Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull core kernel fixes from Ingo Molnar: "This is a complex task_work series from Oleg that fixes the bug that this VFS commit tried to fix: d35abdb28824 hold task_lock around checks in keyctl but solves the problem without the lockup regression that d35abdb28824 introduced in v3.6. This series came late in v3.6 and I did not feel confident about it so late in the cycle. Might be worth backporting to -stable if it proves itself upstream." * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: task_work: Simplify the usage in ptrace_notify() and get_signal_to_deliver() task_work: Revert "hold task_lock around checks in keyctl" task_work: task_work_add() should not succeed after exit_task_work() task_work: Make task_work_add() lockless
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-01 13:25:54 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-01 13:25:54 -0400
commit: 94095a1fff89dffe9451839deae4c6a40cf3ec21 (patch)
tree: c1beac5dc336d836c269253db3b00a302777598f
parent: 620e77533f29796df7aff861e79bd72e08554ebb (diff)
parent: f784e8a7989c0da3062d04bfea3db90f41e8f738 (diff)
4 files changed, 66 insertions, 68 deletions
diff --git a/include/linux/task_work.h b/include/linux/task_work.h
index fb46b03b1852..ca5a1cf27dae 100644
--- a/include/linux/task_work.h
+++ b/include/linux/task_work.h
@@ -18,8 +18,7 @@ void task_work_run(void);
 static inline void exit_task_work(struct task_struct *task)
 {
-        if (unlikely(task->task_works))
+        task_work_run();
-                task_work_run();
 }
 #endif  /* _LINUX_TASK_WORK_H */
diff --git a/kernel/signal.c b/kernel/signal.c
index be4f856d52f8..2c681f11b7d2 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1971,13 +1971,8 @@ static void ptrace_do_notify(int signr, int exit_code, int why)
 void ptrace_notify(int exit_code)
 {
        BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
-        if (unlikely(current->task_works)) {
+        if (unlikely(current->task_works))
-                if (test_and_clear_ti_thread_flag(current_thread_info(),
+                task_work_run();
-                                                   TIF_NOTIFY_RESUME)) {
-                        smp_mb__after_clear_bit();
-                        task_work_run();
-                }
-        }
        spin_lock_irq(&current->sighand->siglock);
        ptrace_do_notify(SIGTRAP, exit_code, CLD_TRAPPED);
@@ -2198,13 +2193,8 @@ int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka,
        struct signal_struct *signal = current->signal;
        int signr;
-        if (unlikely(current->task_works)) {
+        if (unlikely(current->task_works))
-                if (test_and_clear_ti_thread_flag(current_thread_info(),
+                task_work_run();
-                                                   TIF_NOTIFY_RESUME)) {
-                        smp_mb__after_clear_bit();
-                        task_work_run();
-                }
-        }
        if (unlikely(uprobe_deny_signal()))
                return 0;
diff --git a/kernel/task_work.c b/kernel/task_work.c
index d320d44903bd..65bd3c92d6f3 100644
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -2,26 +2,20 @@
 #include <linux/task_work.h>
 #include <linux/tracehook.h>
+static struct callback_head work_exited; /* all we need is ->next == NULL */
 int
-task_work_add(struct task_struct *task, struct callback_head *twork, bool notify)
+task_work_add(struct task_struct *task, struct callback_head *work, bool notify)
 {
-        struct callback_head *last, *first;
+        struct callback_head *head;
-        unsigned long flags;
-        /*
+        do {
-         * Not inserting the new work if the task has already passed
+                head = ACCESS_ONCE(task->task_works);
-         * exit_task_work() is the responisbility of callers.
+                if (unlikely(head == &work_exited))
-         */
+                        return -ESRCH;
-        raw_spin_lock_irqsave(&task->pi_lock, flags);
+                work->next = head;
-        last = task->task_works;
+        } while (cmpxchg(&task->task_works, head, work) != head);
-        first = last ? last->next : twork;
-        twork->next = first;
-        if (last)
-                last->next = twork;
-        task->task_works = twork;
-        raw_spin_unlock_irqrestore(&task->pi_lock, flags);
-        /* test_and_set_bit() implies mb(), see tracehook_notify_resume(). */
        if (notify)
                set_notify_resume(task);
        return 0;
@@ -30,52 +24,69 @@ task_work_add(struct task_struct *task, struct callback_head *twork, bool notify
 struct callback_head *
 task_work_cancel(struct task_struct *task, task_work_func_t func)
 {
+        struct callback_head **pprev = &task->task_works;
+        struct callback_head *work = NULL;
        unsigned long flags;
-        struct callback_head *last, *res = NULL;
+        /*
+         * If cmpxchg() fails we continue without updating pprev.
