Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
authorLinus Torvalds <torvalds@linux-foundation.org>
Fri, 5 Feb 2010 00:07:41 +0000 (16:07 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 5 Feb 2010 00:07:41 +0000 (16:07 -0800)
* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  futex: Handle futex value corruption gracefully
  futex: Handle user space corruption gracefully
  futex_lock_pi() key refcnt fix
  softlockup: Add sched_clock_tick() to avoid kernel warning on kgdb resume

include/linux/sched.h
kernel/futex.c
kernel/kgdb.c
kernel/softlockup.c

index abdfacc58653e976b58af1cbe2b5d60821f0b931..78efe7c485ac9630f3866764e2eb8e54500f789c 100644 (file)
@@ -310,6 +310,7 @@ extern void sched_show_task(struct task_struct *p);
 #ifdef CONFIG_DETECT_SOFTLOCKUP
 extern void softlockup_tick(void);
 extern void touch_softlockup_watchdog(void);
+extern void touch_softlockup_watchdog_sync(void);
 extern void touch_all_softlockup_watchdogs(void);
 extern int proc_dosoftlockup_thresh(struct ctl_table *table, int write,
                                    void __user *buffer,
@@ -323,6 +324,9 @@ static inline void softlockup_tick(void)
 static inline void touch_softlockup_watchdog(void)
 {
 }
+static inline void touch_softlockup_watchdog_sync(void)
+{
+}
 static inline void touch_all_softlockup_watchdogs(void)
 {
 }
index d9b3a2228f9d8c184719ef5052f37e26b2913195..e7a35f1039e785464b318d3713557e9d2db6a591 100644 (file)
@@ -530,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                                return -EINVAL;
 
                        WARN_ON(!atomic_read(&pi_state->refcount));
-                       WARN_ON(pid && pi_state->owner &&
-                               pi_state->owner->pid != pid);
+
+                       /*
+                        * When pi_state->owner is NULL then the owner died
+                        * and another waiter is on the fly. pi_state->owner
+                        * is fixed up by the task which acquires
+                        * pi_state->rt_mutex.
+                        *
+                        * We do not check for pid == 0 which can happen when
+                        * the owner died and robust_list_exit() cleared the
+                        * TID.
+                        */
+                       if (pid && pi_state->owner) {
+                               /*
+                                * Bail out if user space manipulated the
+                                * futex value.
+                                */
+                               if (pid != task_pid_vnr(pi_state->owner))
+                                       return -EINVAL;
+                       }
 
                        atomic_inc(&pi_state->refcount);
                        *ps = pi_state;
@@ -758,6 +775,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
        if (!pi_state)
                return -EINVAL;
 
+       /*
+        * If current does not own the pi_state then the futex is
+        * inconsistent and user space fiddled with the futex value.
+        */
+       if (pi_state->owner != current)
+               return -EINVAL;
+
        raw_spin_lock(&pi_state->pi_mutex.wait_lock);
        new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
 
@@ -1971,7 +1995,7 @@ retry_private:
        /* Unqueue and drop the lock */
        unqueue_me_pi(&q);
 
-       goto out;
+       goto out_put_key;
 
 out_unlock_put_key:
        queue_unlock(&q, hb);
index c7ade62e4ef0e510f9636194af8d6f55844a7ffb..761fdd2b3034ae87272578fe1314680af5c0d71f 100644 (file)
@@ -599,7 +599,7 @@ static void kgdb_wait(struct pt_regs *regs)
 
        /* Signal the primary CPU that we are done: */
        atomic_set(&cpu_in_kgdb[cpu], 0);
-       touch_softlockup_watchdog();
+       touch_softlockup_watchdog_sync();
        clocksource_touch_watchdog();
        local_irq_restore(flags);
 }
@@ -1453,7 +1453,7 @@ acquirelock:
            (kgdb_info[cpu].task &&
             kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
                atomic_set(&kgdb_active, -1);
-               touch_softlockup_watchdog();
+               touch_softlockup_watchdog_sync();
                clocksource_touch_watchdog();
                local_irq_restore(flags);
 
@@ -1553,7 +1553,7 @@ kgdb_restore:
        }
        /* Free kgdb_active */
        atomic_set(&kgdb_active, -1);
-       touch_softlockup_watchdog();
+       touch_softlockup_watchdog_sync();
        clocksource_touch_watchdog();
        local_irq_restore(flags);
 
index d22579087e27a5bdb04e3962b117432c29497b33..0d4c7898ab805dd868880e7deca2d0d69d88fc67 100644 (file)
@@ -25,6 +25,7 @@ static DEFINE_SPINLOCK(print_lock);
 static DEFINE_PER_CPU(unsigned long, softlockup_touch_ts); /* touch timestamp */
 static DEFINE_PER_CPU(unsigned long, softlockup_print_ts); /* print timestamp */
 static DEFINE_PER_CPU(struct task_struct *, softlockup_watchdog);
+static DEFINE_PER_CPU(bool, softlock_touch_sync);
 
 static int __read_mostly did_panic;
 int __read_mostly softlockup_thresh = 60;
@@ -79,6 +80,12 @@ void touch_softlockup_watchdog(void)
 }
 EXPORT_SYMBOL(touch_softlockup_watchdog);
 
+void touch_softlockup_watchdog_sync(void)
+{
+       __raw_get_cpu_var(softlock_touch_sync) = true;
+       __raw_get_cpu_var(softlockup_touch_ts) = 0;
+}
+
 void touch_all_softlockup_watchdogs(void)
 {
        int cpu;
@@ -118,6 +125,14 @@ void softlockup_tick(void)
        }
 
        if (touch_ts == 0) {
+               if (unlikely(per_cpu(softlock_touch_sync, this_cpu))) {
+                       /*
+                        * If the time stamp was touched atomically
+                        * make sure the scheduler tick is up to date.
+                        */
+                       per_cpu(softlock_touch_sync, this_cpu) = false;
+                       sched_clock_tick();
+               }
                __touch_softlockup_watchdog();
                return;
        }