From patchwork Mon Apr 15 19:01:01 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 162254
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Will Deacon
Subject: [PATCH 5.0 091/117] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
Date: Mon, 15 Apr 2019 21:01:01 +0200
Message-Id: <20190415183749.494366460@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190415183744.887851196@linuxfoundation.org>
References: <20190415183744.887851196@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Will Deacon

commit 045afc24124d80c6998d9c770844c67912083506 upstream.

Rather embarrassingly, our futex() FUTEX_WAKE_OP implementation doesn't
explicitly set the return value on the non-faulting path and instead
leaves it holding the result of the underlying atomic operation. This
means that any FUTEX_WAKE_OP atomic operation which computes a non-zero
value will be reported as having failed. Regrettably, I wrote the buggy
code back in 2011 and it was upstreamed as part of the initial arm64
support in 2012.

The reasons we appear to get away with this are:

  1. FUTEX_WAKE_OP is rarely used and therefore doesn't appear to get
     exercised by futex() test applications

  2. If the result of the atomic operation is zero, the system call
     behaves correctly

  3. Prior to version 2.25, the only operation used by GLIBC set the
     futex to zero, and therefore worked as expected. From 2.25 onwards,
     FUTEX_WAKE_OP is not used by GLIBC at all.

Fix the implementation by ensuring that the return value is either 0
to indicate that the atomic operation completed successfully, or -EFAULT
if we encountered a fault when accessing the user mapping.

Cc:
Fixes: 6170a97460db ("arm64: Atomic operations")
Signed-off-by: Will Deacon
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/include/asm/futex.h | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h @@ -30,8 +30,8 @@ do { \ " prfm pstl1strm, %2\n" \ "1: ldxr %w1, %2\n" \ insn "\n" \ -"2: stlxr %w3, %w0, %2\n" \ -" cbnz %w3, 1b\n" \ +"2: stlxr %w0, %w3, %2\n" \ +" cbnz %w0, 1b\n" \ " dmb ish\n" \ "3:\n" \ " .pushsection .fixup,\"ax\"\n" \ @@ -50,30 +50,30 @@ do { \ static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) { - int oldval = 0, ret, tmp; + int oldval, ret, tmp; u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); pagefault_disable(); switch (op) { case FUTEX_OP_SET: - __futex_atomic_op("mov %w0, %w4", + __futex_atomic_op("mov %w3, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_ADD: - __futex_atomic_op("add %w0, %w1, %w4", + __futex_atomic_op("add %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_OR: - __futex_atomic_op("orr %w0, %w1, %w4", + __futex_atomic_op("orr %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_ANDN: - __futex_atomic_op("and %w0, %w1, %w4", + __futex_atomic_op("and %w3, %w1, %w4", ret, oldval, uaddr, tmp, ~oparg); break; case FUTEX_OP_XOR: - __futex_atomic_op("eor %w0, %w1, %w4", + __futex_atomic_op("eor %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; default:
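
Review bot: in the first hunk (`__futex_atomic_op`), the new operand roles in `stlxr %w0, %w3, %2` / `cbnz %w0, 1b` are an undocumented contract with every caller. %w0 now receives the store-exclusive status, so it is 0 whenever the loop exits, and %w3 holds the value being stored, which means each `insn` string must write %w3 and must not touch %w0. A short comment above the asm stating which operand is the return value and which is the new-value scratch register would stop a later caller from reintroducing the non-zero return. The operand constraints and the `.fixup` body are outside the visible context, so please confirm that %3 is still constrained correctly now that `insn` writes it before the store, and that the fixup path still leaves -EFAULT in %w0.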
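
Review bot: in the second hunk (`arch_futex_atomic_op_inuser`), dropping the initialiser in `int oldval, ret, tmp;` is not explained in the commit message and leaves `oldval` indeterminate when the user access faults or when `op` falls through to `default:`. The code after the switch is not in the visible context, so confirm that `oldval` is copied to `*oval` only when `ret` is 0; if it is, say so in the commit message, and if it is not, keep the `= 0`. The five `insn` strings are consistent with the macro change (all now target %w3). Because the bug is only observable when the computed value is non-zero, a FUTEX_WAKE_OP test whose FUTEX_OP_SET or FUTEX_OP_ADD result is non-zero would be worth adding alongside this fix.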