+         * Either we raced with task_work_add() which added the
+         * new entry before this work, we will find it again. Or
+         * we raced with task_work_run(), *pprev == NULL/exited.
+         */
        raw_spin_lock_irqsave(&task->pi_lock, flags);
-        last = task->task_works;
+        while ((work = ACCESS_ONCE(*pprev))) {
-        if (last) {
+                read_barrier_depends();
-                struct callback_head *q = last, *p = q->next;
+                if (work->func != func)
-                while (1) {
+                        pprev = &work->next;
-                        if (p->func == func) {
+                else if (cmpxchg(pprev, work, work->next) == work)
-                                q->next = p->next;
+                        break;
-                                if (p == last)
-                                        task->task_works = q == p ? NULL : q;
-                                res = p;
-                                break;
-                        }
-                        if (p == last)
-                                break;
-                        q = p;
-                        p = q->next;
-                }
        }
        raw_spin_unlock_irqrestore(&task->pi_lock, flags);
-        return res;
+        return work;
 }
 void task_work_run(void)
 {
        struct task_struct *task = current;
-        struct callback_head *p, *q;
+        struct callback_head *work, *head, *next;
+        for (;;) {
+                /*
+                 * work->func() can do task_work_add(), do not set
+                 * work_exited unless the list is empty.
+                 */
+                do {
+                        work = ACCESS_ONCE(task->task_works);
+                        head = !work && (task->flags & PF_EXITING) ?
+                                &work_exited : NULL;
+                } while (cmpxchg(&task->task_works, work, head) != work);
-        while (1) {
+                if (!work)
-                raw_spin_lock_irq(&task->pi_lock);
+                        break;
-                p = task->task_works;
+                /*
-                task->task_works = NULL;
+                 * Synchronize with task_work_cancel(). It can't remove
-                raw_spin_unlock_irq(&task->pi_lock);
+                 * the first entry == work, cmpxchg(task_works) should
+                 * fail, but it can play with *work and other entries.
+                 */
+                raw_spin_unlock_wait(&task->pi_lock);
+                smp_mb();
-                if (unlikely(!p))
+                /* Reverse the list to run the works in fifo order */
-                        return;
+                head = NULL;
+                do {
+                        next = work->next;
+                        work->next = head;
+                        head = work;
+                        work = next;
+                } while (work);
-                q = p->next; /* head */
+                work = head;
-                p->next = NULL; /* cut it */
+                do {
-                while (q) {
+                        next = work->next;
-                        p = q->next;
+                        work->func(work);
-                        q->func(q);
+                        work = next;
-                        q = p;
                        cond_resched();
-                }
+                } while (work);
        }
 }
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 3364fbf46807..6cfc6478863e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1486,7 +1486,6 @@ long keyctl_session_to_parent(void)
        oldwork = NULL;
        parent = me->real_parent;
-        task_lock(parent);
        /* the parent mustn't be init and mustn't be a kernel thread */
        if (parent->pid <= 1 || !parent->mm)
                goto unlock;
@@ -1530,7 +1529,6 @@ long keyctl_session_to_parent(void)
        if (!ret)
                newwork = NULL;
 unlock:
-        task_unlock(parent);
        write_unlock_irq(&tasklist_lock);
        rcu_read_unlock();
        if (oldwork)
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-01 13:25:54 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-01 13:25:54 -0400
