
Commit 3a0f91fd authored by Thomas Gleixner's avatar Thomas Gleixner Committed by Greg Kroah-Hartman

UPSTREAM: futex: Ensure the correct return value from futex_lock_pi()



commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 upstream

In case that futex_lock_pi() was aborted by a signal or a timeout and the
task returned without acquiring the rtmutex, but is the designated owner of
the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to
establish consistent state. In that case it invokes fixup_pi_state_owner()
which in turn tries to acquire the rtmutex again. If that succeeds then it
does not propagate this success to fixup_owner() and futex_lock_pi()
returns -EINTR or -ETIMEOUT despite having the futex locked.

Return success from fixup_pi_state_owner() in all cases where the current
task owns the rtmutex and therefore the futex and propagate it correctly
through fixup_owner(). Fixup the other callsite which does not expect a
positive return value.

Fixes: c1e2f0ea ("futex: Avoid violating the 10th rule of futex")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6dfb7407620fdf8293edbfbe54463f0c8ff63a57
parent 19193ef5
+16 −16
@@ -2510,8 +2510,8 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
		}

		if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
			/* We got the lock after all, nothing to fix. */
			ret = 0;
			/* We got the lock. pi_state is correct. Tell caller. */
			ret = 1;
			goto out_unlock;
		}

@@ -2539,7 +2539,7 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
			 * We raced against a concurrent self; things are
			 * already fixed up. Nothing to do.
			 */
			ret = 0;
			ret = 1;
			goto out_unlock;
		}
		newowner = argowner;
@@ -2585,7 +2585,7 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
	raw_spin_unlock(&newowner->pi_lock);
	raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);

	return 0;
	return argowner == current;

	/*
	 * In order to reschedule or handle a page fault, we need to drop the
@@ -2627,7 +2627,7 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
	 * Check if someone else fixed it for us:
	 */
	if (pi_state->owner != oldowner) {
		ret = 0;
		ret = argowner == current;
		goto out_unlock;
	}

@@ -2660,8 +2660,6 @@ static long futex_wait_restart(struct restart_block *restart);
 */
static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
{
	int ret = 0;

	if (locked) {
		/*
		 * Got the lock. We might not be the anticipated owner if we
@@ -2672,8 +2670,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
		 * stable state, anything else needs more attention.
		 */
		if (q->pi_state->owner != current)
			ret = fixup_pi_state_owner(uaddr, q, current);
		goto out;
			return fixup_pi_state_owner(uaddr, q, current);
		return 1;
	}

	/*
@@ -2684,10 +2682,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
	 * Another speculative read; pi_state->owner == current is unstable
	 * but needs our attention.
	 */
	if (q->pi_state->owner == current) {
		ret = fixup_pi_state_owner(uaddr, q, NULL);
		goto out;
	}
	if (q->pi_state->owner == current)
		return fixup_pi_state_owner(uaddr, q, NULL);

	/*
	 * Paranoia check. If we did not take the lock, then we should not be
@@ -2700,8 +2696,7 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
				q->pi_state->owner);
	}

out:
	return ret ? ret : locked;
	return 0;
}

/**
@@ -3410,7 +3405,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
		if (q.pi_state && (q.pi_state->owner != current)) {
			spin_lock(q.lock_ptr);
			ret = fixup_pi_state_owner(uaddr2, &q, current);
			if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
			if (ret < 0 && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
				pi_state = q.pi_state;
				get_pi_state(pi_state);
			}
@@ -3420,6 +3415,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
			 */
			put_pi_state(q.pi_state);
			spin_unlock(q.lock_ptr);
			/*
			 * Adjust the return value. It's either -EFAULT or
			 * success (1) but the caller expects 0 for success.
			 */
			ret = ret < 0 ? ret : 0;
		}
	} else {
		struct rt_mutex *pi_mutex;
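Review bot: The three-way result that fixup_pi_state_owner() now returns (negative errno, 0, or 1 when the current task owns the rtmutex) is not documented at the function in any of the visible hunks, so each caller has to know it. futex_wait_requeue_pi() shows the cost: its test had to become `if (ret < 0 && ...)` and the value is then normalised by hand with `ret = ret < 0 ? ret : 0;`. Any other caller still written in the older `if (ret)` error idiom would treat a successful acquisition as a failure, which is the same class of lock-state/return-value mismatch the commit message describes. I would add a comment above the function along the lines of `/* Returns: 1 - current owns the rtmutex, pi_state is consistent; 0 - fixed up, current is not the owner; <0 - error */` (the meaning of 0 is inferred from `argowner == current` and should be confirmed), and consider writing the two `argowner == current` results as an explicit `? 1 : 0` so the int contract is visible. The function's header and most of its body are outside the hunks shown, so an existing comment there may need updating rather than adding.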