2 * Fast Userspace Mutexes (which I call "Futexes!").
3 * (C) Rusty Russell, IBM 2002
5 * Generalized futexes, futex requeueing, misc fixes by Ingo Molnar
6 * (C) Copyright 2003 Red Hat Inc, All Rights Reserved
8 * Removed page pinning, fix privately mapped COW pages and other cleanups
9 * (C) Copyright 2003, 2004 Jamie Lokier
11 * Robust futex support started by Ingo Molnar
12 * (C) Copyright 2006 Red Hat Inc, All Rights Reserved
13 * Thanks to Thomas Gleixner for suggestions, analysis and fixes.
15 * PI-futex support started by Ingo Molnar and Thomas Gleixner
16 * Copyright (C) 2006 Red Hat, Inc., Ingo Molnar <mingo@redhat.com>
17 * Copyright (C) 2006 Timesys Corp., Thomas Gleixner <tglx@timesys.com>
19 * PRIVATE futexes by Eric Dumazet
20 * Copyright (C) 2007 Eric Dumazet <dada1@cosmosbay.com>
22 * Requeue-PI support by Darren Hart <dvhltc@us.ibm.com>
23 * Copyright (C) IBM Corporation, 2009
24 * Thanks to Thomas Gleixner for conceptual design and careful reviews.
26 * Thanks to Ben LaHaise for yelling "hashed waitqueues" loudly
27 * enough at me, Linus for the original (flawed) idea, Matthew
28 * Kirkwood for proof-of-concept implementation.
30 * "The futexes are also cursed."
31 * "But they come in a choice of three flavours!"
33 * This program is free software; you can redistribute it and/or modify
34 * it under the terms of the GNU General Public License as published by
35 * the Free Software Foundation; either version 2 of the License, or
36 * (at your option) any later version.
38 * This program is distributed in the hope that it will be useful,
39 * but WITHOUT ANY WARRANTY; without even the implied warranty of
40 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
41 * GNU General Public License for more details.
43 * You should have received a copy of the GNU General Public License
44 * along with this program; if not, write to the Free Software
45 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
47 #include <linux/slab.h>
48 #include <linux/poll.h>
50 #include <linux/file.h>
51 #include <linux/jhash.h>
52 #include <linux/init.h>
53 #include <linux/futex.h>
54 #include <linux/mount.h>
55 #include <linux/pagemap.h>
56 #include <linux/syscalls.h>
57 #include <linux/signal.h>
58 #include <linux/export.h>
59 #include <linux/magic.h>
60 #include <linux/pid.h>
61 #include <linux/nsproxy.h>
62 #include <linux/ptrace.h>
63 #include <linux/sched/rt.h>
64 #include <linux/hugetlb.h>
65 #include <linux/freezer.h>
66 #include <linux/bootmem.h>
67 #include <linux/fault-inject.h>
69 #include <asm/futex.h>
71 #include "locking/rtmutex_common.h"
74 * READ this before attempting to hack on futexes!
76 * Basic futex operation and ordering guarantees
77 * =============================================
79 * The waiter reads the futex value in user space and calls
80 * futex_wait(). This function computes the hash bucket and acquires
81 * the hash bucket lock. After that it reads the futex user space value
82 * again and verifies that the data has not changed. If it has not changed
83 * it enqueues itself into the hash bucket, releases the hash bucket lock
86 * The waker side modifies the user space value of the futex and calls
87 * futex_wake(). This function computes the hash bucket and acquires the
88 * hash bucket lock. Then it looks for waiters on that futex in the hash
89 * bucket and wakes them.
91 * In futex wake up scenarios where no tasks are blocked on a futex, taking
92 * the hb spinlock can be avoided and simply return. In order for this
93 * optimization to work, ordering guarantees must exist so that the waiter
94 * being added to the list is acknowledged when the list is concurrently being
95 * checked by the waker, avoiding scenarios like the following:
99 * sys_futex(WAIT, futex, val);
100 * futex_wait(futex, val);
103 * sys_futex(WAKE, futex);
108 * lock(hash_bucket(futex));
110 * unlock(hash_bucket(futex));
113 * This would cause the waiter on CPU 0 to wait forever because it
114 * missed the transition of the user space value from val to newval
115 * and the waker did not find the waiter in the hash bucket queue.
117 * The correct serialization ensures that a waiter either observes
118 * the changed user space value before blocking or is woken by a
123 * sys_futex(WAIT, futex, val);
124 * futex_wait(futex, val);
127 * smp_mb(); (A) <-- paired with -.
129 * lock(hash_bucket(futex)); |
133 * | sys_futex(WAKE, futex);
134 * | futex_wake(futex);
136 * `--------> smp_mb(); (B)
139 * unlock(hash_bucket(futex));
140 * schedule(); if (waiters)
141 * lock(hash_bucket(futex));
142 * else wake_waiters(futex);
143 * waiters--; (b) unlock(hash_bucket(futex));
145 * Where (A) orders the waiters increment and the futex value read through
146 * atomic operations (see hb_waiters_inc) and where (B) orders the write
147 * to futex and the waiters read -- this is done by the barriers for both
148 * shared and private futexes in get_futex_key_refs().
150 * This yields the following case (where X:=waiters, Y:=futex):
158 * Which guarantees that x==0 && y==0 is impossible; which translates back into
159 * the guarantee that we cannot both miss the futex variable change and the
162 * Note that a new waiter is accounted for in (a) even when it is possible that
163 * the wait call can return error, in which case we backtrack from it in (b).
164 * Refer to the comment in queue_lock().
166 * Similarly, in order to account for waiters being requeued on another
167 * address we always increment the waiters for the destination bucket before
168 * acquiring the lock. It then decrements them again after releasing it -
169 * the code that actually moves the futex(es) between hash buckets (requeue_futex)
170 * will do the additional required waiter count housekeeping. This is done for
171 * double_lock_hb() and double_unlock_hb(), respectively.
174 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
175 int __read_mostly futex_cmpxchg_enabled;
179 * Futex flags used to encode options to functions and preserve them across
182 #define FLAGS_SHARED 0x01
183 #define FLAGS_CLOCKRT 0x02
184 #define FLAGS_HAS_TIMEOUT 0x04
187 * Priority Inheritance state:
189 struct futex_pi_state {
191 * list of 'owned' pi_state instances - these have to be
192 * cleaned up in do_exit() if the task exits prematurely:
194 struct list_head list;
199 struct rt_mutex pi_mutex;
201 struct task_struct *owner;
208 * struct futex_q - The hashed futex queue entry, one per waiting task
209 * @list: priority-sorted list of tasks waiting on this futex
210 * @task: the task waiting on the futex
211 * @lock_ptr: the hash bucket lock
212 * @key: the key the futex is hashed on
213 * @pi_state: optional priority inheritance state
214 * @rt_waiter: rt_waiter storage for use with requeue_pi
215 * @requeue_pi_key: the requeue_pi target futex key
216 * @bitset: bitset for the optional bitmasked wakeup
218 * We use this hashed waitqueue, instead of a normal wait_queue_t, so
219 * we can wake only the relevant ones (hashed queues may be shared).
221 * A futex_q has a woken state, just like tasks have TASK_RUNNING.
222 * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0.
223 * The order of wakeup is always to make the first condition true, then
226 * PI futexes are typically woken before they are removed from the hash list via
227 * the rt_mutex code. See unqueue_me_pi().
230 struct plist_node list;
232 struct task_struct *task;
233 spinlock_t *lock_ptr;
235 struct futex_pi_state *pi_state;
236 struct rt_mutex_waiter *rt_waiter;
237 union futex_key *requeue_pi_key;
241 static const struct futex_q futex_q_init = {
242 /* list gets initialized in queue_me()*/
243 .key = FUTEX_KEY_INIT,
244 .bitset = FUTEX_BITSET_MATCH_ANY
248 * Hash buckets are shared by all the futex_keys that hash to the same
249 * location. Each key may have multiple futex_q structures, one for each task
250 * waiting on a futex.
252 struct futex_hash_bucket {
255 struct plist_head chain;
256 } ____cacheline_aligned_in_smp;
259 * The base of the bucket array and its size are always used together
260 * (after initialization only in hash_futex()), so ensure that they
261 * reside in the same cacheline.
264 struct futex_hash_bucket *queues;
265 unsigned long hashsize;
266 } __futex_data __read_mostly __aligned(2*sizeof(long));
267 #define futex_queues (__futex_data.queues)
268 #define futex_hashsize (__futex_data.hashsize)
272 * Fault injections for futexes.
274 #ifdef CONFIG_FAIL_FUTEX
277 struct fault_attr attr;
281 .attr = FAULT_ATTR_INITIALIZER,
282 .ignore_private = false,
285 static int __init setup_fail_futex(char *str)
287 return setup_fault_attr(&fail_futex.attr, str);
289 __setup("fail_futex=", setup_fail_futex);
291 static bool should_fail_futex(bool fshared)
293 if (fail_futex.ignore_private && !fshared)
296 return should_fail(&fail_futex.attr, 1);
299 #ifdef CONFIG_FAULT_INJECTION_DEBUG_FS
301 static int __init fail_futex_debugfs(void)
303 umode_t mode = S_IFREG | S_IRUSR | S_IWUSR;
306 dir = fault_create_debugfs_attr("fail_futex", NULL,
311 if (!debugfs_create_bool("ignore-private", mode, dir,
312 &fail_futex.ignore_private)) {
313 debugfs_remove_recursive(dir);
320 late_initcall(fail_futex_debugfs);
322 #endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */
325 static inline bool should_fail_futex(bool fshared)
329 #endif /* CONFIG_FAIL_FUTEX */
331 static inline void futex_get_mm(union futex_key *key)
333 atomic_inc(&key->private.mm->mm_count);
335 * Ensure futex_get_mm() implies a full barrier such that
336 * get_futex_key() implies a full barrier. This is relied upon
337 * as smp_mb(); (B), see the ordering comment above.
339 smp_mb__after_atomic();
343 * Reflects a new waiter being added to the waitqueue.
345 static inline void hb_waiters_inc(struct futex_hash_bucket *hb)
348 atomic_inc(&hb->waiters);
350 * Full barrier (A), see the ordering comment above.
352 smp_mb__after_atomic();
357 * Reflects a waiter being removed from the waitqueue by wakeup
360 static inline void hb_waiters_dec(struct futex_hash_bucket *hb)
363 atomic_dec(&hb->waiters);
367 static inline int hb_waiters_pending(struct futex_hash_bucket *hb)
370 return atomic_read(&hb->waiters);
377 * We hash on the keys returned from get_futex_key (see below).
