > >
> > > 2021-02-22:
> > > commit e55cb811e612 ("futex: Cure exit race")
> > > Define the handle_exit_race() function,
> > > but no branch in the function returns EBUSY.
> > > As a result, dead code occurs in the attach_to_pi_owner():
> > >
> > > int ret = handle_exit_race(uaddr, uval, p);
> > > ...
> > > if (ret == -EBUSY)
> > > *exiting = p; /* dead code */
> > >
> > > To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
> > > race"),
> > > or install a patch to incorporate the changes in handle_exit_race().
> > >
> > > I am unfamiliar with the processing of the stable-rc queue branch,
> > > and I cannot find the patch mail of the current branch in
> > > https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
> > > Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
> > > return value when owner is exiting").
> > > And wrote a cover (but forgot to adjust the title of the cover):
> > >
> > > https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
> >
> > So this is a "fixup" patch, right?
> >
> > Please clearly label it as such in your patch description and resend
> > this as what is here I can not apply at all.
> >
> > thanks,
> >
> > greg k-h
> > .
> >
> Thank you for your guidance.
> I have updated the patch description and resent the patch based on
> v4.9.258-rc1
> https://lore.kernel.org/lkml/20210222125352.110124-1-nixiaoming@huawei.com/
Can you please try 4.9.258 and let me know if this is still needed or
not?
thanks,
greg k-h
^ permalink raw reply [relevance 0%]
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-22 12:09 0% ` Greg KH
@ 2021-02-22 14:11 0% ` Xiaoming Ni
2021-02-23 13:00 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-22 14:11 UTC (permalink / raw)
To: Greg KH; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On 2021/2/22 20:09, Greg KH wrote:
> On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
>> On 2021/2/22 18:16, Greg KH wrote:
>>> On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
>>>> From: Thomas Gleixner<tglx@linutronix.de>
>>>>
>>>> commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
>>> This commit is already in the 4.9 tree. If the backport was incorrect,
>>> say that here, and describe what went wrong and why this commit fixes
>>> it.
>>>
>>> Also state what commit this fixes as well, otherwise this changelog just
>>> looks like it is being applied again to the tree, which doesn't make
>>> much sense.
>>>
>>> thanks,
>>>
>>> greg k-h
>>> .
>>
>> I wrote a cover for it. but forgot to adjust the title of the cover:
>>
>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>>
>>
>> I found a dead code in the queue/4.9 branch of the stable-rc repository.
>>
>> 2021-02-03:
>> commit c27f392040e2f6 ("futex: Provide distinct return value when
>> owner is exiting")
>> The function handle_exit_race does not exist. Therefore, the
>> change in handle_exit_race() is ignored in the patch round.
>>
>> 2021-02-22:
>> commit e55cb811e612 ("futex: Cure exit race")
>> Define the handle_exit_race() function,
>> but no branch in the function returns EBUSY.
>> As a result, dead code occurs in the attach_to_pi_owner():
>>
>> int ret = handle_exit_race(uaddr, uval, p);
>> ...
>> if (ret == -EBUSY)
>> *exiting = p; /* dead code */
>>
>> To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
>> race"),
>> or install a patch to incorporate the changes in handle_exit_race().
>>
>> I am unfamiliar with the processing of the stable-rc queue branch,
>> and I cannot find the patch mail of the current branch in
>> https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
>> Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
>> return value when owner is exiting").
>> And wrote a cover (but forgot to adjust the title of the cover):
>>
>> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>
> So this is a "fixup" patch, right?
>
> Please clearly label it as such in your patch description and resend
> this as what is here I can not apply at all.
>
> thanks,
>
> greg k-h
> .
>
Thank you for your guidance.
I have updated the patch description and resent the patch based on
v4.9.258-rc1
https://lore.kernel.org/lkml/20210222125352.110124-1-nixiaoming@huawei.com/
Thanks
Xiaoming Ni
^ permalink raw reply [relevance 0%]
* [PATCH] futex: fix dead code in attach_to_pi_owner()
@ 2021-02-22 12:53 9% Xiaoming Ni
2021-02-25 8:25 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-22 12:53 UTC (permalink / raw)
To: linux-kernel, stable, gregkh, sashal, tglx, lee.jones
Cc: nixiaoming, wangle6, zhengyejian1
From: Thomas Gleixner <tglx@linutronix.de>
The handle_exit_race() function is defined in commit c158b461306df82
("futex: Cure exit race"), which never returns -EBUSY. This results
in a small piece of dead code in the attach_to_pi_owner() function:
	int ret = handle_exit_race(uaddr, uval, p); /* Never return -EBUSY */
	...
	if (ret == -EBUSY)
		*exiting = p; /* dead code */
The return value -EBUSY is added to handle_exit_race() in upstream
commit ac31c7ff8624409 ("futex: Provide distinct return value when
owner is exiting"). This commit was incorporated into v4.9.255, before
the function handle_exit_race() was introduced, without modifying
handle_exit_race().
To fix dead code, extract the change of handle_exit_race() from
commit ac31c7ff8624409 ("futex: Provide distinct return value when owner
is exiting"), re-incorporated.
Fixes: c158b461306df82 ("futex: Cure exit race")
Cc: stable@vger.kernel.org # 4.9.258-rc1
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index b65dbb5d60bb..0fd785410150 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1207,11 +1207,11 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
u32 uval2;
/*
- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
- * for it to finish.
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
+ * caller that the alleged owner is busy.
*/
if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
+ return -EBUSY;
/*
* Reread the user space value to handle the following situation:
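Review bot: in handle_exit_race() the new `return -EBUSY;` sits behind `if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)`, so it is reachable only from a call site that passes a non-NULL task, and the changelog should say that explicitly. It currently justifies the change only with the `if (ret == -EBUSY) *exiting = p;` branch in attach_to_pi_owner(). Please add a sentence confirming that no other caller of handle_exit_race() relies on getting -EAGAIN from this branch, so the return-code change can be checked from the changelog alone.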
--
2.27.0
^ permalink raw reply related [relevance 9%]
* [PATCH 4.9 15/49] futex: Cure exit race
2021-02-22 12:35 6% [PATCH 4.9 00/49] 4.9.258-rc1 review Greg Kroah-Hartman
@ 2021-02-22 12:36 6% ` Greg Kroah-Hartman
0 siblings, 0 replies; 63+ results
From: Greg Kroah-Hartman @ 2021-02-22 12:36 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, Stefan Liebler, Thomas Gleixner,
Peter Zijlstra, Heiko Carstens, Darren Hart, Ingo Molnar,
Sasha Levin, Sudip Mukherjee, Lee Jones
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
CPU0                              CPU1

sys_exit()                        sys_futex()
 do_exit()                         futex_lock_pi()
  exit_signals(tsk)                 No waiters:
   tsk->flags |= PF_EXITING;        *uaddr == 0x00000PID
  mm_release(tsk)                   Set waiter bit
   exit_robust_list(tsk) {          *uaddr = 0x80000PID;
      Set owner died                attach_to_pi_owner() {
    *uaddr = 0xC0000000;             tsk = get_task(PID);
   }                                 if (!tsk->flags & PF_EXITING) {
  ...                                  attach();
  tsk->flags |= PF_EXITPIDONE;       } else {
                                       if (!(tsk->flags & PF_EXITPIDONE))
                                         return -EAGAIN;
                                       return -ESRCH; <--- FAIL
                                     }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Lee: Required to satisfy functional dependency from futex back-port.
Re-add the missing handle_exit_race() parts from:
3d4775df0a89 ("futex: Replace PF_EXITPIDONE with a state")]
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 65 insertions(+), 6 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1201,11 +1201,67 @@ static void wait_for_owner_exiting(int r
put_task_struct(exiting);
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
+ * for it to finish.
+ */
+ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->futex_state = } else {
+ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
+ * FUTEX_STATE_DEAD)
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps,
struct task_struct **exiting)
{
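Review bot: handle_exit_race() returns -EAGAIN both from the `tsk->futex_state != FUTEX_STATE_DEAD` branch and from the `uval2 != uval` branch, so attach_to_pi_owner() cannot tell "owner is still exiting" from "user space value changed", even though it takes a `struct task_struct **exiting` argument. Either return a distinct code from the first branch or say in the changelog that a follow-up does. As a smaller point, the diagram in the new comment writes `if (!tsk->flags & PF_EXITING)`; parenthesize it as `!(tsk->flags & PF_EXITING)` so the illustration matches C precedence.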
@@ -1216,12 +1272,15 @@ static int attach_to_pi_owner(u32 uval,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = futex_find_get_task(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
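Review bot: the `!pid` path now returns -EAGAIN instead of -ESRCH, but the added comment stops at "Let the caller retry" without saying what makes that retry terminate if the TID read from user space stays 0. Please extend the comment with the reason the retry makes progress, and end the sentence with a period. The `!p` path passes NULL to handle_exit_race() and so depends on the `tsk &&` guard there; a word about the NULL case in that function's comment would help.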
@@ -1240,7 +1299,7 @@ static int attach_to_pi_owner(u32 uval,
* FUTEX_STATE_DEAD, we know that the task has finished
* the cleanup:
*/
- int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
/*
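Review bot: the removed line tests `(p->futex_state = FUTEX_STATE_DEAD)`, an assignment rather than a comparison, so this hunk changes more than the changelog describes: the old code wrote to p->futex_state at this point and the new code does not. Please mention that in the bracketed backport note so the fix is not hidden inside the refactor. Also, handle_exit_race() is called before `raw_spin_unlock_irq(&p->pi_lock)`, so its get_futex_value_locked() reread runs with pi_lock held; a short comment stating that this is intended would save the next reader the check.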
@@ -1306,7 +1365,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1422,7 +1481,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps, exiting);
+ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
}
/**
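Review bot: futex_lock_pi_atomic() now passes `newval` where it used to pass `uval`, while lookup_pi_state() keeps passing `uval`, and nothing in the hunk or the changelog explains the difference. Since handle_exit_race() compares this argument against the reread value (`uval2 != uval`), the choice decides whether the caller retries or gets -ESRCH. Please add a one-line comment at this call site explaining why `newval`, not `uval`, is the value to compare against.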
^ permalink raw reply [relevance 6%]
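A userspace model of the interleaving described in the "futex: Cure exit race" changelog above, and of the return-code change in "futex: fix dead code in attach_to_pi_owner()", added here as an illustration; it is not kernel code and not part of either patch. The futex bit masks are the ones from <linux/futex.h>; the struct, enum and function names are hypothetical.

```c
/* Added illustration: userspace model of the futex exit race. Not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Futex word layout as defined in the Linux UAPI header <linux/futex.h>. */
#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* Hypothetical model states; OWNER_DEAD stands for FUTEX_STATE_DEAD. */
enum owner_state { OWNER_RUNNING, OWNER_EXITING, OWNER_DEAD };

struct model {
    uint32_t word;            /* user space futex value, *uaddr */
    enum owner_state owner;   /* exit progress of the owning task */
    int has_robust_list;      /* does the owner's exit update the word? */
};

/* CPU0: the owner exits; exit_robust_list() marks the futex owner-died. */
static void owner_exit(struct model *m)
{
    m->owner = OWNER_EXITING;
    if (m->has_robust_list)
        m->word = FUTEX_WAITERS | FUTEX_OWNER_DIED;   /* 0xC0000000 */
    m->owner = OWNER_DEAD;
}

/* Decision before the patch, once the owner is seen exiting. */
static int old_decision(const struct model *m)
{
    return m->owner == OWNER_DEAD ? -ESRCH : -EAGAIN;
}

/*
 * Model of handle_exit_race(). busy_code is -EAGAIN for "Cure exit race"
 * as queued, and -EBUSY once the dead-code fix is applied on top.
 */
static int exit_race_decision(const struct model *m, uint32_t uval, int busy_code)
{
    if (m->owner != OWNER_DEAD)
        return busy_code;     /* owner has not finished its cleanup */
    if (m->word != uval)
        return -EAGAIN;       /* value changed under us: retry from scratch */
    return -ESRCH;            /* unchanged: no robust list or bogus value */
}

/*
 * Replay the changelog's interleaving: CPU1 sets the waiter bit, then CPU0
 * exits completely before CPU1 inspects the task. Returns CPU1's result.
 */
static int replay(uint32_t pid, int has_robust_list, int patched, uint32_t *final_word)
{
    struct model m = { pid, OWNER_RUNNING, has_robust_list };
    uint32_t uval;

    m.word |= FUTEX_WAITERS;  /* CPU1: *uaddr = 0x80000PID */
    uval = m.word;            /* the value CPU1 bases its decision on */
    owner_exit(&m);           /* CPU0 runs to completion in between */
    *final_word = m.word;
    return patched ? exit_race_decision(&m, uval, -EAGAIN) : old_decision(&m);
}

/* attach_to_pi_owner() records the exiting task only when it sees -EBUSY. */
static int waits_for_owner(const struct model *m, uint32_t uval, int busy_code)
{
    return exit_race_decision(m, uval, busy_code) == -EBUSY;
}

static void show(const char *label, int ret, uint32_t word)
{
    printf("%-34s ret=%d word=0x%08x\n", label, ret, (unsigned)word);
}

int main(void)
{
    struct model mid = { FUTEX_WAITERS | 1234u, OWNER_EXITING, 1 };
    uint32_t w;
    int ret;

    ret = replay(1234, 1, 0, &w);
    show("before patch, robust list:", ret, w);      /* -ESRCH: the bug */
    ret = replay(1234, 1, 1, &w);
    show("after patch, robust list:", ret, w);       /* -EAGAIN: retry */
    ret = replay(1234, 0, 1, &w);
    show("after patch, no robust list:", ret, w);    /* -ESRCH is correct */
    printf("owner mid-exit, busy=-EAGAIN: waits=%d\n",
           waits_for_owner(&mid, mid.word, -EAGAIN));
    printf("owner mid-exit, busy=-EBUSY:  waits=%d\n",
           waits_for_owner(&mid, mid.word, -EBUSY));
    return 0;
}
```

After the retry in the second case the word has TID 0 with FUTEX_OWNER_DIED set, which is the valid state the changelog says the kernel has to handle by taking the futex.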
* [PATCH 4.9 00/49] 4.9.258-rc1 review
@ 2021-02-22 12:35 6% Greg Kroah-Hartman
2021-02-22 12:36 6% ` [PATCH 4.9 15/49] futex: Cure exit race Greg Kroah-Hartman
0 siblings, 1 reply; 63+ results
From: Greg Kroah-Hartman @ 2021-02-22 12:35 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, stable
This is the start of the stable review cycle for the 4.9.258 release.
There are 49 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 24 Feb 2021 12:07:46 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.258-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.9.258-rc1
Lai Jiangshan <laijs@linux.alibaba.com>
kvm: check tlbs_dirty directly
Arun Easi <aeasi@marvell.com>
scsi: qla2xxx: Fix crash during driver load on big endian machines
Jan Beulich <jbeulich@suse.com>
xen-blkback: fix error handling in xen_blkbk_map()
Jan Beulich <jbeulich@suse.com>
xen-scsiback: don't "handle" error by BUG()
Jan Beulich <jbeulich@suse.com>
xen-netback: don't "handle" error by BUG()
Jan Beulich <jbeulich@suse.com>
xen-blkback: don't "handle" error by BUG()
Stefano Stabellini <stefano.stabellini@xilinx.com>
xen/arm: don't ignore return errors from set_phys_to_machine
Jan Beulich <jbeulich@suse.com>
Xen/gntdev: correct error checking in gntdev_map_grant_pages()
Jan Beulich <jbeulich@suse.com>
Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
Jan Beulich <jbeulich@suse.com>
Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
Jan Beulich <jbeulich@suse.com>
Xen/x86: don't bail early from clear_foreign_p2m_mapping()
Vasily Gorbik <gor@linux.ibm.com>
tracing: Avoid calling cc-option -mrecord-mcount for every Makefile
Greg Thelen <gthelen@google.com>
tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-mcount
Andi Kleen <ak@linux.intel.com>
trace: Use -mcount-record for dynamic ftrace
Borislav Petkov <bp@suse.de>
x86/build: Disable CET instrumentation in the kernel for 32-bit too
Stefano Garzarella <sgarzare@redhat.com>
vsock: fix locking in vsock_shutdown()
Stefano Garzarella <sgarzare@redhat.com>
vsock/virtio: update credit only if socket is not closed
Edwin Peer <edwin.peer@broadcom.com>
net: watchdog: hold device global xmit lock during tx disable
Norbert Slusarek <nslusarek@gmx.net>
net/vmw_vsock: improve locking in vsock_connect_timeout()
Serge Semin <Sergey.Semin@baikalelectronics.ru>
usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
Felipe Balbi <balbi@kernel.org>
usb: dwc3: ulpi: fix checkpatch warning
Randy Dunlap <rdunlap@infradead.org>
h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
Florian Westphal <fw@strlen.de>
netfilter: conntrack: skip identical origin tuple in same zone only
Juergen Gross <jgross@suse.com>
xen/netback: avoid race in xenvif_rx_ring_slots_available()
Jozsef Kadlecsik <kadlec@mail.kfki.hu>
netfilter: xt_recent: Fix attempt to update deleted entry
Bui Quang Minh <minhquangbui99@gmail.com>
bpf: Check for integer overflow when using roundup_pow_of_two()
Roman Gushchin <guro@fb.com>
memblock: do not start bottom-up allocations with kernel_end
Alexandre Belloni <alexandre.belloni@bootlin.com>
ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
Amir Goldstein <amir73il@gmail.com>
ovl: skip getxattr of security labels
Steven Rostedt (VMware) <rostedt@goodmis.org>
tracing: Check length before giving out the filter buffer
Steven Rostedt (VMware) <rostedt@goodmis.org>
tracing: Do not count ftrace events in top level enable output
Phillip Lougher <phillip@squashfs.org.uk>
squashfs: add more sanity checks in xattr id lookup
Phillip Lougher <phillip@squashfs.org.uk>
squashfs: add more sanity checks in inode lookup
Phillip Lougher <phillip@squashfs.org.uk>
squashfs: add more sanity checks in id lookup
Thomas Gleixner <tglx@linutronix.de>
futex: Cure exit race
Peter Zijlstra <peterz@infradead.org>
futex: Change locking rules
Thomas Gleixner <tglx@linutronix.de>
futex: Ensure the correct return value from futex_lock_pi()
Theodore Ts'o <tytso@mit.edu>
memcg: fix a crash in wb_workfn when a device disappears
Qian Cai <cai@lca.pw>
include/trace/events/writeback.h: fix -Wstringop-truncation warnings
Tobin C. Harding <tobin@kernel.org>
lib/string: Add strscpy_pad() function
Dave Wysochanski <dwysocha@redhat.com>
SUNRPC: Handle 0 length opaque XDR object data properly
Dave Wysochanski <dwysocha@redhat.com>
SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
Johannes Berg <johannes.berg@intel.com>
iwlwifi: mvm: guard against device removal in reprobe
Emmanuel Grumbach <emmanuel.grumbach@intel.com>
iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
Johannes Berg <johannes.berg@intel.com>
iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
Cong Wang <cong.wang@bytedance.com>
af_key: relax availability checks for skb size calculation
Sibi Sankar <sibis@codeaurora.org>
remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
Steven Rostedt (VMware) <rostedt@goodmis.org>
fgraph: Initialize tracing_graph_pause at task creation
Johannes Weiner <hannes@cmpxchg.org>
mm: memcontrol: fix NULL pointer crash in test_clear_page_writeback()
-------------
Diffstat:
Makefile | 11 +-
arch/arm/boot/dts/lpc32xx.dtsi | 3 -
arch/arm/xen/p2m.c | 6 +-
arch/h8300/kernel/asm-offsets.c | 3 +
arch/x86/Makefile | 6 +-
arch/x86/xen/p2m.c | 15 +-
drivers/block/xen-blkback/blkback.c | 30 +--
.../net/wireless/intel/iwlwifi/mvm/debugfs-vif.c | 3 +
drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 3 +-
drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 5 +
drivers/net/xen-netback/netback.c | 4 +-
drivers/net/xen-netback/rx.c | 9 +-
drivers/remoteproc/qcom_q6v5_pil.c | 6 +
drivers/scsi/qla2xxx/qla_tmpl.c | 9 +-
drivers/scsi/qla2xxx/qla_tmpl.h | 2 +-
drivers/usb/dwc3/ulpi.c | 20 +-
drivers/xen/gntdev.c | 33 ++-
drivers/xen/xen-scsiback.c | 4 +-
fs/fs-writeback.c | 2 +-
fs/overlayfs/copy_up.c | 15 +-
fs/squashfs/export.c | 41 +++-
fs/squashfs/id.c | 40 +++-
fs/squashfs/squashfs_fs_sb.h | 1 +
fs/squashfs/super.c | 6 +-
fs/squashfs/xattr.h | 10 +-
fs/squashfs/xattr_id.c | 66 +++++-
include/linux/backing-dev.h | 10 +
include/linux/ftrace.h | 4 +-
include/linux/memcontrol.h | 33 ++-
include/linux/netdevice.h | 2 +
include/linux/string.h | 4 +
include/linux/sunrpc/xdr.h | 3 +-
include/trace/events/writeback.h | 35 ++--
include/xen/grant_table.h | 1 +
kernel/bpf/stackmap.c | 2 +
kernel/futex.c | 233 +++++++++++++++++----
kernel/trace/ftrace.c | 2 -
kernel/trace/trace.c | 2 +-
kernel/trace/trace_events.c | 3 +-
lib/string.c | 47 ++++-
mm/backing-dev.c | 1 +
mm/memblock.c | 48 +----
mm/memcontrol.c | 43 ++--
mm/page-writeback.c | 14 +-
net/key/af_key.c | 6 +-
net/netfilter/nf_conntrack_core.c | 3 +-
net/netfilter/xt_recent.c | 12 +-
net/sunrpc/auth_gss/auth_gss.c | 30 +--
net/sunrpc/auth_gss/auth_gss_internal.h | 45 ++++
net/sunrpc/auth_gss/gss_krb5_mech.c | 31 +--
net/vmw_vsock/af_vsock.c | 13 +-
net/vmw_vsock/virtio_transport_common.c | 4 +-
scripts/Makefile.build | 3 +
virt/kvm/kvm_main.c | 3 +-
54 files changed, 681 insertions(+), 309 deletions(-)
^ permalink raw reply [relevance 6%]
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
2021-02-22 10:54 10% ` Xiaoming Ni
@ 2021-02-22 12:09 0% ` Greg KH
2021-02-22 14:11 0% ` Xiaoming Ni
0 siblings, 1 reply; 63+ results
From: Greg KH @ 2021-02-22 12:09 UTC (permalink / raw)
To: Xiaoming Ni; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On Mon, Feb 22, 2021 at 06:54:06PM +0800, Xiaoming Ni wrote:
> On 2021/2/22 18:16, Greg KH wrote:
> > On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
> > > From: Thomas Gleixner<tglx@linutronix.de>
> > >
> > > commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
> > This commit is already in the 4.9 tree. If the backport was incorrect,
> > say that here, and describe what went wrong and why this commit fixes
> > it.
> >
> > Also state what commit this fixes as well, otherwise this changelog just
> > looks like it is being applied again to the tree, which doesn't make
> > much sense.
> >
> > thanks,
> >
> > greg k-h
> > .
>
> I wrote a cover for it, but forgot to adjust the title of the cover:
>
> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
>
>
> I found dead code in the queue/4.9 branch of the stable-rc repository.
>
> 2021-02-03:
> commit c27f392040e2f6 ("futex: Provide distinct return value when
> owner is exiting")
> The function handle_exit_race does not exist. Therefore, the
> change in handle_exit_race() is ignored in the patch round.
>
> 2021-02-22:
> commit e55cb811e612 ("futex: Cure exit race")
> Define the handle_exit_race() function,
> but no branch in the function returns EBUSY.
> As a result, dead code occurs in the attach_to_pi_owner():
>
>     int ret = handle_exit_race(uaddr, uval, p);
>     ...
>     if (ret == -EBUSY)
>         *exiting = p; /* dead code */
>
> To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
> race"),
> or install a patch to incorporate the changes in handle_exit_race().
>
> I am unfamiliar with the processing of the stable-rc queue branch,
> and I cannot find the patch mail of the current branch in
> https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
> Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
> return value when owner is exiting").
> And wrote a cover (but forgot to adjust the title of the cover):
>
> https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
So this is a "fixup" patch, right?
Please clearly label it as such in your patch description and resend
this, as what is here I can not apply at all.
thanks,
greg k-h
^ permalink raw reply [relevance 0%]
* Re: [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting
@ 2021-02-22 10:54 10% ` Xiaoming Ni
2021-02-22 12:09 0% ` Greg KH
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-22 10:54 UTC (permalink / raw)
To: Greg KH; +Cc: linux-kernel, stable, sashal, tglx, wangle6, zhengyejian1
On 2021/2/22 18:16, Greg KH wrote:
> On Mon, Feb 22, 2021 at 03:03:28PM +0800, Xiaoming Ni wrote:
>> From: Thomas Gleixner<tglx@linutronix.de>
>>
>> commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
> This commit is already in the 4.9 tree. If the backport was incorrect,
> say that here, and describe what went wrong and why this commit fixes
> it.
>
> Also state what commit this fixes as well, otherwise this changelog just
> looks like it is being applied again to the tree, which doesn't make
> much sense.
>
> thanks,
>
> greg k-h
> .
I wrote a cover for it, but forgot to adjust the title of the cover:
https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
I found dead code in the queue/4.9 branch of the stable-rc repository.
2021-02-03:
commit c27f392040e2f6 ("futex: Provide distinct return value when
owner is exiting")
The function handle_exit_race does not exist. Therefore, the
change in handle_exit_race() is ignored in the patch round.
2021-02-22:
commit e55cb811e612 ("futex: Cure exit race")
Define the handle_exit_race() function,
but no branch in the function returns EBUSY.
As a result, dead code occurs in the attach_to_pi_owner():
    int ret = handle_exit_race(uaddr, uval, p);
    ...
    if (ret == -EBUSY)
        *exiting = p; /* dead code */
To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit
race"),
or install a patch to incorporate the changes in handle_exit_race().
I am unfamiliar with the processing of the stable-rc queue branch,
and I cannot find the patch mail of the current branch in
https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
return value when owner is exiting").
And wrote a cover (but forgot to adjust the title of the cover):
https://lore.kernel.org/lkml/20210222070328.102384-1-nixiaoming@huawei.com/
Thanks
Xiaoming Ni
^ permalink raw reply [relevance 10%]
* [PATCH stable-rc queue/4.9 0/1] repatch
@ 2021-02-22 7:03 10% Xiaoming Ni
0 siblings, 1 reply; 63+ results
From: Xiaoming Ni @ 2021-02-22 7:03 UTC (permalink / raw)
To: linux-kernel, stable, gregkh, sashal, tglx
Cc: nixiaoming, wangle6, zhengyejian1
I found dead code in the queue/4.9 branch of the stable-rc repository.
2021-02-03:
commit c27f392040e2f6 ("futex: Provide distinct return value when
owner is exiting")
The function handle_exit_race does not exist. Therefore, the
change in handle_exit_race() is ignored in the patch round.
2021-02-22:
commit e55cb811e612 ("futex: Cure exit race")
Define the handle_exit_race() function,
but no branch in the function returns EBUSY.
As a result, dead code occurs in the attach_to_pi_owner():
    int ret = handle_exit_race(uaddr, uval, p);
    ...
    if (ret == -EBUSY)
        *exiting = p; /* dead code */
To fix the dead code, modify the commit e55cb811e612 ("futex: Cure exit race"),
or install a patch to incorporate the changes in handle_exit_race().
I am unfamiliar with the processing of the stable-rc queue branch,
and I cannot find the patch mail of the current branch in
https://lore.kernel.org/lkml/?q=%22futex%3A+Cure+exit+race%22
Therefore, I re-integrated commit ac31c7ff8624 ("futex: Provide distinct
return value when owner is exiting").
-----
Thomas Gleixner (1):
futex: Provide distinct return value when owner is exiting
kernel/futex.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--
2.27.0
^ permalink raw reply [relevance 10%]
* Re: handle_exit_race && PF_EXITING
2019-11-06 10:35 0% ` Oleg Nesterov
@ 2019-11-06 11:07 0% ` Thomas Gleixner
0 siblings, 0 replies; 63+ results
From: Thomas Gleixner @ 2019-11-06 11:07 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Florian Weimer, Shawn Landden, libc-alpha, linux-api, LKML,
Arnd Bergmann, Deepa Dinamani, Andrew Morton, Catalin Marinas,
Keith Packard, Peter Zijlstra
On Wed, 6 Nov 2019, Oleg Nesterov wrote:
> On 11/06, Thomas Gleixner wrote:
> > > + if (unlikely(p->flags & PF_EXITPIDONE)) {
> > > + /* exit_pi_state_list() was already called */
> > > raw_spin_unlock_irq(&p->pi_lock);
> > > put_task_struct(p);
> > > - return ret;
> > > + return -ESRCH;
> >
> > But, this is incorrect because we'd return -ESRCH to user space while the
> > futex value still has the TID of the exiting task set which will
> > subsequently cleanout the futex and set the owner died bit.
>
> Heh. Of course this is not correct. As I said, this patch should be adapted
> to the current code. See below.
>
> > See da791a667536 ("futex: Cure exit race") for example.
>
> Thomas, I simply can't resist ;)
>
> I reported this race when I sent this patch in 2015,
>
> https://lore.kernel.org/lkml/20150205181014.GA20244@redhat.com/
>
> but somehow that discussion died with no result.
Yes. I was not paying attention for some reason. Don't ask me what happened
in Feb. 2015 :)
But even if we adapt that patch to the current code it won't solve the
-ESRCH issue I described above.
> > Guess why that code has more corner case handling than actual
> > functionality. :)
>
> I know why. To confuse me!
Of course. As Rusty said: "Futexes are also cursed"
Thanks,
tglx
^ permalink raw reply [relevance 0%]
* Re: handle_exit_race && PF_EXITING
2019-11-06 9:53 8% ` Thomas Gleixner
@ 2019-11-06 10:35 0% ` Oleg Nesterov
2019-11-06 11:07 0% ` Thomas Gleixner
0 siblings, 1 reply; 63+ results
From: Oleg Nesterov @ 2019-11-06 10:35 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Florian Weimer, Shawn Landden, libc-alpha, linux-api, LKML,
Arnd Bergmann, Deepa Dinamani, Andrew Morton, Catalin Marinas,
Keith Packard, Peter Zijlstra
On 11/06, Thomas Gleixner wrote:
>
> > @@ -716,11 +716,13 @@ void exit_pi_state_list(struct task_struct *curr)
> >
> > if (!futex_cmpxchg_enabled)
> > return;
> > +
> > /*
> > - * We are a ZOMBIE and nobody can enqueue itself on
> > - * pi_state_list anymore, but we have to be careful
> > - * versus waiters unqueueing themselves:
> > + * attach_to_pi_owner() can no longer add the new entry. But
> > + * we have to be careful versus waiters unqueueing themselves.
> > */
> > + curr->flags |= PF_EXITPIDONE;
>
> This obviously would need a barrier or would have to be moved inside of the
> pi_lock region.
probably yes,
> > + if (unlikely(p->flags & PF_EXITPIDONE)) {
> > + /* exit_pi_state_list() was already called */
> > raw_spin_unlock_irq(&p->pi_lock);
> > put_task_struct(p);
> > - return ret;
> > + return -ESRCH;
>
> But, this is incorrect because we'd return -ESRCH to user space while the
> futex value still has the TID of the exiting task set which will
> subsequently cleanout the futex and set the owner died bit.
Heh. Of course this is not correct. As I said, this patch should be adapted
to the current code. See below.
> See da791a667536 ("futex: Cure exit race") for example.
Thomas, I simply can't resist ;)
I reported this race when I sent this patch in 2015,
https://lore.kernel.org/lkml/20150205181014.GA20244@redhat.com/
but somehow that discussion died with no result.
> Guess why that code has more corner case handling than actual
> functionality. :)
I know why. To confuse me!
Oleg.
^ permalink raw reply [relevance 0%]
* Re: handle_exit_race && PF_EXITING
@ 2019-11-06 9:53 8% ` Thomas Gleixner
2019-11-06 10:35 0% ` Oleg Nesterov
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2019-11-06 9:53 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Florian Weimer, Shawn Landden, libc-alpha, linux-api, LKML,
Arnd Bergmann, Deepa Dinamani, Andrew Morton, Catalin Marinas,
Keith Packard, Peter Zijlstra
Oleg,
On Wed, 6 Nov 2019, Oleg Nesterov wrote:
> I have found the fix I sent in 2015, attached below. I forgot everything
> I knew about futex.c, so I need some time to adapt it to the current code.
>
> But I think it is clear what this patch tries to do, do you see any hole?
> @@ -716,11 +716,13 @@ void exit_pi_state_list(struct task_struct *curr)
>
> if (!futex_cmpxchg_enabled)
> return;
> +
> /*
> - * We are a ZOMBIE and nobody can enqueue itself on
> - * pi_state_list anymore, but we have to be careful
> - * versus waiters unqueueing themselves:
> + * attach_to_pi_owner() can no longer add the new entry. But
> + * we have to be careful versus waiters unqueueing themselves.
> */
> + curr->flags |= PF_EXITPIDONE;
This obviously would need a barrier or would have to be moved inside of the
pi_lock region.
> raw_spin_lock_irq(&curr->pi_lock);
> while (!list_empty(head)) {
>
> @@ -905,24 +907,12 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
> return -EPERM;
> }
>
> - /*
> - * We need to look at the task state flags to figure out,
> - * whether the task is exiting. To protect against the do_exit
> - * change of the task flags, we do this protected by
> - * p->pi_lock:
> - */
> raw_spin_lock_irq(&p->pi_lock);
> - if (unlikely(p->flags & PF_EXITING)) {
> - /*
> - * The task is on the way out. When PF_EXITPIDONE is
> - * set, we know that the task has finished the
> - * cleanup:
> - */
> - int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
> -
> + if (unlikely(p->flags & PF_EXITPIDONE)) {
> + /* exit_pi_state_list() was already called */
> raw_spin_unlock_irq(&p->pi_lock);
> put_task_struct(p);
> - return ret;
> + return -ESRCH;
But, this is incorrect because we'd return -ESRCH to user space while the
futex value still has the TID of the exiting task set which will
subsequently cleanout the futex and set the owner died bit.
The result is inconsistent state and will trigger the asserts in the futex
test suite and in the pthread_mutex implementation.
The only reason why -ESRCH can be returned is when the user space value of
the futex contains garbage. But in this case it does not contain garbage
and returning -ESRCH violates the implicit robustness guarantee of PI
futexes and causes unexpected havoc.
See da791a667536 ("futex: Cure exit race") for example.
The futex PI contract between kernel and user space relies on consistent
state. Guess why that code has more corner case handling than actual
functionality. :)
Thanks,
tglx
^ permalink raw reply [relevance 8%]
* Linux 4.14.102
@ 2019-02-20 9:56 5% Greg KH
0 siblings, 0 replies; 63+ results
From: Greg KH @ 2019-02-20 9:56 UTC (permalink / raw)
To: linux-kernel, Andrew Morton, torvalds, stable; +Cc: lwn, Jiri Slaby
I'm announcing the release of the 4.14.102 kernel.
All users of the 4.14 kernel series must upgrade.
The updated 4.14.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y
and can be browsed at the normal kernel.org git web browser:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/devicetree/bindings/eeprom/eeprom.txt | 5 -
Makefile | 2
arch/alpha/include/asm/irq.h | 6 -
arch/alpha/mm/fault.c | 2
arch/arm/boot/dts/da850-evm.dts | 2
arch/arm/boot/dts/da850-lcdk.dts | 2
arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 -
arch/arm/include/asm/assembler.h | 11 ++
arch/arm/include/asm/cputype.h | 1
arch/arm/include/asm/proc-fns.h | 61 ++++++++++++---
arch/arm/include/asm/thread_info.h | 4 -
arch/arm/include/asm/uaccess.h | 49 ++++++++++--
arch/arm/kernel/bugs.c | 4 -
arch/arm/kernel/head-common.S | 6 -
arch/arm/kernel/setup.c | 40 ++++++----
arch/arm/kernel/signal.c | 80 +++++++++++---------
arch/arm/kernel/smp.c | 31 +++++++
arch/arm/kernel/sys_oabi-compat.c | 8 +-
arch/arm/lib/copy_from_user.S | 6 -
arch/arm/lib/copy_to_user.S | 6 +
arch/arm/lib/uaccess_with_memcpy.c | 3
arch/arm/mach-integrator/impd1.c | 6 +
arch/arm/mm/proc-macros.S | 10 ++
arch/arm/mm/proc-v7-bugs.c | 17 ----
arch/arm/vfp/vfpmodule.c | 20 ++---
arch/x86/events/core.c | 14 +++
arch/x86/events/intel/core.c | 9 ++
arch/x86/events/perf_event.h | 16 +++-
arch/x86/ia32/ia32_aout.c | 6 +
arch/x86/include/asm/uv/bios.h | 8 +-
arch/x86/kvm/vmx.c | 3
arch/x86/platform/uv/bios_uv.c | 23 +++++
block/blk-flush.c | 2
drivers/acpi/numa.c | 6 -
drivers/cpufreq/cpufreq.c | 12 +--
drivers/firmware/efi/runtime-wrappers.c | 7 +
drivers/gpu/drm/bridge/tc358767.c | 41 ++++++++--
drivers/gpu/drm/i915/i915_gem.c | 12 ++-
drivers/gpu/drm/nouveau/nvkm/engine/falcon.c | 7 +
drivers/gpu/drm/nouveau/nvkm/subdev/therm/base.c | 7 +
drivers/input/misc/bma150.c | 9 +-
drivers/input/mouse/elan_i2c_core.c | 2
drivers/input/mouse/elantech.c | 9 ++
drivers/md/dm-crypt.c | 2
drivers/md/dm-thin.c | 55 ++++++++++++-
drivers/md/raid1.c | 29 ++++---
drivers/misc/eeprom/Kconfig | 2
drivers/misc/eeprom/at24.c | 1
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++
drivers/nvme/host/pci.c | 10 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 23 ++++-
fs/cifs/file.c | 8 ++
fs/cifs/smb2file.c | 4 +
fs/proc/task_mmu.c | 22 +++--
include/linux/perf_event.h | 5 +
include/linux/skbuff.h | 16 ++++
include/trace/events/sched.h | 12 ++-
include/uapi/linux/if_ether.h | 7 +
kernel/events/core.c | 16 ++++
kernel/events/ring_buffer.c | 2
kernel/futex.c | 69 +++++++++++++++--
kernel/signal.c | 7 +
kernel/trace/trace_uprobe.c | 9 ++
net/core/skbuff.c | 63 ++++++++++++---
net/sched/sch_tbf.c | 10 --
sound/pci/hda/patch_conexant.c | 1
sound/usb/pcm.c | 9 ++
tools/perf/tests/shell/lib/probe_vfs_getname.sh | 3
68 files changed, 747 insertions(+), 235 deletions(-)
Adrian Bunk (2):
dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string
eeprom: at24: add support for 24c2048
Andreas Ziegler (1):
tracing/uprobes: Fix output for multiple string arguments
Arnaldo Carvalho de Melo (1):
perf test shell: Use a fallback to get the pathname in vfs_getname
Borislav Petkov (1):
x86/a.out: Clear the dump structure initially
Chao Fan (1):
ACPI: NUMA: Use correct type for printing addresses on i386-PAE
Christian Lamparter (1):
pinctrl: msm: fix gpio-hog related boot issues
Daniel Axtens (2):
net: create skb_gso_validate_mac_len()
bnx2x: disable GSO where gso_size is too big for hardware
Dmitry Torokhov (1):
Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
Eric W. Biederman (1):
signal: Restore the stop PTRACE_EVENT_EXIT
Greg Kroah-Hartman (1):
Linux 4.14.102
Hauke Mehrtens (2):
uapi/if_ether.h: prevent redefinition of struct ethhdr
uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
Hedi Berriche (1):
x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
Ilia Mirkin (1):
drm/nouveau/falcon: avoid touching registers if engine is off
Ingo Molnar (1):
perf/core: Fix impossible ring-buffer sizes warning
Jianchao Wang (1):
blk-mq: fix a hung issue when fsync
Jiri Olsa (1):
perf/x86: Add check_period PMU callback
Jonathan Bakker (1):
Input: bma150 - register input device after setting private data
Joonas Lahtinen (1):
drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
Julien Thierry (10):
ARM: 8789/1: signal: copy registers using __copy_to_user()
ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context
ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state
ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user()
ARM: 8793/1: signal: replace __put_user_error with __put_user
ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit
ARM: 8795/1: spectre-v1.1: use put_user() for __put_user()
ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization
ARM: 8797/1: spectre-v1.1: harden __copy_to_user
ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc
Jurica Vukadin (1):
ALSA: hda - Add quirk for HP EliteBook 840 G5
Linus Walleij (1):
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
Liviu Dudau (1):
nvme-pci: use the same attributes when freeing host_mem_desc_bufs.
Manuel Reinhardt (1):
ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
Matti Kurkela (1):
Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
Mauro Ciancio (1):
Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
Meelis Roos (1):
alpha: Fix Eiger NR_IRQS to 128
Mikulas Patocka (1):
dm crypt: don't overallocate the integrity tag space
Nate Dailey (1):
md/raid1: don't clear bitmap bits on interrupted recovery.
Nicholas Mc Guire (1):
gpio: pl061: handle failed allocations
Nikos Tsironis (1):
dm thin: fix bug where bio that overwrites thin block ignores FUA
Pavankumar Kondeti (1):
sched, trace: Fix prev_state output in sched_switch tracepoint
Peter Ujfalusi (2):
ARM: dts: da850-evm: Correct the sound card name
ARM: dts: da850-lcdk: Correct the sound card name
Ross Lagerwall (1):
cifs: Limit memory used by lock request calls to a page
Russell King (7):
ARM: make lookup_processor_type() non-__init
ARM: split out processor lookup
ARM: clean up per-processor check_bugs method call
ARM: add PROC_VTABLE and PROC_TABLE macros
ARM: spectre-v2: per-CPU vtables to work around big.Little systems
ARM: ensure that processor vtables is not lost after boot
ARM: fix the cockup in the previous patch
Sandeep Patil (1):
mm: proc: smaps_rollup: fix pss_locked calculation
Sergei Trofimovich (1):
alpha: fix page fault handling for r16-r18 targets
Sudeep Holla (1):
cpufreq: check if policy is inactive early in __cpufreq_get()
Takashi Iwai (1):
drm/nouveau: Don't disable polling in fallback mode
Thomas Gleixner (1):
futex: Cure exit race
Tomi Valkeinen (5):
drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE
drm/bridge: tc358767: fix single lane configuration
drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value
drm/bridge: tc358767: reject modes which require too much BW
drm/bridge: tc358767: fix output H/V syncs
Xiaoyao Li (1):
kvm: vmx: Fix entry number check for add_atomic_switch_msr()
^ permalink raw reply [relevance 5%]
* [PATCH 4.14 61/62] futex: Cure exit race
2019-02-18 13:43 4% [PATCH 4.14 00/62] 4.14.102-stable review Greg Kroah-Hartman
@ 2019-02-18 13:44 6% ` Greg Kroah-Hartman
0 siblings, 0 replies; 63+ results
From: Greg Kroah-Hartman @ 2019-02-18 13:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefan Liebler, Thomas Gleixner,
Peter Zijlstra, Heiko Carstens, Darren Hart, Ingo Molnar,
Sasha Levin, Sudip Mukherjee
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
 CPU0                             CPU1

 sys_exit()                       sys_futex()
  do_exit()                        futex_lock_pi()
   exit_signals(tsk)                No waiters:
    tsk->flags |= PF_EXITING;       *uaddr == 0x00000PID
   mm_release(tsk)                  Set waiter bit
    exit_robust_list(tsk) {         *uaddr = 0x80000PID;
       Set owner died               attach_to_pi_owner() {
     *uaddr = 0xC0000000;            tsk = get_task(PID);
    }                                if (!tsk->flags & PF_EXITING) {
   ...                                 attach();
   tsk->flags |= PF_EXITPIDONE;      } else {
                                       if (!(tsk->flags & PF_EXITPIDONE))
                                         return -EAGAIN;
                                       return -ESRCH; <--- FAIL
                                     }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 63 insertions(+), 6 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1166,11 +1166,65 @@ out_error:
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
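Review bot: In the race diagram inside the new handle_exit_race() comment, `if (!tsk->flags & PF_EXITING) {` parses as `(!tsk->flags) & PF_EXITING`; the intended test is `!(tsk->flags & PF_EXITING)`, matching the parenthesised PF_EXITPIDONE check two lines below it. As this comment is the main in-tree description of the race, it is worth correcting there. The function would also benefit from a short statement of its contract: -EAGAIN means retry, -EFAULT means the reread failed, -ESRCH means give up, and uval must be the value the caller last saw or wrote at *uaddr, because the `uval2 != uval` comparison depends on it.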
@@ -1180,12 +1234,15 @@ static int attach_to_pi_owner(u32 uval,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = futex_find_get_task(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
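Review bot: The `if (!pid)` branch now returns -EAGAIN for a case that the added comment says no call site should reach. If that invariant holds, a WARN_ON_ONCE(!pid) would make a violation visible instead of silently turning it into a retry; if it does not hold, the comment should name the path that can get here. The added line "Let the caller retry" is also missing its full stop.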
@@ -1205,7 +1262,7 @@ static int attach_to_pi_owner(u32 uval,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
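Review bot: handle_exit_race() is called here ahead of `raw_spin_unlock_irq(&p->pi_lock)`, so its reread of the user space value through get_futex_value_locked() runs with p->pi_lock held and interrupts disabled. The surrounding comment only covers the flag check; please add a sentence saying that the reread must not sleep in this context and that a failed read comes back as -EFAULT in ret, so the reason this is safe is recorded at the call site.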
@@ -1262,7 +1319,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1370,7 +1427,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
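Review bot: This call site changes the second argument from `uval` to `newval` in addition to passing `uaddr`, while the lookup_pi_state() call site keeps `uval`. The comment just above says the FUTEX_WAITERS bit has been set in the user space variable at this point, so newval is presumably the value handle_exit_race() has to compare its reread against; please state that in the comment or the changelog. The difference between the two call sites is easy to miss, and passing uval here would make the `uval2 != uval` test report a change whenever uval and newval differ.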
^ permalink raw reply [relevance 6%]
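The decision change described in the commit message above, replayed as a deterministic user-space model with the old check beside the new one. This is an added example, not kernel code and not part of the patch: `model_task`, the `M_PF_*` bits, `owner_exit()` and `replay()` are hypothetical names, and the futex word is plain memory instead of a user-space mapping.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Futex word bits, values as in the uapi header <linux/futex.h>. */
#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* Model-only stand-ins for the kernel's PF_EXITING / PF_EXITPIDONE bits. */
#define M_PF_EXITING     0x1u
#define M_PF_EXITPIDONE  0x2u

struct model_task { unsigned int flags; };

/* Decision before the fix: PF_EXITPIDONE alone selects -ESRCH. */
static int exit_check_old(const struct model_task *tsk)
{
    return (tsk->flags & M_PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
}

/* Decision after the fix, following handle_exit_race() in the patch. */
static int exit_check_new(const uint32_t *uaddr, uint32_t uval,
                          const struct model_task *tsk)
{
    if (tsk && !(tsk->flags & M_PF_EXITPIDONE))
        return -EAGAIN;         /* exit cleanup still running */
    if (*uaddr != uval)
        return -EAGAIN;         /* exiting owner rewrote the word */
    return -ESRCH;              /* unchanged: same as bogus user input */
}

/* What the exiting owner does to the futex word (robust list or not). */
static void owner_exit(struct model_task *tsk, uint32_t *uaddr, int robust)
{
    tsk->flags |= M_PF_EXITING;
    if (robust)                 /* "Set owner died", TID cleared */
        *uaddr = (*uaddr & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
    tsk->flags |= M_PF_EXITPIDONE;
}

/*
 * Waiter side of the interleaving from the commit message: the waiter has
 * set FUTEX_WAITERS, then the owner exits completely before the waiter
 * looks at the owner task. Returns 0 when the waiter ends up owning the
 * futex, otherwise the negative errno it would hand to user space.
 */
static int replay(int fixed, int robust, uint32_t owner_tid,
                  uint32_t waiter_tid, uint32_t *final_word)
{
    struct model_task owner = { 0 };
    uint32_t word = owner_tid;          /* no waiters yet */
    uint32_t uval;
    int ret = -EAGAIN;
    int tries;

    word |= FUTEX_WAITERS;              /* waiter: set waiter bit */
    uval = word;                        /* value the waiter acts on */
    owner_exit(&owner, &word, robust);  /* owner runs to completion */

    for (tries = 0; tries < 4; tries++) {
        if (!(uval & FUTEX_TID_MASK)) { /* ownerless word: take it */
            word = (uval & FUTEX_OWNER_DIED) | waiter_tid;
            ret = 0;
            break;
        }
        /* The owner in this model is always found exiting. */
        ret = fixed ? exit_check_new(&word, uval, &owner)
                    : exit_check_old(&owner);
        if (ret != -EAGAIN)
            break;
        uval = word;                    /* retry with a fresh read */
    }
    *final_word = word;
    return ret;
}

int main(void)
{
    uint32_t w;
    int r;

    r = replay(0, 1, 0x1234, 0x5678, &w);
    printf("old check, robust owner:   ret=%d word=0x%08x\n", r, (unsigned)w);
    r = replay(1, 1, 0x1234, 0x5678, &w);
    printf("new check, robust owner:   ret=%d word=0x%08x\n", r, (unsigned)w);
    r = replay(1, 0, 0x1234, 0x5678, &w);
    printf("new check, no robust list: ret=%d word=0x%08x\n", r, (unsigned)w);
    return 0;
}
```
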
* [PATCH 4.14 00/62] 4.14.102-stable review
@ 2019-02-18 13:43 4% Greg Kroah-Hartman
2019-02-18 13:44 6% ` [PATCH 4.14 61/62] futex: Cure exit race Greg Kroah-Hartman
0 siblings, 1 reply; 63+ results
From: Greg Kroah-Hartman @ 2019-02-18 13:43 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, stable
This is the start of the stable review cycle for the 4.14.102 release.
There are 62 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed Feb 20 13:34:36 UTC 2019.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.102-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.14.102-rc1
Christian Lamparter <chunkeey@gmail.com>
pinctrl: msm: fix gpio-hog related boot issues
Thomas Gleixner <tglx@linutronix.de>
futex: Cure exit race
Pavankumar Kondeti <pkondeti@codeaurora.org>
sched, trace: Fix prev_state output in sched_switch tracepoint
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
Nikos Tsironis <ntsironis@arrikto.com>
dm thin: fix bug where bio that overwrites thin block ignores FUA
Mikulas Patocka <mpatocka@redhat.com>
dm crypt: don't overallocate the integrity tag space
Borislav Petkov <bp@suse.de>
x86/a.out: Clear the dump structure initially
Nate Dailey <nate.dailey@stratus.com>
md/raid1: don't clear bitmap bits on interrupted recovery.
Eric W. Biederman <ebiederm@xmission.com>
signal: Restore the stop PTRACE_EVENT_EXIT
Hedi Berriche <hedi.berriche@hpe.com>
x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
Andreas Ziegler <andreas.ziegler@fau.de>
tracing/uprobes: Fix output for multiple string arguments
Meelis Roos <mroos@linux.ee>
alpha: Fix Eiger NR_IRQS to 128
Sergei Trofimovich <slyfox@gentoo.org>
alpha: fix page fault handling for r16-r18 targets
Sandeep Patil <sspatil@android.com>
mm: proc: smaps_rollup: fix pss_locked calculation
Matti Kurkela <Matti.Kurkela@iki.fi>
Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
Jonathan Bakker <xc-racer2@live.ca>
Input: bma150 - register input device after setting private data
Xiaoyao Li <xiaoyao.li@linux.intel.com>
kvm: vmx: Fix entry number check for add_atomic_switch_msr()
Manuel Reinhardt <manuel.rhdt@gmail.com>
ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
Jurica Vukadin <jurica.vukadin@rt-rk.com>
ALSA: hda - Add quirk for HP EliteBook 840 G5
Jiri Olsa <jolsa@redhat.com>
perf/x86: Add check_period PMU callback
Ingo Molnar <mingo@kernel.org>
perf/core: Fix impossible ring-buffer sizes warning
Mauro Ciancio <mauro@acadeu.com>
Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
Ross Lagerwall <ross.lagerwall@citrix.com>
cifs: Limit memory used by lock request calls to a page
Ilia Mirkin <imirkin@alum.mit.edu>
drm/nouveau/falcon: avoid touching registers if engine is off
Takashi Iwai <tiwai@suse.de>
drm/nouveau: Don't disable polling in fallback mode
Nicholas Mc Guire <hofrat@osadl.org>
gpio: pl061: handle failed allocations
Linus Walleij <linus.walleij@linaro.org>
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
Peter Ujfalusi <peter.ujfalusi@ti.com>
ARM: dts: da850-lcdk: Correct the sound card name
Peter Ujfalusi <peter.ujfalusi@ti.com>
ARM: dts: da850-evm: Correct the sound card name
Liviu Dudau <liviu@dudau.co.uk>
nvme-pci: use the same attributes when freeing host_mem_desc_bufs.
Tomi Valkeinen <tomi.valkeinen@ti.com>
drm/bridge: tc358767: fix output H/V syncs
Tomi Valkeinen <tomi.valkeinen@ti.com>
drm/bridge: tc358767: reject modes which require too much BW
Tomi Valkeinen <tomi.valkeinen@ti.com>
drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value
Tomi Valkeinen <tomi.valkeinen@ti.com>
drm/bridge: tc358767: fix single lane configuration
Tomi Valkeinen <tomi.valkeinen@ti.com>
drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE
Sudeep Holla <sudeep.holla@arm.com>
cpufreq: check if policy is inactive early in __cpufreq_get()
Arnaldo Carvalho de Melo <acme@redhat.com>
perf test shell: Use a fallback to get the pathname in vfs_getname
Chao Fan <fanc.fnst@cn.fujitsu.com>
ACPI: NUMA: Use correct type for printing addresses on i386-PAE
Daniel Axtens <dja@axtens.net>
bnx2x: disable GSO where gso_size is too big for hardware
Daniel Axtens <dja@axtens.net>
net: create skb_gso_validate_mac_len()
Russell King <rmk+kernel@armlinux.org.uk>
ARM: fix the cockup in the previous patch
Russell King <rmk+kernel@armlinux.org.uk>
ARM: ensure that processor vtables is not lost after boot
Russell King <rmk+kernel@armlinux.org.uk>
ARM: spectre-v2: per-CPU vtables to work around big.Little systems
Russell King <rmk+kernel@armlinux.org.uk>
ARM: add PROC_VTABLE and PROC_TABLE macros
Russell King <rmk+kernel@armlinux.org.uk>
ARM: clean up per-processor check_bugs method call
Russell King <rmk+kernel@armlinux.org.uk>
ARM: split out processor lookup
Russell King <rmk+kernel@armlinux.org.uk>
ARM: make lookup_processor_type() non-__init
Julien Thierry <julien.thierry@arm.com>
ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc
Julien Thierry <julien.thierry@arm.com>
ARM: 8797/1: spectre-v1.1: harden __copy_to_user
Julien Thierry <julien.thierry@arm.com>
ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization
Julien Thierry <julien.thierry@arm.com>
ARM: 8795/1: spectre-v1.1: use put_user() for __put_user()
Julien Thierry <julien.thierry@arm.com>
ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit
Julien Thierry <julien.thierry@arm.com>
ARM: 8793/1: signal: replace __put_user_error with __put_user
Julien Thierry <julien.thierry@arm.com>
ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user()
Julien Thierry <julien.thierry@arm.com>
ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state
Julien Thierry <julien.thierry@arm.com>
ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context
Julien Thierry <julien.thierry@arm.com>
ARM: 8789/1: signal: copy registers using __copy_to_user()
Hauke Mehrtens <hauke@hauke-m.de>
uapi/if_ether.h: prevent redefinition of struct ethhdr
Jianchao Wang <jianchao.w.wang@oracle.com>
blk-mq: fix a hung issue when fsync
Adrian Bunk <bunk@kernel.org>
eeprom: at24: add support for 24c2048
Adrian Bunk <bunk@kernel.org>
dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string
-------------
Diffstat:
.../devicetree/bindings/eeprom/eeprom.txt | 5 +-
Makefile | 4 +-
arch/alpha/include/asm/irq.h | 6 +-
arch/alpha/mm/fault.c | 2 +-
arch/arm/boot/dts/da850-evm.dts | 2 +-
arch/arm/boot/dts/da850-lcdk.dts | 2 +-
arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 +-
arch/arm/include/asm/assembler.h | 11 +++
arch/arm/include/asm/cputype.h | 1 +
arch/arm/include/asm/proc-fns.h | 61 +++++++++++++----
arch/arm/include/asm/thread_info.h | 4 +-
arch/arm/include/asm/uaccess.h | 49 +++++++++++--
arch/arm/kernel/bugs.c | 4 +-
arch/arm/kernel/head-common.S | 6 +-
arch/arm/kernel/setup.c | 40 +++++++----
arch/arm/kernel/signal.c | 80 ++++++++++++----------
arch/arm/kernel/smp.c | 31 +++++++++
arch/arm/kernel/sys_oabi-compat.c | 8 ++-
arch/arm/lib/copy_from_user.S | 6 +-
arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/uaccess_with_memcpy.c | 3 +-
arch/arm/mach-integrator/impd1.c | 6 +-
arch/arm/mm/proc-macros.S | 10 +++
arch/arm/mm/proc-v7-bugs.c | 17 +----
arch/arm/vfp/vfpmodule.c | 20 +++---
arch/x86/events/core.c | 14 ++++
arch/x86/events/intel/core.c | 9 +++
arch/x86/events/perf_event.h | 16 ++++-
arch/x86/ia32/ia32_aout.c | 6 +-
arch/x86/include/asm/uv/bios.h | 8 ++-
arch/x86/kvm/vmx.c | 3 +-
arch/x86/platform/uv/bios_uv.c | 23 ++++++-
block/blk-flush.c | 2 +-
drivers/acpi/numa.c | 6 +-
drivers/cpufreq/cpufreq.c | 12 ++--
drivers/firmware/efi/runtime-wrappers.c | 7 ++
drivers/gpu/drm/bridge/tc358767.c | 41 ++++++++---
drivers/gpu/drm/i915/i915_gem.c | 12 +++-
drivers/gpu/drm/nouveau/nvkm/engine/falcon.c | 7 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/base.c | 7 +-
drivers/input/misc/bma150.c | 9 +--
drivers/input/mouse/elan_i2c_core.c | 2 +-
drivers/input/mouse/elantech.c | 9 +++
drivers/md/dm-crypt.c | 2 +-
drivers/md/dm-thin.c | 55 +++++++++++++--
drivers/md/raid1.c | 29 +++++---
drivers/misc/eeprom/Kconfig | 2 +-
drivers/misc/eeprom/at24.c | 1 +
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 +++++
drivers/nvme/host/pci.c | 10 +--
drivers/pinctrl/qcom/pinctrl-msm.c | 23 +++++--
fs/cifs/file.c | 8 +++
fs/cifs/smb2file.c | 4 ++
fs/proc/task_mmu.c | 22 +++---
include/linux/perf_event.h | 5 ++
include/linux/skbuff.h | 16 +++++
include/trace/events/sched.h | 12 +++-
include/uapi/linux/if_ether.h | 3 +
include/uapi/linux/libc-compat.h | 6 ++
kernel/events/core.c | 16 +++++
kernel/events/ring_buffer.c | 2 +-
kernel/futex.c | 69 +++++++++++++++++--
kernel/signal.c | 7 +-
kernel/trace/trace_uprobe.c | 9 ++-
net/core/skbuff.c | 63 +++++++++++++----
net/sched/sch_tbf.c | 10 ---
sound/pci/hda/patch_conexant.c | 1 +
sound/usb/pcm.c | 9 ++-
tools/perf/tests/shell/lib/probe_vfs_getname.sh | 3 +-
69 files changed, 750 insertions(+), 236 deletions(-)
* Re: WARN_ON_ONCE(!new_owner) within wake_futex_pi() triggered
@ 2019-01-29 10:35 7% ` Peter Zijlstra
0 siblings, 0 replies; 63+ results
From: Peter Zijlstra @ 2019-01-29 10:35 UTC (permalink / raw)
To: Heiko Carstens
Cc: Thomas Gleixner, Ingo Molnar, Martin Schwidefsky, LKML,
linux-s390, Stefan Liebler, Sebastian Sewior
On Tue, Jan 29, 2019 at 11:24:09AM +0100, Heiko Carstens wrote:
> Yes, sure. However ;) I reproduced the above with v5.0-rc4 + your
> patch. And now I am trying to reproduce with linux-next 20190129 +
> your patch and it doesn't trigger. Did I miss a patch which is only in
> linux-next which could fix this?
>
I'm forever confused on what patch is where; but -ESRCH makes me think
maybe you lost this one:
---
commit da791a667536bf8322042e38ca85d55a78d3c273
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Mon Dec 10 14:35:14 2018 +0100
futex: Cure exit race
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
    CPU0                                   CPU1
    sys_exit()                             sys_futex()
     do_exit()                              futex_lock_pi()
      exit_signals(tsk)                      No waiters:
       tsk->flags |= PF_EXITING;             *uaddr == 0x00000PID
      mm_release(tsk)                        Set waiter bit
       exit_robust_list(tsk) {               *uaddr = 0x80000PID;
          Set owner died                     attach_to_pi_owner() {
        *uaddr = 0xC0000000;                  tsk = get_task(PID);
       }                                      if (!tsk->flags & PF_EXITING) {
      ...                                       attach();
      tsk->flags |= PF_EXITPIDONE;            } else {
                                                if (!(tsk->flags & PF_EXITPIDONE))
                                                  return -EAGAIN;
                                                return -ESRCH; <--- FAIL
                                              }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
diff --git a/kernel/futex.c b/kernel/futex.c
index f423f9b6577e..5cc8083a4c89 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,65 @@ static int attach_to_pi_state(u32 __user *uaddr, u32 uval,
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
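Review bot: handle_exit_race() gets no comment stating its calling context, yet the later call site in this patch invokes it before `raw_spin_unlock_irq(&p->pi_lock)`, so the `get_futex_value_locked(&uval2, uaddr)` read of user memory runs with pi_lock held and interrupts off. Please add a line above the function saying it may be called with pi_lock held and that the user-space read must stay non-sleeping, and note that tsk == NULL means "the owner task is already gone", which the body only implies through the `tsk &&` test.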
@@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = find_get_task_by_vpid(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
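Review bot: the `if (!pid)` branch now returns -EAGAIN instead of -ESRCH, while the comment added just above it says no call site should arrive with pid == 0. If one ever does and the user-space word stays the same, nothing visible here says what makes the caller's retry terminate. Consider a WARN_ON_ONCE(!pid) so the "paranoid" case is reported rather than silently retried, or say in the comment why the retry is bounded. The new comment sentence is also missing its final period.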
@@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
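Review bot: the comment kept as context above the changed line ("set, we know that the task has finished the cleanup:") still describes the old PF_EXITPIDONE ternary, but that test has moved into handle_exit_race() and the result now also depends on rereading *uaddr. Please update the comment so it points at the helper and mentions that -EAGAIN can be returned even when PF_EXITPIDONE is set.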
@@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
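Review bot: this call site changes the value argument from uval to newval in addition to adding uaddr, and neither the changelog nor a comment explains it. handle_exit_race() compares its reread of *uaddr with the value it is handed, and the context comment says the FUTEX_WAITERS bit has just been set in the user-space variable, so the pre-update uval would not match what was just written. Please say so in the comment here, since the lookup_pi_state() call site still passes uval and the difference is easy to lose in a later cleanup.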
* Re: WARN_ON_ONCE(!new_owner) within wake_futex_pi() triggered
2019-01-22 21:14 7% ` Thomas Gleixner
@ 2019-01-23 9:24 0% ` Heiko Carstens
0 siblings, 0 replies; 63+ results
From: Heiko Carstens @ 2019-01-23 9:24 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Peter Zijlstra, Ingo Molnar, Martin Schwidefsky, linux-kernel,
linux-s390, Stefan Liebler
On Tue, Jan 22, 2019 at 10:14:00PM +0100, Thomas Gleixner wrote:
> On Mon, 21 Jan 2019, Thomas Gleixner wrote:
> > On Mon, 21 Jan 2019, Heiko Carstens wrote:
> >
> > > Hi Thomas,
> > >
> > > [full quote below]
> > >
> > > Did you have any time to look into this yet? :)
> > >
> > > The warning is still reproducible.
> >
> > Yeah, it's on my list of stuff which I need to take care of urgently. In
> > the next couple of days I hope...
>
> Hmm. Doesn't
>
> da791a667536 ("futex: Cure exit race")
>
> address that issue?
It doesn't look like it does. One occurrence was the one below when
using commit 7939f8beecf1 (which is post 5.0-rc2) for building the
kernel:
WARNING: CPU: 14 PID: 23505 at kernel/futex.c:1483 do_futex+0xa9a/0xc50
Kernel panic - not syncing: panic_on_warn set ...
CPU: 14 PID: 23505 Comm: ld.so.1 Not tainted 5.0.0-20190116.rc2.git0.7939f8beecf1.300.fc29.s390x+git #1
Hardware name: IBM 3906 M04 704 (LPAR)
Call Trace:
([<0000000000112e60>] show_stack+0x58/0x70)
[<0000000000a671fa>] dump_stack+0x7a/0xa8
[<0000000000143f52>] panic+0x11a/0x2d0
[<0000000000143db0>] __warn+0xf8/0x118
[<0000000000a662f8>] report_bug+0xd8/0x150
[<00000000001014ac>] do_report_trap+0xc4/0xe0
[<0000000000101680>] illegal_op+0x138/0x150
[<0000000000a87270>] pgm_check_handler+0x1c8/0x220
[<00000000001e9aea>] do_futex+0xa9a/0xc50
([<00000000001e9c4e>] do_futex+0xbfe/0xc50)
[<00000000001ea13c>] compat_sys_futex+0xe4/0x170
[<0000000000a86e84>] system_call+0xd8/0x2c8
* Re: WARN_ON_ONCE(!new_owner) within wake_futex_pi() triggered
@ 2019-01-22 21:14 7% ` Thomas Gleixner
2019-01-23 9:24 0% ` Heiko Carstens
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2019-01-22 21:14 UTC (permalink / raw)
To: Heiko Carstens
Cc: Peter Zijlstra, Ingo Molnar, Martin Schwidefsky, linux-kernel,
linux-s390, Stefan Liebler
On Mon, 21 Jan 2019, Thomas Gleixner wrote:
> On Mon, 21 Jan 2019, Heiko Carstens wrote:
>
> > Hi Thomas,
> >
> > [full quote below]
> >
> > Did you have any time to look into this yet? :)
> >
> > The warning is still reproducible.
>
> Yeah, it's on my list of stuff which I need to take care of urgently. In
> the next couple of days I hope...
Hmm. Doesn't
da791a667536 ("futex: Cure exit race")
address that issue?
Thanks,
tglx
* Linux 4.19.13
@ 2018-12-29 13:07 5% Greg KH
0 siblings, 0 replies; 63+ results
From: Greg KH @ 2018-12-29 13:07 UTC (permalink / raw)
To: linux-kernel, Andrew Morton, torvalds, stable; +Cc: lwn, Jiri Slaby
I'm announcing the release of the 4.19.13 kernel.
All users of the 4.19 kernel series must upgrade.
The updated 4.19.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y
and can be browsed at the normal kernel.org git web browser:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2
arch/arm/include/asm/pgtable-2level.h | 2
arch/m68k/include/asm/pgtable_mm.h | 4
arch/microblaze/include/asm/pgtable.h | 2
arch/nds32/include/asm/pgtable.h | 2
arch/parisc/include/asm/pgtable.h | 2
arch/x86/entry/vdso/Makefile | 3
arch/x86/include/asm/msr-index.h | 1
arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c | 4
arch/x86/kernel/cpu/mtrr/if.c | 2
arch/x86/kvm/vmx.c | 2
arch/x86/kvm/x86.c | 4
arch/x86/mm/pat.c | 13 +
drivers/gpio/gpio-max7301.c | 12 -
drivers/gpio/gpiolib-acpi.c | 144 +++++++++++--------
drivers/gpu/drm/drm_ioctl.c | 10 +
drivers/hv/vmbus_drv.c | 20 ++
drivers/input/mouse/elantech.c | 18 ++
drivers/media/i2c/ov5640.c | 17 +-
drivers/mmc/core/mmc.c | 24 +--
drivers/mmc/host/omap_hsmmc.c | 12 +
drivers/net/usb/hso.c | 18 ++
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 ++++++
drivers/net/wireless/marvell/mwifiex/11n.c | 5
drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 96 ++++++------
drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 3
drivers/net/wireless/realtek/rtlwifi/base.c | 1
drivers/scsi/sd.c | 23 ++-
drivers/usb/host/xhci-hub.c | 3
drivers/usb/host/xhci.h | 4
drivers/usb/serial/option.c | 16 +-
fs/iomap.c | 7
fs/namei.c | 3
fs/proc/proc_sysctl.c | 13 -
fs/ubifs/replay.c | 37 ++++
include/asm-generic/4level-fixup.h | 2
include/asm-generic/5level-fixup.h | 2
include/asm-generic/pgtable-nop4d-hack.h | 2
include/asm-generic/pgtable-nop4d.h | 2
include/asm-generic/pgtable-nopmd.h | 2
include/asm-generic/pgtable-nopud.h | 2
include/asm-generic/pgtable.h | 16 ++
include/linux/math64.h | 3
include/linux/mm.h | 8 +
include/linux/t10-pi.h | 9 -
include/net/xfrm.h | 1
kernel/futex.c | 69 ++++++++-
kernel/panic.c | 6
kernel/time/posix-timers.c | 5
mm/huge_memory.c | 20 +-
mm/page_alloc.c | 19 ++
mm/vmscan.c | 6
net/xfrm/xfrm_state.c | 8 -
net/xfrm/xfrm_user.c | 4
55 files changed, 555 insertions(+), 219 deletions(-)
Alistair Strachan (1):
x86/vdso: Pass --eh-frame-hdr to the linker
Benjamin Tissoires (1):
Input: elantech - disable elan-i2c for P52 and P72
Brian Norris (1):
Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
Cfir Cohen (1):
KVM: Fix UAF in nested posted interrupt processing
Christian Brauner (1):
Revert "vfs: Allow userns root to call mknod on owned filesystems."
Christophe Leroy (1):
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
Colin Ian King (1):
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
Dan Williams (1):
x86/mm: Fix decoy address handling vs 32-bit builds
Dave Chinner (1):
iomap: Revert "fs/iomap.c: get/put the page in iomap_page_create/release()"
Dexuan Cui (1):
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
Eduardo Habkost (1):
kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
Emmanuel Grumbach (1):
iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
Greg Kroah-Hartman (1):
Linux 4.19.13
Gustavo A. R. Silva (1):
drm/ioctl: Fix Spectre v1 vulnerabilities
Hans de Goede (1):
gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
Hui Peng (1):
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
Ihab Zhaika (1):
iwlwifi: add new cards for 9560, 9462, 9461 and killer series
Ivan Delalande (1):
proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
Jacopo Mondi (1):
media: ov5640: Fix set format regression
Jens Axboe (1):
scsi: sd: use mempool for discard special page
Jörgen Storvist (4):
USB: serial: option: add GosunCn ZTE WeLink ME3630
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Telit LN940 series
Larry Finger (1):
rtlwifi: Fix leak of skb when processing C2H_BT_INFO
Martin K. Petersen (1):
scsi: t10-pi: Return correct ref tag when queue has no integrity profile
Martin Schwidefsky (3):
mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
mm: introduce mm_[p4d|pud|pmd]_folded
Mathias Krause (1):
xfrm_user: fix freeing of xfrm states on acquire
Mathias Nyman (1):
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
Mikhail Zaslonko (1):
mm, memory_hotplug: initialize struct pages for the full memory section
Nicolas Saenz Julienne (1):
USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
Oscar Salvador (1):
mm, page_alloc: fix has_unmovable_pages for HugePages
Peter Xu (1):
mm: thp: fix flags for pmd migration when split
Reinette Chatre (1):
x86/intel_rdt: Ensure a CPU remains online for the region's pseudo-locking sequence
Richard Weinberger (1):
ubifs: Handle re-linking of inodes correctly while recovery
Roman Gushchin (1):
mm: don't miss the last page because of round-off error
Russell King (1):
mmc: omap_hsmmc: fix DMA API warning
Sergey Senozhatsky (1):
panic: avoid deadlocks in re-entrant console drivers
Thomas Gleixner (2):
posix-timers: Fix division by zero bug
futex: Cure exit race
Tore Anderson (1):
USB: serial: option: add HP lt4132
Ulf Hansson (3):
mmc: core: Reset HPI enabled state during re-init and in case of errors
mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
Wanpeng Li (1):
KVM: X86: Fix NULL deref in vcpu_scan_ioapic
* [PATCH 4.19 00/46] 4.19.13-stable review
@ 2018-12-28 11:51 5% Greg Kroah-Hartman
2018-12-28 11:52 6% ` [PATCH 4.19 25/46] futex: Cure exit race Greg Kroah-Hartman
0 siblings, 1 reply; 63+ results
From: Greg Kroah-Hartman @ 2018-12-28 11:51 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, stable
This is the start of the stable review cycle for the 4.19.13 release.
There are 46 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun Dec 30 11:30:49 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.13-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.19.13-rc1
Gustavo A. R. Silva <gustavo@embeddedor.com>
drm/ioctl: Fix Spectre v1 vulnerabilities
Ivan Delalande <colona@arista.com>
proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
Benjamin Tissoires <benjamin.tissoires@redhat.com>
Input: elantech - disable elan-i2c for P52 and P72
Roman Gushchin <guro@fb.com>
mm: don't miss the last page because of round-off error
Oscar Salvador <osalvador@suse.de>
mm, page_alloc: fix has_unmovable_pages for HugePages
Peter Xu <peterx@redhat.com>
mm: thp: fix flags for pmd migration when split
Mikhail Zaslonko <zaslonko@linux.ibm.com>
mm, memory_hotplug: initialize struct pages for the full memory section
Jacopo Mondi <jacopo+renesas@jmondi.org>
media: ov5640: Fix set format regression
Ihab Zhaika <ihab.zhaika@intel.com>
iwlwifi: add new cards for 9560, 9462, 9461 and killer series
Brian Norris <briannorris@chromium.org>
Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
Emmanuel Grumbach <emmanuel.grumbach@intel.com>
iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
Larry Finger <Larry.Finger@lwfinger.net>
rtlwifi: Fix leak of skb when processing C2H_BT_INFO
Mathias Krause <minipli@googlemail.com>
xfrm_user: fix freeing of xfrm states on acquire
Martin Schwidefsky <schwidefsky@de.ibm.com>
mm: introduce mm_[p4d|pud|pmd]_folded
Martin Schwidefsky <schwidefsky@de.ibm.com>
mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
Martin Schwidefsky <schwidefsky@de.ibm.com>
mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
panic: avoid deadlocks in re-entrant console drivers
Reinette Chatre <reinette.chatre@intel.com>
x86/intel_rdt: Ensure a CPU remains online for the region's pseudo-locking sequence
Alistair Strachan <astrachan@google.com>
x86/vdso: Pass --eh-frame-hdr to the linker
Dan Williams <dan.j.williams@intel.com>
x86/mm: Fix decoy address handling vs 32-bit builds
Colin Ian King <colin.king@canonical.com>
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
Thomas Gleixner <tglx@linutronix.de>
futex: Cure exit race
Dexuan Cui <decui@microsoft.com>
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
Cfir Cohen <cfir@google.com>
KVM: Fix UAF in nested posted interrupt processing
Eduardo Habkost <ehabkost@redhat.com>
kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
Wanpeng Li <wanpengli@tencent.com>
KVM: X86: Fix NULL deref in vcpu_scan_ioapic
Thomas Gleixner <tglx@linutronix.de>
posix-timers: Fix division by zero bug
Hans de Goede <hdegoede@redhat.com>
gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
Christophe Leroy <christophe.leroy@c-s.fr>
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
Russell King <rmk+kernel@armlinux.org.uk>
mmc: omap_hsmmc: fix DMA API warning
Ulf Hansson <ulf.hansson@linaro.org>
mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
Ulf Hansson <ulf.hansson@linaro.org>
mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
Ulf Hansson <ulf.hansson@linaro.org>
mmc: core: Reset HPI enabled state during re-init and in case of errors
Jens Axboe <axboe@kernel.dk>
scsi: sd: use mempool for discard special page
Martin K. Petersen <martin.petersen@oracle.com>
scsi: t10-pi: Return correct ref tag when queue has no integrity profile
Richard Weinberger <richard@nod.at>
ubifs: Handle re-linking of inodes correctly while recovery
Jörgen Storvist <jorgen.storvist@gmail.com>
USB: serial: option: add Telit LN940 series
Jörgen Storvist <jorgen.storvist@gmail.com>
USB: serial: option: add Fibocom NL668 series
Jörgen Storvist <jorgen.storvist@gmail.com>
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
Tore Anderson <tore@fud.no>
USB: serial: option: add HP lt4132
Jörgen Storvist <jorgen.storvist@gmail.com>
USB: serial: option: add GosunCn ZTE WeLink ME3630
Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
Hui Peng <benquike@gmail.com>
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
Christian Brauner <christian@brauner.io>
Revert "vfs: Allow userns root to call mknod on owned filesystems."
Dave Chinner <dchinner@redhat.com>
iomap: Revert "fs/iomap.c: get/put the page in iomap_page_create/release()"
-------------
Diffstat:
Makefile | 4 +-
arch/arm/include/asm/pgtable-2level.h | 2 +-
arch/m68k/include/asm/pgtable_mm.h | 4 +-
arch/microblaze/include/asm/pgtable.h | 2 +-
arch/nds32/include/asm/pgtable.h | 2 +-
arch/parisc/include/asm/pgtable.h | 2 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c | 4 +
arch/x86/kernel/cpu/mtrr/if.c | 2 +
arch/x86/kvm/vmx.c | 2 +
arch/x86/kvm/x86.c | 4 +-
arch/x86/mm/pat.c | 13 +-
drivers/gpio/gpio-max7301.c | 12 +-
drivers/gpio/gpiolib-acpi.c | 144 ++++++++++++---------
drivers/gpu/drm/drm_ioctl.c | 10 +-
drivers/hv/vmbus_drv.c | 20 +++
drivers/input/mouse/elantech.c | 18 ++-
drivers/media/i2c/ov5640.c | 17 ++-
drivers/mmc/core/mmc.c | 24 ++--
drivers/mmc/host/omap_hsmmc.c | 12 +-
drivers/net/usb/hso.c | 18 ++-
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 ++
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 +++++++
drivers/net/wireless/marvell/mwifiex/11n.c | 5 +-
.../net/wireless/marvell/mwifiex/11n_rxreorder.c | 96 +++++++-------
drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 3 -
drivers/net/wireless/realtek/rtlwifi/base.c | 1 +
drivers/scsi/sd.c | 23 +++-
drivers/usb/host/xhci-hub.c | 3 +-
drivers/usb/host/xhci.h | 4 +-
drivers/usb/serial/option.c | 16 ++-
fs/iomap.c | 7 -
fs/namei.c | 3 +-
fs/proc/proc_sysctl.c | 13 +-
fs/ubifs/replay.c | 37 ++++++
include/asm-generic/4level-fixup.h | 2 +-
include/asm-generic/5level-fixup.h | 2 +-
include/asm-generic/pgtable-nop4d-hack.h | 2 +-
include/asm-generic/pgtable-nop4d.h | 2 +-
include/asm-generic/pgtable-nopmd.h | 2 +-
include/asm-generic/pgtable-nopud.h | 2 +-
include/asm-generic/pgtable.h | 16 +++
include/linux/math64.h | 3 +
include/linux/mm.h | 8 ++
include/linux/t10-pi.h | 9 +-
include/net/xfrm.h | 1 +
kernel/futex.c | 69 +++++++++-
kernel/panic.c | 6 +-
kernel/time/posix-timers.c | 5 +-
mm/huge_memory.c | 20 +--
mm/page_alloc.c | 19 ++-
mm/vmscan.c | 6 +-
net/xfrm/xfrm_state.c | 8 +-
net/xfrm/xfrm_user.c | 4 +-
55 files changed, 556 insertions(+), 220 deletions(-)
* [PATCH 4.19 25/46] futex: Cure exit race
2018-12-28 11:51 5% [PATCH 4.19 00/46] 4.19.13-stable review Greg Kroah-Hartman
@ 2018-12-28 11:52 6% ` Greg Kroah-Hartman
0 siblings, 0 replies; 63+ results
From: Greg Kroah-Hartman @ 2018-12-28 11:52 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefan Liebler, Thomas Gleixner,
Peter Zijlstra, Heiko Carstens, Darren Hart, Ingo Molnar,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit da791a667536bf8322042e38ca85d55a78d3c273 upstream.
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
    CPU0                                   CPU1
    sys_exit()                             sys_futex()
     do_exit()                              futex_lock_pi()
      exit_signals(tsk)                      No waiters:
       tsk->flags |= PF_EXITING;             *uaddr == 0x00000PID
      mm_release(tsk)                        Set waiter bit
       exit_robust_list(tsk) {               *uaddr = 0x80000PID;
          Set owner died                     attach_to_pi_owner() {
        *uaddr = 0xC0000000;                  tsk = get_task(PID);
       }                                      if (!tsk->flags & PF_EXITING) {
      ...                                       attach();
      tsk->flags |= PF_EXITPIDONE;            } else {
                                                if (!(tsk->flags & PF_EXITPIDONE))
                                                  return -EAGAIN;
                                                return -ESRCH; <--- FAIL
                                              }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 63 insertions(+), 6 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,65 @@ out_error:
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
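Review bot: In the race diagram inside the new handle_exit_race() comment, the CPU1 column reads `if (!tsk->flags & PF_EXITING) {`, which as C parses as `(!tsk->flags) & PF_EXITING`, while the next branch of the same diagram is written `if (!(tsk->flags & PF_EXITPIDONE))`. It is only a comment, but it is the reference people will read when reasoning about this race, so write it as `if (!(tsk->flags & PF_EXITING)) {` to match.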
@@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = find_get_task_by_vpid(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
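Review bot: The `if (!pid)` branch now returns -EAGAIN where it returned -ESRCH, and the added comment only says "Let the caller retry". If a call site does get here with pid == 0 and the user space value stays the same, nothing in this hunk bounds the retry, unlike the `!p` path just below, which goes through handle_exit_race() and falls back to -ESRCH when the value is unchanged. Either route this case through the same reread or state in the comment what guarantees the retry makes progress.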
@@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
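Review bot: At this call site handle_exit_race() runs before `raw_spin_unlock_irq(&p->pi_lock)`, so its get_futex_value_locked() read of user memory happens with p->pi_lock held and interrupts off, while the `!p` call site earlier in the function makes the same call without that lock. The helper carries no comment on the contexts it may be called from; add a line saying that callers may hold pi_lock and that the user space read must therefore stay non-sleeping, so a later change to the helper does not silently break this path.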
@@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
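Review bot: The last changed line passes `newval` where the old call passed `uval`, and neither the changelog nor the surrounding comment explains the switch. handle_exit_race() compares the reread value against the value it is handed (`uval2 != uval`), so the argument has to be the value that was just written with the waiters bit set, otherwise the comparison would report a change every time. A short comment here saying so would keep someone from "fixing" it back to `uval`.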
^ permalink raw reply [relevance 6%]
* Linux 4.20 released..
@ 2018-12-24 0:21 4% Linus Torvalds
0 siblings, 0 replies; 63+ results
From: Linus Torvalds @ 2018-12-24 0:21 UTC (permalink / raw)
To: Linux List Kernel Mailing
Let's face it, last week wasn't quite as quiet as I would have hoped
for, but there really doesn't seem to be any point to delay 4.20
because everybody is already taking a break.
And it's not like there are any known issues, it's just that the
shortlog below is a bit longer than I would have wished for. Nothing
screams "oh, that's scary", though.
And as part of the "everybody is already taking a break", I can
happily report that I already have quite a few early pull requests in
my inbox. I encouraged people to get it over and done with, so that
people can just relax over the year-end holidays. In fact, I probably
won't start pulling for a couple of days, but otherwise let's just try
to keep to the normal merge window schedule, even if most people
hopefully won't even be back until the merge window is over.
As to the details of this last week of 4.20 - most of it is networking
(drivers, core networking fixes, bpf). There's a few other non-network
driver updates too, and a revert series of some of the x86 inline asm
changes that were obviated by upcoming compiler support.
Details below.
Have a Merry Christmas or other holiday of your choice.
Linus
---
Alaa Hleihel (1):
net/mlx5e: Remove the false indication of software timestamping support
Alexander Aring (1):
ieee802154: hwsim: fix off-by-one in parse nested
Alistair Strachan (1):
x86/vdso: Pass --eh-frame-hdr to the linker
Allan W. Nielsen (1):
mscc: Configured MAC entries should be locked.
Anssi Hannula (3):
net: macb: fix random memory corruption on RX with 64-bit DMA
net: macb: fix dropped RX frames due to a race
net: macb: add missing barriers when reading descriptors
Antoine Tenart (2):
net: mvpp2: 10G modes aren't supported on all ports
net: mvpp2: fix the phylink mode validation
Arnd Bergmann (4):
i2c: nvidia-gpu: mark resume function as __maybe_unused
ubifs: replay: Fix high stack usage
ubifs: auth: Add CONFIG_KEYS dependency
w90p910_ether: remove incorrect __init annotation
Atul Gupta (5):
net/tls: Init routines in create_ctx
net/tls: sleeping function from invalid context
crypto/chelsio/chtls: listen fails with multiadapt
crypto/chelsio/chtls: macro correction in tx path
crypto/chelsio/chtls: send/recv window update
Benjamin Poirier (1):
xfrm: Fix bucket count reported to userspace
Benjamin Tissoires (1):
Input: elantech - disable elan-i2c for P52 and P72
Brian Norris (1):
Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
Bryan Whitehead (2):
lan743x: Expand phy search for LAN7431
lan743x: Remove MAC Reset from initialization
Cfir Cohen (1):
KVM: Fix UAF in nested posted interrupt processing
Chang S. Bae (1):
x86/fsgsbase/64: Fix the base write helper functions
Christian Brauner (1):
Revert "vfs: Allow userns root to call mknod on owned filesystems."
Christoph Hellwig (1):
dma-mapping: fix flags in dma_alloc_wc
Christophe Leroy (1):
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
Claudiu Beznea (1):
net: macb: restart tx after tx used bit read
Colin Ian King (2):
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
vxge: ensure data0 is initialized in when fetching firmware
version information
Cong Wang (6):
tipc: use lock_sock() in tipc_sk_reinit()
tipc: fix a double kfree_skb()
tipc: compare remote and local protocols in tipc_udp_enable()
tipc: check tsk->group in tipc_wait_for_cond()
tipc: check group dests after tipc_wait_for_cond()
ipv6: explicitly initialize udp6_addr in udp_sock_create6()
Corentin Labbe (1):
sparc: Set "ARCH: sunxx" information on the same line
Dan Carpenter (3):
scsi: bnx2fc: Fix NULL dereference in error handling
qed: Fix an error code qed_ll2_start_xmit()
net: stmmac: Fix an error code in probe()
Dan Williams (1):
x86/mm: Fix decoy address handling vs 32-bit builds
Daniel Borkmann (1):
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
Daniele Palmas (1):
qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup
Dave Chinner (1):
iomap: Revert "fs/iomap.c: get/put the page in
iomap_page_create/release()"
Dave Taht (1):
net: Allow class-e address assignment via ifconfig ioctl
David Ahern (1):
neighbor: NTF_PROXY is a valid ndm_flag for a dump request
David S. Miller (1):
rds: Fix warning.
Davide Caratti (1):
net: Use __kernel_clockid_t in uapi net_stamp.h
Dexuan Cui (1):
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
Dmitry V. Levin (1):
uapi: linux/blkzoned.h: fix BLKGETZONESZ and BLKGETNRZONES definitions
Eduardo Habkost (1):
kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
Emmanuel Grumbach (1):
iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
Eric Biggers (1):
KVM: fix unregistering coalesced mmio zone from wrong bus
Eric Dumazet (3):
net: clear skb->tstamp in forwarding paths
tcp: fix a race in inet_diag_dump_icsk()
ipv6: tunnels: fix two use-after-free
Florian Westphal (2):
netfilter: seqadj: re-load tcp header pointer after possible
head reallocation
netfilter: nat: can't use dst_hold on noref dst
Gabor Juhos (1):
ubifs: Fix default compression selection in ubifs
Ganesh Goudar (2):
net/tls: allocate tls context using GFP_ATOMIC
MAINTAINERS: update cxgb4 and cxgb3 maintainer
Garry McNulty (1):
ubifs: Fix memory leak on error condition
Gavi Teitz (1):
net/mlx5e: Fix default amount of channels for VF representors
Geert Uytterhoeven (2):
ubifs: CONFIG_UBIFS_FS_AUTHENTICATION should depend on UBIFS_FS
m68k: Fix memblock-related crashes
Gustavo A. R. Silva (3):
ipv4: Fix potential Spectre v1 vulnerability
ip6mr: Fix potential Spectre v1 vulnerability
drm/ioctl: Fix Spectre v1 vulnerabilities
Hans de Goede (1):
gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
Heiner Kallweit (1):
r8169: fix crash if CONFIG_DEBUG_SHIRQ is enabled
Herbert Xu (1):
ipv6: frags: Fix bogus skb->sk in reassembled packets
Himanshu Madhani (1):
Revert "scsi: qla2xxx: Fix NVMe Target discovery"
Hui Peng (1):
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
Ido Schimmel (2):
mlxsw: spectrum: Add trap for decapsulated ARP packets
mlxsw: spectrum_nve: Fix memory leak upon driver reload
Ingo Molnar (9):
Revert "x86/jump-labels: Macrofy inline assembly code to work
around GCC inlining bugs"
Revert "x86/cpufeature: Macrofy inline assembly code to work
around GCC inlining bugs"
Revert "x86/extable: Macrofy inline assembly code to work around
GCC inlining bugs"
Revert "x86/paravirt: Work around GCC inlining bugs when
compiling paravirt ops"
Revert "x86/bug: Macrofy the BUG table section handling, to work
around GCC inlining bugs"
Revert "x86/alternatives: Macrofy lock prefixes to work around
GCC inlining bugs"
Revert "x86/refcount: Work around GCC inlining bug"
Revert "x86/objtool: Use asm macros to work around GCC inlining bugs"
Revert "kbuild/Makefile: Prepare for using macros in inline
assembly code to work around asm() related GCC inlining bugs"
Ivan Delalande (1):
proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
Jakub Kicinski (2):
bpf: verifier: make sure callees don't prune with caller differences
net: netlink: rename NETLINK_DUMP_STRICT_CHK -> NETLINK_GET_STRICT_CHK
Jason Martinsen (1):
lan78xx: Resolve issue with changing MAC address
Jason Wang (3):
vhost: make sure used idx is seen before log in vhost_add_used_n()
vhost_net: switch to use mutex_trylock() in vhost_net_busy_poll()
Revert "net: vhost: lock the vqs one by one"
Jeff Moyer (1):
aio: fix spectre gadget in lookup_ioctx
Jens Axboe (1):
scsi: sd: use mempool for discard special page
Johannes Berg (1):
nl80211: fix memory leak if validate_pae_over_nl80211() fails
Jorgen Hansen (1):
VSOCK: Send reset control packet when socket is partially bound
Juergen Gross (1):
xen/netfront: tolerate frags with no data
Jörgen Storvist (7):
USB: serial: option: add GosunCn ZTE WeLink ME3630
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Telit LN940 series
qmi_wwan: Added support for Fibocom NL668 series
qmi_wwan: Added support for Telit LN940 series
qmi_wwan: Add support for Fibocom NL678 series
Kangjie Lu (1):
net: netxen: fix a missing check and an uninitialized use
Kirill A. Shutemov (2):
x86/mm: Fix guard hole handling
x86/dump_pagetables: Fix LDT remap address marker
Krzysztof Adamski (1):
MAINTAINERS: add entry for i2c-axxia driver
Kunihiko Hayashi (1):
net: phy: Fix the issue that netif always links up after resuming
Larry Finger (1):
rtlwifi: Fix leak of skb when processing C2H_BT_INFO
Lendacky, Thomas (1):
dma-direct: do not include SME mask in the DMA supported check
Lepton Wu (1):
VSOCK: bind to random port for VMADDR_PORT_ANY
Linus Torvalds (2):
security: don't use a negative Opt_err token index
Linux 4.20
Lorenzo Bianconi (3):
mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
mt76: add entry in MAINTAINERS file
gro_cell: add napi_disable in gro_cells_destroy
Mans Rullgard (1):
auxdisplay: charlcd: fix x/y command parsing
Mantas Mikulėnas (1):
Input: synaptics - enable SMBus for HP EliteBook 840 G4
Marcin Wojtas (1):
net: mvneta: fix operation for 64K PAGE_SIZE
Mario Limonciello (1):
r8152: Add support for MAC address pass through on RTL8153-BND
Martin K. Petersen (1):
scsi: t10-pi: Return correct ref tag when queue has no integrity profile
Masahiro Yamada (2):
bpf: promote bpf_perf_event.h to mandatory UAPI header
kbuild: fix false positive warning/error about missing libelf
Mathias Krause (1):
xfrm_user: fix freeing of xfrm states on acquire
Mathias Nyman (1):
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
Michael Chan (1):
bnxt_en: Fix ethtool self-test loopback.
Michael S. Tsirkin (1):
virtio: fix test build after uio.h change
Michal Kubecek (1):
net: ipv4: do not handle duplicate fragments as overlapping
Michał Mirosław (2):
i40e: fix VLAN.TCI == 0 RX HW offload
i40e: DRY rx_ptype handling code
Mikhael Goikhman (1):
net/mlx5e: Remove unused UDP GSO remaining counter
Mikhail Zaslonko (1):
mm, memory_hotplug: initialize struct pages for the full memory section
Mimi Zohar (1):
ima: cleanup the match_token policy code
Moshe Shemesh (1):
net/mlx5e: RX, Verify MPWQE stride size is in range
Myungho Jung (1):
net/smc: fix TCP fallback socket release
Nathan Chancellor (1):
drivers: net: xgene: Remove unnecessary forward declarations
Nicolas Saenz Julienne (1):
USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
Or Gerlitz (4):
net/mlx5e: Err if asked to mirror a goto chain tc eswitch rule
net/mlx5e: Avoid overriding the user provided priority for
offloaded tc rules
net/mlx5e: Properly initialize flow attributes for slow path
eswitch rule deletion
net/mlx5e: Avoid encap flows deletion attempt the 1st time a
neigh is resolved
Oscar Salvador (1):
mm, page_alloc: fix has_unmovable_pages for HugePages
Pan Bian (3):
netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
ubi: Put MTD device after it is not used
ubi: Do not drop UBI device reference before using
Paul Burton (1):
Revert "serial: 8250: Fix clearing FIFOs in RS485 mode again"
Peter Xu (1):
mm: thp: fix flags for pmd migration when split
Peter Zijlstra (1):
x86/mm/cpa: Fix cpa_flush_array() TLB invalidation
Petr Machata (4):
vxlan: Unmark offloaded bit on replaced FDB entries
vxlan: Fix error path in __vxlan_dev_create()
vxlan: changelink: Fix handling of default remotes
selftests: net: Add test_vxlan_fdb_changelink.sh
Pieter Jansen van Vuuren (1):
nfp: flower: ensure TCP flags can be placed in IPv6 frame
Rakesh Pillai (1):
ath10k: skip sending quiet mode cmd for WCN3990
Reinette Chatre (1):
x86/intel_rdt: Ensure a CPU remains online for the region's
pseudo-locking sequence
Richard Weinberger (1):
ubifs: Handle re-linking of inodes correctly while recovery
Rik van Riel (1):
fork,memcg: fix crash in free_thread_stack on memcg charge fail
Robert P. J. Day (1):
mod_devicetable.h: correct kerneldoc typo, "PHYSID2" -> "MII_PHYSID2"
Roi Dayan (1):
net/sched: cls_flower: Remove old entries from rhashtable
Ronnie Sahlberg (1):
smb3: Fix rmdir compounding regression to strict servers
Ross Lagerwall (1):
ixgbe: Fix race when the VF driver does a reset
Russell King (1):
mmc: omap_hsmmc: fix DMA API warning
Sandipan Das (1):
bpf: powerpc: fix broken uapi for BPF_PROG_TYPE_PERF_EVENT
Sara Sharon (2):
mac80211: fix a kernel panic when TXing after TXQ teardown
mac80211: free skb fraglist before freeing the skb
Sasha Levin (1):
MAINTAINERS: Patch monkey for the Hyper-V code
Shalom Toledo (1):
mlxsw: core: Increase timeout during firmware flash process
Sinan Kaya (1):
x86, hyperv: remove PCI dependency
Sowjanya Komatineni (2):
mmc: sdhci: Fix sdhci_do_enable_v4_mode
mmc: tegra: Fix for SDMMC pads autocal parsing from dt
Stanislav Fomichev (4):
selftests/bpf: use thoff instead of nhoff in BPF flow dissector
net/flow_dissector: correctly cap nhoff and thoff in case of BPF
selftests/bpf: add missing pointer dereference for map stacktrace fixup
selftests/bpf: use proper type when passing prog_type
Stefan Assmann (1):
i40e: fix mac filter delete when setting mac address
Steffen Klassert (1):
xfrm: Fix NULL pointer dereference in xfrm_input when
skb_dst_force clears the dst_entry.
Stephen Hemminger (1):
uio_hv_generic: set callbacks on open
Sudarsana Reddy Kalluru (5):
bnx2x: Clear fip MAC when fcoe offload support is disabled
bnx2x: Remove configured vlans as part of unload sequence.
bnx2x: Enable PTP only on the PF that initializes the port
bnx2x: Send update-svid ramrod with retry/poll flags enabled
qed: Fix command number mismatch between driver and the mfw
Taehee Yoo (2):
netfilter: nf_tables: fix suspicious RCU usage in
nft_chain_stats_replace()
netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()
Tal Gilboa (1):
net/mlx5e: Cancel DIM work on close SQ
Tariq Toukan (1):
net/mlx5e: RX, Fix wrong early return in receive queue poll
Thomas Falcon (2):
ibmvnic: Convert reset work item mutex to spin lock
ibmvnic: Fix non-atomic memory allocation in IRQ context
Thomas Gleixner (2):
posix-timers: Fix division by zero bug
futex: Cure exit race
Tony Lindgren (2):
Input: omap-keypad - fix idle configuration to not block SoC idle states
gpio: gpio-omap: Revert deferred wakeup quirk handling for regressions
Tore Anderson (1):
USB: serial: option: add HP lt4132
Trond Myklebust (3):
SUNRPC: Fix disconnection races
SUNRPC: Fix a race with XPRT_CONNECTING
SUNRPC: Remove xprt_connect_status()
Ulf Hansson (3):
mmc: core: Reset HPI enabled state during re-init and in case of errors
mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
Uwe Kleine-König (1):
gpio: mvebu: only fail on missing clk if pwm is actually to be used
Vakul Garg (2):
Prevent overflow of sk_msg in sk_msg_clone()
tls: Do not call sk_memcopy_from_iter with zero length
Varun Prakash (2):
scsi: target: iscsi: cxgbit: fix csk leak
scsi: target: iscsi: cxgbit: add missing spin_lock_init()
Vitaly Kuznetsov (1):
KVM: x86: nSVM: fix switch to guest mmu
Vivien Didelot (2):
MAINTAINERS: change my email address
net: dsa: mv88e6xxx: set ethtool regs version
Vu Pham (1):
net/mlx5: E-Switch, Fix fdb cap bits swap
Wanpeng Li (1):
KVM: X86: Fix NULL deref in vcpu_scan_ioapic
Wei Yongjun (1):
xfrm: Fix error return code in xfrm_output_one()
Willem de Bruijn (3):
ipv6: add missing tx timestamping on IPPROTO_RAW
net: add missing SOF_TIMESTAMPING_OPT_ID support
packet: validate address length
Xiaozhou Liu (1):
include/linux/compiler_types.h: don't pollute userspace with
macro definitions
Xin Long (1):
sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
Yangtao Li (1):
serial/sunsu: fix refcount leak
Yanjiang Jin (1):
PCI/AER: Queue one GHES event, not several uninitialized ones
Yonglong Liu (10):
net: hns: Incorrect offset address used for some registers.
net: hns: All ports can not work when insmod hns ko after rmmod.
net: hns: Some registers use wrong address according to the datasheet.
net: hns: Fixed bug that netdev was opened twice
net: hns: Clean rx fbd when ae stopped.
net: hns: Free irq when exit from abnormal branch
net: hns: Avoid net reset caused by pause frames storm
net: hns: Fix ntuple-filters status error.
net: hns: Add mac pcs config when enable|disable mac
net: hns: Fix ping failed when use net bridge and send multicast
YueHaibing (1):
ieee802154: ca8210: fix possible u8 overflow in ca8210_rx_done
Yussuf Khalil (1):
Input: synaptics - enable RMI on ThinkPad T560
Yuval Avnery (1):
net/mlx5: Typo fix in del_sw_hw_rule
ndesaulniers@google.com (1):
sparc: vdso: Drop implicit common-page-size linker flag
shamir rabinovitch (2):
net/rds: fix warn in rds_message_alloc_sgs
net/rds: remove user triggered WARN_ON in rds_sendmsg
wenxu (1):
iptunnel: make TUNNEL_FLAGS available in uapi
^ permalink raw reply [relevance 4%]
* [GIT PULL] futex fix
@ 2018-12-21 12:30 8% Ingo Molnar
0 siblings, 0 replies; 63+ results
From: Ingo Molnar @ 2018-12-21 12:30 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Thomas Gleixner, Peter Zijlstra, Andrew Morton
Linus,
Please pull the latest locking-urgent-for-linus git tree from:
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git locking-urgent-for-linus
# HEAD: da791a667536bf8322042e38ca85d55a78d3c273 futex: Cure exit race
A single fix for a robust futexes race between sys_exit() and
sys_futex_lock_pi().
Thanks,
Ingo
------------------>
Thomas Gleixner (1):
futex: Cure exit race
kernel/futex.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 63 insertions(+), 6 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index f423f9b6577e..5cc8083a4c89 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,65 @@ static int attach_to_pi_state(u32 __user *uaddr, u32 uval,
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
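Review bot: handle_exit_race() adds an -EFAULT return (`if (get_futex_value_locked(&uval2, uaddr)) return -EFAULT;`) on the two paths that, per the removed lines further down, previously returned only -ESRCH or -EAGAIN. The function has no header comment listing its return values; add one that documents -EAGAIN, -EFAULT and -ESRCH and what the caller is expected to do for each, and confirm that every caller of attach_to_pi_owner() treats -EFAULT from here like its other fault paths.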
@@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = find_get_task_by_vpid(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
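Review bot: The comment block in this hunk was extended only for the `!pid` check, but the more significant change is a few lines further down, where a failed find_get_task_by_vpid() no longer returns -ESRCH directly and instead rereads the user space value via `handle_exit_race(uaddr, uval, NULL)`. Add a sentence above `if (!p)` explaining that a missing task may simply have exited and cleaned up the futex word, so the lookup failure alone does not prove a bogus TID.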
@@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
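Review bot: The context comment above the changed line still ends with "set, we know that the task has finished the cleanup:", which described the removed `(p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN` expression. With the decision moved into handle_exit_race(), a finished cleanup no longer implies -ESRCH; update the comment so it does not contradict the new behaviour.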
@@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
^ permalink raw reply related [relevance 8%]
* Re: [patch] futex: Cure exit race
2018-12-19 13:29 9% ` Thomas Gleixner
@ 2018-12-19 19:13 9% ` Thomas Gleixner
0 siblings, 0 replies; 63+ results
From: Thomas Gleixner @ 2018-12-19 19:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On Wed, 19 Dec 2018, Thomas Gleixner wrote:
> On 2018-12-18 10:31, Thomas Gleixner wrote:
> > On Wed, 12 Dec 2018, Peter Zijlstra wrote:
> > > On Mon, Dec 10, 2018 at 06:43:51PM +0100, Thomas Gleixner wrote:
> > > @@ -806,6 +806,8 @@ void __noreturn do_exit(long code)
> > > * task into the wait for ever nirwana as well.
> > > */
> > > tsk->flags |= PF_EXITPIDONE;
> > > + smp_mb();
> > > + wake_up_bit(&tsk->flags, 3 /* PF_EXITPIDONE */);
> >
> > Using ilog2(PF_EXITPIDONE) spares that horrible inline comment and more
> > importantly selects the right bit. 0x04 is bit 2 ....
>
> Plus wake_up_bit() and wait_on_bit() want an unsigned long, but tsk->flags is
> unsigned int....
>
> Moar staring....
Aside from that, calling wake_on_bit() unconditionally can be slow if the
waitqueue in the hash bucket is not empty.
So while cooking up an alternative solution I found yet another exit race:
CPU0                                            CPU1
sys_futex()                                     sys_exit()
 futex_lock_pi()                                 do_exit()
  No waiters:
  *uaddr == 0x00000PID;
  Set waiter bit
  *uaddr = 0x80000PID;
  attach_to_pi_owner()
  tsk = get_task(PID);                           exit_signals(tsk)
  if (!(tsk->flags & PF_EXITING))
    ...                                           tsk->flags |= PF_EXITING;
                                                 mm_release(tsk)
                                                  exit_robust_list(tsk)
                                                    Set owner died and clear PID
                                                    *uaddr = 0xC0000000;
                                                  if (unlikely(!list_empty(&tsk->pi_state_list)))
    list_add(&pi_state->list,
             &tsk->pi_state_list);
I put that all on hold until Jan 7.
If somebody is really bored, here is the WIP patch series which addresses
the live lock mess: https://tglx.de/~tglx/patches.tar
Thanks,
tglx
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-18 9:31 9% ` Thomas Gleixner
@ 2018-12-19 13:29 9% ` Thomas Gleixner
2018-12-19 19:13 9% ` Thomas Gleixner
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2018-12-19 13:29 UTC (permalink / raw)
To: Peter Zijlstra
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On 2018-12-18 10:31, Thomas Gleixner wrote:
> On Wed, 12 Dec 2018, Peter Zijlstra wrote:
>> On Mon, Dec 10, 2018 at 06:43:51PM +0100, Thomas Gleixner wrote:
>> @@ -806,6 +806,8 @@ void __noreturn do_exit(long code)
>> * task into the wait for ever nirwana as well.
>> */
>> tsk->flags |= PF_EXITPIDONE;
>> + smp_mb();
>> + wake_up_bit(&tsk->flags, 3 /* PF_EXITPIDONE */);
>
> Using ilog2(PF_EXITPIDONE) spares that horrible inline comment and more
> importantly selects the right bit. 0x04 is bit 2 ....
Plus wake_up_bit() and wait_on_bit() want an unsigned long, but tsk->flags is
unsigned int....
Moar staring....
^ permalink raw reply [relevance 9%]
* [tip:locking/urgent] futex: Cure exit race
2018-12-10 15:23 7% [patch] futex: Cure exit race Thomas Gleixner
` (2 preceding siblings ...)
2018-12-11 8:04 9% ` Stefan Liebler
@ 2018-12-18 22:18 14% ` tip-bot for Thomas Gleixner
3 siblings, 0 replies; 63+ results
From: tip-bot for Thomas Gleixner @ 2018-12-18 22:18 UTC (permalink / raw)
To: linux-tip-commits
Cc: peterz, stli, mingo, linux-kernel, heiko.carstens, hpa, sashal,
dvhart, tglx
Commit-ID: da791a667536bf8322042e38ca85d55a78d3c273
Gitweb: https://git.kernel.org/tip/da791a667536bf8322042e38ca85d55a78d3c273
Author: Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Mon, 10 Dec 2018 14:35:14 +0100
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 18 Dec 2018 23:13:15 +0100
futex: Cure exit race
Stefan reported, that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex_lock_pi():
CPU0                                    CPU1
sys_exit()                              sys_futex()
 do_exit()                               futex_lock_pi()
  exit_signals(tsk)                       No waiters:
   tsk->flags |= PF_EXITING;              *uaddr == 0x00000PID
  mm_release(tsk)                         Set waiter bit
   exit_robust_list(tsk) {                *uaddr = 0x80000PID;
      Set owner died                      attach_to_pi_owner() {
    *uaddr = 0xC0000000;                   tsk = get_task(PID);
   }                                       if (!tsk->flags & PF_EXITING) {
  ...                                        attach();
  tsk->flags |= PF_EXITPIDONE;             } else {
                                             if (!(tsk->flags & PF_EXITPIDONE))
                                               return -EAGAIN;
                                             return -ESRCH; <--- FAIL
                                           }
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
is set in the task which 'owns' the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
Link: https://lkml.kernel.org/r/20181210152311.986181245@linutronix.de
---
kernel/futex.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 63 insertions(+), 6 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index f423f9b6577e..5cc8083a4c89 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,65 @@ out_error:
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
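Review bot: The first comment in handle_exit_race() says "If PF_EXITPIDONE is not yet set, then try again", but the test is `if (tsk && !(tsk->flags & PF_EXITPIDONE))`, so a NULL tsk skips it and goes straight to the reread. The NULL case is only mentioned at the very end of the long diagram comment ("already gone"); state it next to the check, where the reader needs it.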
@@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = find_get_task_by_vpid(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
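Review bot: the `!pid` branch now returns -EAGAIN with the comment "Let the caller retry", while the same comment says no call site should arrive here with pid == 0. Please add a sentence on what the next pass is expected to do with a zero TID, so it is clear why the retry terminates, or put a WARN_ON_ONCE(!pid) here if the state is really considered impossible. The last sentence of the added comment is also missing its full stop.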
@@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
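Review bot: the re-read of *uaddr inside handle_exit_race() now runs before `raw_spin_unlock_irq(&p->pi_lock)`, that is with p->pi_lock held and interrupts off. The comment above this line only talks about PF_EXITPIDONE; add a line noting that the user space access happens under the lock and therefore depends on get_futex_value_locked() not sleeping.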
@@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
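Review bot: this call site passes `newval` while lookup_pi_state() passes `uval`, and nothing here explains the difference. The context comment says the FUTEX_WAITERS bit has just been set in the user space variable, so `newval` is the value handle_exit_race() has to compare its re-read against. Say so in the comment, otherwise the argument reads like a typo.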
^ permalink raw reply related [relevance 14%]
* Re: [patch] futex: Cure exit race
2018-12-12 9:04 7% ` Peter Zijlstra
@ 2018-12-18 9:31 9% ` Thomas Gleixner
2018-12-19 13:29 9% ` Thomas Gleixner
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2018-12-18 9:31 UTC (permalink / raw)
To: Peter Zijlstra
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On Wed, 12 Dec 2018, Peter Zijlstra wrote:
> On Mon, Dec 10, 2018 at 06:43:51PM +0100, Thomas Gleixner wrote:
> @@ -806,6 +806,8 @@ void __noreturn do_exit(long code)
> * task into the wait for ever nirwana as well.
> */
> tsk->flags |= PF_EXITPIDONE;
> + smp_mb();
> + wake_up_bit(&tsk->flags, 3 /* PF_EXITPIDONE */);
Using ilog2(PF_EXITPIDONE) spares that horrible inline comment and more
importantly selects the right bit. 0x04 is bit 2 ....
> @@ -1187,10 +1236,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
> * set, we know that the task has finished the
> * cleanup:
> */
> int ret = handle_exit_race(uaddr, uval, p);
>
> raw_spin_unlock_irq(&p->pi_lock);
> - put_task_struct(p);
> +
> + if (ret == -EAGAIN)
> + *pe = p;
Hmm, no. We really want to split the return value for that. EAGAIN is also
returned for other reasons.
Plus requeue_pi() needs the same treatment. I'm staring into it, but all I
came up with so far is horribly ugly.
Thanks,
tglx
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-10 17:43 9% ` Thomas Gleixner
@ 2018-12-12 9:04 7% ` Peter Zijlstra
2018-12-18 9:31 9% ` Thomas Gleixner
0 siblings, 1 reply; 63+ results
From: Peter Zijlstra @ 2018-12-12 9:04 UTC (permalink / raw)
To: Thomas Gleixner
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On Mon, Dec 10, 2018 at 06:43:51PM +0100, Thomas Gleixner wrote:
> On Mon, 10 Dec 2018, Peter Zijlstra wrote:
> > On Mon, Dec 10, 2018 at 04:23:06PM +0100, Thomas Gleixner wrote:
> > There is another caller of futex_lock_pi_atomic(),
> > futex_proxy_trylock_atomic(), which is part of futex_requeue(), that too
> > does a retry loop on -EAGAIN.
> >
> > And there is another caller of attach_to_pi_owner(): lookup_pi_state(),
> > and that too is in futex_requeue() and handles the retry case properly.
> >
> > Yes, this all looks good.
> >
> > Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>
> Bah. The little devil in the unconscious part of my brain insisted on
> thinking further about that EAGAIN loop even despite my attempt to page
> that futex horrors out again immediately after sending that patch.
>
> There is another related issue which is even worse than just mildly
> confusing user space:
>
> task1(SCHED_OTHER)
> sys_exit()
> do_exit()
> exit_mm()
> task1->flags |= PF_EXITING;
>
> ---> preemption
>
> task2(SCHED_FIFO)
> sys_futex(LOCK_PI)
> ....
> attach_to_pi_owner() {
> ...
> if (!task1->flags & PF_EXITING) {
> attach();
> } else {
> if (!(tsk->flags & PF_EXITPIDONE))
> return -EAGAIN;
>
> Now assume UP or both tasks pinned on the same CPU. That results in a
> livelock because task2 is going to loop forever.
>
> No immediate idea how to cure that one w/o creating a mess.
One possible; but fairly gruesome hack; would be something like the
below.
Now, this obviously introduces a priority inversion, but that's
arguably better than a live-lock, also I'm not sure there's really
anything 'sane' you can do in the case where your lock holder is dying
instead of doing a proper unlock anyway.
But no, I'm not liking this much either...
diff --git a/kernel/exit.c b/kernel/exit.c
index 0e21e6d21f35..bc6a01112d9d 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -806,6 +806,8 @@ void __noreturn do_exit(long code)
* task into the wait for ever nirwana as well.
*/
tsk->flags |= PF_EXITPIDONE;
+ smp_mb();
+ wake_up_bit(&tsk->flags, 3 /* PF_EXITPIDONE */);
set_current_state(TASK_UNINTERRUPTIBLE);
schedule();
}
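Review bot: `wake_up_bit(&tsk->flags, 3 /* PF_EXITPIDONE */)` hard-codes the bit index and ties it to the flag only through a comment. Derive the index from PF_EXITPIDONE itself and share that one definition with the wait side in futex_lock_pi(), so the waker and the waiter cannot disagree about which bit is meant.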
diff --git a/kernel/futex.c b/kernel/futex.c
index f423f9b6577e..a743d657e783 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,8 +1148,8 @@ static int attach_to_pi_state(u32 __user *uaddr, u32 uval,
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
- struct futex_pi_state **ps)
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
+ struct futex_pi_state **ps, struct task_struct **pe)
{
pid_t pid = uval & FUTEX_TID_MASK;
struct futex_pi_state *pi_state;
@@ -1187,10 +1236,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
* set, we know that the task has finished the
* cleanup:
*/
int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
- put_task_struct(p);
+
+ if (ret == -EAGAIN)
+ *pe = p;
+ else
+ put_task_struct(p);
+
return ret;
}
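Review bot: on -EAGAIN the task reference is handed to the caller through `*pe` instead of being dropped, but nothing documents that transfer and `pe` is written without a NULL check. handle_exit_race() also returns -EAGAIN when only the user space value changed, so keying the hand-over on the errno makes the caller wait on a task for a reason unrelated to PF_EXITPIDONE. Document the ownership rule on the function and gate the hand-over on the exiting state rather than on the return code.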
@@ -1244,7 +1298,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
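Review bot: the `+` line calls `attach_to_pi_owner(uaddr, uval, key, ps)` with four arguments, while the signature changed earlier in this patch takes a fifth, `struct task_struct **pe`. lookup_pi_state() has to pass something for `pe`, and its own callers then need a way to release the reference they may be handed.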
@@ -1282,7 +1336,8 @@ static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
union futex_key *key,
struct futex_pi_state **ps,
- struct task_struct *task, int set_waiters)
+ struct task_struct *task, int set_waiters,
+ struct task_struct **exiting)
{
u32 uval, newval, vpid = task_pid_vnr(task);
struct futex_q *top_waiter;
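Review bot: futex_lock_pi_atomic() gains the `exiting` out-parameter, but the only call updated in this patch is the one in futex_lock_pi(). The thread names futex_proxy_trylock_atomic() as another caller; it needs the extra argument and a matching put_task_struct() for the reference that attach_to_pi_owner() may now leave with the caller.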
@@ -1352,7 +1407,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
}
/**
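Review bot: the removed line is the pre-fix `attach_to_pi_owner(uval, key, ps)`, whereas the @@ -1187 hunk above already has `handle_exit_race(uaddr, uval, p)` as unchanged context, so the hunks are not against one base. Rebased onto the updated fix posted in this thread, this call would pass `newval`; passing `uval` here changes what handle_exit_race() compares its re-read against.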
@@ -2716,6 +2771,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
struct rt_mutex_waiter rt_waiter;
struct futex_hash_bucket *hb;
struct futex_q q = futex_q_init;
+ struct task_struct *exiting;
int res, ret;
if (!IS_ENABLED(CONFIG_FUTEX_PI))
@@ -2733,6 +2789,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
}
retry:
+ exiting = NULL;
ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE);
if (unlikely(ret != 0))
goto out;
@@ -2740,7 +2797,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
retry_private:
hb = queue_lock(&q);
- ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);
+ ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0, &exiting);
if (unlikely(ret)) {
/*
* Atomic work succeeded and we got the lock,
@@ -2762,6 +2819,12 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
*/
queue_unlock(hb);
put_futex_key(&q.key);
+
+ if (exiting) {
+ wait_bit(&exiting->flags, 3 /* PF_EXITPIDONE */, TASK_UNINTERRUPTIBLE);
+ put_task_struct(exiting);
+ }
+
cond_resched();
goto retry;
default:
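Review bot: the added `wait_bit(..., TASK_UNINTERRUPTIBLE)` puts an unbounded, uninterruptible sleep into the retry path with no comment. The context lines show queue_unlock(hb) and put_futex_key(&q.key) just before it, which is what makes sleeping here possible; say that in a comment, together with the priority inversion the mail text admits to, so the trade-off is recorded next to the code rather than only in the posting.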
^ permalink raw reply related [relevance 7%]
* Re: [patch] futex: Cure exit race
2018-12-11 8:04 9% ` Stefan Liebler
@ 2018-12-11 10:32 7% ` Thomas Gleixner
0 siblings, 0 replies; 63+ results
From: Thomas Gleixner @ 2018-12-11 10:32 UTC (permalink / raw)
To: Stefan Liebler
Cc: LKML, Heiko Carstens, Peter Zijlstra, Darren Hart, Ingo Molnar
Stefan,
On Tue, 11 Dec 2018, Stefan Liebler wrote:
> does this also handle the ESRCH returned by
> attach_to_pi_owner(...)
> {...
> if (!pid)
> return -ESRCH;
> p = find_get_task_by_vpid(pid);
> if (!p)
> return -ESRCH;
> ...
>
> I think pid should never be zero when attach_to_pi_owner is called.
Yeah, I just checked again. It's a paranoid check.
> But it can happen that p is null? At least I traced the "return -ESRCH" with
> the 4.17 kernel. Unfortunately both returns were done by the same instruction
> address.
Yes, you are right. We need the same sanity check for that part. Updated
patch below.
Now I "just" have to come up with a cure for that livelock thing ....
Thanks,
tglx
8<--------------
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,65 @@ static int attach_to_pi_state(u32 __user
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval,
+ struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set, then try again.
+ */
+ if (tsk && !(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * futex_lock_pi_atomic()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ *
+ * The same logic applies to the case where the exiting task is
+ * already gone.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
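Review bot: in the diagram inside the new comment, `if (!tsk->flags & PF_EXITING) {` parses as `(!tsk->flags) & PF_EXITING`; write `!(tsk->flags & PF_EXITING)`, as the next line of the same diagram does for PF_EXITPIDONE. The diagram also shows only the case where the task still exists, while this version adds the `tsk == NULL` path; one extra line for that case would keep the comment in step with the code.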
@@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval,
/*
* We are the first waiter - try to look up the real owner and attach
* the new pi_state to it, but bail out when TID = 0 [1]
+ *
+ * The !pid check is paranoid. None of the call sites should end up
+ * with pid == 0, but better safe than sorry. Let the caller retry
*/
if (!pid)
- return -ESRCH;
+ return -EAGAIN;
p = find_get_task_by_vpid(pid);
if (!p)
- return -ESRCH;
+ return handle_exit_race(uaddr, uval, NULL);
if (unlikely(p->flags & PF_KTHREAD)) {
put_task_struct(p);
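Review bot: routing the `!p` case through handle_exit_race() means a failed task lookup can now return -EFAULT (from get_futex_value_locked()) or -EAGAIN where it used to return only -ESRCH. The hunk does not show whether every caller of attach_to_pi_owner() handles -EFAULT coming from this path; a sentence in the comment or the changelog confirming that would help.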
@@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
@@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, newval, key, ps);
}
/**
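Review bot: compared with the first posting, this call now passes `newval` instead of `uval`, but the text introducing the updated patch only mentions the added sanity check for the failed lookup. Mention the `newval` change in the changelog as well, since it decides whether the `uval2 != uval` test in handle_exit_race() can ever be false on this path.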
^ permalink raw reply [relevance 7%]
* Re: [patch] futex: Cure exit race
2018-12-10 23:01 9% ` Sasha Levin
@ 2018-12-11 10:29 9% ` Thomas Gleixner
0 siblings, 0 replies; 63+ results
From: Thomas Gleixner @ 2018-12-11 10:29 UTC (permalink / raw)
To: Sasha Levin; +Cc: LKML, stable
On Mon, 10 Dec 2018, Sasha Levin wrote:
> On Mon, Dec 10, 2018 at 10:16:03PM +0100, Thomas Gleixner wrote:
> > On Mon, 10 Dec 2018, Sasha Levin wrote:
> > > How should we proceed with this patch?
> >
> > I'll look into that once this is sorted... I so love these rotten kernels.
>
> It seems we need:
>
> 734009e96d19 ("futex: Change locking rules")
>
> Which isn't trivial to backport.
It's simpler to backport the fix. I'll look at that once we agreed on the
final solution.
Thanks,
tglx
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-10 15:23 7% [patch] futex: Cure exit race Thomas Gleixner
2018-12-10 16:02 9% ` Peter Zijlstra
[not found] ` <20181210210920.75EBD20672@mail.kernel.org>
@ 2018-12-11 8:04 9% ` Stefan Liebler
2018-12-11 10:32 7% ` Thomas Gleixner
2018-12-18 22:18 14% ` [tip:locking/urgent] " tip-bot for Thomas Gleixner
3 siblings, 1 reply; 63+ results
From: Stefan Liebler @ 2018-12-11 8:04 UTC (permalink / raw)
To: Thomas Gleixner, LKML
Cc: Heiko Carstens, Peter Zijlstra, Darren Hart, Ingo Molnar
Hi Thomas,
does this also handle the ESRCH returned by
attach_to_pi_owner(...)
{...
if (!pid)
return -ESRCH;
p = find_get_task_by_vpid(pid);
if (!p)
return -ESRCH;
...
I think pid should never be zero when attach_to_pi_owner is called.
But it can happen that p is null? At least I traced the "return -ESRCH"
with the 4.17 kernel. Unfortunately both returns were done by the same
instruction address.
Bye
Stefan
On 12/10/2018 04:23 PM, Thomas Gleixner wrote:
> Stefan reported that the glibc tst-robustpi4 test case fails
> occasionally. That case creates the following race between
> sys_exit() and sys_futex(LOCK_PI):
>
> CPU0 CPU1
>
> sys_exit() sys_futex()
> do_exit() futex_lock_pi()
> exit_signals(tsk) No waiters:
> tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
> mm_release(tsk) Set waiter bit
> exit_robust_list(tsk) { *uaddr = 0x80000PID;
> Set owner died attach_to_pi_owner() {
> *uaddr = 0xC0000000; tsk = get_task(PID);
> } if (!tsk->flags & PF_EXITING) {
> ... attach();
> tsk->flags |= PF_EXITPIDONE; } else {
> if (!(tsk->flags & PF_EXITPIDONE))
> return -EAGAIN;
> return -ESRCH; <--- FAIL
> }
>
> ESRCH is returned all the way to user space, which triggers the glibc test
> case assert. Returning ESRCH unconditionally is wrong here because the user
> space value has been changed by the exiting task to 0xC0000000, i.e. the
> FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
> is a valid state and the kernel has to handle it, i.e. taking the futex.
>
> Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
> are set in the task which owns the futex. If the value has changed, let
> the kernel retry the operation, which includes all regular sanity checks
> and correctly handles the FUTEX_OWNER_DIED case.
>
> If it hasn't changed, then return ESRCH as there is no way to distinguish
> this case from malfunctioning user space. This happens when the exiting
> task did not have a robust list, the robust list was corrupted or the user
> space value in the futex was simply bogus.
>
> Reported-by: Stefan Liebler <stli@linux.ibm.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Darren Hart <dvhart@infradead.org>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: stable@vger.kernel.org
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
> ---
> kernel/futex.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 53 insertions(+), 4 deletions(-)
>
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1148,11 +1148,60 @@ static int attach_to_pi_state(u32 __user
> return ret;
> }
>
> +static int handle_exit_race(u32 __user *uaddr, u32 uval, struct task_struct *tsk)
> +{
> + u32 uval2;
> +
> + /*
> + * If PF_EXITPIDONE is not yet set try again.
> + */
> + if (!(tsk->flags & PF_EXITPIDONE))
> + return -EAGAIN;
> +
> + /*
> + * Reread the user space value to handle the following situation:
> + *
> + * CPU0 CPU1
> + *
> + * sys_exit() sys_futex()
> + * do_exit() futex_lock_pi()
> + * exit_signals(tsk) No waiters:
> + * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
> + * mm_release(tsk) Set waiter bit
> + * exit_robust_list(tsk) { *uaddr = 0x80000PID;
> + * Set owner died attach_to_pi_owner() {
> + * *uaddr = 0xC0000000; tsk = get_task(PID);
> + * } if (!tsk->flags & PF_EXITING) {
> + * ... attach();
> + * tsk->flags |= PF_EXITPIDONE; } else {
> + * if (!(tsk->flags & PF_EXITPIDONE))
> + * return -EAGAIN;
> + * return -ESRCH; <--- FAIL
> + * }
> + *
> + * Returning ESRCH unconditionally is wrong here because the
> + * user space value has been changed by the exiting task.
> + */
> + if (get_futex_value_locked(&uval2, uaddr))
> + return -EFAULT;
> +
> + /* If the user space value has changed, try again. */
> + if (uval2 != uval)
> + return -EAGAIN;
> +
> + /*
> + * The exiting task did not have a robust list, the robust list was
> + * corrupted or the user space value in *uaddr is simply bogus.
> + * Give up and tell user space.
> + */
> + return -ESRCH;
> +}
> +
> /*
> * Lookup the task for the TID provided from user space and attach to
> * it after doing proper sanity checks.
> */
> -static int attach_to_pi_owner(u32 uval, union futex_key *key,
> +static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
> struct futex_pi_state **ps)
> {
> pid_t pid = uval & FUTEX_TID_MASK;
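Review bot: `if (!(tsk->flags & PF_EXITPIDONE))` dereferences tsk unconditionally, so the helper as posted cannot be reused for the `find_get_task_by_vpid()` failure case asked about at the top of this reply. If that path is to get the same re-read of the user space value, tsk has to be allowed to be NULL.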
> @@ -1187,7 +1236,7 @@ static int attach_to_pi_owner(u32 uval,
> * set, we know that the task has finished the
> * cleanup:
> */
> - int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
> + int ret = handle_exit_race(uaddr, uval, p);
>
> raw_spin_unlock_irq(&p->pi_lock);
> put_task_struct(p);
> @@ -1244,7 +1293,7 @@ static int lookup_pi_state(u32 __user *u
> * We are the first waiter - try to look up the owner based on
> * @uval and attach to it.
> */
> - return attach_to_pi_owner(uval, key, ps);
> + return attach_to_pi_owner(uaddr, uval, key, ps);
> }
>
> static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
> @@ -1352,7 +1401,7 @@ static int futex_lock_pi_atomic(u32 __us
> * attach to the owner. If that fails, no harm done, we only
> * set the FUTEX_WAITERS bit in the user space variable.
> */
> - return attach_to_pi_owner(uval, key, ps);
> + return attach_to_pi_owner(uaddr, uval, key, ps);
> }
>
> /**
>
>
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-10 21:16 9% ` Thomas Gleixner
@ 2018-12-10 23:01 9% ` Sasha Levin
2018-12-11 10:29 9% ` Thomas Gleixner
0 siblings, 1 reply; 63+ results
From: Sasha Levin @ 2018-12-10 23:01 UTC (permalink / raw)
To: Thomas Gleixner; +Cc: LKML, stable
On Mon, Dec 10, 2018 at 10:16:03PM +0100, Thomas Gleixner wrote:
>On Mon, 10 Dec 2018, Sasha Levin wrote:
>> This commit has been processed because it contains a -stable tag.
>> The stable tag indicates that it's relevant for the following trees: all
>>
>> The bot has tested the following trees: v4.19.8, v4.14.87, v4.9.144, v4.4.166, v3.18.128,
>>
>> v4.19.8: Build OK!
>> v4.14.87: Build OK!
>> v4.9.144: Build failed! Errors:
>> kernel/futex.c:1186:28: error: ‘uaddr’ undeclared (first use in this function)
>>
>> v4.4.166: Build failed! Errors:
>> kernel/futex.c:1181:28: error: ‘uaddr’ undeclared (first use in this function)
>>
>> v3.18.128: Build failed! Errors:
>> kernel/futex.c:1103:28: error: ‘uaddr’ undeclared (first use in this function)
>>
>> How should we proceed with this patch?
>
>I'll look into that once this is sorted... I so love these rotten kernels.
It seems we need:
734009e96d19 ("futex: Change locking rules")
Which isn't trivial to backport.
--
Thanks,
Sasha
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
[not found] ` <20181210210920.75EBD20672@mail.kernel.org>
@ 2018-12-10 21:16 9% ` Thomas Gleixner
2018-12-10 23:01 9% ` Sasha Levin
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2018-12-10 21:16 UTC (permalink / raw)
To: Sasha Levin; +Cc: LKML, stable
On Mon, 10 Dec 2018, Sasha Levin wrote:
> This commit has been processed because it contains a -stable tag.
> The stable tag indicates that it's relevant for the following trees: all
>
> The bot has tested the following trees: v4.19.8, v4.14.87, v4.9.144, v4.4.166, v3.18.128,
>
> v4.19.8: Build OK!
> v4.14.87: Build OK!
> v4.9.144: Build failed! Errors:
> kernel/futex.c:1186:28: error: ‘uaddr’ undeclared (first use in this function)
>
> v4.4.166: Build failed! Errors:
> kernel/futex.c:1181:28: error: ‘uaddr’ undeclared (first use in this function)
>
> v3.18.128: Build failed! Errors:
> kernel/futex.c:1103:28: error: ‘uaddr’ undeclared (first use in this function)
>
> How should we proceed with this patch?
I'll look into that once this is sorted... I so love these rotten kernels.
Thanks,
tglx
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-10 16:02 9% ` Peter Zijlstra
@ 2018-12-10 17:43 9% ` Thomas Gleixner
2018-12-12 9:04 7% ` Peter Zijlstra
0 siblings, 1 reply; 63+ results
From: Thomas Gleixner @ 2018-12-10 17:43 UTC (permalink / raw)
To: Peter Zijlstra
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On Mon, 10 Dec 2018, Peter Zijlstra wrote:
> On Mon, Dec 10, 2018 at 04:23:06PM +0100, Thomas Gleixner wrote:
> There is another caller of futex_lock_pi_atomic(),
> futex_proxy_trylock_atomic(), which is part of futex_requeue(), that too
> does a retry loop on -EAGAIN.
>
> And there is another caller of attach_to_pi_owner(): lookup_pi_state(),
> and that too is in futex_requeue() and handles the retry case properly.
>
> Yes, this all looks good.
>
> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Bah. The little devil in the unconscious part of my brain insisted on
thinking further about that EAGAIN loop even despite my attempt to page
that futex horrors out again immediately after sending that patch.
There is another related issue which is even worse than just mildly
confusing user space:
task1(SCHED_OTHER)
sys_exit()
do_exit()
exit_mm()
task1->flags |= PF_EXITING;
---> preemption
task2(SCHED_FIFO)
sys_futex(LOCK_PI)
....
attach_to_pi_owner() {
...
if (!task1->flags & PF_EXITING) {
attach();
} else {
if (!(tsk->flags & PF_EXITPIDONE))
return -EAGAIN;
Now assume UP or both tasks pinned on the same CPU. That results in a
livelock because task2 is going to loop forever.
No immediate idea how to cure that one w/o creating a mess.
Thanks,
tglx
^ permalink raw reply [relevance 9%]
* Re: [patch] futex: Cure exit race
2018-12-10 15:23 7% [patch] futex: Cure exit race Thomas Gleixner
@ 2018-12-10 16:02 9% ` Peter Zijlstra
2018-12-10 17:43 9% ` Thomas Gleixner
[not found] ` <20181210210920.75EBD20672@mail.kernel.org>
` (2 subsequent siblings)
3 siblings, 1 reply; 63+ results
From: Peter Zijlstra @ 2018-12-10 16:02 UTC (permalink / raw)
To: Thomas Gleixner
Cc: LKML, Stefan Liebler, Heiko Carstens, Darren Hart, Ingo Molnar
On Mon, Dec 10, 2018 at 04:23:06PM +0100, Thomas Gleixner wrote:
> kernel/futex.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 53 insertions(+), 4 deletions(-)
>
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1148,11 +1148,60 @@ static int attach_to_pi_state(u32 __user
> return ret;
> }
>
> +static int handle_exit_race(u32 __user *uaddr, u32 uval, struct task_struct *tsk)
> +{
> + u32 uval2;
> +
> + /*
> + * If PF_EXITPIDONE is not yet set try again.
> + */
> + if (!(tsk->flags & PF_EXITPIDONE))
> + return -EAGAIN;
> +
> + /*
> + * Reread the user space value to handle the following situation:
> + *
> + * CPU0 CPU1
> + *
> + * sys_exit() sys_futex()
> + * do_exit() futex_lock_pi()
> + * exit_signals(tsk) No waiters:
> + * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
> + * mm_release(tsk) Set waiter bit
> + * exit_robust_list(tsk) { *uaddr = 0x80000PID;
Just to clarify; this is: sys_futex() <- futex_lock_pi() <-
futex_lock_pi_atomic(), where we do:
lock_pi_update_atomic(); // changes the futex word
attach_to_pi_owner(); // possibly returns ESRCH after changing the word
> + * Set owner died attach_to_pi_owner() {
> + * *uaddr = 0xC0000000; tsk = get_task(PID);
> + * } if (!tsk->flags & PF_EXITING) {
> + * ... attach();
> + * tsk->flags |= PF_EXITPIDONE; } else {
> + * if (!(tsk->flags & PF_EXITPIDONE))
> + * return -EAGAIN;
> + * return -ESRCH; <--- FAIL
> + * }
> + *
> + * Returning ESRCH unconditionally is wrong here because the
> + * user space value has been changed by the exiting task.
> + */
> + if (get_futex_value_locked(&uval2, uaddr))
> + return -EFAULT;
> +
> + /* If the user space value has changed, try again. */
> + if (uval2 != uval)
> + return -EAGAIN;
And this then goes back to futex_lock_pi(), which does a retry loop.
> + /*
> + * The exiting task did not have a robust list, the robust list was
> + * corrupted or the user space value in *uaddr is simply bogus.
> + * Give up and tell user space.
> + */
> + return -ESRCH;
If it is unchanged; -ESRCH is a valid return value.
> +}
There is another caller of futex_lock_pi_atomic(),
futex_proxy_trylock_atomic(), which is part of futex_requeue(), that too
does a retry loop on -EAGAIN.
And there is another caller of attach_to_pi_owner(): lookup_pi_state(),
and that too is in futex_requeue() and handles the retry case properly.
Yes, this all looks good.
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
^ permalink raw reply [relevance 9%]
* [patch] futex: Cure exit race
@ 2018-12-10 15:23 7% Thomas Gleixner
2018-12-10 16:02 9% ` Peter Zijlstra
` (3 more replies)
0 siblings, 4 replies; 63+ results
From: Thomas Gleixner @ 2018-12-10 15:23 UTC (permalink / raw)
To: LKML
Cc: Stefan Liebler, Heiko Carstens, Peter Zijlstra, Darren Hart, Ingo Molnar
Stefan reported that the glibc tst-robustpi4 test case fails
occasionally. That case creates the following race between
sys_exit() and sys_futex(LOCK_PI):
CPU0 CPU1
sys_exit() sys_futex()
do_exit() futex_lock_pi()
exit_signals(tsk) No waiters:
tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
mm_release(tsk) Set waiter bit
exit_robust_list(tsk) { *uaddr = 0x80000PID;
Set owner died attach_to_pi_owner() {
*uaddr = 0xC0000000; tsk = get_task(PID);
} if (!tsk->flags & PF_EXITING) {
... attach();
tsk->flags |= PF_EXITPIDONE; } else {
if (!(tsk->flags & PF_EXITPIDONE))
return -EAGAIN;
return -ESRCH; <--- FAIL
}
ESRCH is returned all the way to user space, which triggers the glibc test
case assert. Returning ESRCH unconditionally is wrong here because the user
space value has been changed by the exiting task to 0xC0000000, i.e. the
FUTEX_OWNER_DIED bit is set and the futex PID value has been cleared. This
is a valid state and the kernel has to handle it, i.e. taking the futex.
Cure it by rereading the user space value when PF_EXITING and PF_EXITPIDONE
are set in the task which owns the futex. If the value has changed, let
the kernel retry the operation, which includes all regular sanity checks
and correctly handles the FUTEX_OWNER_DIED case.
If it hasn't changed, then return ESRCH as there is no way to distinguish
this case from malfunctioning user space. This happens when the exiting
task did not have a robust list, the robust list was corrupted or the user
space value in the futex was simply bogus.
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200467
---
kernel/futex.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 53 insertions(+), 4 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1148,11 +1148,60 @@ static int attach_to_pi_state(u32 __user
return ret;
}
+static int handle_exit_race(u32 __user *uaddr, u32 uval, struct task_struct *tsk)
+{
+ u32 uval2;
+
+ /*
+ * If PF_EXITPIDONE is not yet set try again.
+ */
+ if (!(tsk->flags & PF_EXITPIDONE))
+ return -EAGAIN;
+
+ /*
+ * Reread the user space value to handle the following situation:
+ *
+ * CPU0 CPU1
+ *
+ * sys_exit() sys_futex()
+ * do_exit() futex_lock_pi()
+ * exit_signals(tsk) No waiters:
+ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
+ * mm_release(tsk) Set waiter bit
+ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
+ * Set owner died attach_to_pi_owner() {
+ * *uaddr = 0xC0000000; tsk = get_task(PID);
+ * } if (!tsk->flags & PF_EXITING) {
+ * ... attach();
+ * tsk->flags |= PF_EXITPIDONE; } else {
+ * if (!(tsk->flags & PF_EXITPIDONE))
+ * return -EAGAIN;
+ * return -ESRCH; <--- FAIL
+ * }
+ *
+ * Returning ESRCH unconditionally is wrong here because the
+ * user space value has been changed by the exiting task.
+ */
+ if (get_futex_value_locked(&uval2, uaddr))
+ return -EFAULT;
+
+ /* If the user space value has changed, try again. */
+ if (uval2 != uval)
+ return -EAGAIN;
+
+ /*
+ * The exiting task did not have a robust list, the robust list was
+ * corrupted or the user space value in *uaddr is simply bogus.
+ * Give up and tell user space.
+ */
+ return -ESRCH;
+}
+
/*
* Lookup the task for the TID provided from user space and attach to
* it after doing proper sanity checks.
*/
-static int attach_to_pi_owner(u32 uval, union futex_key *key,
+static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
struct futex_pi_state **ps)
{
pid_t pid = uval & FUTEX_TID_MASK;
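Review bot: handle_exit_race() returns -EAGAIN for two different conditions, PF_EXITPIDONE not yet set and the user space value having changed, and the caller cannot tell them apart. A comment at each return saying what the retry is expected to observe, or distinct return values, would make the retry loops in the callers easier to reason about.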
@@ -1187,7 +1236,7 @@ static int attach_to_pi_owner(u32 uval,
* set, we know that the task has finished the
* cleanup:
*/
- int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
+ int ret = handle_exit_race(uaddr, uval, p);
raw_spin_unlock_irq(&p->pi_lock);
put_task_struct(p);
@@ -1244,7 +1293,7 @@ static int lookup_pi_state(u32 __user *u
* We are the first waiter - try to look up the owner based on
* @uval and attach to it.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
@@ -1352,7 +1401,7 @@ static int futex_lock_pi_atomic(u32 __us
* attach to the owner. If that fails, no harm done, we only
* set the FUTEX_WAITERS bit in the user space variable.
*/
- return attach_to_pi_owner(uval, key, ps);
+ return attach_to_pi_owner(uaddr, uval, key, ps);
}
/**
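Review bot: `attach_to_pi_owner(uaddr, uval, key, ps)` passes the value read before the update, but the diagram in handle_exit_race() shows the word already rewritten to 0x80000PID ("Set waiter bit") by the time this call is made. The re-read then differs from `uval` even when the exiting task never touched the word, so the final `return -ESRCH` looks unreachable from this call site. Pass the value that was just written instead.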
^ permalink raw reply [relevance 7%]
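The interleaving from the changelog above, replayed as a small user-space model; it also covers the difference between passing `uval` and `newval` seen in the two postings of the patch. This is an added example, not code from the patch or the kernel: `model_task`, the `M_PF_*` flag values and all `model_*` functions are hypothetical, and only the futex word constants are the real ABI values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Futex word layout (values from the futex ABI in <linux/futex.h>). */
#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* Model-only task flags; the numeric values are NOT the kernel's. */
#define M_PF_EXITING    0x1u
#define M_PF_EXITPIDONE 0x2u

struct model_task { unsigned int flags; };   /* hypothetical stand-in */

/* Pre-fix decision: only the task flags are consulted. */
static int model_old_check(const struct model_task *tsk)
{
    return (tsk->flags & M_PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
}

/*
 * Decision logic of handle_exit_race() as in the updated patch.
 * `word` stands for what a re-read of *uaddr would return.
 */
static int model_handle_exit_race(uint32_t word, uint32_t uval,
                                  const struct model_task *tsk)
{
    if (tsk && !(tsk->flags & M_PF_EXITPIDONE))
        return -EAGAIN;     /* exit cleanup still in progress */
    if (word != uval)
        return -EAGAIN;     /* the word changed: let the caller retry */
    return -ESRCH;          /* unchanged: give up and tell user space */
}

/* What the diagram shows the robust-list exit doing: owner died, TID cleared. */
static uint32_t model_owner_died(uint32_t word)
{
    return (word & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
}

enum variant { OLD_CHECK, FIX_PASS_UVAL, FIX_PASS_NEWVAL };

/* Replays the CPU0/CPU1 diagram once and returns what the locker gets back. */
static int model_lock_attempt(uint32_t tid, int has_robust_list, enum variant v)
{
    struct model_task owner = { 0 };
    uint32_t word = tid & FUTEX_TID_MASK;    /* "No waiters": word holds the TID */
    uint32_t uval = word;                    /* CPU1 reads the word */
    uint32_t newval = uval | FUTEX_WAITERS;

    owner.flags |= M_PF_EXITING;             /* CPU0: exit_signals() */
    word = newval;                           /* CPU1: set waiter bit */
    if (has_robust_list)
        word = model_owner_died(word);       /* CPU0: robust list walk */
    owner.flags |= M_PF_EXITPIDONE;          /* CPU0: cleanup finished */

    switch (v) {
    case OLD_CHECK:
        return model_old_check(&owner);
    case FIX_PASS_UVAL:                      /* first posting */
        return model_handle_exit_race(word, uval, &owner);
    default:                                 /* updated posting */
        return model_handle_exit_race(word, newval, &owner);
    }
}

int main(void)
{
    const uint32_t tid = 0x1234;             /* constructed sample TID */

    printf("old check, robust owner:       %d\n",
           model_lock_attempt(tid, 1, OLD_CHECK));
    printf("fix (newval), robust owner:    %d\n",
           model_lock_attempt(tid, 1, FIX_PASS_NEWVAL));
    printf("fix (newval), no robust list:  %d\n",
           model_lock_attempt(tid, 0, FIX_PASS_NEWVAL));
    printf("fix (uval), no robust list:    %d\n",
           model_lock_attempt(tid, 0, FIX_PASS_UVAL));
    return 0;
}
```

In the model, the old check reports -ESRCH even though the word already carries FUTEX_OWNER_DIED, and the variant that compares against `uval` never reaches -ESRCH because the waiter bit alone makes the re-read differ.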
2018-11-27 8:11 WARN_ON_ONCE(!new_owner) within wake_futex_pi() triggered Heiko Carstens
2018-11-28 14:32 ` Thomas Gleixner
2018-11-29 11:23 ` Heiko Carstens
2019-01-21 12:21 ` Heiko Carstens
2019-01-21 13:12 ` Thomas Gleixner
2019-01-22 21:14 7% ` Thomas Gleixner
2019-01-23 9:24 0% ` Heiko Carstens
2019-01-28 13:44 ` Peter Zijlstra
2019-01-28 13:58 ` Peter Zijlstra
2019-01-28 15:53 ` Thomas Gleixner
2019-01-29 9:01 ` Heiko Carstens
2019-01-29 9:45 ` Thomas Gleixner
2019-01-29 10:24 ` Heiko Carstens
2019-01-29 10:35 7% ` Peter Zijlstra
2018-12-10 15:23 7% [patch] futex: Cure exit race Thomas Gleixner
2018-12-10 16:02 9% ` Peter Zijlstra
2018-12-10 17:43 9% ` Thomas Gleixner
2018-12-12 9:04 7% ` Peter Zijlstra
2018-12-18 9:31 9% ` Thomas Gleixner
2018-12-19 13:29 9% ` Thomas Gleixner
2018-12-19 19:13 9% ` Thomas Gleixner
[not found] ` <20181210210920.75EBD20672@mail.kernel.org>
2018-12-10 21:16 9% ` Thomas Gleixner
2018-12-10 23:01 9% ` Sasha Levin
2018-12-11 10:29 9% ` Thomas Gleixner
2018-12-11 8:04 9% ` Stefan Liebler
2018-12-11 10:32 7% ` Thomas Gleixner
2018-12-18 22:18 14% ` [tip:locking/urgent] " tip-bot for Thomas Gleixner
2018-12-21 12:30 8% [GIT PULL] futex fix Ingo Molnar
2018-12-24 0:21 4% Linux 4.20 released Linus Torvalds
2018-12-28 11:51 5% [PATCH 4.19 00/46] 4.19.13-stable review Greg Kroah-Hartman
2018-12-28 11:52 6% ` [PATCH 4.19 25/46] futex: Cure exit race Greg Kroah-Hartman
2018-12-29 13:07 5% Linux 4.19.13 Greg KH
2019-02-18 13:43 4% [PATCH 4.14 00/62] 4.14.102-stable review Greg Kroah-Hartman
2019-02-18 13:44 6% ` [PATCH 4.14 61/62] futex: Cure exit race Greg Kroah-Hartman
2019-02-20 9:56 5% Linux 4.14.102 Greg KH
2019-11-04 0:29 [RFC v2 PATCH] futex: extend set_robust_list to allow 2 locking ABIs at the same time Shawn Landden
2019-11-05 9:48 ` Florian Weimer
2019-11-05 9:59 ` Thomas Gleixner
2019-11-05 15:27 ` handle_exit_race && PF_EXITING Oleg Nesterov
2019-11-05 17:28 ` Thomas Gleixner
2019-11-05 17:59 ` Thomas Gleixner
2019-11-05 18:56 ` Thomas Gleixner
2019-11-05 19:19 ` Thomas Gleixner
2019-11-06 8:55 ` Oleg Nesterov
2019-11-06 9:53 8% ` Thomas Gleixner
2019-11-06 10:35 0% ` Oleg Nesterov
2019-11-06 11:07 0% ` Thomas Gleixner
2021-02-22 7:03 10% [PATCH stable-rc queue/4.9 0/1] repatch Xiaoming Ni
2021-02-22 7:03 ` [PATCH stable-rc queue/4.9 1/1] futex: Provide distinct return value when owner is exiting Xiaoming Ni
2021-02-22 10:16 ` Greg KH
2021-02-22 10:54 10% ` Xiaoming Ni
2021-02-22 12:09 0% ` Greg KH
2021-02-22 14:11 0% ` Xiaoming Ni
2021-02-23 13:00 0% ` Greg KH
2021-02-24 1:41 0% ` Xiaoming Ni
2021-02-24 7:47 0% ` Greg KH
2021-02-24 12:40 0% ` Xiaoming Ni
2021-02-22 12:35 6% [PATCH 4.9 00/49] 4.9.258-rc1 review Greg Kroah-Hartman
2021-02-22 12:36 6% ` [PATCH 4.9 15/49] futex: Cure exit race Greg Kroah-Hartman
2021-02-22 12:53 9% [PATCH] futex: fix dead code in attach_to_pi_owner() Xiaoming Ni
2021-02-25 8:25 0% ` Greg KH
2021-02-25 8:56 8% ` Xiaoming Ni
2021-02-25 9:31 0% ` Lee Jones
2021-02-23 14:00 6% Linux 4.9.258 Greg Kroah-Hartman
2021-02-24 10:09 9% [PATCH 4.9.258] futex: fix dead code in attach_to_pi_owner() Xiaoming Ni
2021-02-25 9:17 0% ` Lee Jones
2021-03-01 14:19 0% ` Greg KH
2021-03-01 16:11 [PATCH 4.9 000/134] 4.9.259-rc1 review Greg Kroah-Hartman
2021-03-01 16:13 9% ` [PATCH 4.9 127/134] futex: fix dead code in attach_to_pi_owner() Greg Kroah-Hartman
2021-03-09 3:06 8% [PATCH 4.4 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
2021-03-09 3:06 6% ` [PATCH 4.4 2/3] futex: Cure exit race Zheng Yejian
2021-03-09 3:06 9% ` [PATCH 4.4 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
2021-03-09 10:40 0% ` Greg KH
2021-03-09 18:14 0% ` Lee Jones
2021-03-10 12:00 0% ` Greg KH
2021-03-10 13:28 0% ` Lee Jones
2021-03-10 14:10 0% ` Greg KH
2021-03-11 1:39 0% ` Zhengyejian (Zetta)
2021-03-11 3:25 7% [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Zheng Yejian
2021-03-11 3:25 6% ` [PATCH 4.4 v2 2/3] futex: Cure exit race Zheng Yejian
2021-03-11 3:26 9% ` [PATCH 4.4 v2 3/3] futex: fix dead code in attach_to_pi_owner() Zheng Yejian
2021-03-12 13:26 0% ` [PATCH 4.4 v2 0/3] Backport patch series to update Futex from 4.9 Greg KH
2021-03-15 13:51 5% [PATCH 4.4 00/75] 4.4.262-rc1 review gregkh
2021-03-15 13:51 6% ` [PATCH 4.4 12/75] futex: Cure exit race gregkh
2021-03-15 13:51 9% ` [PATCH 4.4 13/75] futex: fix dead code in attach_to_pi_owner() gregkh
2021-03-17 17:13 5% Linux 4.4.262 gregkh