Blame SOURCES/CVE-2021-3347.patch

afa55e
From 517d5c245c9805b56f73c7fa0e23e8853fe22da6 Mon Sep 17 00:00:00 2001
afa55e
From: Artem Savkov <asavkov@redhat.com>
afa55e
Date: Fri, 21 May 2021 14:20:32 +0200
afa55e
Subject: [RHEL7.9 KPATCH] CVE-2021-3347 Use after free via PI futex state
afa55e
afa55e
Kernels:
afa55e
3.10.0-1160.el7
afa55e
3.10.0-1160.2.1.el7
afa55e
3.10.0-1160.2.2.el7
afa55e
3.10.0-1160.6.1.el7
afa55e
3.10.0-1160.11.1.el7
afa55e
3.10.0-1160.15.2.el7
afa55e
3.10.0-1160.21.1.el7
afa55e
3.10.0-1160.24.1.el7
afa55e
3.10.0-1160.25.1.el7
afa55e
afa55e
Changes since last build:
afa55e
[x86_64]:
afa55e
futex.o: changed function: do_futex
afa55e
futex.o: changed function: fixup_owner
afa55e
futex.o: changed function: fixup_pi_state_owner.isra.16
afa55e
futex.o: changed function: free_pi_state
afa55e
futex.o: changed function: futex_lock_pi.isra.20
afa55e
futex.o: changed function: futex_wait_requeue_pi.constprop.22
afa55e
futex.o: new function: pi_state_update_owner
afa55e
afa55e
[ppc64le]:
afa55e
futex.o: changed function: do_futex
afa55e
futex.o: changed function: fixup_owner
afa55e
futex.o: changed function: fixup_pi_state_owner.isra.9
afa55e
futex.o: changed function: free_pi_state
afa55e
futex.o: changed function: futex_lock_pi.isra.16
afa55e
futex.o: changed function: futex_wait_requeue_pi.constprop.17
afa55e
futex.o: changed function: unqueue_me_pi
afa55e
futex.o: new function: pi_state_update_owner
afa55e
afa55e
---------------------------
afa55e
afa55e
Modifications: added -fno-optimize-sibling-calls to fixup_owner()
afa55e
afa55e
commit d2fb2a9cf682bdba4b66103fb079c13a04039430
afa55e
Author: Donghai Qiao <dqiao@redhat.com>
afa55e
Date:   Thu May 20 16:35:49 2021 -0400
afa55e
afa55e
    futex: Handle faults correctly for PI futexes
afa55e
afa55e
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1935108
afa55e
    Upstream status: 34b1a1ce1458f50ef27c54e28eb9b1947012907a
afa55e
    CVE: CVE-2021-3347
afa55e
afa55e
    Conflicts:
afa55e
    The original patch is intent to make the state of rtmutex and pi_state consistent
afa55e
    if the kernel is unable to update the user space futex word, rather than unlocking
afa55e
    the rtmutex and leaving pi_state out of synched. As a result, this original fix
afa55e
    removed part of the code which was introduced by 16ffa12d7 ("futex: Pull
afa55e
    rt_mutex_futex_unlock() out from under hb->lock") to the functions futex_lock_pi()
afa55e
    and futex_wait_requeue_pi() to avoid the inconsistency. So the conflicts are related
afa55e
    to the following two commits, though git blame displayed a much longer list which
afa55e
    shows the chain of dependency in the history.
afa55e
afa55e
    16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb->lock")
afa55e
    c236c8e95a3d ("futex: Fix potential use-after-free in FUTEX_REQUEUE_PI")
afa55e
afa55e
    commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a
afa55e
    Author: Thomas Gleixner <tglx@linutronix.de>
afa55e
    Date:   Mon, 18 Jan 2021 19:01:21 +0100
afa55e
afa55e
        futex: Handle faults correctly for PI futexes
afa55e
afa55e
        fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
afa55e
        pi_state and the user space value related to the PI futex are consistent
afa55e
        before returning to user space. In case that the user space value update
afa55e
        faults and the fault cannot be resolved by faulting the page in via
afa55e
        fault_in_user_writeable() the function returns with -EFAULT and leaves
afa55e
        the rtmutex and pi_state owner state inconsistent.
afa55e
afa55e
        A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
afa55e
        releases the rtmutex despite not owning it which can corrupt the RB tree of
afa55e
        the rtmutex and cause a subsequent kernel stack use after free.
afa55e
afa55e
        It was suggested to loop forever in fixup_pi_state_owner() if the fault
afa55e
        cannot be resolved, but that results in runaway tasks which is especially
afa55e
        undesired when the problem happens due to a programming error and not due
afa55e
        to malice.
afa55e
afa55e
        As the user space value cannot be fixed up, the proper solution is to make
afa55e
        the rtmutex and the pi_state consistent so both have the same owner. This
