1 files changed, 103 insertions, 149 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index f89d373a9c6..6b50a024bca 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -114,7 +114,9 @@ struct futex_q {
 };
 /*
- * Split the global futex_lock into every hash list lock.
+ * Hash buckets are shared by all the futex_keys that hash to the same
+ * location.  Each key may have multiple futex_q structures, one for each task
+ * waiting on a futex.
 */
 struct futex_hash_bucket {
        spinlock_t lock;
@@ -189,8 +191,7 @@ static void drop_futex_key_refs(union futex_key *key)
 /**
 * get_futex_key - Get parameters which are the keys for a futex.
 * @uaddr: virtual address of the futex
- * @shared: NULL for a PROCESS_PRIVATE futex,
+ * @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
- *      &current->mm->mmap_sem for a PROCESS_SHARED futex
 * @key: address where result is stored.
 *
 * Returns a negative error code or 0
@@ -200,9 +201,7 @@ static void drop_futex_key_refs(union futex_key *key)
 * offset_within_page).  For private mappings, it's (uaddr, current->mm).
 * We can usually work out the index without swapping in the page.
 *
- * fshared is NULL for PROCESS_PRIVATE futexes
+ * lock_page() might sleep, the caller should not hold a spinlock.
- * For other futexes, it points to &current->mm->mmap_sem and
- * caller must have taken the reader lock. but NOT any spinlocks.
 */
 static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
 {
@@ -299,41 +298,6 @@ static int get_futex_value_locked(u32 *dest, u32 __user *from)
        return ret ? -EFAULT : 0;
 }
-/*
- * Fault handling.
- */
-static int futex_handle_fault(unsigned long address, int attempt)
-{
-        struct vm_area_struct * vma;
-        struct mm_struct *mm = current->mm;
-        int ret = -EFAULT;
-        if (attempt > 2)
-                return ret;
-        down_read(&mm->mmap_sem);
-        vma = find_vma(mm, address);
-        if (vma && address >= vma->vm_start &&
-            (vma->vm_flags & VM_WRITE)) {
-                int fault;
-                fault = handle_mm_fault(mm, vma, address, 1);
-                if (unlikely((fault & VM_FAULT_ERROR))) {
-#if 0
-                        /* XXX: let's do this when we verify it is OK */
-                        if (ret & VM_FAULT_OOM)
-                                ret = -ENOMEM;
-#endif
-                } else {
-                        ret = 0;
-                        if (fault & VM_FAULT_MAJOR)
-                                current->maj_flt++;
-                        else
-                                current->min_flt++;
-                }
-        }
-        up_read(&mm->mmap_sem);
-        return ret;
-}
 /*
 * PI code:
@@ -589,10 +553,9 @@ static void wake_futex(struct futex_q *q)
         * The waiting task can free the futex_q as soon as this is written,
         * without taking any locks.  This must come last.
         *
-         * A memory barrier is required here to prevent the following store
+         * A memory barrier is required here to prevent the following store to
-         * to lock_ptr from getting ahead of the wakeup. Clearing the lock
+         * lock_ptr from getting ahead of the wakeup. Clearing the lock at the
-         * at the end of wake_up_all() does not prevent this store from
+         * end of wake_up() does not prevent this store from moving.
-         * moving.
         */
        smp_wmb();
        q->lock_ptr = NULL;
@@ -692,9 +655,16 @@ double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
        }
 }
+static inline void
+double_unlock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
+{
+        spin_unlock(&hb1->lock);
+        if (hb1 != hb2)
+                spin_unlock(&hb2->lock);
+}
 /*
- * Wake up all waiters hashed on the physical page that is mapped
+ * Wake up waiters matching bitset queued on this futex (uaddr).
- * to this virtual address:
 */
 static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
 {
@@ -750,9 +720,9 @@ futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
        struct futex_hash_bucket *hb1, *hb2;
        struct plist_head *head;
        struct futex_q *this, *next;
-        int ret, op_ret, attempt = 0;
+        int ret, op_ret;
-retryfull:
+retry:
        ret = get_futex_key(uaddr1, fshared, &key1);
        if (unlikely(ret != 0))
                goto out;
@@ -763,16 +733,13 @@ retryfull:
        hb1 = hash_futex(&key1);
        hb2 = hash_futex(&key2);
-retry:
        double_lock_hb(hb1, hb2);
+retry_private:
        op_ret = futex_atomic_op_inuser(op, uaddr2);
        if (unlikely(op_ret < 0)) {
                u32 dummy;
-                spin_unlock(&hb1->lock);
+                double_unlock_hb(hb1, hb2);
-                if (hb1 != hb2)
-                        spin_unlock(&hb2->lock);
 #ifndef CONFIG_MMU
                /*
@@ -788,26 +755,16 @@ retry:
                        goto out_put_keys;
                }
-                /*
-                 * futex_atomic_op_inuser needs to both read and write
-                 * *(int __user *)uaddr2, but we can't modify it
-                 * non-atomically.  Therefore, if get_user below is not
-                 * enough, we need to handle the fault ourselves, while
-                 * still holding the mmap_sem.
