Merge branch 'core-futexes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'core-futexes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: arm: Remove bogus comment in futex_atomic_cmpxchg_inatomic() futex: Deobfuscate handle_futex_death() plist: Add priority list test plist: Shrink struct plist_head futex,plist: Remove debug lock assignment from plist_node futex,plist: Pass the real head of the priority list to plist_del() futex: Sanitize futex ops argument types futex: Sanitize cmpxchg_futex_value_locked API futex: Remove redundant pagefault_disable in futex_atomic_cmpxchg_inatomic() futex: Avoid redudant evaluation of task_pid_vnr() futex: Update futex_wait_setup comments about locking
author: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-15 21:23:52 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-15 21:23:52 -0400
commit: b80cd62b7d4406bbe8c573fe4381dcc71a2850fd (patch)
tree: b3fbd9dcaac45feefc554b5a46888b2cbec0c51d /kernel/futex.c
parent: c345f60a5f58a65004f22fb0d257d65ec1528310 (diff)
parent: 07d5ecae2940ddd77746e2fb597dcf57d3c2e277 (diff)
1 files changed, 64 insertions, 61 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index b766d28accd6..e9251d934f7d 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -381,15 +381,16 @@ static struct futex_q *futex_top_waiter(struct futex_hash_bucket *hb,
        return NULL;
 }
-static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)
+static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
+                                      u32 uval, u32 newval)
 {
-        u32 curval;
+        int ret;
        pagefault_disable();
-        curval = futex_atomic_cmpxchg_inatomic(uaddr, uval, newval);
+        ret = futex_atomic_cmpxchg_inatomic(curval, uaddr, uval, newval);
        pagefault_enable();
-        return curval;
+        return ret;
 }
 static int get_futex_value_locked(u32 *dest, u32 __user *from)
@@ -674,7 +675,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
                                struct task_struct *task, int set_waiters)
 {
        int lock_taken, ret, ownerdied = 0;
-        u32 uval, newval, curval;
+        u32 uval, newval, curval, vpid = task_pid_vnr(task);
 retry:
        ret = lock_taken = 0;
@@ -684,19 +685,17 @@ retry:
         * (by doing a 0 -> TID atomic cmpxchg), while holding all
         * the locks. It will most likely not succeed.
         */
-        newval = task_pid_vnr(task);
+        newval = vpid;
        if (set_waiters)
                newval |= FUTEX_WAITERS;
-        curval = cmpxchg_futex_value_locked(uaddr, 0, newval);
+        if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, 0, newval)))
-        if (unlikely(curval == -EFAULT))
                return -EFAULT;
        /*
         * Detect deadlocks.
         */
-        if ((unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(task))))
+        if ((unlikely((curval & FUTEX_TID_MASK) == vpid)))
                return -EDEADLK;
        /*
@@ -723,14 +722,12 @@ retry:
         */
        if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
                /* Keep the OWNER_DIED bit */
-                newval = (curval & ~FUTEX_TID_MASK) | task_pid_vnr(task);
+                newval = (curval & ~FUTEX_TID_MASK) | vpid;
                ownerdied = 0;
                lock_taken = 1;
        }
-        curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
+        if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)))
-        if (unlikely(curval == -EFAULT))
                return -EFAULT;
        if (unlikely(curval != uval))
                goto retry;
@@ -775,6 +772,24 @@ retry:
        return ret;
 }
+/**
+ * __unqueue_futex() - Remove the futex_q from its futex_hash_bucket
+ * @q:  The futex_q to unqueue
+ *
+ * The q->lock_ptr must not be NULL and must be held by the caller.
+ */
+static void __unqueue_futex(struct futex_q *q)
+{
+        struct futex_hash_bucket *hb;
+        if (WARN_ON(!q->lock_ptr || !spin_is_locked(q->lock_ptr)
+                        || plist_node_empty(&q->list)))
+                return;
+        hb = container_of(q->lock_ptr, struct futex_hash_bucket, lock);
+        plist_del(&q->list, &hb->chain);
+}
 /*
 * The hash bucket lock must be held when this is called.
 * Afterwards, the futex_q must not be accessed.
