diff options
| -rw-r--r-- | kernel/futex.c | 51 |
1 files changed, 41 insertions, 10 deletions
diff --git a/kernel/futex.c b/kernel/futex.c index 172a1aeeafdb..db9824de8bf0 100644 --- a/kernel/futex.c +++ b/kernel/futex.c | |||
| @@ -1097,15 +1097,15 @@ static void unqueue_me_pi(struct futex_q *q) | |||
| 1097 | } | 1097 | } |
| 1098 | 1098 | ||
| 1099 | /* | 1099 | /* |
| 1100 | * Fixup the pi_state owner with current. | 1100 | * Fixup the pi_state owner with the new owner. |
| 1101 | * | 1101 | * |
| 1102 | * Must be called with hash bucket lock held and mm->sem held for non | 1102 | * Must be called with hash bucket lock held and mm->sem held for non |
| 1103 | * private futexes. | 1103 | * private futexes. |
| 1104 | */ | 1104 | */ |
| 1105 | static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, | 1105 | static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, |
| 1106 | struct task_struct *curr) | 1106 | struct task_struct *newowner) |
| 1107 | { | 1107 | { |
| 1108 | u32 newtid = task_pid_vnr(curr) | FUTEX_WAITERS; | 1108 | u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; |
| 1109 | struct futex_pi_state *pi_state = q->pi_state; | 1109 | struct futex_pi_state *pi_state = q->pi_state; |
| 1110 | u32 uval, curval, newval; | 1110 | u32 uval, curval, newval; |
| 1111 | int ret; | 1111 | int ret; |
| @@ -1119,12 +1119,12 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, | |||
| 1119 | } else | 1119 | } else |
| 1120 | newtid |= FUTEX_OWNER_DIED; | 1120 | newtid |= FUTEX_OWNER_DIED; |
| 1121 | 1121 | ||
| 1122 | pi_state->owner = curr; | 1122 | pi_state->owner = newowner; |
| 1123 | 1123 | ||
| 1124 | spin_lock_irq(&curr->pi_lock); | 1124 | spin_lock_irq(&newowner->pi_lock); |
| 1125 | WARN_ON(!list_empty(&pi_state->list)); | 1125 | WARN_ON(!list_empty(&pi_state->list)); |
| 1126 | list_add(&pi_state->list, &curr->pi_state_list); | 1126 | list_add(&pi_state->list, &newowner->pi_state_list); |
| 1127 | spin_unlock_irq(&curr->pi_lock); | 1127 | spin_unlock_irq(&newowner->pi_lock); |
| 1128 | 1128 | ||
| 1129 | /* | 1129 | /* |
| 1130 | * We own it, so we have to replace the pending owner | 1130 | * We own it, so we have to replace the pending owner |
| @@ -1508,9 +1508,40 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared, | |||
| 1508 | * when we were on the way back before we locked the | 1508 | * when we were on the way back before we locked the |
| 1509 | * hash bucket. | 1509 | * hash bucket. |
| 1510 | */ | 1510 | */ |
| 1511 | if (q.pi_state->owner == curr && | 1511 | if (q.pi_state->owner == curr) { |
| 1512 | rt_mutex_trylock(&q.pi_state->pi_mutex)) { | 1512 | /* |
| 1513 | ret = 0; | 1513 | * Try to get the rt_mutex now. This might |
| 1514 | * fail as some other task acquired the | ||
| 1515 | * rt_mutex after we removed ourself from the | ||
| 1516 | * rt_mutex waiters list. | ||
| 1517 | */ | ||
| 1518 | if (rt_mutex_trylock(&q.pi_state->pi_mutex)) | ||
| 1519 | ret = 0; | ||
| 1520 | else { | ||
| 1521 | /* | ||
| 1522 | * pi_state is incorrect, some other | ||
| 1523 | * task did a lock steal and we | ||
| 1524 | * returned due to timeout or signal | ||
| 1525 | * without taking the rt_mutex. Too | ||
| 1526 | * late. We can access the | ||
| 1527 | * rt_mutex_owner without locking, as | ||
| 1528 | * the other task is now blocked on | ||
| 1529 | * the hash bucket lock. Fix the state | ||
| 1530 | * up. | ||
| 1531 | */ | ||
| 1532 | struct task_struct *owner; | ||
| 1533 | int res; | ||
| 1534 | |||
| 1535 | owner = rt_mutex_owner(&q.pi_state->pi_mutex); | ||
| 1536 | res = fixup_pi_state_owner(uaddr, &q, owner); | ||
| 1537 | |||
| 1538 | WARN_ON(rt_mutex_owner(&q.pi_state->pi_mutex) != | ||
| 1539 | owner); | ||
| 1540 | |||
| 1541 | /* propagate -EFAULT, if the fixup failed */ | ||
| 1542 | if (res) | ||
| 1543 | ret = res; | ||
| 1544 | } | ||
| 1514 | } else { | 1545 | } else { |
| 1515 | /* | 1546 | /* |
| 1516 | * Paranoia check. If we did not take the lock | 1547 | * Paranoia check. If we did not take the lock |