1 files changed, 39 insertions, 18 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 8e3c3ffe1b9a..e7a35f1039e7 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -203,8 +203,6 @@ static void drop_futex_key_refs(union futex_key *key)
 * @uaddr:      virtual address of the futex
 * @fshared:    0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
 * @key:        address where result is stored.
- * @rw:         mapping needs to be read/write (values: VERIFY_READ,
- *              VERIFY_WRITE)
 *
 * Returns a negative error code or 0
 * The key words are stored in *key on success.
@@ -216,7 +214,7 @@ static void drop_futex_key_refs(union futex_key *key)
 * lock_page() might sleep, the caller should not hold a spinlock.
 */
 static int
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
 {
        unsigned long address = (unsigned long)uaddr;
        struct mm_struct *mm = current->mm;
@@ -239,7 +237,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
         *        but access_ok() should be faster than find_vma()
         */
        if (!fshared) {
-                if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+                if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
                        return -EFAULT;
                key->private.mm = mm;
                key->private.address = address;
@@ -248,7 +246,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
        }
 again:
-        err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page);
+        err = get_user_pages_fast(address, 1, 1, &page);
        if (err < 0)
                return err;
@@ -532,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                                return -EINVAL;
                        WARN_ON(!atomic_read(&pi_state->refcount));
-                        WARN_ON(pid && pi_state->owner &&
-                                pi_state->owner->pid != pid);
+                        /*
+                         * When pi_state->owner is NULL then the owner died
+                         * and another waiter is on the fly. pi_state->owner
+                         * is fixed up by the task which acquires
+                         * pi_state->rt_mutex.
+                         *
+                         * We do not check for pid == 0 which can happen when
+                         * the owner died and robust_list_exit() cleared the
+                         * TID.
+                         */
+                        if (pid && pi_state->owner) {
+                                /*
+                                 * Bail out if user space manipulated the
+                                 * futex value.
+                                 */
+                                if (pid != task_pid_vnr(pi_state->owner))
+                                        return -EINVAL;
+                        }
                        atomic_inc(&pi_state->refcount);
                        *ps = pi_state;
@@ -760,6 +775,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
        if (!pi_state)
                return -EINVAL;
+        /*
+         * If current does not own the pi_state then the futex is
+         * inconsistent and user space fiddled with the futex value.
+         */
+        if (pi_state->owner != current)
+                return -EINVAL;
        raw_spin_lock(&pi_state->pi_mutex.wait_lock);
        new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
@@ -867,7 +889,7 @@ static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
        if (!bitset)
                return -EINVAL;
-        ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);
+        ret = get_futex_key(uaddr, fshared, &key);
        if (unlikely(ret != 0))
                goto out;
@@ -913,10 +935,10 @@ futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
        int ret, op_ret;
 retry:
-        ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+        ret = get_futex_key(uaddr1, fshared, &key1);
        if (unlikely(ret != 0))
                goto out;
-        ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+        ret = get_futex_key(uaddr2, fshared, &key2);
        if (unlikely(ret != 0))
                goto out_put_key1;
@@ -1175,11 +1197,10 @@ retry:
                pi_state = NULL;
        }
-        ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+        ret = get_futex_key(uaddr1, fshared, &key1);
        if (unlikely(ret != 0))
                goto out;
-        ret = get_futex_key(uaddr2, fshared, &key2,
+        ret = get_futex_key(uaddr2, fshared, &key2);
-                            requeue_pi ? VERIFY_WRITE : VERIFY_READ);
        if (unlikely(ret != 0))
                goto out_put_key1;
@@ -1738,7 +1759,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,
         */
 retry:
        q->key = FUTEX_KEY_INIT;
-        ret = get_futex_key(uaddr, fshared, &q->key, VERIFY_READ);
+        ret = get_futex_key(uaddr, fshared, &q->key);
        if (unlikely(ret != 0))
                return ret;
@@ -1904,7 +1925,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
        q.requeue_pi_key = NULL;
 retry:
        q.key = FUTEX_KEY_INIT;
-        ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
+        ret = get_futex_key(uaddr, fshared, &q.key);
        if (unlikely(ret != 0))
                goto out;
@@ -1974,7 +1995,7 @@ retry_private:
        /* Unqueue and drop the lock */
        unqueue_me_pi(&q);
-        goto out;
+        goto out_put_key;
 out_unlock_put_key:
        queue_unlock(&q, hb);
@@ -2023,7 +2044,7 @@ retry:
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
                return -EPERM;
-        ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);
+        ret = get_futex_key(uaddr, fshared, &key);
        if (unlikely(ret != 0))
                goto out;
@@ -2215,7 +2236,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
        rt_waiter.task = NULL;
        key2 = FUTEX_KEY_INIT;
-        ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+        ret = get_futex_key(uaddr2, fshared, &key2);
        if (unlikely(ret != 0))
                goto out;

diff --git a/kernel/futex.c b/kernel/futex.c index 8e3c3ffe1b9a..e7a35f1039e7 100644 --- a/kernel/futex.c +++ b/kernel/futex.c
@@ -203,8 +203,6 @@ static void drop_futex_key_refs(union futex_key *key)
203	* @uaddr: virtual address of the futex	203	* @uaddr: virtual address of the futex
204	* @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED	204	* @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
205	* @key: address where result is stored.	205	* @key: address where result is stored.