commit	94095a1fff89dffe9451839deae4c6a40cf3ec21 (patch)
tree	c1beac5dc336d836c269253db3b00a302777598f
parent	620e77533f29796df7aff861e79bd72e08554ebb (diff)
parent	f784e8a7989c0da3062d04bfea3db90f41e8f738 (diff)

diff --git a/include/linux/task_work.h b/include/linux/task_work.h index fb46b03b1852..ca5a1cf27dae 100644 --- a/include/linux/task_work.h +++ b/include/linux/task_work.h
@@ -18,8 +18,7 @@ void task_work_run(void);
18		18
19	static inline void exit_task_work(struct task_struct *task)	19	static inline void exit_task_work(struct task_struct *task)
20	{	20	{
21	if (unlikely(task->task_works))	21	task_work_run();
22	task_work_run();
23	}	22	}
24		23
25	#endif /* _LINUX_TASK_WORK_H */	24	#endif /* _LINUX_TASK_WORK_H */


diff --git a/kernel/signal.c b/kernel/signal.c index be4f856d52f8..2c681f11b7d2 100644 --- a/kernel/signal.c +++ b/kernel/signal.c
@@ -1971,13 +1971,8 @@ static void ptrace_do_notify(int signr, int exit_code, int why)
1971	void ptrace_notify(int exit_code)	1971	void ptrace_notify(int exit_code)
1972	{	1972	{
1973	BUG_ON((exit_code & (0x7f \| ~0xffff)) != SIGTRAP);	1973	BUG_ON((exit_code & (0x7f \| ~0xffff)) != SIGTRAP);
1974	if (unlikely(current->task_works)) {	1974	if (unlikely(current->task_works))
1975	if (test_and_clear_ti_thread_flag(current_thread_info(),	1975	task_work_run();
1976	TIF_NOTIFY_RESUME)) {
1977	smp_mb__after_clear_bit();
1978	task_work_run();
1979	}
1980	}
1981		1976
1982	spin_lock_irq(&current->sighand->siglock);	1977	spin_lock_irq(&current->sighand->siglock);
1983	ptrace_do_notify(SIGTRAP, exit_code, CLD_TRAPPED);	1978	ptrace_do_notify(SIGTRAP, exit_code, CLD_TRAPPED);
@@ -2198,13 +2193,8 @@ int get_signal_to_deliver(siginfo_t info, struct k_sigaction return_ka,
2198	struct signal_struct *signal = current->signal;	2193	struct signal_struct *signal = current->signal;
2199	int signr;	2194	int signr;
2200		2195
2201	if (unlikely(current->task_works)) {	2196	if (unlikely(current->task_works))
2202	if (test_and_clear_ti_thread_flag(current_thread_info(),	2197	task_work_run();
2203	TIF_NOTIFY_RESUME)) {
2204	smp_mb__after_clear_bit();
2205	task_work_run();
2206	}
2207	}
2208		2198
2209	if (unlikely(uprobe_deny_signal()))	2199	if (unlikely(uprobe_deny_signal()))
2210	return 0;	2200	return 0;


diff --git a/kernel/task_work.c b/kernel/task_work.c index d320d44903bd..65bd3c92d6f3 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c
@@ -2,26 +2,20 @@
2	#include <linux/task_work.h>	2	#include <linux/task_work.h>
3	#include <linux/tracehook.h>	3	#include <linux/tracehook.h>
4		4
		5	static struct callback_head work_exited; /* all we need is ->next == NULL */
		6
5	int	7	int
6	task_work_add(struct task_struct task, struct callback_head twork, bool notify)	8	task_work_add(struct task_struct task, struct callback_head work, bool notify)
7	{	9	{
8	struct callback_head last, first;	10	struct callback_head *head;
9	unsigned long flags;
10		11
11	/*	12	do {
12	* Not inserting the new work if the task has already passed	13	head = ACCESS_ONCE(task->task_works);
13	* exit_task_work() is the responisbility of callers.	14	if (unlikely(head == &work_exited))
14	*/	15	return -ESRCH;
15	raw_spin_lock_irqsave(&task->pi_lock, flags);	16	work->next = head;
16	last = task->task_works;	17	} while (cmpxchg(&task->task_works, head, work) != head);
17	first = last ? last->next : twork;
18	twork->next = first;
19	if (last)
20	last->next = twork;
21	task->task_works = twork;
22	raw_spin_unlock_irqrestore(&task->pi_lock, flags);
23		18
24	/* test_and_set_bit() implies mb(), see tracehook_notify_resume(). */
25	if (notify)	19	if (notify)
26	set_notify_resume(task);	20	set_notify_resume(task);
27	return 0;	21	return 0;
@@ -30,52 +24,69 @@ task_work_add(struct task_struct task, struct callback_head twork, bool notify
30	struct callback_head *	24	struct callback_head *
31	task_work_cancel(struct task_struct *task, task_work_func_t func)	25	task_work_cancel(struct task_struct *task, task_work_func_t func)
32	{	26	{
		27	struct callback_head **pprev = &task->task_works;
		28	struct callback_head *work = NULL;
33	unsigned long flags;	29	unsigned long flags;
34	struct callback_head last, res = NULL;	30	/*
35		31	* If cmpxchg() fails we continue without updating pprev.
