futex: futex_wake_op, do not fail on invalid op

[sfrench/cifs-2.6.git] / kernel / futex.c

diff --git a/kernel/futex.c b/kernel/futex.c
index 3d38eaf0549209ddb72e83780df6167a4423e8a2..0d638f008bb13a2d6e70d3aa607e09564f5aa1c4 100644 (file)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -821,8 +821,6 @@ static void get_pi_state(struct futex_pi_state *pi_state)
 /*
  * Drops a reference to the pi_state object and frees or caches it
  * when the last reference is gone.
- *
- * Must be called with the hb lock held.
  */
 static void put_pi_state(struct futex_pi_state *pi_state)
 {
@@ -837,16 +835,22 @@ static void put_pi_state(struct futex_pi_state *pi_state)
         * and has cleaned up the pi_state already
         */
        if (pi_state->owner) {
-               raw_spin_lock_irq(&pi_state->owner->pi_lock);
-               list_del_init(&pi_state->list);
-               raw_spin_unlock_irq(&pi_state->owner->pi_lock);
+               struct task_struct *owner;
 
-               rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
+               raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
+               owner = pi_state->owner;
+               if (owner) {
+                       raw_spin_lock(&owner->pi_lock);
+                       list_del_init(&pi_state->list);
+                       raw_spin_unlock(&owner->pi_lock);
+               }
+               rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner);
+               raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
        }
 
-       if (current->pi_state_cache)
+       if (current->pi_state_cache) {
                kfree(pi_state);
-       else {
+       } else {
                /*
                 * pi_state->list is already empty.
                 * clear pi_state->owner.
@@ -907,13 +911,14 @@ void exit_pi_state_list(struct task_struct *curr)
                raw_spin_unlock_irq(&curr->pi_lock);
 
                spin_lock(&hb->lock);
-
-               raw_spin_lock_irq(&curr->pi_lock);
+               raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
+               raw_spin_lock(&curr->pi_lock);
                /*
                 * We dropped the pi-lock, so re-check whether this
                 * task still owns the PI-state:
                 */
                if (head->next != next) {
+                       raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
                        spin_unlock(&hb->lock);
                        continue;
                }
@@ -922,9 +927,10 @@ void exit_pi_state_list(struct task_struct *curr)
                WARN_ON(list_empty(&pi_state->list));
                list_del_init(&pi_state->list);
                pi_state->owner = NULL;
-               raw_spin_unlock_irq(&curr->pi_lock);
+               raw_spin_unlock(&curr->pi_lock);
 
                get_pi_state(pi_state);
+               raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
                spin_unlock(&hb->lock);
 
                rt_mutex_futex_unlock(&pi_state->pi_mutex);
@@ -1208,6 +1214,10 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
 
        WARN_ON(!list_empty(&pi_state->list));
        list_add(&pi_state->list, &p->pi_state_list);
+       /*
+        * Assignment without holding pi_state->pi_mutex.wait_lock is safe
+        * because there is no concurrency as the object is not published yet.
+        */
        pi_state->owner = p;
        raw_spin_unlock_irq(&p->pi_lock);
 
@@ -1560,8 +1570,16 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
        int oldval, ret;
 
        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
-               if (oparg < 0 || oparg > 31)
-                       return -EINVAL;
+               if (oparg < 0 || oparg > 31) {
+                       char comm[sizeof(current->comm)];
+                       /*
+                        * kill this print and return -EINVAL when userspace
+                        * is sane again
+                        */
+                       pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d; fix this program\n",
+                                       get_task_comm(comm, current), oparg);
+                       oparg &= 31;
+               }
                oparg = 1 << oparg;
        }
 
@@ -2878,6 +2896,7 @@ retry:
                raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
                spin_unlock(&hb->lock);
 
+               /* drops pi_state->pi_mutex.wait_lock */
                ret = wake_futex_pi(uaddr, uval, pi_state);
 
                put_pi_state(pi_state);