Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull futex fixes from Ingo Molnar:
 "This contains two futex fixes: one fixes a race condition, the other
  clarifies shared/private futex comments"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Fix a race condition between REQUEUE_PI and task death
  futex: Mention key referencing differences between shared and private futexes

1 files changed, 21 insertions, 15 deletions

diff --git a/kernel/futex.c b/kernel/futex.c
index f3a3a071283c..63678b573d61 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -143,9 +143,8 @@
  *
  * Where (A) orders the waiters increment and the futex value read through
  * atomic operations (see hb_waiters_inc) and where (B) orders the write
- * to futex and the waiters read -- this is done by the barriers in
- * get_futex_key_refs(), through either ihold or atomic_inc, depending on the
- * futex type.
+ * to futex and the waiters read -- this is done by the barriers for both
+ * shared and private futexes in get_futex_key_refs().
  *
  * This yields the following case (where X:=waiters, Y:=futex):
  *
@@ -344,13 +343,20 @@ static void get_futex_key_refs(union futex_key *key)
                 futex_get_mm(key); /* implies MB (B) */
                 break;
         default:
+                /*
+                 * Private futexes do not hold reference on an inode or
+                 * mm, therefore the only purpose of calling get_futex_key_refs
+                 * is because we need the barrier for the lockless waiter check.
+                 */
                 smp_mb(); /* explicit MB (B) */
         }
 }
 
 /*
  * Drop a reference to the resource addressed by a key.
- * The hash bucket spinlock must not be held.
+ * The hash bucket spinlock must not be held. This is
+ * a no-op for private futexes, see comment in the get
+ * counterpart.
  */
 static void drop_futex_key_refs(union futex_key *key)
 {
@@ -641,8 +647,14 @@ static struct futex_pi_state * alloc_pi_state(void)
         return pi_state;
 }
 
+/*
+ * Must be called with the hb lock held.
+ */
 static void free_pi_state(struct futex_pi_state *pi_state)
 {
+        if (!pi_state)
+                return;
+
         if (!atomic_dec_and_test(&pi_state->refcount))
                 return;
 
@@ -1521,15 +1533,6 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
         }
 
 retry:
-        if (pi_state != NULL) {
-                /*
-                 * We will have to lookup the pi_state again, so free this one
-                 * to keep the accounting correct.
-                 */
-                free_pi_state(pi_state);
-                pi_state = NULL;
-        }
-
         ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
         if (unlikely(ret != 0))
                 goto out;
@@ -1619,6 +1622,8 @@ retry_private:
                 case 0:
                         break;
                 case -EFAULT:
+                        free_pi_state(pi_state);
+                        pi_state = NULL;
                         double_unlock_hb(hb1, hb2);
                         hb_waiters_dec(hb2);
                         put_futex_key(&key2);
@@ -1634,6 +1639,8 @@ retry_private:
                          *   exit to complete.
                          * - The user space value changed.
                          */
+                        free_pi_state(pi_state);
+                        pi_state = NULL;
                         double_unlock_hb(hb1, hb2);
                         hb_waiters_dec(hb2);
                         put_futex_key(&key2);
@@ -1710,6 +1717,7 @@ retry_private:
         }
 
 out_unlock:
+        free_pi_state(pi_state);
         double_unlock_hb(hb1, hb2);
         hb_waiters_dec(hb2);
 
@@ -1727,8 +1735,6 @@ out_put_keys:
 out_put_key1:
         put_futex_key(&key1);
 out:
-        if (pi_state != NULL)
-                free_pi_state(pi_state);
         return ret ? ret : task_count;
 }