Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull futex fixes from Ingo Molnar: "A couple of futex fixes from Darren Hart: two bugs reported by Dave Jones (found with his trinity test) and Dan Carpenter through static analysis. The third found while debugging the first two." * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi() futex: Fix bug in WARN_ON for NULL q.pi_state futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-08-03 14:00:26 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-08-03 14:00:26 -0400
commit: c4e62d67854e247b09ffe763163057237c8b1614 (patch)
tree: ddcdca15427671ab44334320e91b67877aa95f1a /kernel
parent: 1ca0049f2c8b28611f30798aa75858763c9fcbea (diff)
parent: 6f7b0a2a5c0fb03be7c25bd1745baa50582348ef (diff)
1 files changed, 10 insertions, 7 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index e2b0fb9a0b3b..3717e7b306e0 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2231,11 +2231,11 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
 * @uaddr2:     the pi futex we will take prior to returning to user-space
 *
 * The caller will wait on uaddr and will be requeued by futex_requeue() to
- * uaddr2 which must be PI aware.  Normal wakeup will wake on uaddr2 and
+ * uaddr2 which must be PI aware and unique from uaddr.  Normal wakeup will wake
- * complete the acquisition of the rt_mutex prior to returning to userspace.
+ * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
- * This ensures the rt_mutex maintains an owner when it has waiters; without
+ * userspace.  This ensures the rt_mutex maintains an owner when it has waiters;
- * one, the pi logic wouldn't know which task to boost/deboost, if there was a
+ * without one, the pi logic would not know which task to boost/deboost, if
- * need to.
+ * there was a need to.
 *
 * We call schedule in futex_wait_queue_me() when we enqueue and return there
 * via the following:
@@ -2272,6 +2272,9 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
        struct futex_q q = futex_q_init;
        int res, ret;
+        if (uaddr == uaddr2)
+                return -EINVAL;
        if (!bitset)
                return -EINVAL;
@@ -2343,7 +2346,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
                 * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
                 * the pi_state.
                 */
-                WARN_ON(!&q.pi_state);
+                WARN_ON(!q.pi_state);
                pi_mutex = &q.pi_state->pi_mutex;
                ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
                debug_rt_mutex_free_waiter(&rt_waiter);
@@ -2370,7 +2373,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
         * fault, unlock the rt_mutex and return the fault to userspace.
         */
        if (ret == -EFAULT) {
-                if (rt_mutex_owner(pi_mutex) == current)
+                if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
                        rt_mutex_unlock(pi_mutex);
        } else if (ret == -EINTR) {
                /*
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-08-03 14:00:26 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-08-03 14:00:26 -0400
commit	c4e62d67854e247b09ffe763163057237c8b1614 (patch)
tree	ddcdca15427671ab44334320e91b67877aa95f1a /kernel
parent	1ca0049f2c8b28611f30798aa75858763c9fcbea (diff)
parent	6f7b0a2a5c0fb03be7c25bd1745baa50582348ef (diff)