[patch][Lucid] UBUNTU: SAUCE: (no-up) Fix regression introduced by patch, for CVE-2014-3153
John Johansen
john.johansen at canonical.com
Fri Jun 6 17:01:58 UTC 2014
From 0695328167baa4241b1f17b4d0d0a38c7b06981e Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Fri, 6 Jun 2014 17:41:09 +0100
Subject: [PATCH] UBUNTU: SAUCE: (no-up) Fix regression introduced by patch for CVE-2014-3153
Phil Turnbull reported a problem with the Lucid (2.6.32) backport of
futex: Always cleanup owner tid in unlock_pi
commit: 8e4e453d548e3c24e9070eda23c52f210951b921
In patches-2.6.32.tgz:patches/0003-futex-Always-cleanup-owner-tid-in-unlock_pi.patch
there is this change (ignoring whitespace changes):
curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
-
- if (curval == -EFAULT)
+ if (curval)
ret = -EFAULT;
which seems to change the behaviour of the function.
The purpose of the return value of cmpxchg_futex_value_locked changed in
37a9d912b24f96a0591 "futex: Sanitize cmpxchg_futex_value_locked API"
which is not included in 2.6.32. This patch changes the return value to a
status code, but in 2.6.32 the return value is the value of the futex or
-EFAULT. With this backported patch, any futex with a non-zero value will
return -EFAULT.
BugLink: http://bugs.launchpad.net/bugs/1327300
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
kernel/futex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index ae85d66..cd50a44 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -932,7 +932,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
- if (curval)
+ if (curval == -EFAULT)
ret = -EFAULT;
else if (curval != uval)
ret = -EINVAL;
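Review bot: a one-line comment above `if (curval == -EFAULT)` recording that in 2.6.32 cmpxchg_futex_value_locked() still returns the old futex word or -EFAULT (the pre-37a9d912b24f convention) would help here, since this regression came precisely from carrying the upstream `if (curval)` form into a tree with the older helper, and the same thing can happen again on the next futex backport. Note also that the restored comparison inherits the older API's ambiguity: a futex word that happens to equal (u32)-EFAULT is indistinguishable from a fault, which is what the upstream sanitize change removed; that is acceptable for a minimal SAUCE fix but worth stating in the commit message.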
--
1.7.9.5
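As an added illustration that is not part of this patch or of the kernel, a user-space model of the 2.6.32 return-value convention the commit message describes, showing why `if (curval)` reports a successful hand-off of a held PI futex as -EFAULT while the restored check does not. The helper, the tids and the NULL-as-bad-address convention are constructed stand-ins.

```c
#include <errno.h>
#include <stdint.h>

typedef uint32_t u32;
#define FUTEX_WAITERS 0x80000000U

/* Stand-in for the 2.6.32 helper: returns the futex word that was at *uaddr
 * before the compare-and-swap, or -EFAULT if the user address is bad (a NULL
 * pointer plays the unmapped page here). Constructed model, not kernel code. */
static u32 cmpxchg_futex_value_locked_2632(u32 *uaddr, u32 uval, u32 newval)
{
    if (!uaddr)
        return (u32)-EFAULT;
    u32 old = *uaddr;
    if (old == uval)
        *uaddr = newval;
    return old;
}

/* The check as the backport carried it over from upstream, where the helper
 * already returned a status code: any non-zero word is reported as a fault. */
static int unlock_pi_check_regressed(u32 *uaddr, u32 uval, u32 newval)
{
    u32 curval = cmpxchg_futex_value_locked_2632(uaddr, uval, newval);
    if (curval)
        return -EFAULT;
    else if (curval != uval)
        return -EINVAL;
    return 0;
}

/* The check as restored by this patch: only the -EFAULT sentinel is a fault
 * (cast made explicit here; the kernel relies on implicit conversion), and
 * any other mismatch means someone else changed the word (-EINVAL). */
static int unlock_pi_check_fixed(u32 *uaddr, u32 uval, u32 newval)
{
    u32 curval = cmpxchg_futex_value_locked_2632(uaddr, uval, newval);
    if (curval == (u32)-EFAULT)
        return -EFAULT;
    else if (curval != uval)
        return -EINVAL;
    return 0;
}

/* Held PI futex with waiters: owner tid 1234 handing off to tid 5678
 * (constructed tids). The word is non-zero, so the regressed check fails. */
static int demo_handoff(int (*check)(u32 *, u32, u32))
{
    u32 word = FUTEX_WAITERS | 1234;
    return check(&word, FUTEX_WAITERS | 1234, FUTEX_WAITERS | 5678);
}
```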