microblaze: uaccess: fix put_user and get_user macros
[linux-2.6.git] / kernel / futex.c
index 06938e5..e7a35f1 100644 (file)
@@ -203,8 +203,6 @@ static void drop_futex_key_refs(union futex_key *key)
  * @uaddr:     virtual address of the futex
  * @fshared:   0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
  * @key:       address where result is stored.
- * @rw:                mapping needs to be read/write (values: VERIFY_READ,
- *             VERIFY_WRITE)
  *
  * Returns a negative error code or 0
  * The key words are stored in *key on success.
@@ -216,7 +214,7 @@ static void drop_futex_key_refs(union futex_key *key)
  * lock_page() might sleep, the caller should not hold a spinlock.
  */
 static int
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
 {
        unsigned long address = (unsigned long)uaddr;
        struct mm_struct *mm = current->mm;
@@ -239,7 +237,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
         *        but access_ok() should be faster than find_vma()
         */
        if (!fshared) {
-               if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+               if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
                        return -EFAULT;
                key->private.mm = mm;
                key->private.address = address;
@@ -248,7 +246,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
        }
 
 again:
-       err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page);
+       err = get_user_pages_fast(address, 1, 1, &page);
        if (err < 0)
                return err;
 
@@ -304,8 +302,14 @@ void put_futex_key(int fshared, union futex_key *key)
  */
 static int fault_in_user_writeable(u32 __user *uaddr)
 {
-       int ret = get_user_pages(current, current->mm, (unsigned long)uaddr,
-                                1, 1, 0, NULL, NULL);
+       struct mm_struct *mm = current->mm;
+       int ret;
+
+       down_read(&mm->mmap_sem);
+       ret = get_user_pages(current, mm, (unsigned long)uaddr,
+                            1, 1, 0, NULL, NULL);
+       up_read(&mm->mmap_sem);
+
        return ret < 0 ? ret : 0;
 }
 
@@ -397,9 +401,9 @@ static void free_pi_state(struct futex_pi_state *pi_state)
         * and has cleaned up the pi_state already
         */
        if (pi_state->owner) {
-               spin_lock_irq(&pi_state->owner->pi_lock);
+               raw_spin_lock_irq(&pi_state->owner->pi_lock);
                list_del_init(&pi_state->list);
-               spin_unlock_irq(&pi_state->owner->pi_lock);
+               raw_spin_unlock_irq(&pi_state->owner->pi_lock);
 
                rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
        }
@@ -464,18 +468,18 @@ void exit_pi_state_list(struct task_struct *curr)
         * pi_state_list anymore, but we have to be careful
         * versus waiters unqueueing themselves:
         */
-       spin_lock_irq(&curr->pi_lock);
+       raw_spin_lock_irq(&curr->pi_lock);
        while (!list_empty(head)) {
 
                next = head->next;
                pi_state = list_entry(next, struct futex_pi_state, list);
                key = pi_state->key;
                hb = hash_futex(&key);
-               spin_unlock_irq(&curr->pi_lock);
+               raw_spin_unlock_irq(&curr->pi_lock);
 
                spin_lock(&hb->lock);
 
-               spin_lock_irq(&curr->pi_lock);
+               raw_spin_lock_irq(&curr->pi_lock);
                /*
                 * We dropped the pi-lock, so re-check whether this
                 * task still owns the PI-state:
@@ -489,15 +493,15 @@ void exit_pi_state_list(struct task_struct *curr)
                WARN_ON(list_empty(&pi_state->list));
                list_del_init(&pi_state->list);
                pi_state->owner = NULL;
-               spin_unlock_irq(&curr->pi_lock);
+               raw_spin_unlock_irq(&curr->pi_lock);
 
                rt_mutex_unlock(&pi_state->pi_mutex);
 
                spin_unlock(&hb->lock);
 
-               spin_lock_irq(&curr->pi_lock);
+               raw_spin_lock_irq(&curr->pi_lock);
        }
-       spin_unlock_irq(&curr->pi_lock);
+       raw_spin_unlock_irq(&curr->pi_lock);
 }
 
 static int
@@ -526,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                                return -EINVAL;
 
