]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blobdiff - kernel/futex.c
projects / mirror_ubuntu-artful-kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
userns: prevent speculative execution
[mirror_ubuntu-artful-kernel.git] / kernel / futex.c
diff --git a/kernel/futex.c b/kernel/futex.c
index f50b434756c18eb0c200ec6e3b4db16231062f24..a6639b3463733caa99a6f662b69cfbc59a97a9b8 100644 (file)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -821,8 +821,6 @@ static void get_pi_state(struct futex_pi_state *pi_state)
 /*
  * Drops a reference to the pi_state object and frees or caches it
  * when the last reference is gone.
- *
- * Must be called with the hb lock held.
  */
 static void put_pi_state(struct futex_pi_state *pi_state)
 {
@@ -837,16 +835,22 @@ static void put_pi_state(struct futex_pi_state *pi_state)
         * and has cleaned up the pi_state already
         */
        if (pi_state->owner) {
-               raw_spin_lock_irq(&pi_state->owner->pi_lock);
-               list_del_init(&pi_state->list);
-               raw_spin_unlock_irq(&pi_state->owner->pi_lock);
+               struct task_struct *owner;
 
-               rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
+               raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
+               owner = pi_state->owner;
+               if (owner) {
+                       raw_spin_lock(&owner->pi_lock);
+                       list_del_init(&pi_state->list);
+                       raw_spin_unlock(&owner->pi_lock);
+               }
+               rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner);
+               raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
        }
 
-       if (current->pi_state_cache)
+       if (current->pi_state_cache) {
                kfree(pi_state);
-       else {
+       else {
                /*
                 * pi_state->list is already empty.
                 * clear pi_state->owner.
@@ -897,22 +901,41 @@ void exit_pi_state_list(struct task_struct *curr)
         */
        raw_spin_lock_irq(&curr->pi_lock);
        while (!list_empty(head)) {
-
                next = head->next;
                pi_state = list_entry(next, struct futex_pi_state, list);
                key = pi_state->key;
                hb = hash_futex(&key);
+
+               /*
+                * We can race against put_pi_state() removing itself from the
+                * list (a waiter going away). put_pi_state() will first
+                * decrement the reference count and then modify the list, so
+                * its possible to see the list entry but fail this reference
+                * acquire.
+                *
+                * In that case; drop the locks to let put_pi_state() make
+                * progress and retry the loop.
+                */
+               if (!atomic_inc_not_zero(&pi_state->refcount)) {
+                       raw_spin_unlock_irq(&curr->pi_lock);
+                       cpu_relax();
+                       raw_spin_lock_irq(&curr->pi_lock);
+                       continue;
+               }
                raw_spin_unlock_irq(&curr->pi_lock);
 
                spin_lock(&hb->lock);
-
-               raw_spin_lock_irq(&curr->pi_lock);
+               raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
+               raw_spin_lock(&curr->pi_lock);
                /*
                 * We dropped the pi-lock, so re-check whether this
                 * task still owns the PI-state:
                 */
                if (head->next != next) {
+                       /* retain curr->pi_lock for the loop invariant */
+                       raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
                        spin_unlock(&hb->lock);
+                       put_pi_state(pi_state);
                        continue;
                }
 
@@ -920,9 +943,9 @@ void exit_pi_state_list(struct task_struct *curr)
                WARN_ON(list_empty(&pi_state->list));
                list_del_init(&pi_state->list);
                pi_state->owner = NULL;
-               raw_spin_unlock_irq(&curr->pi_lock);
 
-               get_pi_state(pi_state);
+               raw_spin_unlock(&curr->pi_lock);
+               raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
                spin_unlock(&hb->lock);
 
                rt_mutex_futex_unlock(&pi_state->pi_mutex);
@@ -1204,6 +1227,10 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
 
        WARN_ON(!list_empty(&pi_state->list));
        list_add(&pi_state->list, &p->pi_state_list);
+       /*
+        * Assignment without holding pi_state->pi_mutex.wait_lock is safe
+        * because there is no concurrency as the object is not published yet.
+        */
        pi_state->owner = p;
        raw_spin_unlock_irq(&p->pi_lock);
 
@@ -2820,6 +2847,7 @@ retry:
                raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
                spin_unlock(&hb->lock);
 
+               /* drops pi_state->pi_mutex.wait_lock */
                ret = wake_futex_pi(uaddr, uval, pi_state);
 
                put_pi_state(pi_state);
Ubuntu Artful kernel mirror