379 static struct futex_hash_bucket *hash_futex(union futex_key *key)
381 u32 hash = jhash2((u32*)&key->both.word,
382 (sizeof(key->both.word)+sizeof(key->both.ptr))/4,
384 return &futex_queues[hash & (futex_hashsize - 1)];
388 * Return 1 if two futex_keys are equal, 0 otherwise.
390 static inline int match_futex(union futex_key *key1, union futex_key *key2)
393 && key1->both.word == key2->both.word
394 && key1->both.ptr == key2->both.ptr
395 && key1->both.offset == key2->both.offset);
399 * Take a reference to the resource addressed by a key.
400 * Can be called while holding spinlocks.
403 static void get_futex_key_refs(union futex_key *key)
408 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
410 ihold(key->shared.inode); /* implies smp_mb(); (B) */
412 case FUT_OFF_MMSHARED:
413 futex_get_mm(key); /* implies smp_mb(); (B) */
417 * Private futexes do not hold reference on an inode or
418 * mm, therefore the only purpose of calling get_futex_key_refs
419 * is because we need the barrier for the lockless waiter check.
421 smp_mb(); /* explicit smp_mb(); (B) */
426 * Drop a reference to the resource addressed by a key.
427 * The hash bucket spinlock must not be held. This is
428 * a no-op for private futexes, see comment in the get
431 static void drop_futex_key_refs(union futex_key *key)
433 if (!key->both.ptr) {
434 /* If we're here then we tried to put a key we failed to get */
439 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
441 iput(key->shared.inode);
443 case FUT_OFF_MMSHARED:
444 mmdrop(key->private.mm);
450 * get_futex_key() - Get parameters which are the keys for a futex
451 * @uaddr: virtual address of the futex
452 * @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
453 * @key: address where result is stored.
454 * @rw: mapping needs to be read/write (values: VERIFY_READ,
457 * Return: a negative error code or 0
459 * The key words are stored in *key on success.
461 * For shared mappings, it's (page->index, file_inode(vma->vm_file),
462 * offset_within_page). For private mappings, it's (uaddr, current->mm).
463 * We can usually work out the index without swapping in the page.
465 * lock_page() might sleep, the caller should not hold a spinlock.
468 get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
470 unsigned long address = (unsigned long)uaddr;
471 struct mm_struct *mm = current->mm;
472 struct page *page, *tail;
473 struct address_space *mapping;
477 * The futex address must be "naturally" aligned.
479 key->both.offset = address % PAGE_SIZE;
480 if (unlikely((address % sizeof(u32)) != 0))
482 address -= key->both.offset;
484 if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
487 if (unlikely(should_fail_futex(fshared)))
491 * PROCESS_PRIVATE futexes are fast.
492 * As the mm cannot disappear under us and the 'key' only needs
493 * virtual address, we dont even have to find the underlying vma.
494 * Note : We do have to check 'uaddr' is a valid user address,
495 * but access_ok() should be faster than find_vma()
498 key->private.mm = mm;
499 key->private.address = address;
500 get_futex_key_refs(key); /* implies smp_mb(); (B) */
505 /* Ignore any VERIFY_READ mapping (futex common case) */
506 if (unlikely(should_fail_futex(fshared)))
509 err = get_user_pages_fast(address, 1, 1, &page);
511 * If write access is not required (eg. FUTEX_WAIT), try
512 * and get read-only access.
514 if (err == -EFAULT && rw == VERIFY_READ) {
515 err = get_user_pages_fast(address, 1, 0, &page);
524 * The treatment of mapping from this point on is critical. The page
525 * lock protects many things but in this context the page lock
526 * stabilizes mapping, prevents inode freeing in the shared
527 * file-backed region case and guards against movement to swap cache.
529 * Strictly speaking the page lock is not needed in all cases being
530 * considered here and page lock forces unnecessarily serialization
531 * From this point on, mapping will be re-verified if necessary and
532 * page lock will be acquired only if it is unavoidable
534 * Mapping checks require the head page for any compound page so the
535 * head page and mapping is looked up now. For anonymous pages, it
536 * does not matter if the page splits in the future as the key is
537 * based on the address. For filesystem-backed pages, the tail is
538 * required as the index of the page determines the key. For
539 * base pages, there is no tail page and tail == page.
542 page = compound_head(page);
543 mapping = READ_ONCE(page->mapping);
546 * If page->mapping is NULL, then it cannot be a PageAnon
547 * page; but it might be the ZERO_PAGE or in the gate area or
548 * in a special mapping (all cases which we are happy to fail);
549 * or it may have been a good file page when get_user_pages_fast
550 * found it, but truncated or holepunched or subjected to
551 * invalidate_complete_page2 before we got the page lock (also
552 * cases which we are happy to fail). And we hold a reference,
553 * so refcount care in invalidate_complete_page's remove_mapping
554 * prevents drop_caches from setting mapping to NULL beneath us.
556 * The case we do have to guard against is when memory pressure made
557 * shmem_writepage move it from filecache to swapcache beneath us:
558 * an unlikely race, but we do need to retry for page->mapping.
560 if (unlikely(!mapping)) {
564 * Page lock is required to identify which special case above
565 * applies. If this is really a shmem page then the page lock
566 * will prevent unexpected transitions.
569 shmem_swizzled = PageSwapCache(page) || page->mapping;
580 * Private mappings are handled in a simple way.
582 * If the futex key is stored on an anonymous page, then the associated
583 * object is the mm which is implicitly pinned by the calling process.
585 * NOTE: When userspace waits on a MAP_SHARED mapping, even if
586 * it's a read-only handle, it's expected that futexes attach to
587 * the object not the particular process.
589 if (PageAnon(page)) {
591 * A RO anonymous page will never change and thus doesn't make
592 * sense for futex operations.
594 if (unlikely(should_fail_futex(fshared)) || ro) {
599 key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
600 key->private.mm = mm;
601 key->private.address = address;
603 get_futex_key_refs(key); /* implies smp_mb(); (B) */
609 * The associated futex object in this case is the inode and
610 * the page->mapping must be traversed. Ordinarily this should
611 * be stabilised under page lock but it's not strictly
612 * necessary in this case as we just want to pin the inode, not
613 * update the radix tree or anything like that.
615 * The RCU read lock is taken as the inode is finally freed
616 * under RCU. If the mapping still matches expectations then the
617 * mapping->host can be safely accessed as being a valid inode.
621 if (READ_ONCE(page->mapping) != mapping) {
628 inode = READ_ONCE(mapping->host);
637 * Take a reference unless it is about to be freed. Previously
638 * this reference was taken by ihold under the page lock
639 * pinning the inode in place so i_lock was unnecessary. The
640 * only way for this check to fail is if the inode was
641 * truncated in parallel so warn for now if this happens.
643 * We are not calling into get_futex_key_refs() in file-backed
644 * cases, therefore a successful atomic_inc return below will
645 * guarantee that get_futex_key() will still imply smp_mb(); (B).
647 if (WARN_ON_ONCE(!atomic_inc_not_zero(&inode->i_count))) {
654 /* Should be impossible but lets be paranoid for now */
655 if (WARN_ON_ONCE(inode->i_mapping != mapping)) {
663 key->both.offset |= FUT_OFF_INODE; /* inode-based key */
664 key->shared.inode = inode;
665 key->shared.pgoff = basepage_index(tail);
674 static inline void put_futex_key(union futex_key *key)
676 drop_futex_key_refs(key);
680 * fault_in_user_writeable() - Fault in user address and verify RW access
681 * @uaddr: pointer to faulting user space address
683 * Slow path to fixup the fault we just took in the atomic write
686 * We have no generic implementation of a non-destructive write to the
687 * user address. We know that we faulted in the atomic pagefault
688 * disabled section so we can as well avoid the #PF overhead by
689 * calling get_user_pages() right away.
691 static int fault_in_user_writeable(u32 __user *uaddr)
693 struct mm_struct *mm = current->mm;
696 down_read(&mm->mmap_sem);
697 ret = fixup_user_fault(current, mm, (unsigned long)uaddr,
698 FAULT_FLAG_WRITE, NULL);
699 up_read(&mm->mmap_sem);
701 return ret < 0 ? ret : 0;
705 * futex_top_waiter() - Return the highest priority waiter on a futex
706 * @hb: the hash bucket the futex_q's reside in
707 * @key: the futex key (to distinguish it from other futex futex_q's)
709 * Must be called with the hb lock held.
711 static struct futex_q *futex_top_waiter(struct futex_hash_bucket *hb,
712 union futex_key *key)
714 struct futex_q *this;
716 plist_for_each_entry(this, &hb->chain, list) {
717 if (match_futex(&this->key, key))
723 static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
724 u32 uval, u32 newval)
729 ret = futex_atomic_cmpxchg_inatomic(curval, uaddr, uval, newval);
735 static int get_futex_value_locked(u32 *dest, u32 __user *from)
740 ret = __get_user(*dest, from);
743 return ret ? -EFAULT : 0;
750 static int refill_pi_state_cache(void)
752 struct futex_pi_state *pi_state;
754 if (likely(current->pi_state_cache))
757 pi_state = kzalloc(sizeof(*pi_state), GFP_KERNEL);
762 INIT_LIST_HEAD(&pi_state->list);
763 /* pi_mutex gets initialized later */
764 pi_state->owner = NULL;
765 atomic_set(&pi_state->refcount, 1);
766 pi_state->key = FUTEX_KEY_INIT;
768 current->pi_state_cache = pi_state;
773 static struct futex_pi_state * alloc_pi_state(void)
775 struct futex_pi_state *pi_state = current->pi_state_cache;
778 current->pi_state_cache = NULL;
784 * Drops a reference to the pi_state object and frees or caches it
785 * when the last reference is gone.
787 * Must be called with the hb lock held.
789 static void put_pi_state(struct futex_pi_state *pi_state)
794 if (!atomic_dec_and_test(&pi_state->refcount))
798 * If pi_state->owner is NULL, the owner is most probably dying
799 * and has cleaned up the pi_state already
801 if (pi_state->owner) {
802 raw_spin_lock_irq(&pi_state->owner->pi_lock);
803 list_del_init(&pi_state->list);
804 raw_spin_unlock_irq(&pi_state->owner->pi_lock);
806 rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
809 if (current->pi_state_cache)
813 * pi_state->list is already empty.
814 * clear pi_state->owner.
815 * refcount is at 0 - put it back to 1.
817 pi_state->owner = NULL;
818 atomic_set(&pi_state->refcount, 1);
819 current->pi_state_cache = pi_state;
824 * Look up the task based on what TID userspace gave us.
827 static struct task_struct * futex_find_get_task(pid_t pid)
829 struct task_struct *p;
832 p = find_task_by_vpid(pid);
842 * This task is holding PI mutexes at exit time => bad.
