From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Will Deacon
Subject: [PATCH 3.18 055/104] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
Date: Wed, 24 Apr 2019 19:09:12 +0200
Message-Id: <20190424170902.623665551@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190424170839.996641496@linuxfoundation.org>
References: <20190424170839.996641496@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Will Deacon

commit 045afc24124d80c6998d9c770844c67912083506 upstream.

Rather embarrassingly, our futex() FUTEX_WAKE_OP implementation doesn't
explicitly set the return value on the non-faulting path and instead
leaves it holding the result of the underlying atomic operation. This
means that any FUTEX_WAKE_OP atomic operation which computes a non-zero
value will be reported as having failed. Regrettably, I wrote the buggy
code back in 2011 and it was upstreamed as part of the initial arm64
support in 2012.

The reasons we appear to get away with this are:

  1. FUTEX_WAKE_OP is rarely used and therefore doesn't appear to get
     exercised by futex() test applications

  2. If the result of the atomic operation is zero, the system call
     behaves correctly

  3. Prior to version 2.25, the only operation used by GLIBC set the
     futex to zero, and therefore worked as expected. From 2.25 onwards,
     FUTEX_WAKE_OP is not used by GLIBC at all.

Fix the implementation by ensuring that the return value is either 0
to indicate that the atomic operation completed successfully, or -EFAULT
if we encountered a fault when accessing the user mapping.

Cc:
Fixes: 6170a97460db ("arm64: Atomic operations")
Signed-off-by: Will Deacon
Signed-off-by: Greg Kroah-Hartman --- arch/arm64/include/asm/futex.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) Reviewed-by: Greg Kroah-Hartman Signed-off-by: Nathan Chancellor Signed-off-by: Catalin Marinas --- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h @@ -26,8 +26,8 @@ asm volatile( \ "1: ldxr %w1, %2\n" \ insn "\n" \ -"2: stlxr %w3, %w0, %2\n" \ -" cbnz %w3, 1b\n" \ +"2: stlxr %w0, %w3, %2\n" \ +" cbnz %w0, 1b\n" \ " dmb ish\n" \ "3:\n" \ " .pushsection .fixup,\"ax\"\n" \ @@ -50,7 +50,7 @@ futex_atomic_op_inuser(unsigned int enco int cmp = (encoded_op >> 24) & 15; int oparg = (int)(encoded_op << 8) >> 20; int cmparg = (int)(encoded_op << 20) >> 20; - int oldval = 0, ret, tmp; + int oldval, ret, tmp; if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) oparg = 1U << (oparg & 0x1f); @@ -62,23 +62,23 @@ futex_atomic_op_inuser(unsigned int enco switch (op) { case FUTEX_OP_SET: - __futex_atomic_op("mov %w0, %w4", + __futex_atomic_op("mov %w3, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_ADD: - __futex_atomic_op("add %w0, %w1, %w4", + __futex_atomic_op("add %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_OR: - __futex_atomic_op("orr %w0, %w1, %w4", + __futex_atomic_op("orr %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; case FUTEX_OP_ANDN: - __futex_atomic_op("and %w0, %w1, %w4", + __futex_atomic_op("and %w3, %w1, %w4", ret, oldval, uaddr, tmp, ~oparg); break; case FUTEX_OP_XOR: - __futex_atomic_op("eor %w0, %w1, %w4", + __futex_atomic_op("eor %w3, %w1, %w4", ret, oldval, uaddr, tmp, oparg); break; default:
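
Review bot: In the asm hunk (@@ -26,8 +26,8 @@), `stlxr %w0, %w3, %2` followed by `cbnz %w0, 1b` makes the success-path return value depend on operand 0 doubling as the store-exclusive status register, and nothing in the macro says so. A one-line comment next to the `stlxr`, stating that %w0 is the status flag and is therefore 0 when execution falls through to `dmb ish`, would stop a later edit from reintroducing the bug the commit message describes. The operand constraints and the `.fixup` body are outside the visible context, so please also confirm that operand 3 is still declared as a written output now that `insn` targets it, and that the fixup path still assigns -EFAULT to %w0.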
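
Review bot: Dropping the `= 0` initializer in `int oldval, ret, tmp;` (hunk @@ -50,7 +50,7 @@) is not mentioned in the commit message and leaves `oldval` indeterminate if the `ldxr` at label 1 faults before loading it. The code that consumes `oldval` after the switch is not in the visible context; please confirm that every read of it is guarded by a check that `ret` is 0, or keep the initializer, since removing it is not required for the return-value fix.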
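
Review bot: The five call sites in the `switch (op)` hunk (@@ -62,23 +62,23 @@) now have to agree with the macro on bare operand numbers: each `insn` must write %w3 because %w0 is overwritten by the `stlxr` status. A missed or later-added case that still writes %w0 would store whatever happens to be in `tmp` to the user address, and nothing would flag it at build time. Consider named asm operands (for example `%w[tmp]` and `%w[ret]`), or at least a comment above `__futex_atomic_op` stating which operand `insn` must target.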