aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Gleixner <tglx@linutronix.de>2008-02-01 17:45:14 +0100
committerIngo Molnar <mingo@elte.hu>2008-02-01 17:45:14 +0100
commit83e96c604e781098a2f61b8a294919bcf3abfab4 (patch)
tree67c5a97b30784cdc8297dc888b1135c4f127e964
parent9d55b9923a1b7ea8193b8875c57ec940dc2ff027 (diff)
downloadkernel_samsung_smdk4412-83e96c604e781098a2f61b8a294919bcf3abfab4.tar.gz
kernel_samsung_smdk4412-83e96c604e781098a2f61b8a294919bcf3abfab4.tar.bz2
kernel_samsung_smdk4412-83e96c604e781098a2f61b8a294919bcf3abfab4.zip
futex: Remove warn on in return fixup path
The WARN_ON() in the fixup return path of futex_lock_pi() can trigger with false positives. The following scenario happens: t1 holds the futex and t2 and t3 are blocked on the kernel side rt_mutex. t1 releases the futex (and the rt_mutex) and assigned t2 to be the next owner of the futex. t2 is interrupted and returns w/o acquiring the rt_mutex, before t1 can release the rtmutex. t1 releases the rtmutex and t3 becomes the pending owner of the rtmutex. t2 notices that it is the designated owner (user space variable) and fails to acquire the rt_mutex via trylock, because it is not allowed to steal the rt_mutex from t3. Now it looks at the rt_mutex pending owner (t3) and assigns the futex and the pi_state to it. During the fixup t4 steals the rtmutex from t3. t2 returns from the fixup and the owner of the rt_mutex has changed from t3 to t4. There is no need to do another round of fixups from t2. The important part (t2 is not returning as the user space visible owner) is done. The further fixups are done, before either t3 or t4 return to user space. For the user space it is not relevant which task (t3 or t4) is the real owner, as long as those are both in the kernel, which is guaranteed by the serialization of the hash bucket lock. Both tasks (which ever returns first to userspace - t4 because it locked the rt_mutex or t3 due to a signal) are going through the lock_futex_pi() return path where the ownership is fixed before the return to user space. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r--kernel/futex.c3
1 files changed, 0 insertions, 3 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 0edd314798c..0006d64c448 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1537,9 +1537,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
owner = rt_mutex_owner(&q.pi_state->pi_mutex);
res = fixup_pi_state_owner(uaddr, &q, owner);
- WARN_ON(rt_mutex_owner(&q.pi_state->pi_mutex) !=
- owner);
-
/* propagate -EFAULT, if the fixup failed */
if (res)
ret = res;