kernel-fxtec-pro1x/kernel
Thomas Gleixner 7c0772556d futex: Handle faults correctly for PI futexes
commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a upstream

fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
pi_state and the user space value related to the PI futex are consistent
before returning to user space. In case that the user space value update
faults and the fault cannot be resolved by faulting the page in via
fault_in_user_writeable() the function returns with -EFAULT and leaves
the rtmutex and pi_state owner state inconsistent.

A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
releases the rtmutex despite not owning it which can corrupt the RB tree of
the rtmutex and cause a subsequent kernel stack use after free.

It was suggested to loop forever in fixup_pi_state_owner() if the fault
cannot be resolved, but that results in runaway tasks which is especially
undesired when the problem happens due to a programming error and not due
to malice.

As the user space value cannot be fixed up, the proper solution is to make
the rtmutex and the pi_state consistent so both have the same owner. This
leaves the user space value out of sync. Any subsequent operation on the
futex will fail because the 10th rule of PI futexes (pi_state owner and
user space value are consistent) has been violated.

As a consequence this removes the inept attempts of 'fixing' the situation
in case that the current task owns the rtmutex when returning with an
unresolvable fault by unlocking the rtmutex which left pi_state::owner and
rtmutex::owner out of sync in a different and only slightly less dangerous
way.

