futex: Sanitize cmpxchg_futex_value_locked API

The cmpxchg_futex_value_locked API was funny in that it returned either the original, user-exposed futex value OR an error code such as -EFAULT. This was confusing at best, and could be a source of livelocks in places that retry the cmpxchg_futex_value_locked after trying to fix the issue by running fault_in_user_writeable(). This change makes the cmpxchg_futex_value_locked API more similar to the get_futex_value_locked one, returning an error code and updating the original value through a reference argument. Signed-off-by: Michel Lespinasse <walken@google.com> Acked-by: Chris Metcalf <cmetcalf@tilera.com> [tile] Acked-by: Tony Luck <tony.luck@intel.com> [ia64] Acked-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Michal Simek <monstr@monstr.eu> [microblaze] Acked-by: David Howells <dhowells@redhat.com> [frv] Cc: Darren Hart <darren@dvhart.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Matt Turner <mattst88@gmail.com> Cc: Russell King <linux@arm.linux.org.uk> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Paul Mundt <lethal@linux-sh.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: Linus Torvalds <torvalds@linux-foundation.org> LKML-Reference: <20110311024851.GC26122@google.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Michel Lespinasse <walken@google.com> 2011-03-10 21:48:51 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2011-03-11 06:23:08 -0500
commit: 37a9d912b24f96a0591773e6e6c3642991ae5a70 (patch)
tree: 5c4d5b9a52e2c533269e589115afbd25b6c8534b /arch/s390/lib/uaccess_pt.c
parent: 522d7decc0370070448a8c28982c8dfd8970489e (diff)
1 files changed, 8 insertions, 5 deletions
diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c
index 404f2de296dc..b3cebcd52f5c 100644
--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -354,26 +354,29 @@ int futex_atomic_op_pt(int op, int __user *uaddr, int oparg, int *old)
        return ret;
 }
-static int __futex_atomic_cmpxchg_pt(int __user *uaddr, int oldval, int newval)
+static int __futex_atomic_cmpxchg_pt(int *uval, int __user *uaddr,
+                                     int oldval, int newval)
 {
        int ret;
        asm volatile("0: cs   %1,%4,0(%5)\n"
-                     "1: lr   %0,%1\n"
+                     "1: la   %0,0\n"
                     "2:\n"
                     EX_TABLE(0b,2b) EX_TABLE(1b,2b)
                     : "=d" (ret), "+d" (oldval), "=m" (*uaddr)
                     : "0" (-EFAULT), "d" (newval), "a" (uaddr), "m" (*uaddr)
                     : "cc", "memory" );
+        *uval = oldval;
        return ret;
 }
-int futex_atomic_cmpxchg_pt(int __user *uaddr, int oldval, int newval)
+int futex_atomic_cmpxchg_pt(int *uval, int __user *uaddr,
+                            int oldval, int newval)
 {
        int ret;
        if (segment_eq(get_fs(), KERNEL_DS))
-                return __futex_atomic_cmpxchg_pt(uaddr, oldval, newval);
+                return __futex_atomic_cmpxchg_pt(uval, uaddr, oldval, newval);
        spin_lock(&current->mm->page_table_lock);
        uaddr = (int __user *) __dat_user_addr((unsigned long) uaddr);
        if (!uaddr) {
@@ -382,7 +385,7 @@ int futex_atomic_cmpxchg_pt(int __user *uaddr, int oldval, int newval)
        }
        get_page(virt_to_page(uaddr));
        spin_unlock(&current->mm->page_table_lock);
-        ret = __futex_atomic_cmpxchg_pt(uaddr, oldval, newval);
+        ret = __futex_atomic_cmpxchg_pt(uval, uaddr, oldval, newval);
        put_page(virt_to_page(uaddr));
        return ret;
 }
author	Michel Lespinasse <walken@google.com>	2011-03-10 21:48:51 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2011-03-11 06:23:08 -0500
commit	37a9d912b24f96a0591773e6e6c3642991ae5a70 (patch)
tree	5c4d5b9a52e2c533269e589115afbd25b6c8534b /arch/s390/lib/uaccess_pt.c
parent	522d7decc0370070448a8c28982c8dfd8970489e (diff)