-                 */
-                if (attempt++) {
-                        ret = futex_handle_fault((unsigned long)uaddr2,
-                                                 attempt);
-                        if (ret)
-                                goto out_put_keys;
-                        goto retry;
-                }
                ret = get_user(dummy, uaddr2);
                if (ret)
-                        return ret;
+                        goto out_put_keys;
+                if (!fshared)
+                        goto retry_private;
-                goto retryfull;
+                put_futex_key(fshared, &key2);
+                put_futex_key(fshared, &key1);
+                goto retry;
        }
        head = &hb1->chain;
@@ -834,9 +791,7 @@ retry:
                ret += op_ret;
        }
-        spin_unlock(&hb1->lock);
+        double_unlock_hb(hb1, hb2);
-        if (hb1 != hb2)
-                spin_unlock(&hb2->lock);
 out_put_keys:
        put_futex_key(fshared, &key2);
 out_put_key1:
@@ -869,6 +824,7 @@ retry:
        hb1 = hash_futex(&key1);
        hb2 = hash_futex(&key2);
+retry_private:
        double_lock_hb(hb1, hb2);
        if (likely(cmpval != NULL)) {
@@ -877,16 +833,18 @@ retry:
                ret = get_futex_value_locked(&curval, uaddr1);
                if (unlikely(ret)) {
-                        spin_unlock(&hb1->lock);
+                        double_unlock_hb(hb1, hb2);
-                        if (hb1 != hb2)
-                                spin_unlock(&hb2->lock);
                        ret = get_user(curval, uaddr1);
+                        if (ret)
+                                goto out_put_keys;
-                        if (!ret)
+                        if (!fshared)
-                                goto retry;
+                                goto retry_private;
-                        goto out_put_keys;
+                        put_futex_key(fshared, &key2);
+                        put_futex_key(fshared, &key1);
+                        goto retry;
                }
                if (curval != *cmpval) {
                        ret = -EAGAIN;
@@ -923,9 +881,7 @@ retry:
        }
 out_unlock:
-        spin_unlock(&hb1->lock);
+        double_unlock_hb(hb1, hb2);
-        if (hb1 != hb2)
-                spin_unlock(&hb2->lock);
        /* drop_futex_key_refs() must be called outside the spinlocks. */
        while (--drop_count >= 0)
@@ -1063,7 +1019,7 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
        struct futex_pi_state *pi_state = q->pi_state;
        struct task_struct *oldowner = pi_state->owner;
        u32 uval, curval, newval;
-        int ret, attempt = 0;
+        int ret;
        /* Owner died? */
        if (!pi_state->owner)
@@ -1076,11 +1032,9 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
         * in the user space variable. This must be atomic as we have
         * to preserve the owner died bit here.
         *
-         * Note: We write the user space value _before_ changing the
+         * Note: We write the user space value _before_ changing the pi_state
-         * pi_state because we can fault here. Imagine swapped out
+         * because we can fault here. Imagine swapped out pages or a fork
-         * pages or a fork, which was running right before we acquired
+         * that marked all the anonymous memory readonly for cow.
-         * mmap_sem, that marked all the anonymous memory readonly for
-         * cow.
         *
         * Modifying pi_state _before_ the user space value would
         * leave the pi_state in an inconsistent state when we fault
@@ -1136,7 +1090,7 @@ retry:
 handle_fault:
        spin_unlock(q->lock_ptr);
-        ret = futex_handle_fault((unsigned long)uaddr, attempt++);
+        ret = get_user(uval, uaddr);
        spin_lock(q->lock_ptr);
@@ -1165,6 +1119,7 @@ static int futex_wait(u32 __user *uaddr, int fshared,
                      u32 val, ktime_t *abs_time, u32 bitset, int clockrt)
 {
        struct task_struct *curr = current;
+        struct restart_block *restart;
        DECLARE_WAITQUEUE(wait, curr);
        struct futex_hash_bucket *hb;
        struct futex_q q;
@@ -1184,10 +1139,11 @@ retry:
        if (unlikely(ret != 0))
                goto out;
+retry_private:
        hb = queue_lock(&q);
        /*
-         * Access the page AFTER the futex is queued.
+         * Access the page AFTER the hash-bucket is locked.
         * Order is important:
         *
         *   Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
@@ -1203,24 +1159,29 @@ retry:
         * a wakeup when *uaddr != val on entry to the syscall.  This is
         * rare, but normal.
         *
-         * for shared futexes, we hold the mmap semaphore, so the mapping
+         * For shared futexes, we hold the mmap semaphore, so the mapping
         * cannot have changed since we looked it up in get_futex_key.