@@ -792,7 +807,7 @@ static void wake_futex(struct futex_q *q)
         */
        get_task_struct(p);
-        plist_del(&q->list, &q->list.plist);
+        __unqueue_futex(q);
        /*
         * The waiting task can free the futex_q as soon as
         * q->lock_ptr = NULL is written, without taking any locks. A
@@ -843,9 +858,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
                newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
-                curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
+                if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
-                if (curval == -EFAULT)
                        ret = -EFAULT;
                else if (curval != uval)
                        ret = -EINVAL;
@@ -880,10 +893,8 @@ static int unlock_futex_pi(u32 __user *uaddr, u32 uval)
         * There is no waiter, so we unlock the futex. The owner died
         * bit has not to be preserved here. We are the owner:
         */
-        oldval = cmpxchg_futex_value_locked(uaddr, uval, 0);
+        if (cmpxchg_futex_value_locked(&oldval, uaddr, uval, 0))
+                return -EFAULT;
-        if (oldval == -EFAULT)
-                return oldval;
        if (oldval != uval)
                return -EAGAIN;
@@ -1071,9 +1082,6 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
                plist_del(&q->list, &hb1->chain);
                plist_add(&q->list, &hb2->chain);
                q->lock_ptr = &hb2->lock;
-#ifdef CONFIG_DEBUG_PI_LIST
-                q->list.plist.spinlock = &hb2->lock;
-#endif
        }
        get_futex_key_refs(key2);
        q->key = *key2;
@@ -1100,16 +1108,12 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
        get_futex_key_refs(key);
        q->key = *key;
-        WARN_ON(plist_node_empty(&q->list));
+        __unqueue_futex(q);
-        plist_del(&q->list, &q->list.plist);
        WARN_ON(!q->rt_waiter);
        q->rt_waiter = NULL;
        q->lock_ptr = &hb->lock;
-#ifdef CONFIG_DEBUG_PI_LIST
-        q->list.plist.spinlock = &hb->lock;
-#endif
        wake_up_state(q->task, TASK_NORMAL);
 }
@@ -1457,9 +1461,6 @@ static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
        prio = min(current->normal_prio, MAX_RT_PRIO);
        plist_node_init(&q->list, prio);
-#ifdef CONFIG_DEBUG_PI_LIST
-        q->list.plist.spinlock = &hb->lock;
-#endif
        plist_add(&q->list, &hb->chain);
        q->task = current;
        spin_unlock(&hb->lock);
@@ -1504,8 +1505,7 @@ retry:
                        spin_unlock(lock_ptr);
                        goto retry;
                }
-                WARN_ON(plist_node_empty(&q->list));
+                __unqueue_futex(q);
-                plist_del(&q->list, &q->list.plist);
                BUG_ON(q->pi_state);
@@ -1525,8 +1525,7 @@ retry:
 static void unqueue_me_pi(struct futex_q *q)
        __releases(q->lock_ptr)
 {
-        WARN_ON(plist_node_empty(&q->list));
+        __unqueue_futex(q);
-        plist_del(&q->list, &q->list.plist);
        BUG_ON(!q->pi_state);
        free_pi_state(q->pi_state);
@@ -1578,9 +1577,7 @@ retry:
        while (1) {
                newval = (uval & FUTEX_OWNER_DIED) | newtid;
-                curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
+                if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
-                if (curval == -EFAULT)
                        goto handle_fault;
                if (curval == uval)
                        break;
@@ -1781,13 +1778,14 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
         *
         * The basic logical guarantee of a futex is that it blocks ONLY
         * if cond(var) is known to be true at the time of blocking, for
-         * any cond.  If we queued after testing *uaddr, that would open
+         * any cond.  If we locked the hash-bucket after testing *uaddr, that
-         * a race condition where we could block indefinitely with
+         * would open a race condition where we could block indefinitely with
         * cond(var) false, which would violate the guarantee.
         *
-         * A consequence is that futex_wait() can return zero and absorb
+         * On the other hand, we insert q and release the hash-bucket only
-         * a wakeup when *uaddr != val on entry to the syscall.  This is
+         * after testing *uaddr.  This guarantees that futex_wait() will NOT
-         * rare, but normal.
