
Commit 183aca75 authored by shaohanlin's avatar shaohanlin Committed by Luca Weiss

Revert "futex: Handle faults correctly for PI futexes"

Security patch 2021-06 has removed this patch from v1.3

This reverts commit 7b909dce.
parent 77476612
+18 −2
@@ -988,8 +988,7 @@ void exit_pi_state_list(struct task_struct *curr)
 *	FUTEX_OWNER_DIED bit. See [4]
 *
 * [10] There is no transient state which leaves owner and user space
 *	TID out of sync. Except one error case where the kernel is denied
 *	write access to the user address, see fixup_pi_state_owner().
 *	TID out of sync.
 */

/*
@@ -2654,6 +2653,13 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
	if (res)
		ret = (res < 0) ? res : 0;

	/*
	 * If fixup_owner() faulted and was unable to handle the fault, unlock
	 * it and return the fault to userspace.
	 */
	if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
		rt_mutex_unlock(&q.pi_state->pi_mutex);

	/* Unqueue and drop the lock */
	unqueue_me_pi(&q);

@@ -2958,6 +2964,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
		if (q.pi_state && (q.pi_state->owner != current)) {
			spin_lock(q.lock_ptr);
			ret = fixup_pi_state_owner(uaddr2, &q, current);
			if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
				rt_mutex_unlock(&q.pi_state->pi_mutex);
			/*
			 * Drop the reference to the pi state which
			 * the requeue_pi() code acquired for us.
@@ -2994,6 +3002,14 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
		if (res)
			ret = (res < 0) ? res : 0;

		/*
		 * If fixup_pi_state_owner() faulted and was unable to handle
		 * the fault, unlock the rt_mutex and return the fault to
		 * userspace.
		 */
		if (ret && rt_mutex_owner(pi_mutex) == current)
			rt_mutex_unlock(pi_mutex);

		/* Unqueue and drop the lock. */
		unqueue_me_pi(&q);
	}
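Review bot: The three `rt_mutex_unlock()` calls guarded by `ret && rt_mutex_owner(...) == current` (one in futex_lock_pi(), two in futex_wait_requeue_pi()) look like the lines this revert brings back, judging by the hunk counts, and they release the rt_mutex after a failed fixup with nothing visible here that brings pi_state->owner back in line with it. The [10] note in the first hunk also loses its reference to the fault case in fixup_pi_state_owner(), so the comment now says owner and user space TID are never left out of sync while the code below handles exactly that fault. The description does not name which change from the 2021-06 patch set replaces the reverted fault handling. Before merging, confirm that fixup_pi_state_owner() in this tree is the version these unlocks were written against, and record it in the message, e.g. `Fault handling is now covered by <commit id from the 2021-06 patch set>`. All three functions continue outside their hunks, so the state of pi_state->owner on the error path cannot be checked from this page.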