1 files changed, 33 insertions, 27 deletions

diff --git a/kernel/futex.c b/kernel/futex.c
index fb65e822fc41..8e3c3ffe1b9a 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -304,8 +304,14 @@ void put_futex_key(int fshared, union futex_key *key)
  */
 static int fault_in_user_writeable(u32 __user *uaddr)
 {
-        int ret = get_user_pages(current, current->mm, (unsigned long)uaddr,
-                                 1, 1, 0, NULL, NULL);
+        struct mm_struct *mm = current->mm;
+        int ret;
+
+        down_read(&mm->mmap_sem);
+        ret = get_user_pages(current, mm, (unsigned long)uaddr,
+                             1, 1, 0, NULL, NULL);
+        up_read(&mm->mmap_sem);
+
         return ret < 0 ? ret : 0;
 }
 
@@ -397,9 +403,9 @@ static void free_pi_state(struct futex_pi_state *pi_state)
          * and has cleaned up the pi_state already
          */
         if (pi_state->owner) {
-                spin_lock_irq(&pi_state->owner->pi_lock);
+                raw_spin_lock_irq(&pi_state->owner->pi_lock);
                 list_del_init(&pi_state->list);
-                spin_unlock_irq(&pi_state->owner->pi_lock);
+                raw_spin_unlock_irq(&pi_state->owner->pi_lock);
 
                 rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
         }
@@ -464,18 +470,18 @@ void exit_pi_state_list(struct task_struct *curr)
          * pi_state_list anymore, but we have to be careful
          * versus waiters unqueueing themselves:
          */
-        spin_lock_irq(&curr->pi_lock);
+        raw_spin_lock_irq(&curr->pi_lock);
         while (!list_empty(head)) {
 
                 next = head->next;
                 pi_state = list_entry(next, struct futex_pi_state, list);
                 key = pi_state->key;
                 hb = hash_futex(&key);
-                spin_unlock_irq(&curr->pi_lock);
+                raw_spin_unlock_irq(&curr->pi_lock);
 
                 spin_lock(&hb->lock);
 
-                spin_lock_irq(&curr->pi_lock);
+                raw_spin_lock_irq(&curr->pi_lock);
                 /*
                  * We dropped the pi-lock, so re-check whether this
                  * task still owns the PI-state:
@@ -489,15 +495,15 @@ void exit_pi_state_list(struct task_struct *curr)
                 WARN_ON(list_empty(&pi_state->list));
                 list_del_init(&pi_state->list);
                 pi_state->owner = NULL;
-                spin_unlock_irq(&curr->pi_lock);
+                raw_spin_unlock_irq(&curr->pi_lock);
 
                 rt_mutex_unlock(&pi_state->pi_mutex);
 
                 spin_unlock(&hb->lock);
 
-                spin_lock_irq(&curr->pi_lock);
+                raw_spin_lock_irq(&curr->pi_lock);
         }
-        spin_unlock_irq(&curr->pi_lock);
+        raw_spin_unlock_irq(&curr->pi_lock);
 }
 
 static int
@@ -552,7 +558,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
          * change of the task flags, we do this protected by
          * p->pi_lock:
          */
-        spin_lock_irq(&p->pi_lock);
+        raw_spin_lock_irq(&p->pi_lock);
         if (unlikely(p->flags & PF_EXITING)) {
                 /*
                  * The task is on the way out. When PF_EXITPIDONE is
@@ -561,7 +567,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                  */
                 int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
 
-                spin_unlock_irq(&p->pi_lock);
+                raw_spin_unlock_irq(&p->pi_lock);
                 put_task_struct(p);
                 return ret;
         }
@@ -580,7 +586,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
         WARN_ON(!list_empty(&pi_state->list));
         list_add(&pi_state->list, &p->pi_state_list);
         pi_state->owner = p;
-        spin_unlock_irq(&p->pi_lock);
+        raw_spin_unlock_irq(&p->pi_lock);
 
         put_task_struct(p);
 
@@ -754,7 +760,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
         if (!pi_state)
                 return -EINVAL;
 
-        spin_lock(&pi_state->pi_mutex.wait_lock);
+        raw_spin_lock(&pi_state->pi_mutex.wait_lock);
         new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
 
         /*
@@ -783,23 +789,23 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
                 else if (curval != uval)
                         ret = -EINVAL;
                 if (ret) {
-                        spin_unlock(&pi_state->pi_mutex.wait_lock);
+                        raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
                         return ret;
                 }
         }
 
-        spin_lock_irq(&pi_state->owner->pi_lock);
+        raw_spin_lock_irq(&pi_state->owner->pi_lock);
         WARN_ON(list_empty(&pi_state->list));
         list_del_init(&pi_state->list);
-        spin_unlock_irq(&pi_state->owner->pi_lock);
+        raw_spin_unlock_irq(&pi_state->owner->pi_lock);
 
-        spin_lock_irq(&new_owner->pi_lock);
+        raw_spin_lock_irq(&new_owner->pi_lock);
         WARN_ON(!list_empty(&pi_state->list));
         list_add(&pi_state->list, &new_owner->pi_state_list);
         pi_state->owner = new_owner;
-        spin_unlock_irq(&new_owner->pi_lock);
+        raw_spin_unlock_irq(&new_owner->pi_lock);
 
-        spin_unlock(&pi_state->pi_mutex.wait_lock);
+        raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
         rt_mutex_unlock(&pi_state->pi_mutex);
 
         return 0;
@@ -1004,7 +1010,7 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
                 plist_add(&q->list, &hb2->chain);
                 q->lock_ptr = &hb2->lock;
 #ifdef CONFIG_DEBUG_PI_LIST
-                q->list.plist.lock = &hb2->lock;
+                q->list.plist.spinlock = &hb2->lock;
 #endif
         }
         get_futex_key_refs(key2);
@@ -1040,7 +1046,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
 
         q->lock_ptr = &hb->lock;
 #ifdef CONFIG_DEBUG_PI_LIST
-        q->list.plist.lock = &hb->lock;
+        q->list.plist.spinlock = &hb->lock;
 #endif
 
         wake_up_state(q->task, TASK_NORMAL);
@@ -1388,7 +1394,7 @@ static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
 
         plist_node_init(&q->list, prio);
 #ifdef CONFIG_DEBUG_PI_LIST
-        q->list.plist.lock = &hb->lock;
+        q->list.plist.spinlock = &hb->lock;
 #endif
         plist_add(&q->list, &hb->chain);
         q->task = current;
@@ -1523,18 +1529,18 @@ retry:
          * itself.
          */
         if (pi_state->owner != NULL) {
-                spin_lock_irq(&pi_state->owner->pi_lock);
+                raw_spin_lock_irq(&pi_state->owner->pi_lock);
                 WARN_ON(list_empty(&pi_state->list));
                 list_del_init(&pi_state->list);
-                spin_unlock_irq(&pi_state->owner->pi_lock);
+                raw_spin_unlock_irq(&pi_state->owner->pi_lock);
         }
 
         pi_state->owner = newowner;
 
-        spin_lock_irq(&newowner->pi_lock);
+        raw_spin_lock_irq(&newowner->pi_lock);
         WARN_ON(!list_empty(&pi_state->list));
         list_add(&pi_state->list, &newowner->pi_state_list);
-        spin_unlock_irq(&newowner->pi_lock);
+        raw_spin_unlock_irq(&newowner->pi_lock);
         return 0;
 
         /*