3 files changed, 52 insertions, 30 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 4cdc603b00c3..628be42296eb 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2654,20 +2654,33 @@ retry_private:
                goto no_block;
        }
+        rt_mutex_init_waiter(&rt_waiter);
        /*
-         * We must add ourselves to the rt_mutex waitlist while holding hb->lock
+         * On PREEMPT_RT_FULL, when hb->lock becomes an rt_mutex, we must not
-         * such that the hb and rt_mutex wait lists match.
+         * hold it while doing rt_mutex_start_proxy(), because then it will
+         * include hb->lock in the blocking chain, even through we'll not in
+         * fact hold it while blocking. This will lead it to report -EDEADLK
+         * and BUG when futex_unlock_pi() interleaves with this.
+         *
+         * Therefore acquire wait_lock while holding hb->lock, but drop the
+         * latter before calling rt_mutex_start_proxy_lock(). This still fully
+         * serializes against futex_unlock_pi() as that does the exact same
+         * lock handoff sequence.
         */
-        rt_mutex_init_waiter(&rt_waiter);
+        raw_spin_lock_irq(&q.pi_state->pi_mutex.wait_lock);
-        ret = rt_mutex_start_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter, current);
+        spin_unlock(q.lock_ptr);
+        ret = __rt_mutex_start_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter, current);
+        raw_spin_unlock_irq(&q.pi_state->pi_mutex.wait_lock);
        if (ret) {
                if (ret == 1)
                        ret = 0;
+                spin_lock(q.lock_ptr);
                goto no_block;
        }
-        spin_unlock(q.lock_ptr);
        if (unlikely(to))
                hrtimer_start_expires(&to->timer, HRTIMER_MODE_ABS);
@@ -2680,6 +2693,9 @@ retry_private:
         * first acquire the hb->lock before removing the lock from the
         * rt_mutex waitqueue, such that we can keep the hb and rt_mutex
         * wait lists consistent.
+         *
+         * In particular; it is important that futex_unlock_pi() can not
+         * observe this inconsistency.
         */
        if (ret && !rt_mutex_cleanup_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter))
                ret = 0;
@@ -2791,10 +2807,6 @@ retry:
                get_pi_state(pi_state);
                /*
-                 * Since modifying the wait_list is done while holding both
-                 * hb->lock and wait_lock, holding either is sufficient to
-                 * observe it.
-                 *
                 * By taking wait_lock while still holding hb->lock, we ensure
                 * there is no point where we hold neither; and therefore
                 * wake_futex_pi() must observe a state consistent with what we
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 48418a1733b8..dd103124166b 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1669,31 +1669,14 @@ void rt_mutex_proxy_unlock(struct rt_mutex *lock,
        rt_mutex_set_owner(lock, NULL);
 }
-/**
+int __rt_mutex_start_proxy_lock(struct rt_mutex *lock,
- * rt_mutex_start_proxy_lock() - Start lock acquisition for another task
- * @lock:               the rt_mutex to take
- * @waiter:             the pre-initialized rt_mutex_waiter
- * @task:               the task to prepare
- *
- * Returns:
- *  0 - task blocked on lock
- *  1 - acquired the lock for task, caller should wake it up
- * <0 - error
- *
- * Special API call for FUTEX_REQUEUE_PI support.
- */
-int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
                              struct rt_mutex_waiter *waiter,
                              struct task_struct *task)
 {
        int ret;
-        raw_spin_lock_irq(&lock->wait_lock);
+        if (try_to_take_rt_mutex(lock, task, NULL))
-        if (try_to_take_rt_mutex(lock, task, NULL)) {
-                raw_spin_unlock_irq(&lock->wait_lock);
                return 1;
-        }
        /* We enforce deadlock detection for futexes */
        ret = task_blocks_on_rt_mutex(lock, waiter, task,
@@ -1712,14 +1695,38 @@ int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
        if (unlikely(ret))
                remove_waiter(lock, waiter);
-        raw_spin_unlock_irq(&lock->wait_lock);
        debug_rt_mutex_print_deadlock(waiter);
        return ret;
 }
 /**
+ * rt_mutex_start_proxy_lock() - Start lock acquisition for another task
+ * @lock:               the rt_mutex to take
+ * @waiter:             the pre-initialized rt_mutex_waiter
+ * @task:               the task to prepare
+ *
+ * Returns:
+ *  0 - task blocked on lock
+ *  1 - acquired the lock for task, caller should wake it up
+ * <0 - error
+ *
+ * Special API call for FUTEX_REQUEUE_PI support.
+ */
+int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
+                              struct rt_mutex_waiter *waiter,
+                              struct task_struct *task)
+{
+        int ret;
+        raw_spin_lock_irq(&lock->wait_lock);
+        ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+        raw_spin_unlock_irq(&lock->wait_lock);
+        return ret;
+}
+/**
 * rt_mutex_next_owner - return the next owner of the lock
 *
 * @lock: the rt lock query
diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h
index 1e93e15a0e45..b1ccfea2effe 100644
--- a/kernel/locking/rtmutex_common.h
+++ b/kernel/locking/rtmutex_common.h
@@ -104,6 +104,9 @@ extern void rt_mutex_init_proxy_locked(struct rt_mutex *lock,
 extern void rt_mutex_proxy_unlock(struct rt_mutex *lock,
                                  struct task_struct *proxy_owner);
 extern void rt_mutex_init_waiter(struct rt_mutex_waiter *waiter);
+extern int __rt_mutex_start_proxy_lock(struct rt_mutex *lock,
+                                     struct rt_mutex_waiter *waiter,
+                                     struct task_struct *task);
 extern int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
                                     struct rt_mutex_waiter *waiter,
                                     struct task_struct *task);