         */
        ret = get_futex_value_locked(&uval, uaddr);
        if (unlikely(ret)) {
                queue_unlock(&q, hb);
-                put_futex_key(fshared, &q.key);
                ret = get_user(uval, uaddr);
+                if (ret)
+                        goto out_put_key;
-                if (!ret)
+                if (!fshared)
-                        goto retry;
+                        goto retry_private;
-                return ret;
+                put_futex_key(fshared, &q.key);
+                goto retry;
        }
        ret = -EWOULDBLOCK;
-        if (uval != val)
+        if (unlikely(uval != val)) {
-                goto out_unlock_put_key;
+                queue_unlock(&q, hb);
+                goto out_put_key;
+        }
        /* Only actually queue if *uaddr contained val.  */
        queue_me(&q, hb);
@@ -1245,16 +1206,13 @@ retry:
                if (!abs_time)
                        schedule();
                else {
-                        unsigned long slack;
-                        slack = current->timer_slack_ns;
-                        if (rt_task(current))
-                                slack = 0;
                        hrtimer_init_on_stack(&t.timer,
                                              clockrt ? CLOCK_REALTIME :
                                              CLOCK_MONOTONIC,
                                              HRTIMER_MODE_ABS);
                        hrtimer_init_sleeper(&t, current);
-                        hrtimer_set_expires_range_ns(&t.timer, *abs_time, slack);
+                        hrtimer_set_expires_range_ns(&t.timer, *abs_time,
+                                                     current->timer_slack_ns);
                        hrtimer_start_expires(&t.timer, HRTIMER_MODE_ABS);
                        if (!hrtimer_active(&t.timer))
@@ -1284,38 +1242,38 @@ retry:
         */
        /* If we were woken (and unqueued), we succeeded, whatever. */
+        ret = 0;
        if (!unqueue_me(&q))
-                return 0;
+                goto out_put_key;
+        ret = -ETIMEDOUT;
        if (rem)
-                return -ETIMEDOUT;
+                goto out_put_key;
        /*
         * We expect signal_pending(current), but another thread may
         * have handled it for us already.
         */
+        ret = -ERESTARTSYS;
        if (!abs_time)
-                return -ERESTARTSYS;
+                goto out_put_key;
-        else {
-                struct restart_block *restart;
-                restart = &current_thread_info()->restart_block;
-                restart->fn = futex_wait_restart;
-                restart->futex.uaddr = (u32 *)uaddr;
-                restart->futex.val = val;
-                restart->futex.time = abs_time->tv64;
-                restart->futex.bitset = bitset;
-                restart->futex.flags = 0;
-                if (fshared)
-                        restart->futex.flags |= FLAGS_SHARED;
-                if (clockrt)
-                        restart->futex.flags |= FLAGS_CLOCKRT;
-                return -ERESTART_RESTARTBLOCK;
-        }
-out_unlock_put_key:
+        restart = &current_thread_info()->restart_block;
-        queue_unlock(&q, hb);
+        restart->fn = futex_wait_restart;
-        put_futex_key(fshared, &q.key);
+        restart->futex.uaddr = (u32 *)uaddr;
+        restart->futex.val = val;
+        restart->futex.time = abs_time->tv64;
+        restart->futex.bitset = bitset;
+        restart->futex.flags = 0;
+        if (fshared)
+                restart->futex.flags |= FLAGS_SHARED;
+        if (clockrt)
+                restart->futex.flags |= FLAGS_CLOCKRT;
+        ret = -ERESTART_RESTARTBLOCK;
+out_put_key:
+        put_futex_key(fshared, &q.key);
 out:
        return ret;
 }
@@ -1351,7 +1309,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
        struct futex_hash_bucket *hb;
        u32 uval, newval, curval;
        struct futex_q q;
-        int ret, lock_taken, ownerdied = 0, attempt = 0;
+        int ret, lock_taken, ownerdied = 0;
        if (refill_pi_state_cache())
                return -ENOMEM;
@@ -1371,7 +1329,7 @@ retry:
        if (unlikely(ret != 0))
                goto out;
-retry_unlocked:
+retry_private:
        hb = queue_lock(&q);
 retry_locked:
@@ -1455,6 +1413,7 @@ retry_locked:
                         * exit to complete.
                         */
                        queue_unlock(&q, hb);
+                        put_futex_key(fshared, &q.key);
                        cond_resched();
                        goto retry;
@@ -1561,6 +1520,13 @@ retry_locked:
                }
        }
+        /*
+         * If fixup_pi_state_owner() faulted and was unable to handle the
+         * fault, unlock it and return the fault to userspace.
+         */
+        if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
+                rt_mutex_unlock(&q.pi_state->pi_mutex);
        /* Unqueue and drop the lock */
        unqueue_me_pi(&q);
@@ -1588,22 +1554,18 @@ uaddr_faulted:
         */
        queue_unlock(&q, hb);
-        if (attempt++) {
-                ret = futex_handle_fault((unsigned long)uaddr, attempt);
-                if (ret)
-                        goto out_put_key;
-                goto retry_unlocked;
-        }
        ret = get_user(uval, uaddr);
-        if (!ret)
+        if (ret)
-                goto retry;
+                goto out_put_key;
-        if (to)
+        if (!fshared)
-                destroy_hrtimer_on_stack(&to->timer);
+                goto retry_private;
-        return ret;
+        put_futex_key(fshared, &q.key);
+        goto retry;
 }
 /*
 * Userspace attempted a TID -> 0 atomic transition, and failed.