                        WARN_ON(!atomic_read(&pi_state->refcount));
-                       WARN_ON(pid && pi_state->owner &&
-                               pi_state->owner->pid != pid);
+
+                       /*
+                        * When pi_state->owner is NULL then the owner died
+                        * and another waiter is on the fly. pi_state->owner
+                        * is fixed up by the task which acquires
+                        * pi_state->rt_mutex.
+                        *
+                        * We do not check for pid == 0 which can happen when
+                        * the owner died and robust_list_exit() cleared the
+                        * TID.
+                        */
+                       if (pid && pi_state->owner) {
+                               /*
+                                * Bail out if user space manipulated the
+                                * futex value.
+                                */
+                               if (pid != task_pid_vnr(pi_state->owner))
+                                       return -EINVAL;
+                       }
 
                        atomic_inc(&pi_state->refcount);
                        *ps = pi_state;
@@ -552,7 +573,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
         * change of the task flags, we do this protected by
         * p->pi_lock:
         */
-       spin_lock_irq(&p->pi_lock);
+       raw_spin_lock_irq(&p->pi_lock);
        if (unlikely(p->flags & PF_EXITING)) {
                /*
                 * The task is on the way out. When PF_EXITPIDONE is
@@ -561,7 +582,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                 */
                int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
 
-               spin_unlock_irq(&p->pi_lock);
+               raw_spin_unlock_irq(&p->pi_lock);
                put_task_struct(p);
                return ret;
        }
@@ -580,7 +601,7 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
        WARN_ON(!list_empty(&pi_state->list));
        list_add(&pi_state->list, &p->pi_state_list);
        pi_state->owner = p;
-       spin_unlock_irq(&p->pi_lock);
+       raw_spin_unlock_irq(&p->pi_lock);
 
        put_task_struct(p);
 
@@ -754,7 +775,14 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
        if (!pi_state)
                return -EINVAL;
 
-       spin_lock(&pi_state->pi_mutex.wait_lock);
+       /*
+        * If current does not own the pi_state then the futex is
+        * inconsistent and user space fiddled with the futex value.
+        */
+       if (pi_state->owner != current)
+               return -EINVAL;
+
+       raw_spin_lock(&pi_state->pi_mutex.wait_lock);
        new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
 
        /*
@@ -783,23 +811,23 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
                else if (curval != uval)
                        ret = -EINVAL;
                if (ret) {
-                       spin_unlock(&pi_state->pi_mutex.wait_lock);
+                       raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
                        return ret;
                }
        }
 
-       spin_lock_irq(&pi_state->owner->pi_lock);
+       raw_spin_lock_irq(&pi_state->owner->pi_lock);
        WARN_ON(list_empty(&pi_state->list));
        list_del_init(&pi_state->list);
-       spin_unlock_irq(&pi_state->owner->pi_lock);
+       raw_spin_unlock_irq(&pi_state->owner->pi_lock);
 
-       spin_lock_irq(&new_owner->pi_lock);
+       raw_spin_lock_irq(&new_owner->pi_lock);
        WARN_ON(!list_empty(&pi_state->list));
        list_add(&pi_state->list, &new_owner->pi_state_list);
        pi_state->owner = new_owner;
-       spin_unlock_irq(&new_owner->pi_lock);
+       raw_spin_unlock_irq(&new_owner->pi_lock);
 
-       spin_unlock(&pi_state->pi_mutex.wait_lock);
+       raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
        rt_mutex_unlock(&pi_state->pi_mutex);
 
        return 0;
@@ -861,7 +889,7 @@ static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
        if (!bitset)
                return -EINVAL;
 
-       ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);
+       ret = get_futex_key(uaddr, fshared, &key);
        if (unlikely(ret != 0))
                goto out;
 
@@ -907,10 +935,10 @@ futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
        int ret, op_ret;
 
 retry:
-       ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+       ret = get_futex_key(uaddr1, fshared, &key1);
        if (unlikely(ret != 0))
                goto out;
-       ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+       ret = get_futex_key(uaddr2, fshared, &key2);
        if (unlikely(ret != 0))
                goto out_put_key1;
 
@@ -1004,7 +1032,7 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
                plist_add(&q->list, &hb2->chain);
                q->lock_ptr = &hb2->lock;
 #ifdef CONFIG_DEBUG_PI_LIST
-               q->list.plist.lock = &hb2->lock;
+               q->list.plist.spinlock = &hb2->lock;
 #endif
        }
        get_futex_key_refs(key2);
@@ -1029,7 +1057,6 @@ static inline
 void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
                           struct futex_hash_bucket *hb)
 {
-       drop_futex_key_refs(&q->key);
        get_futex_key_refs(key);
        q->key = *key;
 