843 * Kernel cleans up PI-state, but userspace is likely hosed.
844 * (Robust-futex cleanup is separate and might save the day for userspace.)
846 void exit_pi_state_list(struct task_struct *curr)
848 struct list_head *next, *head = &curr->pi_state_list;
849 struct futex_pi_state *pi_state;
850 struct futex_hash_bucket *hb;
851 union futex_key key = FUTEX_KEY_INIT;
853 if (!futex_cmpxchg_enabled)
856 * We are a ZOMBIE and nobody can enqueue itself on
857 * pi_state_list anymore, but we have to be careful
858 * versus waiters unqueueing themselves:
860 raw_spin_lock_irq(&curr->pi_lock);
861 while (!list_empty(head)) {
864 pi_state = list_entry(next, struct futex_pi_state, list);
866 hb = hash_futex(&key);
867 raw_spin_unlock_irq(&curr->pi_lock);
869 spin_lock(&hb->lock);
871 raw_spin_lock_irq(&curr->pi_lock);
873 * We dropped the pi-lock, so re-check whether this
874 * task still owns the PI-state:
876 if (head->next != next) {
877 spin_unlock(&hb->lock);
881 WARN_ON(pi_state->owner != curr);
882 WARN_ON(list_empty(&pi_state->list));
883 list_del_init(&pi_state->list);
884 pi_state->owner = NULL;
885 raw_spin_unlock_irq(&curr->pi_lock);
887 rt_mutex_unlock(&pi_state->pi_mutex);
889 spin_unlock(&hb->lock);
891 raw_spin_lock_irq(&curr->pi_lock);
893 raw_spin_unlock_irq(&curr->pi_lock);
897 * We need to check the following states:
899 * Waiter | pi_state | pi->owner | uTID | uODIED | ?
901 * [1] NULL | --- | --- | 0 | 0/1 | Valid
902 * [2] NULL | --- | --- | >0 | 0/1 | Valid
904 * [3] Found | NULL | -- | Any | 0/1 | Invalid
906 * [4] Found | Found | NULL | 0 | 1 | Valid
907 * [5] Found | Found | NULL | >0 | 1 | Invalid
909 * [6] Found | Found | task | 0 | 1 | Valid
911 * [7] Found | Found | NULL | Any | 0 | Invalid
913 * [8] Found | Found | task | ==taskTID | 0/1 | Valid
914 * [9] Found | Found | task | 0 | 0 | Invalid
915 * [10] Found | Found | task | !=taskTID | 0/1 | Invalid
917 * [1] Indicates that the kernel can acquire the futex atomically. We
918 * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
920 * [2] Valid, if TID does not belong to a kernel thread. If no matching
921 * thread is found then it indicates that the owner TID has died.
923 * [3] Invalid. The waiter is queued on a non PI futex
925 * [4] Valid state after exit_robust_list(), which sets the user space
926 * value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
928 * [5] The user space value got manipulated between exit_robust_list()
929 * and exit_pi_state_list()
931 * [6] Valid state after exit_pi_state_list() which sets the new owner in
932 * the pi_state but cannot access the user space value.
934 * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
936 * [8] Owner and user space value match
938 * [9] There is no transient state which sets the user space TID to 0
939 * except exit_robust_list(), but this is indicated by the
940 * FUTEX_OWNER_DIED bit. See [4]
942 * [10] There is no transient state which leaves owner and user space
947 * Validate that the existing waiter has a pi_state and sanity check
948 * the pi_state against the user space value. If correct, attach to
951 static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
952 struct futex_pi_state **ps)
954 pid_t pid = uval & FUTEX_TID_MASK;
957 * Userspace might have messed up non-PI and PI futexes [3]
959 if (unlikely(!pi_state))
962 WARN_ON(!atomic_read(&pi_state->refcount));
965 * Handle the owner died case:
967 if (uval & FUTEX_OWNER_DIED) {
969 * exit_pi_state_list sets owner to NULL and wakes the
970 * topmost waiter. The task which acquires the
971 * pi_state->rt_mutex will fixup owner.
973 if (!pi_state->owner) {
975 * No pi state owner, but the user space TID
976 * is not 0. Inconsistent state. [5]
981 * Take a ref on the state and return success. [4]
987 * If TID is 0, then either the dying owner has not
988 * yet executed exit_pi_state_list() or some waiter
989 * acquired the rtmutex in the pi state, but did not
990 * yet fixup the TID in user space.
992 * Take a ref on the state and return success. [6]
998 * If the owner died bit is not set, then the pi_state
999 * must have an owner. [7]
1001 if (!pi_state->owner)
1006 * Bail out if user space manipulated the futex value. If pi
1007 * state exists then the owner TID must be the same as the
1008 * user space TID. [9/10]
1010 if (pid != task_pid_vnr(pi_state->owner))
1013 atomic_inc(&pi_state->refcount);
1019 * Lookup the task for the TID provided from user space and attach to
1020 * it after doing proper sanity checks.
1022 static int attach_to_pi_owner(u32 uval, union futex_key *key,
1023 struct futex_pi_state **ps)
1025 pid_t pid = uval & FUTEX_TID_MASK;
1026 struct futex_pi_state *pi_state;
1027 struct task_struct *p;
1030 * We are the first waiter - try to look up the real owner and attach
1031 * the new pi_state to it, but bail out when TID = 0 [1]
1035 p = futex_find_get_task(pid);
1039 if (unlikely(p->flags & PF_KTHREAD)) {
1045 * We need to look at the task state flags to figure out,
1046 * whether the task is exiting. To protect against the do_exit
1047 * change of the task flags, we do this protected by
1050 raw_spin_lock_irq(&p->pi_lock);
1051 if (unlikely(p->flags & PF_EXITING)) {
1053 * The task is on the way out. When PF_EXITPIDONE is
1054 * set, we know that the task has finished the
1057 int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
1059 raw_spin_unlock_irq(&p->pi_lock);
1065 * No existing pi state. First waiter. [2]
1067 pi_state = alloc_pi_state();
1070 * Initialize the pi_mutex in locked state and make @p
1073 rt_mutex_init_proxy_locked(&pi_state->pi_mutex, p);
1075 /* Store the key for possible exit cleanups: */
1076 pi_state->key = *key;
1078 WARN_ON(!list_empty(&pi_state->list));
1079 list_add(&pi_state->list, &p->pi_state_list);
1080 pi_state->owner = p;
1081 raw_spin_unlock_irq(&p->pi_lock);
1090 static int lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
1091 union futex_key *key, struct futex_pi_state **ps)
1093 struct futex_q *match = futex_top_waiter(hb, key);
1096 * If there is a waiter on that futex, validate it and
1097 * attach to the pi_state when the validation succeeds.
1100 return attach_to_pi_state(uval, match->pi_state, ps);
1103 * We are the first waiter - try to look up the owner based on
1104 * @uval and attach to it.
1106 return attach_to_pi_owner(uval, key, ps);
1109 static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
1111 u32 uninitialized_var(curval);
1113 if (unlikely(should_fail_futex(true)))
1116 if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)))
1119 /*If user space value changed, let the caller retry */
1120 return curval != uval ? -EAGAIN : 0;
1124 * futex_lock_pi_atomic() - Atomic work required to acquire a pi aware futex
1125 * @uaddr: the pi futex user address
1126 * @hb: the pi futex hash bucket
1127 * @key: the futex key associated with uaddr and hb
1128 * @ps: the pi_state pointer where we store the result of the
1130 * @task: the task to perform the atomic lock work for. This will
1131 * be "current" except in the case of requeue pi.
1132 * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0)
1135 * 0 - ready to wait;
1136 * 1 - acquired the lock;
1139 * The hb->lock and futex_key refs shall be held by the caller.
1141 static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1142 union futex_key *key,
1143 struct futex_pi_state **ps,
1144 struct task_struct *task, int set_waiters)
1146 u32 uval, newval, vpid = task_pid_vnr(task);
1147 struct futex_q *match;
1151 * Read the user space value first so we can validate a few
1152 * things before proceeding further.
1154 if (get_futex_value_locked(&uval, uaddr))
1157 if (unlikely(should_fail_futex(true)))
1163 if ((unlikely((uval & FUTEX_TID_MASK) == vpid)))
1166 if ((unlikely(should_fail_futex(true))))
1170 * Lookup existing state first. If it exists, try to attach to
1173 match = futex_top_waiter(hb, key);
1175 return attach_to_pi_state(uval, match->pi_state, ps);
1178 * No waiter and user TID is 0. We are here because the
1179 * waiters or the owner died bit is set or called from
1180 * requeue_cmp_pi or for whatever reason something took the
1183 if (!(uval & FUTEX_TID_MASK)) {
1185 * We take over the futex. No other waiters and the user space
1186 * TID is 0. We preserve the owner died bit.
1188 newval = uval & FUTEX_OWNER_DIED;
1191 /* The futex requeue_pi code can enforce the waiters bit */
1193 newval |= FUTEX_WAITERS;
1195 ret = lock_pi_update_atomic(uaddr, uval, newval);
1196 /* If the take over worked, return 1 */
1197 return ret < 0 ? ret : 1;
1201 * First waiter. Set the waiters bit before attaching ourself to
1202 * the owner. If owner tries to unlock, it will be forced into
1203 * the kernel and blocked on hb->lock.
1205 newval = uval | FUTEX_WAITERS;
1206 ret = lock_pi_update_atomic(uaddr, uval, newval);
1210 * If the update of the user space value succeeded, we try to
1211 * attach to the owner. If that fails, no harm done, we only
1212 * set the FUTEX_WAITERS bit in the user space variable.
1214 return attach_to_pi_owner(uval, key, ps);
1218 * __unqueue_futex() - Remove the futex_q from its futex_hash_bucket
1219 * @q: The futex_q to unqueue
1221 * The q->lock_ptr must not be NULL and must be held by the caller.
1223 static void __unqueue_futex(struct futex_q *q)
1225 struct futex_hash_bucket *hb;
1227 if (WARN_ON_SMP(!q->lock_ptr || !spin_is_locked(q->lock_ptr))
1228 || WARN_ON(plist_node_empty(&q->list)))
1231 hb = container_of(q->lock_ptr, struct futex_hash_bucket, lock);
1232 plist_del(&q->list, &hb->chain);
1237 * The hash bucket lock must be held when this is called.
1238 * Afterwards, the futex_q must not be accessed. Callers
1239 * must ensure to later call wake_up_q() for the actual
1242 static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q)
1244 struct task_struct *p = q->task;
1246 if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
1250 * Queue the task for later wakeup for after we've released
1251 * the hb->lock. wake_q_add() grabs reference to p.