afa55e
        leaves the user space value out of sync. Any subsequent operation on the
afa55e
        futex will fail because the 10th rule of PI futexes (pi_state owner and
afa55e
        user space value are consistent) has been violated.
afa55e
afa55e
        As a consequence this removes the inept attempts of 'fixing' the situation
afa55e
        in case that the current task owns the rtmutex when returning with an
afa55e
        unresolvable fault by unlocking the rtmutex which left pi_state::owner and
afa55e
        rtmutex::owner out of sync in a different and only slightly less dangerous
afa55e
        way.
afa55e
afa55e
        Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
afa55e
        Reported-by: gzobqq@gmail.com
afa55e
        Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
afa55e
        Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
afa55e
        Cc: stable@vger.kernel.org
afa55e
afa55e
    Signed-off-by: Donghai Qiao <dqiao@redhat.com>
afa55e
afa55e
commit 25077b49b47c1cdf224b54c837172ff820e8be88
afa55e
Author: Donghai Qiao <dqiao@redhat.com>
afa55e
Date:   Thu May 20 16:30:16 2021 -0400
afa55e
afa55e
    futex: Provide and use pi_state_update_owner()
afa55e
afa55e
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1935108
afa55e
    Upstream status: c5cade200ab9a2a3be9e7f32a752c8d86b502ec7
afa55e
    CVE: CVE-2021-3347
afa55e
afa55e
    Conflicts:
afa55e
    Updating the owner of pi_state requires that we remove the pi_state structure from
afa55e
    the old owner's pi_state_list then add it to the new owner's pi_state_list. Because
afa55e
    this action takes place in multiple occassions in the current upstream futex.c, so
afa55e
    the similar code is duplicated in all these places. The purpose of this patch is to
afa55e
    eliminate these code duplications with a new routine pi_state_update_owner().
afa55e
afa55e
    The conflicts in 7.9.z are caused by the differences in places where updating owner
afa55e
    takes place. After sorting out the details, the relevant commit IDs as below :
afa55e
afa55e
    734009e96d19 ("futex: Change locking rules")
afa55e
    b4abf91047cf ("rtmutex: Make wait_lock irq safe")
afa55e
afa55e
    commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7
afa55e
    Author: Thomas Gleixner <tglx@linutronix.de>
afa55e
    Date:   Tue, 19 Jan 2021 15:21:35 +0100
afa55e
afa55e
        futex: Provide and use pi_state_update_owner()
afa55e
afa55e
        Updating pi_state::owner is done at several places with the same
afa55e
        code. Provide a function for it and use that at the obvious places.
afa55e
afa55e
        This is also a preparation for a bug fix to avoid yet another copy of the
afa55e
        same code or alternatively introducing a completely unpenetratable mess of
afa55e
        gotos.
afa55e
afa55e
        Originally-by: Peter Zijlstra <peterz@infradead.org>
afa55e
        Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
afa55e
        Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
afa55e
        Cc: stable@vger.kernel.org
afa55e
afa55e
    Signed-off-by: Donghai Qiao <dqiao@redhat.com>
afa55e
afa55e
commit 69414a50f8bad2063b89981110fb374733209d9d
afa55e
Author: Donghai Qiao <dqiao@redhat.com>
afa55e
Date:   Wed May 19 14:24:04 2021 -0400
afa55e
afa55e
    futex: Replace pointless printk in fixup_owner()
afa55e
afa55e
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1935108
afa55e
    Upstream status: 04b79c55201f02ffd675e1231d731365e335c307
afa55e
    CVE: CVE-2021-3347
afa55e
afa55e
    commit 04b79c55201f02ffd675e1231d731365e335c307
afa55e
    Author: Thomas Gleixner <tglx@linutronix.de>
afa55e
    Date:   Tue, 19 Jan 2021 16:06:10 +0100
afa55e
afa55e
        futex: Replace pointless printk in fixup_owner()
afa55e
afa55e
        If that unexpected case of inconsistent arguments ever happens then the
afa55e
        futex state is left completely inconsistent and the printk is not really
afa55e
        helpful. Replace it with a warning and make the state consistent.
afa55e
afa55e
        Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
afa55e
        Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
afa55e
        Cc: stable@vger.kernel.org
afa55e
afa55e
