Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull futex fix from Thomas Gleixner: "Single fix for a long standing futex race when taking over a futex whose owner died. You can end up with two owners, which violates quite some rules." * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: futex: Handle futex_pi OWNER_DIED take over correctly
This commit is contained in:
Linus Torvalds
commit
b0db954c04
|
|
@ -716,7 +716,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
|
||||||
struct futex_pi_state **ps,
|
struct futex_pi_state **ps,
|
||||||
struct task_struct *task, int set_waiters)
|
struct task_struct *task, int set_waiters)
|
||||||
{
|
{
|
||||||
int lock_taken, ret, ownerdied = 0;
|
int lock_taken, ret, force_take = 0;
|
||||||
u32 uval, newval, curval, vpid = task_pid_vnr(task);
|
u32 uval, newval, curval, vpid = task_pid_vnr(task);
|
||||||
|
|
||||||
retry:
|
retry:
|
||||||
|
|
@ -755,17 +755,15 @@ retry:
|
||||||
newval = curval | FUTEX_WAITERS;
|
newval = curval | FUTEX_WAITERS;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* There are two cases, where a futex might have no owner (the
|
* Should we force take the futex? See below.
|
||||||
* owner TID is 0): OWNER_DIED. We take over the futex in this
|
|
||||||
* case. We also do an unconditional take over, when the owner
|
|
||||||
* of the futex died.
|
|
||||||
*
|
|
||||||
* This is safe as we are protected by the hash bucket lock !
|
|
||||||
*/
|
*/
|
||||||
if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
|
if (unlikely(force_take)) {
|
||||||
/* Keep the OWNER_DIED bit */
|
/*
|
||||||
|
* Keep the OWNER_DIED and the WAITERS bit and set the
|
||||||
|
* new TID value.
|
||||||
|
*/
|
||||||
newval = (curval & ~FUTEX_TID_MASK) | vpid;
|
newval = (curval & ~FUTEX_TID_MASK) | vpid;
|
||||||
ownerdied = 0;
|
force_take = 0;
|
||||||
lock_taken = 1;
|
lock_taken = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -775,7 +773,7 @@ retry:
|
||||||
goto retry;
|
goto retry;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We took the lock due to owner died take over.
|
* We took the lock due to forced take over.
|
||||||
*/
|
*/
|
||||||
if (unlikely(lock_taken))
|
if (unlikely(lock_taken))
|
||||||
return 1;
|
return 1;
|
||||||
|
|
@ -790,20 +788,25 @@ retry:
|
||||||
switch (ret) {
|
switch (ret) {
|
||||||
case -ESRCH:
|
case -ESRCH:
|
||||||
/*
|
/*
|
||||||
* No owner found for this futex. Check if the
|
* We failed to find an owner for this
|
||||||
* OWNER_DIED bit is set to figure out whether
|
* futex. So we have no pi_state to block
|
||||||
* this is a robust futex or not.
|
* on. This can happen in two cases:
|
||||||
|
*
|
||||||
|
* 1) The owner died
|
||||||
|
* 2) A stale FUTEX_WAITERS bit
|
||||||
|
*
|
||||||
|
* Re-read the futex value.
|
||||||
*/
|
*/
|
||||||
if (get_futex_value_locked(&curval, uaddr))
|
if (get_futex_value_locked(&curval, uaddr))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We simply start over in case of a robust
|
* If the owner died or we have a stale
|
||||||
* futex. The code above will take the futex
|
* WAITERS bit the owner TID in the user space
|
||||||
* and return happy.
|
* futex is 0.
|
||||||
*/
|
*/
|
||||||
if (curval & FUTEX_OWNER_DIED) {
|
if (!(curval & FUTEX_TID_MASK)) {
|
||||||
ownerdied = 1;
|
force_take = 1;
|
||||||
goto retry;
|
goto retry;
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
|
|
|
||||||
Reference in New Issue