1253 wake_q_add(wake_q, p);
1256 * The waiting task can free the futex_q as soon as
1257 * q->lock_ptr = NULL is written, without taking any locks. A
1258 * memory barrier is required here to prevent the following
1259 * store to lock_ptr from getting ahead of the plist_del.
1265 static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this,
1266 struct futex_hash_bucket *hb)
1268 struct task_struct *new_owner;
1269 struct futex_pi_state *pi_state = this->pi_state;
1270 u32 uninitialized_var(curval), newval;
1279 * If current does not own the pi_state then the futex is
1280 * inconsistent and user space fiddled with the futex value.
1282 if (pi_state->owner != current)
1285 raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
1286 new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
1289 * It is possible that the next waiter (the one that brought
1290 * this owner to the kernel) timed out and is no longer
1291 * waiting on the lock.
1294 new_owner = this->task;
1297 * We pass it to the next owner. The WAITERS bit is always
1298 * kept enabled while there is PI state around. We cleanup the
1299 * owner died bit, because we are the owner.
1301 newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
1303 if (unlikely(should_fail_futex(true)))
1306 if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) {
1308 } else if (curval != uval) {
1310 * If a unconditional UNLOCK_PI operation (user space did not
1311 * try the TID->0 transition) raced with a waiter setting the
1312 * FUTEX_WAITERS flag between get_user() and locking the hash
1313 * bucket lock, retry the operation.
1315 if ((FUTEX_TID_MASK & curval) == uval)
1321 raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1325 raw_spin_lock(&pi_state->owner->pi_lock);
1326 WARN_ON(list_empty(&pi_state->list));
1327 list_del_init(&pi_state->list);
1328 raw_spin_unlock(&pi_state->owner->pi_lock);
1330 raw_spin_lock(&new_owner->pi_lock);
1331 WARN_ON(!list_empty(&pi_state->list));
1332 list_add(&pi_state->list, &new_owner->pi_state_list);
1333 pi_state->owner = new_owner;
1334 raw_spin_unlock(&new_owner->pi_lock);
1336 raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1338 deboost = rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q);
1341 * First unlock HB so the waiter does not spin on it once he got woken
1342 * up. Second wake up the waiter before the priority is adjusted. If we
1343 * deboost first (and lose our higher priority), then the task might get
1344 * scheduled away before the wake up can take place.
1346 spin_unlock(&hb->lock);
1349 rt_mutex_adjust_prio(current);
1355 * Express the locking dependencies for lockdep:
1358 double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
1361 spin_lock(&hb1->lock);
1363 spin_lock_nested(&hb2->lock, SINGLE_DEPTH_NESTING);
1364 } else { /* hb1 > hb2 */
1365 spin_lock(&hb2->lock);
1366 spin_lock_nested(&hb1->lock, SINGLE_DEPTH_NESTING);
1371 double_unlock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
1373 spin_unlock(&hb1->lock);
1375 spin_unlock(&hb2->lock);
1379 * Wake up waiters matching bitset queued on this futex (uaddr).
1382 futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
1384 struct futex_hash_bucket *hb;
1385 struct futex_q *this, *next;
1386 union futex_key key = FUTEX_KEY_INIT;
1393 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_READ);
1394 if (unlikely(ret != 0))
1397 hb = hash_futex(&key);
1399 /* Make sure we really have tasks to wakeup */
1400 if (!hb_waiters_pending(hb))
1403 spin_lock(&hb->lock);
1405 plist_for_each_entry_safe(this, next, &hb->chain, list) {
1406 if (match_futex (&this->key, &key)) {
1407 if (this->pi_state || this->rt_waiter) {
1412 /* Check if one of the bits is set in both bitsets */
1413 if (!(this->bitset & bitset))
1416 mark_wake_futex(&wake_q, this);
1417 if (++ret >= nr_wake)
1422 spin_unlock(&hb->lock);
1425 put_futex_key(&key);
1431 * Wake up all waiters hashed on the physical page that is mapped
1432 * to this virtual address:
1435 futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
1436 int nr_wake, int nr_wake2, int op)
1438 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
1439 struct futex_hash_bucket *hb1, *hb2;
1440 struct futex_q *this, *next;
1445 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
1446 if (unlikely(ret != 0))
1448 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
1449 if (unlikely(ret != 0))
1452 hb1 = hash_futex(&key1);
1453 hb2 = hash_futex(&key2);
1456 double_lock_hb(hb1, hb2);
1457 op_ret = futex_atomic_op_inuser(op, uaddr2);
1458 if (unlikely(op_ret < 0)) {
1460 double_unlock_hb(hb1, hb2);
1464 * we don't get EFAULT from MMU faults if we don't have an MMU,
1465 * but we might get them from range checking
1471 if (unlikely(op_ret != -EFAULT)) {
1476 ret = fault_in_user_writeable(uaddr2);
1480 if (!(flags & FLAGS_SHARED))
1483 put_futex_key(&key2);
1484 put_futex_key(&key1);
1488 plist_for_each_entry_safe(this, next, &hb1->chain, list) {
1489 if (match_futex (&this->key, &key1)) {
1490 if (this->pi_state || this->rt_waiter) {
1494 mark_wake_futex(&wake_q, this);
1495 if (++ret >= nr_wake)
1502 plist_for_each_entry_safe(this, next, &hb2->chain, list) {
1503 if (match_futex (&this->key, &key2)) {
1504 if (this->pi_state || this->rt_waiter) {
1508 mark_wake_futex(&wake_q, this);
1509 if (++op_ret >= nr_wake2)
1517 double_unlock_hb(hb1, hb2);
1520 put_futex_key(&key2);
1522 put_futex_key(&key1);
1528 * requeue_futex() - Requeue a futex_q from one hb to another
1529 * @q: the futex_q to requeue
1530 * @hb1: the source hash_bucket
1531 * @hb2: the target hash_bucket
1532 * @key2: the new key for the requeued futex_q
1535 void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
1536 struct futex_hash_bucket *hb2, union futex_key *key2)
1540 * If key1 and key2 hash to the same bucket, no need to
1543 if (likely(&hb1->chain != &hb2->chain)) {
1544 plist_del(&q->list, &hb1->chain);
1545 hb_waiters_dec(hb1);
1546 hb_waiters_inc(hb2);
1547 plist_add(&q->list, &hb2->chain);
1548 q->lock_ptr = &hb2->lock;
1550 get_futex_key_refs(key2);
1555 * requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue
1557 * @key: the key of the requeue target futex
1558 * @hb: the hash_bucket of the requeue target futex
1560 * During futex_requeue, with requeue_pi=1, it is possible to acquire the
1561 * target futex if it is uncontended or via a lock steal. Set the futex_q key
1562 * to the requeue target futex so the waiter can detect the wakeup on the right
1563 * futex, but remove it from the hb and NULL the rt_waiter so it can detect
1564 * atomic lock acquisition. Set the q->lock_ptr to the requeue target hb->lock
1565 * to protect access to the pi_state to fixup the owner later. Must be called
1566 * with both q->lock_ptr and hb->lock held.
1569 void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
1570 struct futex_hash_bucket *hb)
1572 get_futex_key_refs(key);
1577 WARN_ON(!q->rt_waiter);
1578 q->rt_waiter = NULL;
1580 q->lock_ptr = &hb->lock;
1582 wake_up_state(q->task, TASK_NORMAL);
1586 * futex_proxy_trylock_atomic() - Attempt an atomic lock for the top waiter
1587 * @pifutex: the user address of the to futex
1588 * @hb1: the from futex hash bucket, must be locked by the caller
1589 * @hb2: the to futex hash bucket, must be locked by the caller
1590 * @key1: the from futex key
1591 * @key2: the to futex key
1592 * @ps: address to store the pi_state pointer
1593 * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0)
1595 * Try and get the lock on behalf of the top waiter if we can do it atomically.
1596 * Wake the top waiter if we succeed. If the caller specified set_waiters,
1597 * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit.
1598 * hb1 and hb2 must be held by the caller.
1601 * 0 - failed to acquire the lock atomically;
1602 * >0 - acquired the lock, return value is vpid of the top_waiter
1605 static int futex_proxy_trylock_atomic(u32 __user *pifutex,
1606 struct futex_hash_bucket *hb1,
1607 struct futex_hash_bucket *hb2,
1608 union futex_key *key1, union futex_key *key2,
1609 struct futex_pi_state **ps, int set_waiters)
1611 struct futex_q *top_waiter = NULL;
1615 if (get_futex_value_locked(&curval, pifutex))
1618 if (unlikely(should_fail_futex(true)))
1622 * Find the top_waiter and determine if there are additional waiters.
1623 * If the caller intends to requeue more than 1 waiter to pifutex,
1624 * force futex_lock_pi_atomic() to set the FUTEX_WAITERS bit now,
1625 * as we have means to handle the possible fault. If not, don't set
1626 * the bit unecessarily as it will force the subsequent unlock to enter
1629 top_waiter = futex_top_waiter(hb1, key1);
1631 /* There are no waiters, nothing for us to do. */
1635 /* Ensure we requeue to the expected futex. */
1636 if (!match_futex(top_waiter->requeue_pi_key, key2))
1640 * Try to take the lock for top_waiter. Set the FUTEX_WAITERS bit in
1641 * the contended case or if set_waiters is 1. The pi_state is returned
1642 * in ps in contended cases.
1644 vpid = task_pid_vnr(top_waiter->task);
1645 ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
1648 requeue_pi_wake_futex(top_waiter, key2, hb2);
1655 * futex_requeue() - Requeue waiters from uaddr1 to uaddr2
1656 * @uaddr1: source futex user address
1657 * @flags: futex flags (FLAGS_SHARED, etc.)
1658 * @uaddr2: target futex user address
1659 * @nr_wake: number of waiters to wake (must be 1 for requeue_pi)
1660 * @nr_requeue: number of waiters to requeue (0-INT_MAX)
1661 * @cmpval: @uaddr1 expected value (or %NULL)
1662 * @requeue_pi: if we are attempting to requeue from a non-pi futex to a
1663 * pi futex (pi to pi requeue is not supported)
1665 * Requeue waiters on uaddr1 to uaddr2. In the requeue_pi case, try to acquire
1666 * uaddr2 atomically on behalf of the top waiter.
1669 * >=0 - on success, the number of tasks requeued or woken;
1672 static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
1673 u32 __user *uaddr2, int nr_wake, int nr_requeue,
1674 u32 *cmpval, int requeue_pi)
1676 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
1677 int drop_count = 0, task_count = 0, ret;
1678 struct futex_pi_state *pi_state = NULL;
1679 struct futex_hash_bucket *hb1, *hb2;
1680 struct futex_q *this, *next;
1685 * Requeue PI only works on two distinct uaddrs. This
1686 * check is only valid for private futexes. See below.