    Signed-off-by: Donghai Qiao <dqiao@redhat.com>
afa55e
afa55e
commit 7e96fb06469c95628039ead2591f82e88af5da10
afa55e
Author: Donghai Qiao <dqiao@redhat.com>
afa55e
Date:   Wed May 19 14:19:05 2021 -0400
afa55e
afa55e
    futex: Ensure the correct return value from futex_lock_pi()
afa55e
afa55e
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1935108
afa55e
    Upstream status: 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9
afa55e
    CVE: CVE-2021-3347
afa55e
afa55e
    Conflicts:
afa55e
    This original upstream patch relies heavily on c1e2f0eaf015 ("futex: Avoid
afa55e
    violating the 10th rule of futex") which is one of the upstream commits listed
afa55e
    below. But the backport for c1e2f0eaf015 requires we resolve very complex chain
afa55e
    of dependencies across multiple critical kernel source files therefore the risk
afa55e
    is considered too high for 7.9.z.
afa55e
afa55e
    Instead of pulling together tons of the relevant commits in to 7.9.z, we just
afa55e
    want to take a light risk approach by digesting the fix 12bb3f7f1b03 ("futex:
afa55e
    Ensure the correct return value from futex_lock_pi()") for 7.9.z. All we need
afa55e
    to do is to make the changed functions fixup_owner() and fixup_pi_state_owner()
afa55e
    of 7.9.z return the required values as this upstream fix suggests in every
afa55e
    circumstance. This way, we can cleanly cut this CVE patch set with merely four
afa55e
    patches, without having to backport tons of patches in the chain of dependency.
afa55e
afa55e
    Besides, an extra change made to fixup_owner() (see HUNK -2063,13 +2062,11 in
afa55e
    this backport patch) is to eliminate a mistake made by upstream, where the
afa55e
    specification of a local variable "ret" was removed from that function, but
afa55e
    there was still a dereference to "ret" as shown by that HUNK.
afa55e
afa55e
    16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb->lock")
afa55e
    c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
afa55e
    734009e96d19 ("futex: Change locking rules")
afa55e
    d7c5ed73b19c ("futex: Remove needless goto's")
afa55e
    6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
afa55e
afa55e
    commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9
afa55e
    Author: Thomas Gleixner <tglx@linutronix.de>
afa55e
    Date:   Wed, 20 Jan 2021 16:00:24 +0100
afa55e
afa55e
        futex: Ensure the correct return value from futex_lock_pi()
afa55e
afa55e
        In case that futex_lock_pi() was aborted by a signal or a timeout and the
afa55e
        task returned without acquiring the rtmutex, but is the designated owner of
afa55e
        the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to
afa55e
        establish consistent state. In that case it invokes fixup_pi_state_owner()
afa55e
        which in turn tries to acquire the rtmutex again. If that succeeds then it
afa55e
        does not propagate this success to fixup_owner() and futex_lock_pi()
afa55e
        returns -EINTR or -ETIMEOUT despite having the futex locked.
afa55e
afa55e
        Return success from fixup_pi_state_owner() in all cases where the current
afa55e
        task owns the rtmutex and therefore the futex and propagate it correctly
afa55e
        through fixup_owner(). Fixup the other callsite which does not expect a
afa55e
        positive return value.
afa55e
afa55e
        Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
afa55e
        Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
afa55e
        Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
afa55e
        Cc: stable@vger.kernel.org
afa55e
afa55e
    Signed-off-by: Donghai Qiao <dqiao@redhat.com>
afa55e
afa55e
Signed-off-by: Artem Savkov <asavkov@redhat.com>
afa55e
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
afa55e
Acked-by: Yannick Cote <ycote@redhat.com>
afa55e
---
afa55e
 kernel/futex.c | 123 +++++++++++++++++++++++++------------------------
afa55e
 1 file changed, 63 insertions(+), 60 deletions(-)
afa55e
afa55e
diff --git a/kernel/futex.c b/kernel/futex.c
afa55e
index 877831775d7aa..8ec57c357ca58 100644
afa55e
--- a/kernel/futex.c
afa55e
+++ b/kernel/futex.c
afa55e
@@ -640,6 +640,29 @@ static struct futex_pi_state * alloc_pi_state(void)
afa55e
 	return pi_state;
afa55e
 }
afa55e
 