206	* @rw: mapping needs to be read/write (values: VERIFY_READ,
207	* VERIFY_WRITE)
208	*	206	*
209	* Returns a negative error code or 0	207	* Returns a negative error code or 0
210	* The key words are stored in *key on success.	208	* The key words are stored in *key on success.
@@ -216,7 +214,7 @@ static void drop_futex_key_refs(union futex_key *key)
216	* lock_page() might sleep, the caller should not hold a spinlock.	214	* lock_page() might sleep, the caller should not hold a spinlock.
217	*/	215	*/
218	static int	216	static int
219	get_futex_key(u32 __user uaddr, int fshared, union futex_key key, int rw)	217	get_futex_key(u32 __user uaddr, int fshared, union futex_key key)
220	{	218	{
221	unsigned long address = (unsigned long)uaddr;	219	unsigned long address = (unsigned long)uaddr;
222	struct mm_struct *mm = current->mm;	220	struct mm_struct *mm = current->mm;
@@ -239,7 +237,7 @@ get_futex_key(u32 __user uaddr, int fshared, union futex_key key, int rw)
239	* but access_ok() should be faster than find_vma()	237	* but access_ok() should be faster than find_vma()
240	*/	238	*/
241	if (!fshared) {	239	if (!fshared) {
242	if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))	240	if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
243	return -EFAULT;	241	return -EFAULT;
244	key->private.mm = mm;	242	key->private.mm = mm;
245	key->private.address = address;	243	key->private.address = address;
@@ -248,7 +246,7 @@ get_futex_key(u32 __user uaddr, int fshared, union futex_key key, int rw)
248	}	246	}
249		247
250	again:	248	again:
251	err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page);	249	err = get_user_pages_fast(address, 1, 1, &page);
252	if (err < 0)	250	if (err < 0)
253	return err;	251	return err;
254		252
@@ -532,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
532	return -EINVAL;	530	return -EINVAL;
533		531
534	WARN_ON(!atomic_read(&pi_state->refcount));	532	WARN_ON(!atomic_read(&pi_state->refcount));
535	WARN_ON(pid && pi_state->owner &&	533
536	pi_state->owner->pid != pid);	534	/*
		535	* When pi_state->owner is NULL then the owner died
		536	* and another waiter is on the fly. pi_state->owner
		537	* is fixed up by the task which acquires
		538	* pi_state->rt_mutex.
		539	*
		540	* We do not check for pid == 0 which can happen when
		541	* the owner died and robust_list_exit() cleared the
		542	* TID.
		543	*/
		544	if (pid && pi_state->owner) {
		545	/*
		546	* Bail out if user space manipulated the
		547	* futex value.
		548	*/
		549	if (pid != task_pid_vnr(pi_state->owner))
		550	return -EINVAL;
		551	}
537		552
538	atomic_inc(&pi_state->refcount);	553	atomic_inc(&pi_state->refcount);
539	*ps = pi_state;	554	*ps = pi_state;
@@ -760,6 +775,13 @@ static int wake_futex_pi(u32 __user uaddr, u32 uval, struct futex_q this)
760	if (!pi_state)	775	if (!pi_state)
761	return -EINVAL;	776	return -EINVAL;
762		777
		778	/*
		779	* If current does not own the pi_state then the futex is
		780	* inconsistent and user space fiddled with the futex value.