1688 if (uaddr1 == uaddr2)
1692 * requeue_pi requires a pi_state, try to allocate it now
1693 * without any locks in case it fails.
1695 if (refill_pi_state_cache())
1698 * requeue_pi must wake as many tasks as it can, up to nr_wake
1699 * + nr_requeue, since it acquires the rt_mutex prior to
1700 * returning to userspace, so as to not leave the rt_mutex with
1701 * waiters and no owner. However, second and third wake-ups
1702 * cannot be predicted as they involve race conditions with the
1703 * first wake and a fault while looking up the pi_state. Both
1704 * pthread_cond_signal() and pthread_cond_broadcast() should
1712 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
1713 if (unlikely(ret != 0))
1715 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
1716 requeue_pi ? VERIFY_WRITE : VERIFY_READ);
1717 if (unlikely(ret != 0))
1721 * The check above which compares uaddrs is not sufficient for
1722 * shared futexes. We need to compare the keys:
1724 if (requeue_pi && match_futex(&key1, &key2)) {
1729 hb1 = hash_futex(&key1);
1730 hb2 = hash_futex(&key2);
1733 hb_waiters_inc(hb2);
1734 double_lock_hb(hb1, hb2);
1736 if (likely(cmpval != NULL)) {
1739 ret = get_futex_value_locked(&curval, uaddr1);
1741 if (unlikely(ret)) {
1742 double_unlock_hb(hb1, hb2);
1743 hb_waiters_dec(hb2);
1745 ret = get_user(curval, uaddr1);
1749 if (!(flags & FLAGS_SHARED))
1752 put_futex_key(&key2);
1753 put_futex_key(&key1);
1756 if (curval != *cmpval) {
1762 if (requeue_pi && (task_count - nr_wake < nr_requeue)) {
1764 * Attempt to acquire uaddr2 and wake the top waiter. If we
1765 * intend to requeue waiters, force setting the FUTEX_WAITERS
1766 * bit. We force this here where we are able to easily handle
1767 * faults rather in the requeue loop below.
1769 ret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1,
1770 &key2, &pi_state, nr_requeue);
1773 * At this point the top_waiter has either taken uaddr2 or is
1774 * waiting on it. If the former, then the pi_state will not
1775 * exist yet, look it up one more time to ensure we have a
1776 * reference to it. If the lock was taken, ret contains the
1777 * vpid of the top waiter task.
1778 * If the lock was not taken, we have pi_state and an initial
1779 * refcount on it. In case of an error we have nothing.
1786 * If we acquired the lock, then the user space value
1787 * of uaddr2 should be vpid. It cannot be changed by
1788 * the top waiter as it is blocked on hb2 lock if it
1789 * tries to do so. If something fiddled with it behind
1790 * our back the pi state lookup might unearth it. So
1791 * we rather use the known value than rereading and
1792 * handing potential crap to lookup_pi_state.
1794 * If that call succeeds then we have pi_state and an
1795 * initial refcount on it.
1797 ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
1802 /* We hold a reference on the pi state. */
1805 /* If the above failed, then pi_state is NULL */
1807 double_unlock_hb(hb1, hb2);
1808 hb_waiters_dec(hb2);
1809 put_futex_key(&key2);
1810 put_futex_key(&key1);
1811 ret = fault_in_user_writeable(uaddr2);
1817 * Two reasons for this:
1818 * - Owner is exiting and we just wait for the
1820 * - The user space value changed.
1822 double_unlock_hb(hb1, hb2);
1823 hb_waiters_dec(hb2);
1824 put_futex_key(&key2);
1825 put_futex_key(&key1);
1833 plist_for_each_entry_safe(this, next, &hb1->chain, list) {
1834 if (task_count - nr_wake >= nr_requeue)
1837 if (!match_futex(&this->key, &key1))
1841 * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
1842 * be paired with each other and no other futex ops.
1844 * We should never be requeueing a futex_q with a pi_state,
1845 * which is awaiting a futex_unlock_pi().
1847 if ((requeue_pi && !this->rt_waiter) ||
1848 (!requeue_pi && this->rt_waiter) ||
1855 * Wake nr_wake waiters. For requeue_pi, if we acquired the
1856 * lock, we already woke the top_waiter. If not, it will be
1857 * woken by futex_unlock_pi().
1859 if (++task_count <= nr_wake && !requeue_pi) {
1860 mark_wake_futex(&wake_q, this);
1864 /* Ensure we requeue to the expected futex for requeue_pi. */
1865 if (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) {
1871 * Requeue nr_requeue waiters and possibly one more in the case
1872 * of requeue_pi if we couldn't acquire the lock atomically.
1876 * Prepare the waiter to take the rt_mutex. Take a
1877 * refcount on the pi_state and store the pointer in
1878 * the futex_q object of the waiter.
1880 atomic_inc(&pi_state->refcount);
1881 this->pi_state = pi_state;
1882 ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
1887 * We got the lock. We do neither drop the
1888 * refcount on pi_state nor clear
1889 * this->pi_state because the waiter needs the
1890 * pi_state for cleaning up the user space
1891 * value. It will drop the refcount after
1894 requeue_pi_wake_futex(this, &key2, hb2);
1899 * rt_mutex_start_proxy_lock() detected a
1900 * potential deadlock when we tried to queue
1901 * that waiter. Drop the pi_state reference
1902 * which we took above and remove the pointer
1903 * to the state from the waiters futex_q
1906 this->pi_state = NULL;
1907 put_pi_state(pi_state);
1909 * We stop queueing more waiters and let user
1910 * space deal with the mess.
1915 requeue_futex(this, hb1, hb2, &key2);
1920 * We took an extra initial reference to the pi_state either
1921 * in futex_proxy_trylock_atomic() or in lookup_pi_state(). We
1922 * need to drop it here again.
1924 put_pi_state(pi_state);
1927 double_unlock_hb(hb1, hb2);
1929 hb_waiters_dec(hb2);
1932 * drop_futex_key_refs() must be called outside the spinlocks. During
1933 * the requeue we moved futex_q's from the hash bucket at key1 to the
1934 * one at key2 and updated their key pointer. We no longer need to
1935 * hold the references to key1.
1937 while (--drop_count >= 0)
1938 drop_futex_key_refs(&key1);
1941 put_futex_key(&key2);
1943 put_futex_key(&key1);
1945 return ret ? ret : task_count;
1948 /* The key must be already stored in q->key. */
1949 static inline struct futex_hash_bucket *queue_lock(struct futex_q *q)
1950 __acquires(&hb->lock)
1952 struct futex_hash_bucket *hb;
1954 hb = hash_futex(&q->key);
1957 * Increment the counter before taking the lock so that
1958 * a potential waker won't miss a to-be-slept task that is
1959 * waiting for the spinlock. This is safe as all queue_lock()
1960 * users end up calling queue_me(). Similarly, for housekeeping,
1961 * decrement the counter at queue_unlock() when some error has
1962 * occurred and we don't end up adding the task to the list.
1966 q->lock_ptr = &hb->lock;
1968 spin_lock(&hb->lock); /* implies smp_mb(); (A) */
1973 queue_unlock(struct futex_hash_bucket *hb)
1974 __releases(&hb->lock)
1976 spin_unlock(&hb->lock);
1981 * queue_me() - Enqueue the futex_q on the futex_hash_bucket
1982 * @q: The futex_q to enqueue
1983 * @hb: The destination hash bucket
1985 * The hb->lock must be held by the caller, and is released here. A call to
1986 * queue_me() is typically paired with exactly one call to unqueue_me(). The
1987 * exceptions involve the PI related operations, which may use unqueue_me_pi()
1988 * or nothing if the unqueue is done as part of the wake process and the unqueue
1989 * state is implicit in the state of woken task (see futex_wait_requeue_pi() for
1992 static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
1993 __releases(&hb->lock)
1998 * The priority used to register this element is
1999 * - either the real thread-priority for the real-time threads
2000 * (i.e. threads with a priority lower than MAX_RT_PRIO)
2001 * - or MAX_RT_PRIO for non-RT threads.
2002 * Thus, all RT-threads are woken first in priority order, and
2003 * the others are woken last, in FIFO order.
2005 prio = min(current->normal_prio, MAX_RT_PRIO);
2007 plist_node_init(&q->list, prio);
2008 plist_add(&q->list, &hb->chain);
2010 spin_unlock(&hb->lock);
2014 * unqueue_me() - Remove the futex_q from its futex_hash_bucket
2015 * @q: The futex_q to unqueue
2017 * The q->lock_ptr must not be held by the caller. A call to unqueue_me() must
2018 * be paired with exactly one earlier call to queue_me().
2021 * 1 - if the futex_q was still queued (and we removed unqueued it);
2022 * 0 - if the futex_q was already removed by the waking thread
2024 static int unqueue_me(struct futex_q *q)
2026 spinlock_t *lock_ptr;
2029 /* In the common case we don't take the spinlock, which is nice. */
2032 * q->lock_ptr can change between this read and the following spin_lock.
2033 * Use READ_ONCE to forbid the compiler from reloading q->lock_ptr and
2034 * optimizing lock_ptr out of the logic below.
2036 lock_ptr = READ_ONCE(q->lock_ptr);
2037 if (lock_ptr != NULL) {
2038 spin_lock(lock_ptr);
2040 * q->lock_ptr can change between reading it and
2041 * spin_lock(), causing us to take the wrong lock. This
2042 * corrects the race condition.
2044 * Reasoning goes like this: if we have the wrong lock,
2045 * q->lock_ptr must have changed (maybe several times)
2046 * between reading it and the spin_lock(). It can
2047 * change again after the spin_lock() but only if it was
2048 * already changed before the spin_lock(). It cannot,
2049 * however, change back to the original value. Therefore
2050 * we can detect whether we acquired the correct lock.
2052 if (unlikely(lock_ptr != q->lock_ptr)) {
2053 spin_unlock(lock_ptr);
2058 BUG_ON(q->pi_state);
2060 spin_unlock(lock_ptr);
2064 drop_futex_key_refs(&q->key);
2069 * PI futexes can not be requeued and must remove themself from the
2070 * hash bucket. The hash bucket lock (i.e. lock_ptr) is held on entry
2073 static void unqueue_me_pi(struct futex_q *q)
2074 __releases(q->lock_ptr)
2078 BUG_ON(!q->pi_state);
2079 put_pi_state(q->pi_state);
2082 spin_unlock(q->lock_ptr);
2086 * Fixup the pi_state owner with the new owner.