afa55e
+static void pi_state_update_owner(struct futex_pi_state *pi_state,
afa55e
+				  struct task_struct *new_owner)
afa55e
+{
afa55e
+	struct task_struct *old_owner = pi_state->owner;
afa55e
+
afa55e
+	lockdep_assert_held(&pi_state->pi_mutex.wait_lock);
afa55e
+
afa55e
+	if (old_owner) {
afa55e
+		raw_spin_lock_irq(&old_owner->pi_lock);
afa55e
+		WARN_ON(list_empty(&pi_state->list));
afa55e
+		list_del_init(&pi_state->list);
afa55e
+		raw_spin_unlock_irq(&old_owner->pi_lock);
afa55e
+	}
afa55e
+
afa55e
+	if (new_owner) {
afa55e
+		raw_spin_lock_irq(&new_owner->pi_lock);
afa55e
+		WARN_ON(!list_empty(&pi_state->list));
afa55e
+		list_add(&pi_state->list, &new_owner->pi_state_list);
afa55e
+		pi_state->owner = new_owner;
afa55e
+		raw_spin_unlock_irq(&new_owner->pi_lock);
afa55e
+	}
afa55e
+}
afa55e
+
afa55e
 static void free_pi_state(struct futex_pi_state *pi_state)
afa55e
 {
afa55e
 	if (!atomic_dec_and_test(&pi_state->refcount))
afa55e
@@ -650,10 +673,7 @@ static void free_pi_state(struct futex_pi_state *pi_state)
afa55e
 	 * and has cleaned up the pi_state already
afa55e
 	 */
afa55e
 	if (pi_state->owner) {
afa55e
-		raw_spin_lock_irq(&pi_state->owner->pi_lock);
afa55e
-		list_del_init(&pi_state->list);
afa55e
-		raw_spin_unlock_irq(&pi_state->owner->pi_lock);
afa55e
-
afa55e
+		pi_state_update_owner(pi_state, NULL);
afa55e
 		rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
afa55e
 	}
afa55e
 
