
Commit c4e62d67 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull futex fixes from Ingo Molnar:
 "A couple of futex fixes from Darren Hart: two bugs reported by Dave
  Jones (found with his trinity test) and Dan Carpenter through static
  analysis.  The third found while debugging the first two."

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()
  futex: Fix bug in WARN_ON for NULL q.pi_state
  futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
parents 1ca0049f 6f7b0a2a
+10 −7
@@ -2231,11 +2231,11 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
 * @uaddr2:	the pi futex we will take prior to returning to user-space
 * @uaddr2:	the pi futex we will take prior to returning to user-space
 *
 *
 * The caller will wait on uaddr and will be requeued by futex_requeue() to
 * The caller will wait on uaddr and will be requeued by futex_requeue() to
 * uaddr2 which must be PI aware.  Normal wakeup will wake on uaddr2 and
 * uaddr2 which must be PI aware and unique from uaddr.  Normal wakeup will wake
 * complete the acquisition of the rt_mutex prior to returning to userspace.
 * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
 * This ensures the rt_mutex maintains an owner when it has waiters; without
 * userspace.  This ensures the rt_mutex maintains an owner when it has waiters;
 * one, the pi logic wouldn't know which task to boost/deboost, if there was a
 * without one, the pi logic would not know which task to boost/deboost, if
 * need to.
 * there was a need to.
 *
 *
 * We call schedule in futex_wait_queue_me() when we enqueue and return there
 * We call schedule in futex_wait_queue_me() when we enqueue and return there
 * via the following:
 * via the following:
@@ -2272,6 +2272,9 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
	struct futex_q q = futex_q_init;
	struct futex_q q = futex_q_init;
	int res, ret;
	int res, ret;


	if (uaddr == uaddr2)
		return -EINVAL;

	if (!bitset)
	if (!bitset)
		return -EINVAL;
		return -EINVAL;


@@ -2343,7 +2346,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
		 * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
		 * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
		 * the pi_state.
		 * the pi_state.
		 */
		 */
		WARN_ON(!&q.pi_state);
		WARN_ON(!q.pi_state);
		pi_mutex = &q.pi_state->pi_mutex;
		pi_mutex = &q.pi_state->pi_mutex;
		ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
		ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
		debug_rt_mutex_free_waiter(&rt_waiter);
		debug_rt_mutex_free_waiter(&rt_waiter);
@@ -2370,7 +2373,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
	 * fault, unlock the rt_mutex and return the fault to userspace.
	 * fault, unlock the rt_mutex and return the fault to userspace.
	 */
	 */
	if (ret == -EFAULT) {
	if (ret == -EFAULT) {
		if (rt_mutex_owner(pi_mutex) == current)
		if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
			rt_mutex_unlock(pi_mutex);
			rt_mutex_unlock(pi_mutex);
	} else if (ret == -EINTR) {
	} else if (ret == -EINTR) {
		/*
		/*
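Review bot: The new `if (uaddr == uaddr2)` guard in the second hunk compares only the user-space pointer values, so it rejects the identical-address case but not two distinct addresses that resolve to the same futex word, for example one shared page mapped twice in the caller's address space. The key lookup sits outside the visible hunks, so this is inferred, but if such aliasing reaches this path the function would still wait and requeue on a single futex, which the updated header comment ("unique from uaddr") says must not happen. Once both keys have been resolved, the function should also compare them (the futex code has `match_futex()` for this) and return -EINVAL on a match. At minimum I would add `/* Catches only identical pointers; aliased shared mappings need a futex key comparison. */` above the check. Separately, the corrected `WARN_ON(!q.pi_state)` in the third hunk still falls through to `&q.pi_state->pi_mutex`, so it reports a NULL pi_state but does not stop the code from using it.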