aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/futex.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/futex.c')
-rw-r--r--kernel/futex.c83
1 files changed, 61 insertions, 22 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 684d7549825a..8a310e240cda 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -725,9 +725,12 @@ static struct futex_pi_state * alloc_pi_state(void)
725} 725}
726 726
727/* 727/*
728 * Drops a reference to the pi_state object and frees or caches it
729 * when the last reference is gone.
730 *
728 * Must be called with the hb lock held. 731 * Must be called with the hb lock held.
729 */ 732 */
730static void free_pi_state(struct futex_pi_state *pi_state) 733static void put_pi_state(struct futex_pi_state *pi_state)
731{ 734{
732 if (!pi_state) 735 if (!pi_state)
733 return; 736 return;
@@ -1706,31 +1709,35 @@ retry_private:
1706 * exist yet, look it up one more time to ensure we have a 1709 * exist yet, look it up one more time to ensure we have a
1707 * reference to it. If the lock was taken, ret contains the 1710 * reference to it. If the lock was taken, ret contains the
1708 * vpid of the top waiter task. 1711 * vpid of the top waiter task.
1712 * If the lock was not taken, we have pi_state and an initial
1713 * refcount on it. In case of an error we have nothing.
1709 */ 1714 */
1710 if (ret > 0) { 1715 if (ret > 0) {
1711 WARN_ON(pi_state); 1716 WARN_ON(pi_state);
1712 drop_count++; 1717 drop_count++;
1713 task_count++; 1718 task_count++;
1714 /* 1719 /*
1715 * If we acquired the lock, then the user 1720 * If we acquired the lock, then the user space value
1716 * space value of uaddr2 should be vpid. It 1721 * of uaddr2 should be vpid. It cannot be changed by
1717 * cannot be changed by the top waiter as it 1722 * the top waiter as it is blocked on hb2 lock if it
1718 * is blocked on hb2 lock if it tries to do 1723 * tries to do so. If something fiddled with it behind
1719 * so. If something fiddled with it behind our 1724 * our back the pi state lookup might unearth it. So
1720 * back the pi state lookup might unearth 1725 * we rather use the known value than rereading and
1721 * it. So we rather use the known value than 1726 * handing potential crap to lookup_pi_state.
1722 * rereading and handing potential crap to 1727 *
1723 * lookup_pi_state. 1728 * If that call succeeds then we have pi_state and an
1729 * initial refcount on it.
1724 */ 1730 */
1725 ret = lookup_pi_state(ret, hb2, &key2, &pi_state); 1731 ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
1726 } 1732 }
1727 1733
1728 switch (ret) { 1734 switch (ret) {
1729 case 0: 1735 case 0:
1736 /* We hold a reference on the pi state. */
1730 break; 1737 break;
1738
1739 /* If the above failed, then pi_state is NULL */
1731 case -EFAULT: 1740 case -EFAULT:
1732 free_pi_state(pi_state);
1733 pi_state = NULL;
1734 double_unlock_hb(hb1, hb2); 1741 double_unlock_hb(hb1, hb2);
1735 hb_waiters_dec(hb2); 1742 hb_waiters_dec(hb2);
1736 put_futex_key(&key2); 1743 put_futex_key(&key2);
@@ -1746,8 +1753,6 @@ retry_private:
1746 * exit to complete. 1753 * exit to complete.
1747 * - The user space value changed. 1754 * - The user space value changed.
1748 */ 1755 */
1749 free_pi_state(pi_state);
1750 pi_state = NULL;
1751 double_unlock_hb(hb1, hb2); 1756 double_unlock_hb(hb1, hb2);
1752 hb_waiters_dec(hb2); 1757 hb_waiters_dec(hb2);
1753 put_futex_key(&key2); 1758 put_futex_key(&key2);
@@ -1801,30 +1806,58 @@ retry_private:
1801 * of requeue_pi if we couldn't acquire the lock atomically. 1806 * of requeue_pi if we couldn't acquire the lock atomically.
1802 */ 1807 */
1803 if (requeue_pi) { 1808 if (requeue_pi) {
1804 /* Prepare the waiter to take the rt_mutex. */ 1809 /*
1810 * Prepare the waiter to take the rt_mutex. Take a
1811 * refcount on the pi_state and store the pointer in
1812 * the futex_q object of the waiter.