Change-Id: Ic19f2e16d6de16db63594706eae5f547e38ea852
Fixes: 1b7558e457 ("futexes: fix fault handling in futex_lock_pi")
Reported-by: gzobqq@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 6e7bfa046de83596c2a50f72e8ced1ee327db654
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: PavanKumar S.R. <pavasr@codeaurora.org>
2021-08-17 08:23:23 -07:00
..
bpf This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
cgroup BACKPORT: cgroup: make per-cgroup pressure stall tracking configurable 2021-07-01 23:43:00 -07:00
configs ANDROID: remove android config fragments 2018-08-28 17:15:17 +05:30
debug Merge android-4.19-stable.157 (8ee67bc) into msm-4.19 2020-12-18 18:35:06 +05:30
dma Merge android-4.19-stable.125 (a483478) into msm-4.19 2020-09-20 23:45:10 +05:30
events Revert "ANDROID: security,perf: Allow further restriction of perf_event_open" 2021-04-30 00:21:50 -07:00
gcov This is the 4.19.146 stable release 2020-09-17 13:59:19 +02:00
irq Merge android-4.19-stable.146 (443485d) into msm-4.19 2020-10-16 11:06:31 +05:30
livepatch livepatch: Nullify obj->mod in klp_module_coming()'s error path 2019-10-07 18:57:10 +02:00
locking Merge android-4.19-stable.146 (443485d) into msm-4.19 2020-10-16 11:06:31 +05:30
power Merge android-4.19-stable.157 (8ee67bc) into msm-4.19 2020-12-18 18:35:06 +05:30
printk Merge android-4.19-stable.149 (9ce79d9) into msm-4.19 2020-10-21 09:25:49 +05:30
rcu Merge android-4.19.110 (1984fff) into msm-4.19 2020-05-23 05:08:22 -07:00
sched BACKPORT: cgroup: make per-cgroup pressure stall tracking configurable 2021-07-01 23:43:00 -07:00
time Merge "Merge android-4.19-stable.152 (13abe23) into msm-4.19" 2020-11-10 06:31:20 -08:00
trace Merge android-4.19-stable.157 (8ee67bc) into msm-4.19 2020-12-18 18:35:06 +05:30
.gitignore BACKPORT: Provide in-kernel headers to make extending kernel easier 2019-06-12 12:33:20 +00:00
acct.c acct_on(): don't mess with freeze protection 2019-05-31 06:46:05 -07:00
async.c
audit.c audit: fix a net reference leak in audit_list_rules_send() 2020-06-22 09:05:13 +02:00
audit.h audit: fix a net reference leak in audit_list_rules_send() 2020-06-22 09:05:13 +02:00
audit_fsnotify.c
audit_tree.c audit: Embed key into chunk 2019-12-13 08:51:11 +01:00
audit_watch.c audit: CONFIG_CHANGE don't log internal bookkeeping as an event 2020-10-01 13:14:33 +02:00
auditfilter.c audit: fix a net reference leak in audit_list_rules_send() 2020-06-22 09:05:13 +02:00
auditsc.c audit: print empty EXECVE args 2019-12-01 09:17:17 +01:00
backtracetest.c
bounds.c kbuild: fix kernel/bounds.c 'W=1' warning 2018-11-13 11:08:47 -08:00
capability.c LSM: generalize flag passing to security_capable 2020-01-23 08:21:29 +01:00
cfi.c ANDROID: cfi: fix export symbol types 2020-04-29 19:16:15 +02:00
compat.c make 'user_access_begin()' do 'access_ok()' 2020-06-22 09:04:58 +02:00
configs.c
context_tracking.c
cpu.c Merge android-4.19-stable.136 (204dd19) into msm-4.19 2020-10-14 20:04:29 +05:30
cpu_pm.c Merge android-4.19-stable.136 (204dd19) into msm-4.19 2020-10-14 20:04:29 +05:30
crash_core.c kernel/crash_core.c: print timestamp using time64_t 2018-08-22 10:52:47 -07:00
crash_dump.c
cred.c memcg: account security cred as well to kmemcg 2020-01-09 10:19:00 +01:00
delayacct.c UPSTREAM: delayacct: track delays from thrashing cache pages 2019-03-21 16:25:26 -07:00
dma.c
elfcore.c kernel/elfcore.c: include proper prototypes 2019-10-11 18:21:23 +02:00
exec_domain.c
exit.c Merge android-4.19-stable.136 (204dd19) into msm-4.19 2020-10-14 20:04:29 +05:30
extable.c
fail_function.c
fork.c Merge android-4.19-stable.157 (8ee67bc) into msm-4.19 2020-12-18 18:35:06 +05:30
freezer.c PM / reboot: Eliminate race between reboot and suspend 2018-08-06 12:35:20 +02:00
futex.c futex: Handle faults correctly for PI futexes 2021-08-17 08:23:23 -07:00
gen_kheaders.sh kheaders: include only headers into kheaders_data.tar.xz 2020-06-11 05:00:06 -07:00
groups.c
hung_task.c hung task: check specific tasks for long uninterruptible sleep state 2019-08-02 12:42:25 -07:00
iomem.c
irq_work.c irq_work: Do not raise an IPI when queueing work on the local CPU 2019-05-31 06:46:19 -07:00