2088 * Must be called with hash bucket lock held and mm->sem held for non
2091 static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
2092 struct task_struct *newowner)
2094 u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
2095 struct futex_pi_state *pi_state = q->pi_state;
2096 struct task_struct *oldowner = pi_state->owner;
2097 u32 uval, uninitialized_var(curval), newval;
2101 if (!pi_state->owner)
2102 newtid |= FUTEX_OWNER_DIED;
2105 * We are here either because we stole the rtmutex from the
2106 * previous highest priority waiter or we are the highest priority
2107 * waiter but failed to get the rtmutex the first time.
2108 * We have to replace the newowner TID in the user space variable.
2109 * This must be atomic as we have to preserve the owner died bit here.
2111 * Note: We write the user space value _before_ changing the pi_state
2112 * because we can fault here. Imagine swapped out pages or a fork
2113 * that marked all the anonymous memory readonly for cow.
2115 * Modifying pi_state _before_ the user space value would
2116 * leave the pi_state in an inconsistent state when we fault
2117 * here, because we need to drop the hash bucket lock to
2118 * handle the fault. This might be observed in the PID check
2119 * in lookup_pi_state.
2122 if (get_futex_value_locked(&uval, uaddr))
2126 newval = (uval & FUTEX_OWNER_DIED) | newtid;
2128 if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
2136 * We fixed up user space. Now we need to fix the pi_state
2139 if (pi_state->owner != NULL) {
2140 raw_spin_lock_irq(&pi_state->owner->pi_lock);
2141 WARN_ON(list_empty(&pi_state->list));
2142 list_del_init(&pi_state->list);
2143 raw_spin_unlock_irq(&pi_state->owner->pi_lock);
2146 pi_state->owner = newowner;
2148 raw_spin_lock_irq(&newowner->pi_lock);
2149 WARN_ON(!list_empty(&pi_state->list));
2150 list_add(&pi_state->list, &newowner->pi_state_list);
2151 raw_spin_unlock_irq(&newowner->pi_lock);
2155 * To handle the page fault we need to drop the hash bucket
2156 * lock here. That gives the other task (either the highest priority
2157 * waiter itself or the task which stole the rtmutex) the
2158 * chance to try the fixup of the pi_state. So once we are
2159 * back from handling the fault we need to check the pi_state
2160 * after reacquiring the hash bucket lock and before trying to
2161 * do another fixup. When the fixup has been done already we
2165 spin_unlock(q->lock_ptr);
2167 ret = fault_in_user_writeable(uaddr);
2169 spin_lock(q->lock_ptr);
2172 * Check if someone else fixed it for us:
2174 if (pi_state->owner != oldowner)
2183 static long futex_wait_restart(struct restart_block *restart);
2186 * fixup_owner() - Post lock pi_state and corner case management
2187 * @uaddr: user address of the futex
2188 * @q: futex_q (contains pi_state and access to the rt_mutex)
2189 * @locked: if the attempt to take the rt_mutex succeeded (1) or not (0)
2191 * After attempting to lock an rt_mutex, this function is called to cleanup
2192 * the pi_state owner as well as handle race conditions that may allow us to
2193 * acquire the lock. Must be called with the hb lock held.
2196 * 1 - success, lock taken;
2197 * 0 - success, lock not taken;
2198 * <0 - on error (-EFAULT)
2200 static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
2202 struct task_struct *owner;
2207 * Got the lock. We might not be the anticipated owner if we
2208 * did a lock-steal - fix up the PI-state in that case:
2210 if (q->pi_state->owner != current)
2211 ret = fixup_pi_state_owner(uaddr, q, current);
2216 * Catch the rare case, where the lock was released when we were on the
2217 * way back before we locked the hash bucket.
2219 if (q->pi_state->owner == current) {
2221 * Try to get the rt_mutex now. This might fail as some other
2222 * task acquired the rt_mutex after we removed ourself from the
2223 * rt_mutex waiters list.
2225 if (rt_mutex_trylock(&q->pi_state->pi_mutex)) {
2231 * pi_state is incorrect, some other task did a lock steal and
2232 * we returned due to timeout or signal without taking the
2233 * rt_mutex. Too late.
2235 raw_spin_lock_irq(&q->pi_state->pi_mutex.wait_lock);
2236 owner = rt_mutex_owner(&q->pi_state->pi_mutex);
2238 owner = rt_mutex_next_owner(&q->pi_state->pi_mutex);
2239 raw_spin_unlock_irq(&q->pi_state->pi_mutex.wait_lock);
2240 ret = fixup_pi_state_owner(uaddr, q, owner);
2245 * Paranoia check. If we did not take the lock, then we should not be
2246 * the owner of the rt_mutex.
2248 if (rt_mutex_owner(&q->pi_state->pi_mutex) == current)
2249 printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p "
2250 "pi-state %p\n", ret,
2251 q->pi_state->pi_mutex.owner,
2252 q->pi_state->owner);
2255 return ret ? ret : locked;
2259 * futex_wait_queue_me() - queue_me() and wait for wakeup, timeout, or signal
2260 * @hb: the futex hash bucket, must be locked by the caller
2261 * @q: the futex_q to queue up on
2262 * @timeout: the prepared hrtimer_sleeper, or null for no timeout
2264 static void futex_wait_queue_me(struct futex_hash_bucket *hb, struct futex_q *q,
2265 struct hrtimer_sleeper *timeout)
2268 * The task state is guaranteed to be set before another task can
2269 * wake it. set_current_state() is implemented using smp_store_mb() and
2270 * queue_me() calls spin_unlock() upon completion, both serializing
2271 * access to the hash list and forcing another memory barrier.
2273 set_current_state(TASK_INTERRUPTIBLE);
2278 hrtimer_start_expires(&timeout->timer, HRTIMER_MODE_ABS);
2281 * If we have been removed from the hash list, then another task
2282 * has tried to wake us, and we can skip the call to schedule().
2284 if (likely(!plist_node_empty(&q->list))) {
2286 * If the timer has already expired, current will already be
2287 * flagged for rescheduling. Only call schedule if there
2288 * is no timeout, or if it has yet to expire.
2290 if (!timeout || timeout->task)
2291 freezable_schedule();
2293 __set_current_state(TASK_RUNNING);
2297 * futex_wait_setup() - Prepare to wait on a futex
2298 * @uaddr: the futex userspace address
2299 * @val: the expected value
2300 * @flags: futex flags (FLAGS_SHARED, etc.)
2301 * @q: the associated futex_q
2302 * @hb: storage for hash_bucket pointer to be returned to caller
2304 * Setup the futex_q and locate the hash_bucket. Get the futex value and
2305 * compare it with the expected value. Handle atomic faults internally.
2306 * Return with the hb lock held and a q.key reference on success, and unlocked
2307 * with no q.key reference on failure.
2310 * 0 - uaddr contains val and hb has been locked;
2311 * <1 - -EFAULT or -EWOULDBLOCK (uaddr does not contain val) and hb is unlocked
2313 static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
2314 struct futex_q *q, struct futex_hash_bucket **hb)
2320 * Access the page AFTER the hash-bucket is locked.
2321 * Order is important:
2323 * Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
2324 * Userspace waker: if (cond(var)) { var = new; futex_wake(&var); }
2326 * The basic logical guarantee of a futex is that it blocks ONLY
2327 * if cond(var) is known to be true at the time of blocking, for
2328 * any cond. If we locked the hash-bucket after testing *uaddr, that
2329 * would open a race condition where we could block indefinitely with
2330 * cond(var) false, which would violate the guarantee.
2332 * On the other hand, we insert q and release the hash-bucket only
2333 * after testing *uaddr. This guarantees that futex_wait() will NOT
2334 * absorb a wakeup if *uaddr does not match the desired values
2335 * while the syscall executes.
2338 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, VERIFY_READ);
2339 if (unlikely(ret != 0))
2343 *hb = queue_lock(q);
2345 ret = get_futex_value_locked(&uval, uaddr);
2350 ret = get_user(uval, uaddr);
2354 if (!(flags & FLAGS_SHARED))
2357 put_futex_key(&q->key);
2368 put_futex_key(&q->key);
2372 static int futex_wait(u32 __user *uaddr, unsigned int flags, u32 val,
2373 ktime_t *abs_time, u32 bitset)
2375 struct hrtimer_sleeper timeout, *to = NULL;
2376 struct restart_block *restart;
2377 struct futex_hash_bucket *hb;
2378 struct futex_q q = futex_q_init;
2388 hrtimer_init_on_stack(&to->timer, (flags & FLAGS_CLOCKRT) ?
2389 CLOCK_REALTIME : CLOCK_MONOTONIC,
2391 hrtimer_init_sleeper(to, current);
2392 hrtimer_set_expires_range_ns(&to->timer, *abs_time,
2393 current->timer_slack_ns);
2398 * Prepare to wait on uaddr. On success, holds hb lock and increments
2401 ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
2405 /* queue_me and wait for wakeup, timeout, or a signal. */
2406 futex_wait_queue_me(hb, &q, to);
2408 /* If we were woken (and unqueued), we succeeded, whatever. */
2410 /* unqueue_me() drops q.key ref */
2411 if (!unqueue_me(&q))
2414 if (to && !to->task)
2418 * We expect signal_pending(current), but we might be the
2419 * victim of a spurious wakeup as well.
2421 if (!signal_pending(current))
2428 restart = ¤t->restart_block;
2429 restart->fn = futex_wait_restart;
2430 restart->futex.uaddr = uaddr;
2431 restart->futex.val = val;
2432 restart->futex.time = abs_time->tv64;
2433 restart->futex.bitset = bitset;
2434 restart->futex.flags = flags | FLAGS_HAS_TIMEOUT;
2436 ret = -ERESTART_RESTARTBLOCK;
2440 hrtimer_cancel(&to->timer);
2441 destroy_hrtimer_on_stack(&to->timer);
2447 static long futex_wait_restart(struct restart_block *restart)
2449 u32 __user *uaddr = restart->futex.uaddr;
2450 ktime_t t, *tp = NULL;
2452 if (restart->futex.flags & FLAGS_HAS_TIMEOUT) {
2453 t.tv64 = restart->futex.time;
2456 restart->fn = do_no_restart_syscall;
2458 return (long)futex_wait(uaddr, restart->futex.flags,
2459 restart->futex.val, tp, restart->futex.bitset);
2464 * Userspace tried a 0 -> TID atomic transition of the futex value
2465 * and failed. The kernel side here does the whole locking operation:
2466 * if there are waiters then it will block as a consequence of relying
2467 * on rt-mutexes, it does PI, etc. (Due to races the kernel might see
2468 * a 0 value of the futex too.).
2470 * Also serves as futex trylock_pi()'ing, and due semantics.