		32	* Either we raced with task_work_add() which added the
		33	* new entry before this work, we will find it again. Or
		34	* we raced with task_work_run(), *pprev == NULL/exited.
		35	*/
36	raw_spin_lock_irqsave(&task->pi_lock, flags);	36	raw_spin_lock_irqsave(&task->pi_lock, flags);
37	last = task->task_works;	37	while ((work = ACCESS_ONCE(*pprev))) {
38	if (last) {	38	read_barrier_depends();
39	struct callback_head q = last, p = q->next;	39	if (work->func != func)
40	while (1) {	40	pprev = &work->next;
41	if (p->func == func) {	41	else if (cmpxchg(pprev, work, work->next) == work)
42	q->next = p->next;	42	break;
43	if (p == last)
44	task->task_works = q == p ? NULL : q;
45	res = p;
46	break;
47	}
48	if (p == last)
49	break;
50	q = p;
51	p = q->next;
52	}
53	}	43	}
54	raw_spin_unlock_irqrestore(&task->pi_lock, flags);	44	raw_spin_unlock_irqrestore(&task->pi_lock, flags);
55	return res;	45
		46	return work;
56	}	47	}
57		48
58	void task_work_run(void)	49	void task_work_run(void)
59	{	50	{
60	struct task_struct *task = current;	51	struct task_struct *task = current;
61	struct callback_head p, q;	52	struct callback_head work, head, *next;
		53
		54	for (;;) {
		55	/*
		56	* work->func() can do task_work_add(), do not set
		57	* work_exited unless the list is empty.
		58	*/
		59	do {
		60	work = ACCESS_ONCE(task->task_works);
		61	head = !work && (task->flags & PF_EXITING) ?
		62	&work_exited : NULL;
		63	} while (cmpxchg(&task->task_works, work, head) != work);
62		64
63	while (1) {	65	if (!work)
64	raw_spin_lock_irq(&task->pi_lock);	66	break;
65	p = task->task_works;	67	/*
66	task->task_works = NULL;	68	* Synchronize with task_work_cancel(). It can't remove
67	raw_spin_unlock_irq(&task->pi_lock);	69	* the first entry == work, cmpxchg(task_works) should
		70	* fail, but it can play with *work and other entries.
		71	*/
		72	raw_spin_unlock_wait(&task->pi_lock);
		73	smp_mb();
68		74
69	if (unlikely(!p))	75	/* Reverse the list to run the works in fifo order */
70	return;	76	head = NULL;
		77	do {
		78	next = work->next;
		79	work->next = head;
		80	head = work;
		81	work = next;
		82	} while (work);
71		83
72	q = p->next; /* head */	84	work = head;
73	p->next = NULL; /* cut it */	85	do {
74	while (q) {	86	next = work->next;
75	p = q->next;	87	work->func(work);
76	q->func(q);	88	work = next;
77	q = p;
78	cond_resched();	89	cond_resched();
79	}	90	} while (work);
80	}	91	}
81	}	92	}


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 3364fbf46807..6cfc6478863e 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -1486,7 +1486,6 @@ long keyctl_session_to_parent(void)
1486	oldwork = NULL;	1486	oldwork = NULL;
1487	parent = me->real_parent;	1487	parent = me->real_parent;
1488		1488
1489	task_lock(parent);
1490	/* the parent mustn't be init and mustn't be a kernel thread */	1489	/* the parent mustn't be init and mustn't be a kernel thread */
1491	if (parent->pid <= 1 \|\| !parent->mm)	1490	if (parent->pid <= 1 \|\| !parent->mm)
1492	goto unlock;	1491	goto unlock;
@@ -1530,7 +1529,6 @@ long keyctl_session_to_parent(void)
1530	if (!ret)	1529	if (!ret)
1531	newwork = NULL;	1530	newwork = NULL;
1532	unlock:	1531	unlock:
1533	task_unlock(parent);
1534	write_unlock_irq(&tasklist_lock);	1532	write_unlock_irq(&tasklist_lock);
1535	rcu_read_unlock();	1533	rcu_read_unlock();
1536	if (oldwork)	1534	if (oldwork)