afa55e
@@ -791,7 +811,8 @@ void exit_pi_state_list(struct task_struct *curr)
afa55e
  *	FUTEX_OWNER_DIED bit. See [4]
afa55e
  *
afa55e
  * [10] There is no transient state which leaves owner and user space
afa55e
- *	TID out of sync.
afa55e
+ *	TID out of sync. Except one error case where the kernel is denied
afa55e
+ *	write access to the user address, see fixup_pi_state_owner().
afa55e
  */
afa55e
 static int
afa55e
 lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
afa55e
@@ -1168,16 +1189,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
afa55e
 		return ret;
afa55e
 	}
afa55e
 
afa55e
-	raw_spin_lock_irq(&pi_state->owner->pi_lock);
afa55e
-	WARN_ON(list_empty(&pi_state->list));
afa55e
-	list_del_init(&pi_state->list);
afa55e
-	raw_spin_unlock_irq(&pi_state->owner->pi_lock);
afa55e
-
afa55e
-	raw_spin_lock_irq(&new_owner->pi_lock);
afa55e
-	WARN_ON(!list_empty(&pi_state->list));
afa55e
-	list_add(&pi_state->list, &new_owner->pi_state_list);
afa55e
-	pi_state->owner = new_owner;
afa55e
-	raw_spin_unlock_irq(&new_owner->pi_lock);
afa55e
+	pi_state_update_owner(pi_state, new_owner);
afa55e
 
afa55e
 	raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
afa55e
 	rt_mutex_unlock(&pi_state->pi_mutex);
afa55e
@@ -1953,20 +1965,9 @@ retry:
afa55e
 	 * We fixed up user space. Now we need to fix the pi_state
afa55e
 	 * itself.
afa55e
 	 */
afa55e
-	if (pi_state->owner != NULL) {
afa55e
-		raw_spin_lock_irq(&pi_state->owner->pi_lock);
afa55e
-		WARN_ON(list_empty(&pi_state->list));
afa55e
-		list_del_init(&pi_state->list);
afa55e
-		raw_spin_unlock_irq(&pi_state->owner->pi_lock);
afa55e
-	}
afa55e
+	pi_state_update_owner(pi_state, newowner);
afa55e
 
afa55e
-	pi_state->owner = newowner;
afa55e
-
afa55e
-	raw_spin_lock_irq(&newowner->pi_lock);
afa55e
-	WARN_ON(!list_empty(&pi_state->list));
afa55e
-	list_add(&pi_state->list, &newowner->pi_state_list);
afa55e
-	raw_spin_unlock_irq(&newowner->pi_lock);
afa55e
-	return 0;
afa55e
+	return newowner == current;
afa55e
 
afa55e
 	/*
afa55e
 	 * To handle the page fault we need to drop the hash bucket
afa55e
@@ -1989,10 +1990,26 @@ handle_fault:
afa55e
 	 * Check if someone else fixed it for us:
afa55e
 	 */
afa55e
 	if (pi_state->owner != oldowner)
afa55e
-		return 0;
afa55e
+		return newowner == current;
afa55e
+
afa55e
+	if (ret) {
afa55e
+		/*
afa55e
+		 * fault_in_user_writeable() failed so user state is immutable. At
afa55e
+		 * best we can make the kernel state consistent but user state will
afa55e
+		 * be most likely hosed and any subsequent unlock operation will be
afa55e
+		 * rejected due to PI futex rule [10].
afa55e
+		 *
afa55e
+		 * Ensure that the rtmutex owner is also the pi_state owner despite
afa55e
+		 * the user space value claiming something different. There is no
afa55e
+		 * point in unlocking the rtmutex if current is the owner as it
afa55e
+		 * would need to wait until the next waiter has taken the rtmutex
afa55e
+		 * to guarantee consistent state. Keep it simple. Userspace asked
afa55e
+		 * for this wreckaged state.
afa55e
+		 */
afa55e
+		pi_state_update_owner(pi_state, rt_mutex_owner(&pi_state->pi_mutex));
afa55e
 
afa55e
-	if (ret)
afa55e
 		return ret;
afa55e
+	}
afa55e
 
afa55e
 	goto retry;
afa55e
 }
afa55e
@@ -2014,10 +2031,10 @@ static long futex_wait_restart(struct restart_block *restart);
afa55e
  *  0 - success, lock not taken;
afa55e
  * <0 - on error (-EFAULT)
afa55e
  */
afa55e
+__attribute__((optimize("-fno-optimize-sibling-calls")))
afa55e
 static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
afa55e
 {
afa55e
 	struct task_struct *owner;
afa55e
-	int ret = 0;
afa55e
 
afa55e
 	if (locked) {
afa55e
 		/*
afa55e
@@ -2025,8 +2042,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
afa55e
 		 * did a lock-steal - fix up the PI-state in that case:
afa55e
 		 */
afa55e
 		if (q->pi_state->owner != current)
afa55e
-			ret = fixup_pi_state_owner(uaddr, q, current);
afa55e
-		goto out;
afa55e
+			return fixup_pi_state_owner(uaddr, q, current);
afa55e
+		return 1;
afa55e
 	}
afa55e
 