jump_label.c jump_label: move 'asm goto' support test to Kconfig 2019-06-04 08:02:34 +02:00
kallsyms.c Merge 4.19.133 into android-4.19-stable 2020-07-17 07:54:52 +02:00
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks locking/rwsem: for rwsem prio aware enhancement 2019-05-24 15:32:11 +08:00
Kconfig.preempt kconfig: include kernel/Kconfig.preempt from init/Kconfig 2018-08-02 08:06:54 +09:00
kcov.c UPSTREAM: kcov: remote coverage support 2020-01-15 14:51:23 +00:00
kexec.c
kexec_core.c kexec: Allocate decrypted control pages for kdump if SME is enabled 2019-11-24 08:20:29 +01:00
kexec_file.c
kexec_internal.h
kheaders.c BACKPORT: kheaders: Move from proc to sysfs 2019-06-12 12:33:54 +00:00
kmod.c kmod: make request_module() return an error when autoloading is disabled 2020-04-17 10:48:52 +02:00
kprobes.c kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE 2020-10-01 13:14:54 +02:00
ksysfs.c
kthread.c This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
latencytop.c
Makefile Merge android-4.19.95 (5da1114) into msm-4.19 2020-03-27 10:48:20 -07:00
memremap.c mm/memory_hotplug: shrink zones when offlining memory 2020-01-29 16:43:27 +01:00
module-internal.h
module.c Merge android-4.19-stable.146 (443485d) into msm-4.19 2020-10-16 11:06:31 +05:30
module_signing.c
notifier.c Merge "Merge android-4.19-stable.113 (2b82910d) into msm-4.19" 2020-07-24 22:21:24 -07:00
nsproxy.c
padata.c padata: purge get_cpu and reorder_via_wq from padata_do_serial 2020-05-27 17:37:36 +02:00
panic.c Merge android-4.19-stable.125 (a483478) into msm-4.19 2020-09-20 23:45:10 +05:30
params.c ANDROID: GKI: export symbols from abi_gki_aarch64_qcom_whitelist 2020-04-13 21:36:41 +00:00
pid.c UPSTREAM: pid: add pidfd_open() 2019-08-12 13:36:37 -04:00
pid_namespace.c signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig 2019-07-26 09:14:01 +02:00
profile.c
ptrace.c ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() 2020-01-23 08:21:29 +01:00
range.c
reboot.c UPSTREAM: GKI: panic/reboot: allow specifying reboot_mode for panic only 2020-04-17 05:00:40 +00:00
relay.c kernel/relay.c: fix memleak on destroy relay channel 2020-08-26 10:30:59 +02:00
resource.c resource: fix locking in find_next_iomem_res() 2019-09-16 08:22:20 +02:00
rseq.c
scs.c FROMLIST: scs: add support for stack usage debugging 2019-11-27 12:37:25 -08:00
seccomp.c LSM: generalize flag passing to security_capable 2020-01-23 08:21:29 +01:00
signal.c signal: Avoid corrupting si_pid and si_uid in do_notify_parent 2021-03-25 22:32:03 -07:00
smp.c smp: Wake up all idle CPUs when suspending to idle 2019-03-15 01:59:15 -07:00
smpboot.c
smpboot.h
softirq.c trace: Add trace points for tasklet entry/exit 2020-01-28 20:45:01 -08:00
stacktrace.c
stop_machine.c Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-08-13 11:25:07 -07:00
sys.c This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
sys_ni.c UPSTREAM: signal: support CLONE_PIDFD with pidfd_send_signal 2019-08-12 13:36:37 -04:00
sysctl.c sched/walt: Improve the scheduler 2020-10-06 12:41:10 +05:30
sysctl_binary.c netfilter: nf_defrag_ipv4: Add sysctl to disable per interface 2018-12-03 15:57:38 -08:00
task_work.c
taskstats.c taskstats: extended taskstats2 with acct fields 2020-05-13 22:59:08 -07:00
test_kprobes.c
torture.c
tracepoint.c tracepoint: Fix tracepoint array element size mismatch 2018-10-17 15:35:29 -04:00
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c usermodehelper: reset umask to default before executing user process 2020-10-14 10:31:21 +02:00
up.c
user-return-notifier.c
user.c ANDROID: proc: Add /proc/uid directory 2019-03-06 15:59:21 +00:00
user_namespace.c userns: also map extents in the reverse map to kernel IDs 2018-11-13 11:09:00 -08:00
utsname.c
utsname_sysctl.c sys: don't hold uts_sem while accessing userspace memory 2018-08-11 02:05:53 -05:00
watchdog.c Merge android-4.19.110 (1984fff) into msm-4.19 2020-05-23 05:08:22 -07:00
watchdog_hld.c watchdog: Mark watchdog touch functions as notrace 2018-08-30 12:56:40 +02:00
workqueue.c Merge android-4.19-stable.125 (a483478) into msm-4.19 2020-09-20 23:45:10 +05:30
workqueue_internal.h UPSTREAM: psi: fix aggregation idle shut-off 2019-03-21 16:25:27 -07:00