 * This is the in-kernel slowpath: we look up the PI state (if any),
@@ -1616,7 +1578,7 @@ static int futex_unlock_pi(u32 __user *uaddr, int fshared)
        u32 uval;
        struct plist_head *head;
        union futex_key key = FUTEX_KEY_INIT;
-        int ret, attempt = 0;
+        int ret;
 retry:
        if (get_user(uval, uaddr))
@@ -1632,7 +1594,6 @@ retry:
                goto out;
        hb = hash_futex(&key);
-retry_unlocked:
        spin_lock(&hb->lock);
        /*
@@ -1697,14 +1658,7 @@ pi_faulted:
         * we have to drop the mmap_sem in order to call get_user().
         */
        spin_unlock(&hb->lock);
+        put_futex_key(fshared, &key);
-        if (attempt++) {
-                ret = futex_handle_fault((unsigned long)uaddr, attempt);
-                if (ret)
-                        goto out;
-                uval = 0;
-                goto retry_unlocked;
-        }
        ret = get_user(uval, uaddr);
        if (!ret)

diff --git a/kernel/futex.c b/kernel/futex.c index f89d373a9c6..6b50a024bca 100644 --- a/kernel/futex.c +++ b/kernel/futex.c
@@ -114,7 +114,9 @@ struct futex_q {
114	};	114	};
115		115
116	/*	116	/*
117	* Split the global futex_lock into every hash list lock.	117	* Hash buckets are shared by all the futex_keys that hash to the same
		118	* location. Each key may have multiple futex_q structures, one for each task
		119	* waiting on a futex.
118	*/	120	*/
119	struct futex_hash_bucket {	121	struct futex_hash_bucket {
120	spinlock_t lock;	122	spinlock_t lock;
@@ -189,8 +191,7 @@ static void drop_futex_key_refs(union futex_key *key)
189	/**	191	/**
190	* get_futex_key - Get parameters which are the keys for a futex.	192	* get_futex_key - Get parameters which are the keys for a futex.
191	* @uaddr: virtual address of the futex	193	* @uaddr: virtual address of the futex
192	* @shared: NULL for a PROCESS_PRIVATE futex,	194	* @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
193	* &current->mm->mmap_sem for a PROCESS_SHARED futex
194	* @key: address where result is stored.	195	* @key: address where result is stored.
195	*	196	*
196	* Returns a negative error code or 0	197	* Returns a negative error code or 0
@@ -200,9 +201,7 @@ static void drop_futex_key_refs(union futex_key *key)
200	* offset_within_page). For private mappings, it's (uaddr, current->mm).	201	* offset_within_page). For private mappings, it's (uaddr, current->mm).
201	* We can usually work out the index without swapping in the page.	202	* We can usually work out the index without swapping in the page.
202	*	203	*
203	* fshared is NULL for PROCESS_PRIVATE futexes	204	* lock_page() might sleep, the caller should not hold a spinlock.
204	* For other futexes, it points to &current->mm->mmap_sem and
205	* caller must have taken the reader lock. but NOT any spinlocks.
206	*/	205	*/
207	static int get_futex_key(u32 __user uaddr, int fshared, union futex_key key)	206	static int get_futex_key(u32 __user uaddr, int fshared, union futex_key key)
208	{	207	{
@@ -299,41 +298,6 @@ static int get_futex_value_locked(u32 dest, u32 __user from)
299	return ret ? -EFAULT : 0;	298	return ret ? -EFAULT : 0;
300	}	299	}
301		300
302	/*
303	* Fault handling.
304	*/
305	static int futex_handle_fault(unsigned long address, int attempt)
306	{
307	struct vm_area_struct * vma;
308	struct mm_struct *mm = current->mm;
309	int ret = -EFAULT;
310
311	if (attempt > 2)
312	return ret;
313
314	down_read(&mm->mmap_sem);
315	vma = find_vma(mm, address);
316	if (vma && address >= vma->vm_start &&
317	(vma->vm_flags & VM_WRITE)) {
318	int fault;
319	fault = handle_mm_fault(mm, vma, address, 1);
320	if (unlikely((fault & VM_FAULT_ERROR))) {
321	#if 0
322	/* XXX: let's do this when we verify it is OK */
323	if (ret & VM_FAULT_OOM)
324	ret = -ENOMEM;
325	#endif
326	} else {
327	ret = 0;
328	if (fault & VM_FAULT_MAJOR)
329	current->maj_flt++;
330	else
331	current->min_flt++;
332	}
333	}
334	up_read(&mm->mmap_sem);
335	return ret;
336	}
337		301
338	/*	302	/*
339	* PI code:	303	* PI code:
@@ -589,10 +553,9 @@ static void wake_futex(struct futex_q *q)
589	* The waiting task can free the futex_q as soon as this is written,	553	* The waiting task can free the futex_q as soon as this is written,
590	* without taking any locks. This must come last.	554	* without taking any locks. This must come last.
591	*	555	*
592	* A memory barrier is required here to prevent the following store	556	* A memory barrier is required here to prevent the following store to
593	* to lock_ptr from getting ahead of the wakeup. Clearing the lock	557	* lock_ptr from getting ahead of the wakeup. Clearing the lock at the
594	* at the end of wake_up_all() does not prevent this store from	558	* end of wake_up() does not prevent this store from moving.
