Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull futex fixes from Ingo Molnar: "A couple of futex fixes from Darren Hart: two bugs reported by Dave Jones (found with his trinity test) and Dan Carpenter through static analysis. The third found while debugging the first two." * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi() futex: Fix bug in WARN_ON for NULL q.pi_state futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
commit
c4e62d6785
1 changed files with 10 additions and 7 deletions
|
@ -2231,11 +2231,11 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
|
|||
* @uaddr2: the pi futex we will take prior to returning to user-space
|
||||
*
|
||||
* The caller will wait on uaddr and will be requeued by futex_requeue() to
|
||||
* uaddr2 which must be PI aware. Normal wakeup will wake on uaddr2 and
|
||||
* complete the acquisition of the rt_mutex prior to returning to userspace.
|
||||
* This ensures the rt_mutex maintains an owner when it has waiters; without
|
||||
* one, the pi logic wouldn't know which task to boost/deboost, if there was a
|
||||
* need to.
|
||||
* uaddr2 which must be PI aware and unique from uaddr. Normal wakeup will wake
|
||||
* on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
|
||||
* userspace. This ensures the rt_mutex maintains an owner when it has waiters;
|
||||
* without one, the pi logic would not know which task to boost/deboost, if
|
||||
* there was a need to.
|
||||
*
|
||||
* We call schedule in futex_wait_queue_me() when we enqueue and return there
|
||||
* via the following:
|
||||
|
@ -2272,6 +2272,9 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
|
|||
struct futex_q q = futex_q_init;
|
||||
int res, ret;
|
||||
|
||||
if (uaddr == uaddr2)
|
||||
return -EINVAL;
|
||||
|
||||
if (!bitset)
|
||||
return -EINVAL;
|
||||
|
||||
|
@ -2343,7 +2346,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
|
|||
* signal. futex_unlock_pi() will not destroy the lock_ptr nor
|
||||
* the pi_state.
|
||||
*/
|
||||
WARN_ON(!&q.pi_state);
|
||||
WARN_ON(!q.pi_state);
|
||||
pi_mutex = &q.pi_state->pi_mutex;
|
||||
ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
|
||||
debug_rt_mutex_free_waiter(&rt_waiter);
|
||||
|
@ -2370,7 +2373,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
|
|||
* fault, unlock the rt_mutex and return the fault to userspace.
|
||||
*/
|
||||
if (ret == -EFAULT) {
|
||||
if (rt_mutex_owner(pi_mutex) == current)
|
||||
if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
|
||||
rt_mutex_unlock(pi_mutex);
|
||||
} else if (ret == -EINTR) {
|
||||
/*
|
||||
|
|
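Review bot: The new `if (uaddr == uaddr2)` guard at the top of futex_wait_requeue_pi() compares only the two user virtual addresses, so it does not reject the same futex reached through two different mappings of a shared page. For shared futexes the identity that matters is the futex key, so the test should be repeated on the keys once both have been looked up, for example `if (match_futex(&q.key, &key2))` returning -EINVAL through the function's normal key-release path. The key lookups and the cleanup path are outside the hunks shown here, so the exact placement has to be confirmed against the full function. With that in place the updated comment's "unique from uaddr" would hold for the futex itself and not only for the pointer value.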