		781	*/
		782	if (pi_state->owner != current)
		783	return -EINVAL;
		784
763	raw_spin_lock(&pi_state->pi_mutex.wait_lock);	785	raw_spin_lock(&pi_state->pi_mutex.wait_lock);
764	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);	786	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
765		787
@@ -867,7 +889,7 @@ static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
867	if (!bitset)	889	if (!bitset)
868	return -EINVAL;	890	return -EINVAL;
869		891
870	ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);	892	ret = get_futex_key(uaddr, fshared, &key);
871	if (unlikely(ret != 0))	893	if (unlikely(ret != 0))
872	goto out;	894	goto out;
873		895
@@ -913,10 +935,10 @@ futex_wake_op(u32 __user uaddr1, int fshared, u32 __user uaddr2,
913	int ret, op_ret;	935	int ret, op_ret;
914		936
915	retry:	937	retry:
916	ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);	938	ret = get_futex_key(uaddr1, fshared, &key1);
917	if (unlikely(ret != 0))	939	if (unlikely(ret != 0))
918	goto out;	940	goto out;
919	ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);	941	ret = get_futex_key(uaddr2, fshared, &key2);
920	if (unlikely(ret != 0))	942	if (unlikely(ret != 0))
921	goto out_put_key1;	943	goto out_put_key1;
922		944
@@ -1175,11 +1197,10 @@ retry:
1175	pi_state = NULL;	1197	pi_state = NULL;
1176	}	1198	}
1177		1199
1178	ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);	1200	ret = get_futex_key(uaddr1, fshared, &key1);
1179	if (unlikely(ret != 0))	1201	if (unlikely(ret != 0))
1180	goto out;	1202	goto out;
1181	ret = get_futex_key(uaddr2, fshared, &key2,	1203	ret = get_futex_key(uaddr2, fshared, &key2);
1182	requeue_pi ? VERIFY_WRITE : VERIFY_READ);
1183	if (unlikely(ret != 0))	1204	if (unlikely(ret != 0))
1184	goto out_put_key1;	1205	goto out_put_key1;
1185		1206
@@ -1738,7 +1759,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,
1738	*/	1759	*/
1739	retry:	1760	retry:
1740	q->key = FUTEX_KEY_INIT;	1761	q->key = FUTEX_KEY_INIT;
1741	ret = get_futex_key(uaddr, fshared, &q->key, VERIFY_READ);	1762	ret = get_futex_key(uaddr, fshared, &q->key);
1742	if (unlikely(ret != 0))	1763	if (unlikely(ret != 0))
1743	return ret;	1764	return ret;
1744		1765
@@ -1904,7 +1925,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
1904	q.requeue_pi_key = NULL;	1925	q.requeue_pi_key = NULL;
1905	retry:	1926	retry:
1906	q.key = FUTEX_KEY_INIT;	1927	q.key = FUTEX_KEY_INIT;
1907	ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);	1928	ret = get_futex_key(uaddr, fshared, &q.key);
1908	if (unlikely(ret != 0))	1929	if (unlikely(ret != 0))
1909	goto out;	1930	goto out;
1910		1931
@@ -1974,7 +1995,7 @@ retry_private:
1974	/* Unqueue and drop the lock */	1995	/* Unqueue and drop the lock */
1975	unqueue_me_pi(&q);	1996	unqueue_me_pi(&q);
1976		1997
1977	goto out;	1998	goto out_put_key;
1978		1999
1979	out_unlock_put_key:	2000	out_unlock_put_key:
1980	queue_unlock(&q, hb);	2001	queue_unlock(&q, hb);
@@ -2023,7 +2044,7 @@ retry:
2023	if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))	2044	if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
2024	return -EPERM;	2045	return -EPERM;
2025		2046
2026	ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);	2047	ret = get_futex_key(uaddr, fshared, &key);
2027	if (unlikely(ret != 0))	2048	if (unlikely(ret != 0))
2028	goto out;	2049	goto out;
2029		2050
@@ -2215,7 +2236,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
2215	rt_waiter.task = NULL;	2236	rt_waiter.task = NULL;
2216		2237
2217	key2 = FUTEX_KEY_INIT;	2238	key2 = FUTEX_KEY_INIT;
2218	ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);	2239	ret = get_futex_key(uaddr2, fshared, &key2);
2219	if (unlikely(ret != 0))	2240	if (unlikely(ret != 0))
2220	goto out;	2241	goto out;
2221		2242