595	* moving.
596	*/	559	*/
597	smp_wmb();	560	smp_wmb();
598	q->lock_ptr = NULL;	561	q->lock_ptr = NULL;
@@ -692,9 +655,16 @@ double_lock_hb(struct futex_hash_bucket hb1, struct futex_hash_bucket hb2)
692	}	655	}
693	}	656	}
694		657
		658	static inline void
		659	double_unlock_hb(struct futex_hash_bucket hb1, struct futex_hash_bucket hb2)
		660	{
		661	spin_unlock(&hb1->lock);
		662	if (hb1 != hb2)
		663	spin_unlock(&hb2->lock);
		664	}
		665
695	/*	666	/*
696	* Wake up all waiters hashed on the physical page that is mapped	667	* Wake up waiters matching bitset queued on this futex (uaddr).
697	* to this virtual address:
698	*/	668	*/
699	static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)	669	static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
700	{	670	{
@@ -750,9 +720,9 @@ futex_wake_op(u32 __user uaddr1, int fshared, u32 __user uaddr2,
750	struct futex_hash_bucket hb1, hb2;	720	struct futex_hash_bucket hb1, hb2;
751	struct plist_head *head;	721	struct plist_head *head;
752	struct futex_q this, next;	722	struct futex_q this, next;
753	int ret, op_ret, attempt = 0;	723	int ret, op_ret;
754		724
755	retryfull:	725	retry:
756	ret = get_futex_key(uaddr1, fshared, &key1);	726	ret = get_futex_key(uaddr1, fshared, &key1);
757	if (unlikely(ret != 0))	727	if (unlikely(ret != 0))
758	goto out;	728	goto out;
@@ -763,16 +733,13 @@ retryfull:
763	hb1 = hash_futex(&key1);	733	hb1 = hash_futex(&key1);
764	hb2 = hash_futex(&key2);	734	hb2 = hash_futex(&key2);
765		735
766	retry:
767	double_lock_hb(hb1, hb2);	736	double_lock_hb(hb1, hb2);
768		737	retry_private:
769	op_ret = futex_atomic_op_inuser(op, uaddr2);	738	op_ret = futex_atomic_op_inuser(op, uaddr2);
770	if (unlikely(op_ret < 0)) {	739	if (unlikely(op_ret < 0)) {
771	u32 dummy;	740	u32 dummy;
772		741
773	spin_unlock(&hb1->lock);	742	double_unlock_hb(hb1, hb2);
774	if (hb1 != hb2)
775	spin_unlock(&hb2->lock);
776		743
777	#ifndef CONFIG_MMU	744	#ifndef CONFIG_MMU
778	/*	745	/*
@@ -788,26 +755,16 @@ retry:
788	goto out_put_keys;	755	goto out_put_keys;
789	}	756	}
790		757
791	/*
792	* futex_atomic_op_inuser needs to both read and write
793	* (int __user )uaddr2, but we can't modify it
794	* non-atomically. Therefore, if get_user below is not
795	* enough, we need to handle the fault ourselves, while
796	* still holding the mmap_sem.
797	*/
798	if (attempt++) {
799	ret = futex_handle_fault((unsigned long)uaddr2,
800	attempt);
801	if (ret)
802	goto out_put_keys;
803	goto retry;
804	}
805
806	ret = get_user(dummy, uaddr2);	758	ret = get_user(dummy, uaddr2);
807	if (ret)	759	if (ret)
808	return ret;	760	goto out_put_keys;
		761
		762	if (!fshared)
		763	goto retry_private;
809		764
810	goto retryfull;	765	put_futex_key(fshared, &key2);
		766	put_futex_key(fshared, &key1);
		767	goto retry;
811	}	768	}
812		769
813	head = &hb1->chain;	770	head = &hb1->chain;
@@ -834,9 +791,7 @@ retry:
834	ret += op_ret;	791	ret += op_ret;
835	}	792	}
836		793
837	spin_unlock(&hb1->lock);	794	double_unlock_hb(hb1, hb2);
838	if (hb1 != hb2)
839	spin_unlock(&hb2->lock);
840	out_put_keys:	795	out_put_keys:
841	put_futex_key(fshared, &key2);	796	put_futex_key(fshared, &key2);
842	out_put_key1:	797	out_put_key1:
@@ -869,6 +824,7 @@ retry:
869	hb1 = hash_futex(&key1);	824	hb1 = hash_futex(&key1);
870	hb2 = hash_futex(&key2);	825	hb2 = hash_futex(&key2);
871		826
		827	retry_private:
872	double_lock_hb(hb1, hb2);	828	double_lock_hb(hb1, hb2);
873		829
874	if (likely(cmpval != NULL)) {	830	if (likely(cmpval != NULL)) {
@@ -877,16 +833,18 @@ retry:
877	ret = get_futex_value_locked(&curval, uaddr1);	833	ret = get_futex_value_locked(&curval, uaddr1);
878		834
879	if (unlikely(ret)) {	835	if (unlikely(ret)) {
880	spin_unlock(&hb1->lock);	836	double_unlock_hb(hb1, hb2);
881	if (hb1 != hb2)
882	spin_unlock(&hb2->lock);
883		837
884	ret = get_user(curval, uaddr1);	838	ret = get_user(curval, uaddr1);
		839	if (ret)
		840	goto out_put_keys;
885		841
886	if (!ret)	842	if (!fshared)
887	goto retry;	843	goto retry_private;
888		844
