rpms/kernel/F-11 futex-handle-futex-value-corruption-gracefully.patch, NONE, 1.1.2.1 futex_lock_pi-key-refcnt-fix.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.23, 1.1784.2.24

Chuck Ebbert cebbert at fedoraproject.org
Sat Feb 13 14:22:00 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3402

Modified Files:
      Tag: private-fedora-11-2_6_30
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_30
	futex-handle-futex-value-corruption-gracefully.patch 
	futex_lock_pi-key-refcnt-fix.patch 
Log Message:
futex-handle-futex-value-corruption-gracefully.patch, futex_lock_pi-key-refcnt-fix.patch:
  more futex fixes from the 2.6.31 queue

futex-handle-futex-value-corruption-gracefully.patch:
 futex.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- NEW FILE futex-handle-futex-value-corruption-gracefully.patch ---
From 59647b6ac3050dd964bc556fe6ef22f4db5b935c Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx at linutronix.de>
Date: Wed, 3 Feb 2010 09:33:05 +0100
Subject: futex: Handle futex value corruption gracefully

From: Thomas Gleixner <tglx at linutronix.de>

commit 59647b6ac3050dd964bc556fe6ef22f4db5b935c upstream.

The WARN_ON in lookup_pi_state which complains about a mismatch
between pi_state->owner->pid and the pid which we retrieved from the
user space futex is completely bogus.

The code just emits the warning and then continues despite the fact
that it detected an inconsistent state of the futex. A convenient way
for user space to spam the syslog.

Replace the WARN_ON by a consistency check. If the values do not match
return -EINVAL and let user space deal with the mess it created.

This also fixes the missing task_pid_vnr() when we compare the
pi_state->owner pid with the futex value.

Reported-by: Jerome Marchand <jmarchan at redhat.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Acked-by: Darren Hart <dvhltc at us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 kernel/futex.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -531,8 +531,25 @@ lookup_pi_state(u32 uval, struct futex_h
 				return -EINVAL;
 
 			WARN_ON(!atomic_read(&pi_state->refcount));
-			WARN_ON(pid && pi_state->owner &&
-				pi_state->owner->pid != pid);
+
+			/*
+			 * When pi_state->owner is NULL then the owner died
+			 * and another waiter is on the fly. pi_state->owner
+			 * is fixed up by the task which acquires
+			 * pi_state->rt_mutex.
+			 *
+			 * We do not check for pid == 0 which can happen when
+			 * the owner died and robust_list_exit() cleared the
+			 * TID.
+			 */
+			if (pid && pi_state->owner) {
+				/*
+				 * Bail out if user space manipulated the
+				 * futex value.
+				 */
+				if (pid != task_pid_vnr(pi_state->owner))
+					return -EINVAL;
+			}
 
 			atomic_inc(&pi_state->refcount);
 			*ps = pi_state;
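Review bot: the two nested ifs at the end of the hunk (`if (pid && pi_state->owner) {` / `if (pid != task_pid_vnr(pi_state->owner))` / `return -EINVAL;`) can be folded into one condition, which keeps the shape of the removed WARN_ON condition and makes the before/after easy to compare; keeping the nesting only makes sense if the two comment blocks are meant to stay separate. The early return is placed before `atomic_inc(&pi_state->refcount);`, so no reference is taken and none leaks on the -EINVAL path, and the `return -EINVAL;` already present at the top of the hunk shows callers handle that error from this function. Note that swapping `pi_state->owner->pid` for `task_pid_vnr(pi_state->owner)` is a behaviour change in its own right, not just a cleanup: the TID in the futex word is what the owner sees in its own pid namespace, so the old global-pid comparison could misfire under pid namespaces, which is the "missing task_pid_vnr()" point in the description and is worth spelling out in the backport note.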

futex_lock_pi-key-refcnt-fix.patch:
 futex.c |    2 ++
 1 file changed, 2 insertions(+)

--- NEW FILE futex_lock_pi-key-refcnt-fix.patch ---
From 5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc Mon Sep 17 00:00:00 2001
From: Mikael Pettersson <mikpe at it.uu.se>
Date: Sat, 23 Jan 2010 22:36:29 +0100
Subject: futex_lock_pi() key refcnt fix

From: Mikael Pettersson <mikpe at it.uu.se>

commit 5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc upstream.

[ cebbert at redhat.com : backport to 2.6.30 ]

This fixes a futex key reference count bug in futex_lock_pi(),
where a key's reference count is incremented twice but decremented
only once, causing the backing object to not be released.

If the futex is created in a temporary file in an ext3 file system,
this bug causes the file's inode to become an "undead" orphan,
which causes an oops from a BUG_ON() in ext3_put_super() when the
file system is unmounted. glibc's test suite is known to trigger this,
see <http://bugzilla.kernel.org/show_bug.cgi?id=14256>.

The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's
38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on
get_user_pages() for shared futexes". That commit made get_futex_key()
also increment the reference count of the futex key, and updated its
callers to decrement the key's reference count before returning.
Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
the reference count is incremented by get_futex_key() and queue_lock(),
but the normal exit path only decrements once, via unqueue_me_pi().
The fix is to put_futex_key() after unqueue_me_pi(); since 2.6.31
this is easily done by 'goto out_put_key' rather than 'goto out'.

Signed-off-by: Mikael Pettersson <mikpe at it.uu.se>
Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
Acked-by: Darren Hart <dvhltc at us.ibm.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 kernel/futex.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1974,6 +1974,8 @@ retry_private:
 	/* Unqueue and drop the lock */
 	unqueue_me_pi(&q);
 
+	put_futex_key(fshared, &q.key);
+
 	if (to)
 		destroy_hrtimer_on_stack(&to->timer);
 	return ret != -EINTR ? ret : -ERESTARTNOINTR;
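Review bot: the diffstat in this patch header (`kernel/futex.c | 2 +-`, `1 insertion(+), 1 deletion(-)`) still describes the upstream change, where the fix was turning 'goto out' into 'goto out_put_key', but the backported hunk is two pure insertions, as the Fedora-side stat `futex.c | 2 ++` above correctly says; the header stat and the last sentence of the description should be adjusted to match what is actually applied here, namely an explicit `put_futex_key(fshared, &q.key);` after `unqueue_me_pi(&q);` because the 2.6.30 path has no out_put_key label to jump to. On the logic, the hunk shows only the normal exit path, so a reviewer has to take the description's word that the error paths already drop the key exactly once; a sentence in the `[ cebbert at redhat.com : backport to 2.6.30 ]` note confirming that was checked for 2.6.30 would save the next reader from suspecting a double put. The placement is correct as far as the visible lines go: the key is dropped after the queue entry is gone and before the hrtimer is destroyed, and the return value is untouched.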



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.23
retrieving revision 1.1784.2.24
diff -u -p -r1.1784.2.23 -r1.1784.2.24
--- kernel.spec	11 Feb 2010 06:20:55 -0000	1.1784.2.23
+++ kernel.spec	13 Feb 2010 14:21:59 -0000	1.1784.2.24
@@ -897,6 +897,8 @@ Patch16540: connector-delete-buggy-notif
 Patch16550: fix-crash-with-sys_move_pages.patch
 
 Patch16560: futex-handle-user-space-corruption-gracefully.patch
+Patch16561: futex-handle-futex-value-corruption-gracefully.patch
+Patch16562: futex_lock_pi-key-refcnt-fix.patch
 
 %endif
 
@@ -1689,6 +1691,8 @@ ApplyPatch connector-delete-buggy-notifi
 ApplyPatch fix-crash-with-sys_move_pages.patch
 
 ApplyPatch futex-handle-user-space-corruption-gracefully.patch
+ApplyPatch futex-handle-futex-value-corruption-gracefully.patch
+ApplyPatch futex_lock_pi-key-refcnt-fix.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2278,6 +2282,10 @@ fi
 # and build.
 
 %changelog
+* Sat Feb 13 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.24
+- futex-handle-futex-value-corruption-gracefully.patch, futex_lock_pi-key-refcnt-fix.patch:
+  more futex fixes from the 2.6.31 queue
+
 * Thu Feb 11 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.23
 - fix-race-in-tty_fasync_properly.patch: fix problems caused by the fix
   for bug #559100
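Review bot: the changelog entry says only "more futex fixes from the 2.6.31 queue"; since the second patch fixes a user-visible failure (the ext3_put_super() BUG_ON at unmount after a PI futex in a temporary file, bugzilla.kernel.org 14256 per the patch description), consider naming that symptom and the upstream commit ids (59647b6ac305, 5ecb01cfdf96) in the entry so the fix can be found from the rpm changelog alone. The Patch16561/Patch16562 definitions and the two ApplyPatch lines in the earlier hunks are consistent with each other and with the file names added in this commit.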