2472 static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
2473 ktime_t *time, int trylock)
2475 struct hrtimer_sleeper timeout, *to = NULL;
2476 struct futex_hash_bucket *hb;
2477 struct futex_q q = futex_q_init;
2480 if (refill_pi_state_cache())
2485 hrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,
2487 hrtimer_init_sleeper(to, current);
2488 hrtimer_set_expires(&to->timer, *time);
2492 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE);
2493 if (unlikely(ret != 0))
2497 hb = queue_lock(&q);
2499 ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);
2500 if (unlikely(ret)) {
2502 * Atomic work succeeded and we got the lock,
2503 * or failed. Either way, we do _not_ block.
2507 /* We got the lock. */
2509 goto out_unlock_put_key;
2514 * Two reasons for this:
2515 * - Task is exiting and we just wait for the
2517 * - The user space value changed.
2520 put_futex_key(&q.key);
2524 goto out_unlock_put_key;
2529 * Only actually queue now that the atomic ops are done:
2533 WARN_ON(!q.pi_state);
2535 * Block on the PI mutex:
2538 ret = rt_mutex_timed_futex_lock(&q.pi_state->pi_mutex, to);
2540 ret = rt_mutex_trylock(&q.pi_state->pi_mutex);
2541 /* Fixup the trylock return value: */
2542 ret = ret ? 0 : -EWOULDBLOCK;
2545 spin_lock(q.lock_ptr);
2547 * Fixup the pi_state owner and possibly acquire the lock if we
2550 res = fixup_owner(uaddr, &q, !ret);
2552 * If fixup_owner() returned an error, proprogate that. If it acquired
2553 * the lock, clear our -ETIMEDOUT or -EINTR.
2556 ret = (res < 0) ? res : 0;
2559 * If fixup_owner() faulted and was unable to handle the fault, unlock
2560 * it and return the fault to userspace.
2562 if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
2563 rt_mutex_unlock(&q.pi_state->pi_mutex);
2565 /* Unqueue and drop the lock */
2574 put_futex_key(&q.key);
2577 destroy_hrtimer_on_stack(&to->timer);
2578 return ret != -EINTR ? ret : -ERESTARTNOINTR;
2583 ret = fault_in_user_writeable(uaddr);
2587 if (!(flags & FLAGS_SHARED))
2590 put_futex_key(&q.key);
2595 * Userspace attempted a TID -> 0 atomic transition, and failed.
2596 * This is the in-kernel slowpath: we look up the PI state (if any),
2597 * and do the rt-mutex unlock.
2599 static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
2601 u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
2602 union futex_key key = FUTEX_KEY_INIT;
2603 struct futex_hash_bucket *hb;
2604 struct futex_q *match;
2608 if (get_user(uval, uaddr))
2611 * We release only a lock we actually own:
2613 if ((uval & FUTEX_TID_MASK) != vpid)
2616 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
2620 hb = hash_futex(&key);
2621 spin_lock(&hb->lock);
2624 * Check waiters first. We do not trust user space values at
2625 * all and we at least want to know if user space fiddled
2626 * with the futex value instead of blindly unlocking.
2628 match = futex_top_waiter(hb, &key);
2630 ret = wake_futex_pi(uaddr, uval, match, hb);
2632 * In case of success wake_futex_pi dropped the hash
2638 * The atomic access to the futex value generated a
2639 * pagefault, so retry the user-access and the wakeup:
2644 * A unconditional UNLOCK_PI op raced against a waiter
2645 * setting the FUTEX_WAITERS bit. Try again.
2647 if (ret == -EAGAIN) {
2648 spin_unlock(&hb->lock);
2649 put_futex_key(&key);
2653 * wake_futex_pi has detected invalid state. Tell user
2660 * We have no kernel internal state, i.e. no waiters in the
2661 * kernel. Waiters which are about to queue themselves are stuck
2662 * on hb->lock. So we can safely ignore them. We do neither
2663 * preserve the WAITERS bit not the OWNER_DIED one. We are the
2666 if (cmpxchg_futex_value_locked(&curval, uaddr, uval, 0))
2670 * If uval has changed, let user space handle it.
2672 ret = (curval == uval) ? 0 : -EAGAIN;
2675 spin_unlock(&hb->lock);
2677 put_futex_key(&key);
2681 spin_unlock(&hb->lock);
2682 put_futex_key(&key);
2684 ret = fault_in_user_writeable(uaddr);
2692 * handle_early_requeue_pi_wakeup() - Detect early wakeup on the initial futex
2693 * @hb: the hash_bucket futex_q was original enqueued on
2694 * @q: the futex_q woken while waiting to be requeued
2695 * @key2: the futex_key of the requeue target futex
2696 * @timeout: the timeout associated with the wait (NULL if none)
2698 * Detect if the task was woken on the initial futex as opposed to the requeue
2699 * target futex. If so, determine if it was a timeout or a signal that caused
2700 * the wakeup and return the appropriate error code to the caller. Must be
2701 * called with the hb lock held.
2704 * 0 = no early wakeup detected;
2705 * <0 = -ETIMEDOUT or -ERESTARTNOINTR
2708 int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
2709 struct futex_q *q, union futex_key *key2,
2710 struct hrtimer_sleeper *timeout)
2715 * With the hb lock held, we avoid races while we process the wakeup.
2716 * We only need to hold hb (and not hb2) to ensure atomicity as the
2717 * wakeup code can't change q.key from uaddr to uaddr2 if we hold hb.
2718 * It can't be requeued from uaddr2 to something else since we don't
2719 * support a PI aware source futex for requeue.
2721 if (!match_futex(&q->key, key2)) {
2722 WARN_ON(q->lock_ptr && (&hb->lock != q->lock_ptr));
2724 * We were woken prior to requeue by a timeout or a signal.
2725 * Unqueue the futex_q and determine which it was.
2727 plist_del(&q->list, &hb->chain);
2730 /* Handle spurious wakeups gracefully */
2732 if (timeout && !timeout->task)
2734 else if (signal_pending(current))
2735 ret = -ERESTARTNOINTR;
2741 * futex_wait_requeue_pi() - Wait on uaddr and take uaddr2
2742 * @uaddr: the futex we initially wait on (non-pi)
2743 * @flags: futex flags (FLAGS_SHARED, FLAGS_CLOCKRT, etc.), they must be
2744 * the same type, no requeueing from private to shared, etc.
2745 * @val: the expected value of uaddr
2746 * @abs_time: absolute timeout
2747 * @bitset: 32 bit wakeup bitset set by userspace, defaults to all
2748 * @uaddr2: the pi futex we will take prior to returning to user-space
2750 * The caller will wait on uaddr and will be requeued by futex_requeue() to
2751 * uaddr2 which must be PI aware and unique from uaddr. Normal wakeup will wake
2752 * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
2753 * userspace. This ensures the rt_mutex maintains an owner when it has waiters;
2754 * without one, the pi logic would not know which task to boost/deboost, if
2755 * there was a need to.
2757 * We call schedule in futex_wait_queue_me() when we enqueue and return there
2758 * via the following--
2759 * 1) wakeup on uaddr2 after an atomic lock acquisition by futex_requeue()
2760 * 2) wakeup on uaddr2 after a requeue
2764 * If 3, cleanup and return -ERESTARTNOINTR.
2766 * If 2, we may then block on trying to take the rt_mutex and return via:
2767 * 5) successful lock
2770 * 8) other lock acquisition failure
2772 * If 6, return -EWOULDBLOCK (restarting the syscall would do the same).
2774 * If 4 or 7, we cleanup and return with -ETIMEDOUT.
2780 static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
2781 u32 val, ktime_t *abs_time, u32 bitset,
2784 struct hrtimer_sleeper timeout, *to = NULL;
2785 struct rt_mutex_waiter rt_waiter;
2786 struct rt_mutex *pi_mutex = NULL;
2787 struct futex_hash_bucket *hb;
2788 union futex_key key2 = FUTEX_KEY_INIT;
2789 struct futex_q q = futex_q_init;
2792 if (uaddr == uaddr2)
2800 hrtimer_init_on_stack(&to->timer, (flags & FLAGS_CLOCKRT) ?
2801 CLOCK_REALTIME : CLOCK_MONOTONIC,
2803 hrtimer_init_sleeper(to, current);
2804 hrtimer_set_expires_range_ns(&to->timer, *abs_time,
2805 current->timer_slack_ns);
2809 * The waiter is allocated on our stack, manipulated by the requeue
2810 * code while we sleep on uaddr.
2812 debug_rt_mutex_init_waiter(&rt_waiter);
2813 RB_CLEAR_NODE(&rt_waiter.pi_tree_entry);
2814 RB_CLEAR_NODE(&rt_waiter.tree_entry);
2815 rt_waiter.task = NULL;
2817 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
2818 if (unlikely(ret != 0))
2822 q.rt_waiter = &rt_waiter;
2823 q.requeue_pi_key = &key2;
2826 * Prepare to wait on uaddr. On success, increments q.key (key1) ref
2829 ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
2834 * The check above which compares uaddrs is not sufficient for
2835 * shared futexes. We need to compare the keys:
2837 if (match_futex(&q.key, &key2)) {
2843 /* Queue the futex_q, drop the hb lock, wait for wakeup. */
2844 futex_wait_queue_me(hb, &q, to);
2846 spin_lock(&hb->lock);
2847 ret = handle_early_requeue_pi_wakeup(hb, &q, &key2, to);
2848 spin_unlock(&hb->lock);
2853 * In order for us to be here, we know our q.key == key2, and since
2854 * we took the hb->lock above, we also know that futex_requeue() has
2855 * completed and we no longer have to concern ourselves with a wakeup
2856 * race with the atomic proxy lock acquisition by the requeue code. The
2857 * futex_requeue dropped our key1 reference and incremented our key2
2861 /* Check if the requeue code acquired the second futex for us. */
2864 * Got the lock. We might not be the anticipated owner if we
2865 * did a lock-steal - fix up the PI-state in that case.
2867 if (q.pi_state && (q.pi_state->owner != current)) {
2868 spin_lock(q.lock_ptr);
2869 ret = fixup_pi_state_owner(uaddr2, &q, current);
2871 * Drop the reference to the pi state which
2872 * the requeue_pi() code acquired for us.
2874 put_pi_state(q.pi_state);
2875 spin_unlock(q.lock_ptr);
2879 * We have been woken up by futex_unlock_pi(), a timeout, or a
2880 * signal. futex_unlock_pi() will not destroy the lock_ptr nor
2883 WARN_ON(!q.pi_state);
2884 pi_mutex = &q.pi_state->pi_mutex;
2885 ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter);
2886 debug_rt_mutex_free_waiter(&rt_waiter);
2888 spin_lock(q.lock_ptr);
2890 * Fixup the pi_state owner and possibly acquire the lock if we
2893 res = fixup_owner(uaddr2, &q, !ret);
2895 * If fixup_owner() returned an error, proprogate that. If it
2896 * acquired the lock, clear -ETIMEDOUT or -EINTR.