889	goto out_put_keys;	845	put_futex_key(fshared, &key2);
		846	put_futex_key(fshared, &key1);
		847	goto retry;
890	}	848	}
891	if (curval != *cmpval) {	849	if (curval != *cmpval) {
892	ret = -EAGAIN;	850	ret = -EAGAIN;
@@ -923,9 +881,7 @@ retry:
923	}	881	}
924		882
925	out_unlock:	883	out_unlock:
926	spin_unlock(&hb1->lock);	884	double_unlock_hb(hb1, hb2);
927	if (hb1 != hb2)
928	spin_unlock(&hb2->lock);
929		885
930	/* drop_futex_key_refs() must be called outside the spinlocks. */	886	/* drop_futex_key_refs() must be called outside the spinlocks. */
931	while (--drop_count >= 0)	887	while (--drop_count >= 0)
@@ -1063,7 +1019,7 @@ static int fixup_pi_state_owner(u32 __user uaddr, struct futex_q q,
1063	struct futex_pi_state *pi_state = q->pi_state;	1019	struct futex_pi_state *pi_state = q->pi_state;
1064	struct task_struct *oldowner = pi_state->owner;	1020	struct task_struct *oldowner = pi_state->owner;
1065	u32 uval, curval, newval;	1021	u32 uval, curval, newval;
1066	int ret, attempt = 0;	1022	int ret;
1067		1023
1068	/* Owner died? */	1024	/* Owner died? */
1069	if (!pi_state->owner)	1025	if (!pi_state->owner)
@@ -1076,11 +1032,9 @@ static int fixup_pi_state_owner(u32 __user uaddr, struct futex_q q,
1076	* in the user space variable. This must be atomic as we have	1032	* in the user space variable. This must be atomic as we have
1077	* to preserve the owner died bit here.	1033	* to preserve the owner died bit here.
1078	*	1034	*
1079	* Note: We write the user space value _before_ changing the	1035	* Note: We write the user space value _before_ changing the pi_state
1080	* pi_state because we can fault here. Imagine swapped out	1036	* because we can fault here. Imagine swapped out pages or a fork
1081	* pages or a fork, which was running right before we acquired	1037	* that marked all the anonymous memory readonly for cow.
1082	* mmap_sem, that marked all the anonymous memory readonly for
1083	* cow.
1084	*	1038	*
1085	* Modifying pi_state _before_ the user space value would	1039	* Modifying pi_state _before_ the user space value would
1086	* leave the pi_state in an inconsistent state when we fault	1040	* leave the pi_state in an inconsistent state when we fault
@@ -1136,7 +1090,7 @@ retry:
1136	handle_fault:	1090	handle_fault:
1137	spin_unlock(q->lock_ptr);	1091	spin_unlock(q->lock_ptr);
1138		1092
1139	ret = futex_handle_fault((unsigned long)uaddr, attempt++);	1093	ret = get_user(uval, uaddr);
1140		1094
1141	spin_lock(q->lock_ptr);	1095	spin_lock(q->lock_ptr);
1142		1096
@@ -1165,6 +1119,7 @@ static int futex_wait(u32 __user *uaddr, int fshared,
1165	u32 val, ktime_t *abs_time, u32 bitset, int clockrt)	1119	u32 val, ktime_t *abs_time, u32 bitset, int clockrt)
1166	{	1120	{
1167	struct task_struct *curr = current;	1121	struct task_struct *curr = current;
		1122	struct restart_block *restart;
1168	DECLARE_WAITQUEUE(wait, curr);	1123	DECLARE_WAITQUEUE(wait, curr);
1169	struct futex_hash_bucket *hb;	1124	struct futex_hash_bucket *hb;
1170	struct futex_q q;	1125	struct futex_q q;
@@ -1184,10 +1139,11 @@ retry:
1184	if (unlikely(ret != 0))	1139	if (unlikely(ret != 0))
1185	goto out;	1140	goto out;
1186		1141
		1142	retry_private:
1187	hb = queue_lock(&q);	1143	hb = queue_lock(&q);
1188		1144
1189	/*	1145	/*
1190	* Access the page AFTER the futex is queued.	1146	* Access the page AFTER the hash-bucket is locked.
1191	* Order is important:	1147	* Order is important:
1192	*	1148	*
1193	* Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);	1149	* Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
@@ -1203,24 +1159,29 @@ retry:
1203	* a wakeup when *uaddr != val on entry to the syscall. This is	1159	* a wakeup when *uaddr != val on entry to the syscall. This is
1204	* rare, but normal.	1160	* rare, but normal.
1205	*	1161	*
1206	* for shared futexes, we hold the mmap semaphore, so the mapping	1162	* For shared futexes, we hold the mmap semaphore, so the mapping
1207	* cannot have changed since we looked it up in get_futex_key.	1163	* cannot have changed since we looked it up in get_futex_key.