1813 */
1805 atomic_inc(&pi_state->refcount); 1814 atomic_inc(&pi_state->refcount);
1806 this->pi_state = pi_state; 1815 this->pi_state = pi_state;
1807 ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, 1816 ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
1808 this->rt_waiter, 1817 this->rt_waiter,
1809 this->task); 1818 this->task);
1810 if (ret == 1) { 1819 if (ret == 1) {
1811 /* We got the lock. */ 1820 /*
1821 * We got the lock. We do neither drop the
1822 * refcount on pi_state nor clear
1823 * this->pi_state because the waiter needs the
1824 * pi_state for cleaning up the user space
1825 * value. It will drop the refcount after
1826 * doing so.
1827 */
1812 requeue_pi_wake_futex(this, &key2, hb2); 1828 requeue_pi_wake_futex(this, &key2, hb2);
1813 drop_count++; 1829 drop_count++;
1814 continue; 1830 continue;
1815 } else if (ret) { 1831 } else if (ret) {
1816 /* -EDEADLK */ 1832 /*
1833 * rt_mutex_start_proxy_lock() detected a
1834 * potential deadlock when we tried to queue
1835 * that waiter. Drop the pi_state reference
1836 * which we took above and remove the pointer
1837 * to the state from the waiters futex_q
1838 * object.
1839 */
1817 this->pi_state = NULL; 1840 this->pi_state = NULL;
1818 free_pi_state(pi_state); 1841 put_pi_state(pi_state);
1819 goto out_unlock; 1842 /*
1843 * We stop queueing more waiters and let user
1844 * space deal with the mess.
1845 */
1846 break;
1820 } 1847 }
1821 } 1848 }
1822 requeue_futex(this, hb1, hb2, &key2); 1849 requeue_futex(this, hb1, hb2, &key2);
1823 drop_count++; 1850 drop_count++;
1824 } 1851 }
1825 1852
1853 /*
1854 * We took an extra initial reference to the pi_state either
1855 * in futex_proxy_trylock_atomic() or in lookup_pi_state(). We
1856 * need to drop it here again.
1857 */
1858 put_pi_state(pi_state);
1859
1826out_unlock: 1860out_unlock:
1827 free_pi_state(pi_state);
1828 double_unlock_hb(hb1, hb2); 1861 double_unlock_hb(hb1, hb2);
1829 wake_up_q(&wake_q); 1862 wake_up_q(&wake_q);
1830 hb_waiters_dec(hb2); 1863 hb_waiters_dec(hb2);
@@ -1973,7 +2006,7 @@ static void unqueue_me_pi(struct futex_q *q)
1973 __unqueue_futex(q); 2006 __unqueue_futex(q);
1974 2007
1975 BUG_ON(!q->pi_state); 2008 BUG_ON(!q->pi_state);
1976 free_pi_state(q->pi_state); 2009 put_pi_state(q->pi_state);
1977 q->pi_state = NULL; 2010 q->pi_state = NULL;
1978 2011
1979 spin_unlock(q->lock_ptr); 2012 spin_unlock(q->lock_ptr);
@@ -2755,6 +2788,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
2755 if (q.pi_state && (q.pi_state->owner != current)) { 2788 if (q.pi_state && (q.pi_state->owner != current)) {
2756 spin_lock(q.lock_ptr); 2789 spin_lock(q.lock_ptr);
2757 ret = fixup_pi_state_owner(uaddr2, &q, current); 2790 ret = fixup_pi_state_owner(uaddr2, &q, current);
2791 /*
2792 * Drop the reference to the pi state which
2793 * the requeue_pi() code acquired for us.
2794 */
2795 put_pi_state(q.pi_state);
2758 spin_unlock(q.lock_ptr); 2796 spin_unlock(q.lock_ptr);
2759 } 2797 }
2760 } else { 2798 } else {
@@ -3046,7 +3084,8 @@ long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
3046 3084
3047 if (op & FUTEX_CLOCK_REALTIME) { 3085 if (op & FUTEX_CLOCK_REALTIME) {
3048 flags |= FLAGS_CLOCKRT; 3086 flags |= FLAGS_CLOCKRT;
3049 if (cmd != FUTEX_WAIT_BITSET && cmd != FUTEX_WAIT_REQUEUE_PI) 3087 if (cmd != FUTEX_WAIT && cmd != FUTEX_WAIT_BITSET && \
3088 cmd != FUTEX_WAIT_REQUEUE_PI)
3050 return -ENOSYS; 3089 return -ENOSYS;
3051 } 3090 }
3052 3091
generated by cgit v1.2.2 (git 2.25.0) at 2026-01-07 07:19:13 -0500