[ 3.5.y.z extended stable ] Patch "futex: avoid wake_futex() for a PI futex_q" has been added to staging queue

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Mon Dec 10 17:00:51 UTC 2012

This is a note to let you know that I have just added a patch titled

    futex: avoid wake_futex() for a PI futex_q

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



>From 4c9efd0f69b90c46776e1db0769f17ef1c9be264 Mon Sep 17 00:00:00 2001
From: Darren Hart <dvhart at linux.intel.com>
Date: Mon, 26 Nov 2012 16:29:56 -0800
Subject: [PATCH] futex: avoid wake_futex() for a PI futex_q

commit aa10990e028cac3d5e255711fb9fb47e00700e35 upstream.

Dave Jones reported a bug with futex_lock_pi() that his trinity test
exposed.  Sometime between queue_me() and taking the q.lock_ptr, the
lock_ptr became NULL, resulting in a crash.

While futex_wake() is careful to not call wake_futex() on futex_q's with
a pi_state or an rt_waiter (which are either waiting for a
futex_unlock_pi() or a PI futex_requeue()), futex_wake_op() and
futex_requeue() do not perform the same test.

Update futex_wake_op() and futex_requeue() to test for q.pi_state and
q.rt_waiter and abort with -EINVAL if detected.  To ensure any future
breakage is caught, add a WARN() to wake_futex() if the same condition
is true.

This fix has seen 3 hours of testing with "trinity -c futex" on an
x86_64 VM with 4 CPUS.

[akpm at linux-foundation.org: tidy up the WARN()]
Signed-off-by: Darren Hart <dvhart at linux.intel.com>
Reported-by: Dave Jones <davej at redat.com>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Ingo Molnar <mingo at elte.hu>
Cc: John Kacur <jkacur at redhat.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
 kernel/futex.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index 20ef219..19eb089 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -843,6 +843,9 @@ static void wake_futex(struct futex_q *q)
 	struct task_struct *p = q->task;

+	if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
+		return;
 	 * We set q->lock_ptr = NULL _before_ we wake up the task. If
 	 * a non-futex wake up happens on another CPU then the task
@@ -1078,6 +1081,10 @@ retry_private:

 	plist_for_each_entry_safe(this, next, head, list) {
 		if (match_futex (&this->key, &key1)) {
+			if (this->pi_state || this->rt_waiter) {
+				ret = -EINVAL;
+				goto out_unlock;
+			}
 			if (++ret >= nr_wake)
@@ -1090,6 +1097,10 @@ retry_private:
 		op_ret = 0;
 		plist_for_each_entry_safe(this, next, head, list) {
 			if (match_futex (&this->key, &key2)) {
+				if (this->pi_state || this->rt_waiter) {
+					ret = -EINVAL;
+					goto out_unlock;
+				}
 				if (++op_ret >= nr_wake2)
@@ -1098,6 +1109,7 @@ retry_private:
 		ret += op_ret;

 	double_unlock_hb(hb1, hb2);
@@ -1387,9 +1399,13 @@ retry_private:
 		 * be paired with each other and no other futex ops.
+		 *
+		 * We should never be requeueing a futex_q with a pi_state,
+		 * which is awaiting a futex_unlock_pi().
 		if ((requeue_pi && !this->rt_waiter) ||
-		    (!requeue_pi && this->rt_waiter)) {
+		    (!requeue_pi && this->rt_waiter) ||
+		    this->pi_state) {
 			ret = -EINVAL;

More information about the kernel-team mailing list