1208	*/	1164	*/
1209	ret = get_futex_value_locked(&uval, uaddr);	1165	ret = get_futex_value_locked(&uval, uaddr);
1210		1166
1211	if (unlikely(ret)) {	1167	if (unlikely(ret)) {
1212	queue_unlock(&q, hb);	1168	queue_unlock(&q, hb);
1213	put_futex_key(fshared, &q.key);
1214		1169
1215	ret = get_user(uval, uaddr);	1170	ret = get_user(uval, uaddr);
		1171	if (ret)
		1172	goto out_put_key;
1216		1173
1217	if (!ret)	1174	if (!fshared)
1218	goto retry;	1175	goto retry_private;
1219	return ret;	1176
		1177	put_futex_key(fshared, &q.key);
		1178	goto retry;
1220	}	1179	}
1221	ret = -EWOULDBLOCK;	1180	ret = -EWOULDBLOCK;
1222	if (uval != val)	1181	if (unlikely(uval != val)) {
1223	goto out_unlock_put_key;	1182	queue_unlock(&q, hb);
		1183	goto out_put_key;
		1184	}
1224		1185
1225	/* Only actually queue if uaddr contained val. /	1186	/* Only actually queue if uaddr contained val. /
1226	queue_me(&q, hb);	1187	queue_me(&q, hb);
@@ -1245,16 +1206,13 @@ retry:
1245	if (!abs_time)	1206	if (!abs_time)
1246	schedule();	1207	schedule();
1247	else {	1208	else {
1248	unsigned long slack;
1249	slack = current->timer_slack_ns;
1250	if (rt_task(current))
1251	slack = 0;
1252	hrtimer_init_on_stack(&t.timer,	1209	hrtimer_init_on_stack(&t.timer,
1253	clockrt ? CLOCK_REALTIME :	1210	clockrt ? CLOCK_REALTIME :
1254	CLOCK_MONOTONIC,	1211	CLOCK_MONOTONIC,
1255	HRTIMER_MODE_ABS);	1212	HRTIMER_MODE_ABS);
1256	hrtimer_init_sleeper(&t, current);	1213	hrtimer_init_sleeper(&t, current);
1257	hrtimer_set_expires_range_ns(&t.timer, *abs_time, slack);	1214	hrtimer_set_expires_range_ns(&t.timer, *abs_time,
		1215	current->timer_slack_ns);
1258		1216
1259	hrtimer_start_expires(&t.timer, HRTIMER_MODE_ABS);	1217	hrtimer_start_expires(&t.timer, HRTIMER_MODE_ABS);
1260	if (!hrtimer_active(&t.timer))	1218	if (!hrtimer_active(&t.timer))
@@ -1284,38 +1242,38 @@ retry:
1284	*/	1242	*/
1285		1243
1286	/* If we were woken (and unqueued), we succeeded, whatever. */	1244	/* If we were woken (and unqueued), we succeeded, whatever. */
		1245	ret = 0;
1287	if (!unqueue_me(&q))	1246	if (!unqueue_me(&q))
1288	return 0;	1247	goto out_put_key;
		1248	ret = -ETIMEDOUT;
1289	if (rem)	1249	if (rem)
1290	return -ETIMEDOUT;	1250	goto out_put_key;
1291		1251
1292	/*	1252	/*
1293	* We expect signal_pending(current), but another thread may	1253	* We expect signal_pending(current), but another thread may
1294	* have handled it for us already.	1254	* have handled it for us already.
1295	*/	1255	*/
		1256	ret = -ERESTARTSYS;
1296	if (!abs_time)	1257	if (!abs_time)
1297	return -ERESTARTSYS;	1258	goto out_put_key;
1298	else {
1299	struct restart_block *restart;
1300	restart = &current_thread_info()->restart_block;
1301	restart->fn = futex_wait_restart;
1302	restart->futex.uaddr = (u32 *)uaddr;
1303	restart->futex.val = val;
1304	restart->futex.time = abs_time->tv64;
1305	restart->futex.bitset = bitset;
1306	restart->futex.flags = 0;
1307
1308	if (fshared)
1309	restart->futex.flags \|= FLAGS_SHARED;
1310	if (clockrt)
1311	restart->futex.flags \|= FLAGS_CLOCKRT;
1312	return -ERESTART_RESTARTBLOCK;
1313	}
1314		1259
1315	out_unlock_put_key:	1260	restart = &current_thread_info()->restart_block;
1316	queue_unlock(&q, hb);	1261	restart->fn = futex_wait_restart;
1317	put_futex_key(fshared, &q.key);	1262	restart->futex.uaddr = (u32 *)uaddr;
		1263	restart->futex.val = val;
		1264	restart->futex.time = abs_time->tv64;
		1265	restart->futex.bitset = bitset;
		1266	restart->futex.flags = 0;
		1267
		1268	if (fshared)
		1269	restart->futex.flags \|= FLAGS_SHARED;
		1270	if (clockrt)
		1271	restart->futex.flags \|= FLAGS_CLOCKRT;
		1272
		1273	ret = -ERESTART_RESTARTBLOCK;
1318		1274
		1275	out_put_key:
		1276	put_futex_key(fshared, &q.key);
1319	out:	1277	out:
1320	return ret;	1278	return ret;
1321	}	1279	}
@@ -1351,7 +1309,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
1351	struct futex_hash_bucket *hb;	1309	struct futex_hash_bucket *hb;
1352	u32 uval, newval, curval;	1310	u32 uval, newval, curval;
1353	struct futex_q q;	1311	struct futex_q q;
1354	int ret, lock_taken, ownerdied = 0, attempt = 0;	1312	int ret, lock_taken, ownerdied = 0;
1355		1313
1356	if (refill_pi_state_cache())	1314	if (refill_pi_state_cache())
1357	return -ENOMEM;	1315	return -ENOMEM;
@@ -1371,7 +1329,7 @@ retry:
1371	if (unlikely(ret != 0))	1329	if (unlikely(ret != 0))
1372	goto out;	1330	goto out;
1373		1331
1374	retry_unlocked:	1332	retry_private:
1375	hb = queue_lock(&q);	1333	hb = queue_lock(&q);
1376		1334
1377	retry_locked:	1335	retry_locked:
@@ -1455,6 +1413,7 @@ retry_locked:
1455	* exit to complete.	1413	* exit to complete.