2899 ret = (res < 0) ? res : 0;
2901 /* Unqueue and drop the lock. */
2906 * If fixup_pi_state_owner() faulted and was unable to handle the
2907 * fault, unlock the rt_mutex and return the fault to userspace.
2909 if (ret == -EFAULT) {
2910 if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
2911 rt_mutex_unlock(pi_mutex);
2912 } else if (ret == -EINTR) {
2914 * We've already been requeued, but cannot restart by calling
2915 * futex_lock_pi() directly. We could restart this syscall, but
2916 * it would detect that the user space "val" changed and return
2917 * -EWOULDBLOCK. Save the overhead of the restart and return
2918 * -EWOULDBLOCK directly.
2924 put_futex_key(&q.key);
2926 put_futex_key(&key2);
2930 hrtimer_cancel(&to->timer);
2931 destroy_hrtimer_on_stack(&to->timer);
2937 * Support for robust futexes: the kernel cleans up held futexes at
2940 * Implementation: user-space maintains a per-thread list of locks it
2941 * is holding. Upon do_exit(), the kernel carefully walks this list,
2942 * and marks all locks that are owned by this thread with the
2943 * FUTEX_OWNER_DIED bit, and wakes up a waiter (if any). The list is
2944 * always manipulated with the lock held, so the list is private and
2945 * per-thread. Userspace also maintains a per-thread 'list_op_pending'
2946 * field, to allow the kernel to clean up if the thread dies after
2947 * acquiring the lock, but just before it could have added itself to
2948 * the list. There can only be one such pending lock.
2952 * sys_set_robust_list() - Set the robust-futex list head of a task
2953 * @head: pointer to the list-head
2954 * @len: length of the list-head, as userspace expects
2956 SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
2959 if (!futex_cmpxchg_enabled)
2962 * The kernel knows only one size for now:
2964 if (unlikely(len != sizeof(*head)))
2967 current->robust_list = head;
2973 * sys_get_robust_list() - Get the robust-futex list head of a task
2974 * @pid: pid of the process [zero for current task]
2975 * @head_ptr: pointer to a list-head pointer, the kernel fills it in
2976 * @len_ptr: pointer to a length field, the kernel fills in the header size
2978 SYSCALL_DEFINE3(get_robust_list, int, pid,
2979 struct robust_list_head __user * __user *, head_ptr,
2980 size_t __user *, len_ptr)
2982 struct robust_list_head __user *head;
2984 struct task_struct *p;
2986 if (!futex_cmpxchg_enabled)
2995 p = find_task_by_vpid(pid);
3001 if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
3004 head = p->robust_list;
3007 if (put_user(sizeof(*head), len_ptr))
3009 return put_user(head, head_ptr);
3018 * Process a futex-list entry, check whether it's owned by the
3019 * dying task, and do notification if so:
3021 int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
3023 u32 uval, uninitialized_var(nval), mval;
3026 if (get_user(uval, uaddr))
3029 if ((uval & FUTEX_TID_MASK) == task_pid_vnr(curr)) {
3031 * Ok, this dying thread is truly holding a futex
3032 * of interest. Set the OWNER_DIED bit atomically
3033 * via cmpxchg, and if the value had FUTEX_WAITERS
3034 * set, wake up a waiter (if any). (We have to do a
3035 * futex_wake() even if OWNER_DIED is already set -
3036 * to handle the rare but possible case of recursive
3037 * thread-death.) The rest of the cleanup is done in
3040 mval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
3042 * We are not holding a lock here, but we want to have
3043 * the pagefault_disable/enable() protection because
3044 * we want to handle the fault gracefully. If the
3045 * access fails we try to fault in the futex with R/W
3046 * verification via get_user_pages. get_user() above
3047 * does not guarantee R/W access. If that fails we
3048 * give up and leave the futex locked.
3050 if (cmpxchg_futex_value_locked(&nval, uaddr, uval, mval)) {
3051 if (fault_in_user_writeable(uaddr))
3059 * Wake robust non-PI futexes here. The wakeup of
3060 * PI futexes happens in exit_pi_state():
3062 if (!pi && (uval & FUTEX_WAITERS))
3063 futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
3069 * Fetch a robust-list pointer. Bit 0 signals PI futexes:
3071 static inline int fetch_robust_entry(struct robust_list __user **entry,
3072 struct robust_list __user * __user *head,
3075 unsigned long uentry;
3077 if (get_user(uentry, (unsigned long __user *)head))
3080 *entry = (void __user *)(uentry & ~1UL);
3087 * Walk curr->robust_list (very carefully, it's a userspace list!)
3088 * and mark any locks found there dead, and notify any waiters.
3090 * We silently return on any sign of list-walking problem.
3092 void exit_robust_list(struct task_struct *curr)
3094 struct robust_list_head __user *head = curr->robust_list;
3095 struct robust_list __user *entry, *next_entry, *pending;
3096 unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
3097 unsigned int uninitialized_var(next_pi);
3098 unsigned long futex_offset;
3101 if (!futex_cmpxchg_enabled)
3105 * Fetch the list head (which was registered earlier, via
3106 * sys_set_robust_list()):
3108 if (fetch_robust_entry(&entry, &head->list.next, &pi))
3111 * Fetch the relative futex offset:
3113 if (get_user(futex_offset, &head->futex_offset))
3116 * Fetch any possibly pending lock-add first, and handle it
3119 if (fetch_robust_entry(&pending, &head->list_op_pending, &pip))
3122 next_entry = NULL; /* avoid warning with gcc */
3123 while (entry != &head->list) {
3125 * Fetch the next entry in the list before calling
3126 * handle_futex_death:
3128 rc = fetch_robust_entry(&next_entry, &entry->next, &next_pi);
3130 * A pending lock might already be on the list, so
3131 * don't process it twice:
3133 if (entry != pending)
3134 if (handle_futex_death((void __user *)entry + futex_offset,
3142 * Avoid excessively long or circular lists:
3151 handle_futex_death((void __user *)pending + futex_offset,
3155 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
3156 u32 __user *uaddr2, u32 val2, u32 val3)
3158 int cmd = op & FUTEX_CMD_MASK;
3159 unsigned int flags = 0;
3161 if (!(op & FUTEX_PRIVATE_FLAG))
3162 flags |= FLAGS_SHARED;
3164 if (op & FUTEX_CLOCK_REALTIME) {
3165 flags |= FLAGS_CLOCKRT;
3166 if (cmd != FUTEX_WAIT && cmd != FUTEX_WAIT_BITSET && \
3167 cmd != FUTEX_WAIT_REQUEUE_PI)
3173 case FUTEX_UNLOCK_PI:
3174 case FUTEX_TRYLOCK_PI:
3175 case FUTEX_WAIT_REQUEUE_PI:
3176 case FUTEX_CMP_REQUEUE_PI:
3177 if (!futex_cmpxchg_enabled)
3183 val3 = FUTEX_BITSET_MATCH_ANY;
3184 case FUTEX_WAIT_BITSET:
3185 return futex_wait(uaddr, flags, val, timeout, val3);
3187 val3 = FUTEX_BITSET_MATCH_ANY;
3188 case FUTEX_WAKE_BITSET:
3189 return futex_wake(uaddr, flags, val, val3);
3191 return futex_requeue(uaddr, flags, uaddr2, val, val2, NULL, 0);
3192 case FUTEX_CMP_REQUEUE:
3193 return futex_requeue(uaddr, flags, uaddr2, val, val2, &val3, 0);
3195 return futex_wake_op(uaddr, flags, uaddr2, val, val2, val3);
3197 return futex_lock_pi(uaddr, flags, timeout, 0);
3198 case FUTEX_UNLOCK_PI:
3199 return futex_unlock_pi(uaddr, flags);
3200 case FUTEX_TRYLOCK_PI:
3201 return futex_lock_pi(uaddr, flags, NULL, 1);
3202 case FUTEX_WAIT_REQUEUE_PI:
3203 val3 = FUTEX_BITSET_MATCH_ANY;
3204 return futex_wait_requeue_pi(uaddr, flags, val, timeout, val3,
3206 case FUTEX_CMP_REQUEUE_PI:
3207 return futex_requeue(uaddr, flags, uaddr2, val, val2, &val3, 1);
3213 SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
3214 struct timespec __user *, utime, u32 __user *, uaddr2,
3218 ktime_t t, *tp = NULL;
3220 int cmd = op & FUTEX_CMD_MASK;
3222 if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
3223 cmd == FUTEX_WAIT_BITSET ||
3224 cmd == FUTEX_WAIT_REQUEUE_PI)) {
3225 if (unlikely(should_fail_futex(!(op & FUTEX_PRIVATE_FLAG))))
3227 if (copy_from_user(&ts, utime, sizeof(ts)) != 0)
3229 if (!timespec_valid(&ts))
3232 t = timespec_to_ktime(ts);
3233 if (cmd == FUTEX_WAIT)
3234 t = ktime_add_safe(ktime_get(), t);
3238 * requeue parameter in 'utime' if cmd == FUTEX_*_REQUEUE_*.
3239 * number of waiters to wake in 'utime' if cmd == FUTEX_WAKE_OP.
3241 if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
3242 cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
3243 val2 = (u32) (unsigned long) utime;
3245 return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
3248 static void __init futex_detect_cmpxchg(void)
3250 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
3254 * This will fail and we want it. Some arch implementations do
3255 * runtime detection of the futex_atomic_cmpxchg_inatomic()
3256 * functionality. We want to know that before we call in any
3257 * of the complex code paths. Also we want to prevent
3258 * registration of robust lists in that case. NULL is
3259 * guaranteed to fault and we get -EFAULT on functional
3260 * implementation, the non-functional ones will return
3263 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
3264 futex_cmpxchg_enabled = 1;
3268 static int __init futex_init(void)
3270 unsigned int futex_shift;
3273 #if CONFIG_BASE_SMALL
3274 futex_hashsize = 16;
3276 futex_hashsize = roundup_pow_of_two(256 * num_possible_cpus());
3279 futex_queues = alloc_large_system_hash("futex", sizeof(*futex_queues),
3281 futex_hashsize < 256 ? HASH_SMALL : 0,
3283 futex_hashsize, futex_hashsize);
3284 futex_hashsize = 1UL << futex_shift;
3286 futex_detect_cmpxchg();
3288 for (i = 0; i < futex_hashsize; i++) {
3289 atomic_set(&futex_queues[i].waiters, 0);
3290 plist_head_init(&futex_queues[i].chain);
3291 spin_lock_init(&futex_queues[i].lock);
3296 __initcall(futex_init);
projects / cascardo / linux.git / blob