Request for backport of [PARISC] futex: special case cmpxchg NULL in kernel space

Request for backport of [PARISC] futex: special case cmpxchg NULL in kernel space

[James Bottomley]

This is a fix for a bug introduced by tglx into 2.6.25 which we fixed
upstream.  However, he also got it backported to stable, so now 2.6.24.4
panics on boot on parisc.  The attached is the fix.

The upstream version of this patch is:

commit c20a84c91048c76c1379011c96b1a5cee5c7d9a0
Author: Kyle McMartin <kyle@shortfin.cabal.ca>
Date:   Sat Mar 1 10:25:52 2008 -0800

    [PARISC] futex: special case cmpxchg NULL in kernel space


James

---

From: Kyle McMartin <kyle@shortfin.cabal.ca>
Subject: [PARISC] futex: special case cmpxchg NULL in kernel space

Patch:

commit f9e77acd4060fefbb60a351cdb8d30fca27fe194
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Sun Feb 24 02:10:05 2008 +0000

    futex: runtime enable pi and robust functionality
 

which was backported to stable based on mainline Commit
a0c1e9073ef7428a14309cba010633a6cd6719ea added code to futex.c
to detect whether futex_atomic_cmpxchg_inatomic was implemented at run
time:

+       curval = cmpxchg_futex_value_locked(NULL, 0, 0);
+       if (curval == -EFAULT)
+               futex_cmpxchg_enabled = 1;

This is bogus on parisc, since page zero in kernel virtual space is the
gateway page for syscall entry, and should not be read from the kernel.
(That, and we really don't like the kernel faulting on its own address
 space...)

Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

---
 include/asm-parisc/futex.h |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/asm-parisc/futex.h b/include/asm-parisc/futex.h
index dbee6e6..fdc6d05 100644
--- a/include/asm-parisc/futex.h
+++ b/include/asm-parisc/futex.h
@@ -56,6 +56,12 @@ futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
 	int err = 0;
 	int uval;
 
+	/* futex.c wants to do a cmpxchg_inatomic on kernel NULL, which is
+	 * our gateway page, and causes no end of trouble...
+	 */
+	if (segment_eq(KERNEL_DS, get_fs()) && !uaddr)
+		return -EFAULT;
+
 	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
 		return -EFAULT;
 
@@ -67,5 +73,5 @@ futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
 	return uval;
 }
 
-#endif
-#endif
+#endif /*__KERNEL__*/
+#endif /*_ASM_PARISC_FUTEX_H*/
-- 
1.5.3.8

Re: Request for backport of [PARISC] futex: special case cmpxchg NULL in kernel space

[Kyle McMartin]

On Tue, Apr 15, 2008 at 10:45:11AM -0500, James Bottomley wrote:
> This is a fix for a bug introduced by tglx into 2.6.25 which we fixed
> upstream.  However, he also got it backported to stable, so now 2.6.24.4
> panics on boot on parisc.  The attached is the fix.
> 

The fix is fine, but it was misdiagnosed. The problem is actually that
swapper's *mm is unset. I switched it to if (!current->mm) in git,
but as usual I'm a slacker and haven't pushed it anywhere.

+1 for stable from me.

patch parisc-futex-special-case-cmpxchg-null-in-kernel-space.patch queued to 2.6.24-stable tree

[chrisw]

This is a note to let you know that we have just queued up the patch titled

     Subject: PARISC futex: special case cmpxchg NULL in kernel space

to the 2.6.24-stable tree.  Its filename is

     parisc-futex-special-case-cmpxchg-null-in-kernel-space.patch

A git repo of this tree can be found at 
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary


>From stable-bounces@linux.kernel.org  Wed Apr 16 16:44:42 2008
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: stable@kernel.org
Date: Tue, 15 Apr 2008 10:45:11 -0500
Message-Id: <1208274312.3131.11.camel@localhost.localdomain>
Cc: Parisc List <linux-parisc@vger.kernel.org>
Subject: PARISC futex: special case cmpxchg NULL in kernel space

From: Kyle McMartin <kyle@shortfin.cabal.ca>

upstream commit: c20a84c91048c76c1379011c96b1a5cee5c7d9a0

commit f9e77acd4060fefbb60a351cdb8d30fca27fe194
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Sun Feb 24 02:10:05 2008 +0000

    futex: runtime enable pi and robust functionality
 

which was backported to stable based on mainline Commit
a0c1e9073ef7428a14309cba010633a6cd6719ea added code to futex.c
to detect whether futex_atomic_cmpxchg_inatomic was implemented at run
time:

+       curval = cmpxchg_futex_value_locked(NULL, 0, 0);
+       if (curval == -EFAULT)
+               futex_cmpxchg_enabled = 1;

This is bogus on parisc, since page zero in kernel virtual space is the
gateway page for syscall entry, and should not be read from the kernel.
(That, and we really don't like the kernel faulting on its own address
 space...)

Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 include/asm-parisc/futex.h |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/include/asm-parisc/futex.h
+++ b/include/asm-parisc/futex.h
@@ -56,6 +56,12 @@ futex_atomic_cmpxchg_inatomic(int __user
 	int err = 0;
 	int uval;
 
+	/* futex.c wants to do a cmpxchg_inatomic on kernel NULL, which is
+	 * our gateway page, and causes no end of trouble...
+	 */
+	if (segment_eq(KERNEL_DS, get_fs()) && !uaddr)
+		return -EFAULT;
+
 	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
 		return -EFAULT;
 
@@ -67,5 +73,5 @@ futex_atomic_cmpxchg_inatomic(int __user
 	return uval;
 }
 
-#endif
-#endif
+#endif /*__KERNEL__*/
+#endif /*_ASM_PARISC_FUTEX_H*/


Patches currently in stable-queue which might be from James.Bottomley@HansenPartnership.com are

queue-2.6.24/parisc-pdc_console-fix-bizarre-panic-on-boot.patch
queue-2.6.24/parisc-futex-special-case-cmpxchg-null-in-kernel-space.patch