afa55e
 	/*
afa55e
@@ -2040,8 +2057,7 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
afa55e
 		 * rt_mutex waiters list.
afa55e
 		 */
afa55e
 		if (rt_mutex_trylock(&q->pi_state->pi_mutex)) {
afa55e
-			locked = 1;
afa55e
-			goto out;
afa55e
+			return 1;
afa55e
 		}
afa55e
 
afa55e
 		/*
afa55e
@@ -2054,22 +2070,18 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
afa55e
 		if (!owner)
afa55e
 			owner = rt_mutex_next_owner(&q->pi_state->pi_mutex);
afa55e
 		raw_spin_unlock(&q->pi_state->pi_mutex.wait_lock);
afa55e
-		ret = fixup_pi_state_owner(uaddr, q, owner);
afa55e
-		goto out;
afa55e
+
afa55e
+		return fixup_pi_state_owner(uaddr, q, owner);
afa55e
 	}
afa55e
 
afa55e
 	/*
afa55e
 	 * Paranoia check. If we did not take the lock, then we should not be
afa55e
-	 * the owner of the rt_mutex.
afa55e
+	 * the owner of the rt_mutex. Warn and establish consistent state.
afa55e
 	 */
afa55e
-	if (rt_mutex_owner(&q->pi_state->pi_mutex) == current)
afa55e
-		printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p "
afa55e
-				"pi-state %p\n", ret,
afa55e
-				q->pi_state->pi_mutex.owner,
afa55e
-				q->pi_state->owner);
afa55e
+	if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current))
afa55e
+		return fixup_pi_state_owner(uaddr, q, current);
afa55e
 
afa55e
-out:
afa55e
-	return ret ? ret : locked;
afa55e
+	return 0;
afa55e
 }
afa55e
 
afa55e
 /**
afa55e
@@ -2363,13 +2375,6 @@ retry_private:
afa55e
 	if (res)
afa55e
 		ret = (res < 0) ? res : 0;
afa55e
 
afa55e
-	/*
afa55e
-	 * If fixup_owner() faulted and was unable to handle the fault, unlock
afa55e
-	 * it and return the fault to userspace.
afa55e
-	 */
afa55e
-	if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
afa55e
-		rt_mutex_unlock(&q.pi_state->pi_mutex);
afa55e
-
afa55e
 	/* Unqueue and drop the lock */
afa55e
 	unqueue_me_pi(&q);
afa55e
 
afa55e
@@ -2666,6 +2671,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
afa55e
 			spin_lock(q.lock_ptr);
afa55e
 			ret = fixup_pi_state_owner(uaddr2, &q, current);
afa55e
 			spin_unlock(q.lock_ptr);
afa55e
+			/*
afa55e
+			 * Adjust the return value. It's either -EFAULT or
afa55e
+			 * success (1) but the caller expects 0 for success.
afa55e
+			 */
afa55e
+			ret = ret < 0 ? ret : 0;
afa55e
 		}
afa55e
 	} else {
afa55e
 		/*
afa55e
@@ -2695,14 +2705,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
afa55e
 		unqueue_me_pi(&q);
afa55e
 	}
afa55e
 
afa55e
-	/*
afa55e
-	 * If fixup_pi_state_owner() faulted and was unable to handle the
afa55e
-	 * fault, unlock the rt_mutex and return the fault to userspace.
afa55e
-	 */
afa55e
-	if (ret == -EFAULT) {
afa55e
-		if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
afa55e
-			rt_mutex_unlock(pi_mutex);
afa55e
-	} else if (ret == -EINTR) {
afa55e
+	if (ret == -EINTR) {
afa55e
 		/*
afa55e
 		 * We've already been requeued, but cannot restart by calling
afa55e
 		 * futex_lock_pi() directly. We could restart this syscall, but
afa55e
-- 
afa55e
2.26.3
afa55e