@@ -1041,7 +1068,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
 
        q->lock_ptr = &hb->lock;
 #ifdef CONFIG_DEBUG_PI_LIST
-       q->list.plist.lock = &hb->lock;
+       q->list.plist.spinlock = &hb->lock;
 #endif
 
        wake_up_state(q->task, TASK_NORMAL);
@@ -1170,11 +1197,10 @@ retry:
                pi_state = NULL;
        }
 
-       ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+       ret = get_futex_key(uaddr1, fshared, &key1);
        if (unlikely(ret != 0))
                goto out;
-       ret = get_futex_key(uaddr2, fshared, &key2,
-                           requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+       ret = get_futex_key(uaddr2, fshared, &key2);
        if (unlikely(ret != 0))
                goto out_put_key1;
 
@@ -1227,6 +1253,7 @@ retry_private:
                 */
                if (ret == 1) {
                        WARN_ON(pi_state);
+                       drop_count++;
                        task_count++;
                        ret = get_futex_value_locked(&curval2, uaddr2);
                        if (!ret)
@@ -1305,6 +1332,7 @@ retry_private:
                        if (ret == 1) {
                                /* We got the lock. */
                                requeue_pi_wake_futex(this, &key2, hb2);
+                               drop_count++;
                                continue;
                        } else if (ret) {
                                /* -EDEADLK */
@@ -1387,7 +1415,7 @@ static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
 
        plist_node_init(&q->list, prio);
 #ifdef CONFIG_DEBUG_PI_LIST
-       q->list.plist.lock = &hb->lock;
+       q->list.plist.spinlock = &hb->lock;
 #endif
        plist_add(&q->list, &hb->chain);
        q->task = current;
@@ -1522,18 +1550,18 @@ retry:
         * itself.
         */
        if (pi_state->owner != NULL) {
-               spin_lock_irq(&pi_state->owner->pi_lock);
+               raw_spin_lock_irq(&pi_state->owner->pi_lock);
                WARN_ON(list_empty(&pi_state->list));
                list_del_init(&pi_state->list);
-               spin_unlock_irq(&pi_state->owner->pi_lock);
+               raw_spin_unlock_irq(&pi_state->owner->pi_lock);
        }
 
        pi_state->owner = newowner;
 
-       spin_lock_irq(&newowner->pi_lock);
+       raw_spin_lock_irq(&newowner->pi_lock);
        WARN_ON(!list_empty(&pi_state->list));
        list_add(&pi_state->list, &newowner->pi_state_list);
-       spin_unlock_irq(&newowner->pi_lock);
+       raw_spin_unlock_irq(&newowner->pi_lock);
        return 0;
 
        /*
@@ -1731,7 +1759,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,
         */
 retry:
        q->key = FUTEX_KEY_INIT;
-       ret = get_futex_key(uaddr, fshared, &q->key, VERIFY_READ);
+       ret = get_futex_key(uaddr, fshared, &q->key);
        if (unlikely(ret != 0))
                return ret;
 
@@ -1897,7 +1925,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
        q.requeue_pi_key = NULL;
 retry:
        q.key = FUTEX_KEY_INIT;
-       ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
+       ret = get_futex_key(uaddr, fshared, &q.key);
        if (unlikely(ret != 0))
                goto out;
 
@@ -1967,7 +1995,7 @@ retry_private:
        /* Unqueue and drop the lock */
        unqueue_me_pi(&q);
 
-       goto out;
+       goto out_put_key;
 
 out_unlock_put_key:
        queue_unlock(&q, hb);
@@ -2016,7 +2044,7 @@ retry:
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
                return -EPERM;
 
-       ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);
+       ret = get_futex_key(uaddr, fshared, &key);
        if (unlikely(ret != 0))
                goto out;
 
@@ -2126,7 +2154,7 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
                plist_del(&q->list, &q->list.plist);
 
                /* Handle spurious wakeups gracefully */
-               ret = -EAGAIN;
+               ret = -EWOULDBLOCK;
                if (timeout && !timeout->task)
                        ret = -ETIMEDOUT;
                else if (signal_pending(current))
@@ -2207,9 +2235,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
        debug_rt_mutex_init_waiter(&rt_waiter);
        rt_waiter.task = NULL;
 
-retry:
        key2 = FUTEX_KEY_INIT;
-       ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+       ret = get_futex_key(uaddr2, fshared, &key2);
        if (unlikely(ret != 0))
                goto out;
 
@@ -2302,9 +2329,6 @@ out_put_keys:
 out_key2:
        put_futex_key(fshared, &key2);
 
-       /* Spurious wakeup ? */
-       if (ret == -EAGAIN)
-               goto retry;
 out:
        if (to) {
                hrtimer_cancel(&to->timer);