1456	*/	1414	*/
1457	queue_unlock(&q, hb);	1415	queue_unlock(&q, hb);
		1416	put_futex_key(fshared, &q.key);
1458	cond_resched();	1417	cond_resched();
1459	goto retry;	1418	goto retry;
1460		1419
@@ -1561,6 +1520,13 @@ retry_locked:
1561	}	1520	}
1562	}	1521	}
1563		1522
		1523	/*
		1524	* If fixup_pi_state_owner() faulted and was unable to handle the
		1525	* fault, unlock it and return the fault to userspace.
		1526	*/
		1527	if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))
		1528	rt_mutex_unlock(&q.pi_state->pi_mutex);
		1529
1564	/* Unqueue and drop the lock */	1530	/* Unqueue and drop the lock */
1565	unqueue_me_pi(&q);	1531	unqueue_me_pi(&q);
1566		1532
@@ -1588,22 +1554,18 @@ uaddr_faulted:
1588	*/	1554	*/
1589	queue_unlock(&q, hb);	1555	queue_unlock(&q, hb);
1590		1556
1591	if (attempt++) {
1592	ret = futex_handle_fault((unsigned long)uaddr, attempt);
1593	if (ret)
1594	goto out_put_key;
1595	goto retry_unlocked;
1596	}
1597
1598	ret = get_user(uval, uaddr);	1557	ret = get_user(uval, uaddr);
1599	if (!ret)	1558	if (ret)
1600	goto retry;	1559	goto out_put_key;
1601		1560
1602	if (to)	1561	if (!fshared)
1603	destroy_hrtimer_on_stack(&to->timer);	1562	goto retry_private;
1604	return ret;	1563
		1564	put_futex_key(fshared, &q.key);
		1565	goto retry;
1605	}	1566	}
1606		1567
		1568
1607	/*	1569	/*
1608	* Userspace attempted a TID -> 0 atomic transition, and failed.	1570	* Userspace attempted a TID -> 0 atomic transition, and failed.
1609	* This is the in-kernel slowpath: we look up the PI state (if any),	1571	* This is the in-kernel slowpath: we look up the PI state (if any),
@@ -1616,7 +1578,7 @@ static int futex_unlock_pi(u32 __user *uaddr, int fshared)
1616	u32 uval;	1578	u32 uval;
1617	struct plist_head *head;	1579	struct plist_head *head;
1618	union futex_key key = FUTEX_KEY_INIT;	1580	union futex_key key = FUTEX_KEY_INIT;
1619	int ret, attempt = 0;	1581	int ret;
1620		1582
1621	retry:	1583	retry:
1622	if (get_user(uval, uaddr))	1584	if (get_user(uval, uaddr))
@@ -1632,7 +1594,6 @@ retry:
1632	goto out;	1594	goto out;
1633		1595
1634	hb = hash_futex(&key);	1596	hb = hash_futex(&key);
1635	retry_unlocked:
1636	spin_lock(&hb->lock);	1597	spin_lock(&hb->lock);
1637		1598
1638	/*	1599	/*
@@ -1697,14 +1658,7 @@ pi_faulted:
1697	* we have to drop the mmap_sem in order to call get_user().	1658	* we have to drop the mmap_sem in order to call get_user().
1698	*/	1659	*/
1699	spin_unlock(&hb->lock);	1660	spin_unlock(&hb->lock);
1700		1661	put_futex_key(fshared, &key);
1701	if (attempt++) {
1702	ret = futex_handle_fault((unsigned long)uaddr, attempt);
1703	if (ret)
1704	goto out;
1705	uval = 0;
1706	goto retry_unlocked;
1707	}
1708		1662
1709	ret = get_user(uval, uaddr);	1663	ret = get_user(uval, uaddr);
1710	if (!ret)	1664	if (!ret)