+         * absorb a wakeup if *uaddr does not match the desired values
+         * while the syscall executes.
         */
 retry:
        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key);
@@ -2046,9 +2044,9 @@ static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
 {
        struct futex_hash_bucket *hb;
        struct futex_q *this, *next;
-        u32 uval;
        struct plist_head *head;
        union futex_key key = FUTEX_KEY_INIT;
+        u32 uval, vpid = task_pid_vnr(current);
        int ret;
 retry:
@@ -2057,7 +2055,7 @@ retry:
        /*
         * We release only a lock we actually own:
         */
-        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
+        if ((uval & FUTEX_TID_MASK) != vpid)
                return -EPERM;
        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key);
@@ -2072,17 +2070,14 @@ retry:
         * again. If it succeeds then we can return without waking
         * anyone else up:
         */
-        if (!(uval & FUTEX_OWNER_DIED))
+        if (!(uval & FUTEX_OWNER_DIED) &&
-                uval = cmpxchg_futex_value_locked(uaddr, task_pid_vnr(current), 0);
+            cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
-        if (unlikely(uval == -EFAULT))
                goto pi_faulted;
        /*
         * Rare case: we managed to release the lock atomically,
         * no need to wake anyone else up:
         */
-        if (unlikely(uval == task_pid_vnr(current)))
+        if (unlikely(uval == vpid))
                goto out_unlock;
        /*
@@ -2167,7 +2162,7 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
                 * We were woken prior to requeue by a timeout or a signal.
                 * Unqueue the futex_q and determine which it was.
                 */
-                plist_del(&q->list, &q->list.plist);
+                plist_del(&q->list, &hb->chain);
                /* Handle spurious wakeups gracefully */
                ret = -EWOULDBLOCK;
@@ -2463,11 +2458,20 @@ retry:
                 * userspace.
                 */
                mval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
-                nval = futex_atomic_cmpxchg_inatomic(uaddr, uval, mval);
+                /*
+                 * We are not holding a lock here, but we want to have
-                if (nval == -EFAULT)
+                 * the pagefault_disable/enable() protection because
-                        return -1;
+                 * we want to handle the fault gracefully. If the
+                 * access fails we try to fault in the futex with R/W
+                 * verification via get_user_pages. get_user() above
+                 * does not guarantee R/W access. If that fails we
+                 * give up and leave the futex locked.
+                 */
+                if (cmpxchg_futex_value_locked(&nval, uaddr, uval, mval)) {
+                        if (fault_in_user_writeable(uaddr))
+                                return -1;
+                        goto retry;
+                }
                if (nval != uval)
                        goto retry;
@@ -2678,8 +2682,7 @@ static int __init futex_init(void)
         * implementation, the non-functional ones will return
         * -ENOSYS.
         */
-        curval = cmpxchg_futex_value_locked(NULL, 0, 0);
+        if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
-        if (curval == -EFAULT)
                futex_cmpxchg_enabled = 1;
        for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
author	Linus Torvalds <torvalds@linux-foundation.org>	2011-03-15 21:23:52 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2011-03-15 21:23:52 -0400
commit	b80cd62b7d4406bbe8c573fe4381dcc71a2850fd (patch)
tree	b3fbd9dcaac45feefc554b5a46888b2cbec0c51d /kernel/futex.c
parent	c345f60a5f58a65004f22fb0d257d65ec1528310 (diff)
parent	07d5ecae2940ddd77746e2fb597dcf57d3c2e277 (diff)

diff --git a/kernel/futex.c b/kernel/futex.c index b766d28accd6..e9251d934f7d 100644 --- a/kernel/futex.c +++ b/kernel/futex.c
@@ -381,15 +381,16 @@ static struct futex_q futex_top_waiter(struct futex_hash_bucket hb,
381	return NULL;	381	return NULL;
382	}	382	}
383		383
384	static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)	384	static int cmpxchg_futex_value_locked(u32 curval, u32 __user uaddr,
		385	u32 uval, u32 newval)
385	{	386	{
386	u32 curval;	387	int ret;
387		388
388	pagefault_disable();	389	pagefault_disable();
389	curval = futex_atomic_cmpxchg_inatomic(uaddr, uval, newval);	390	ret = futex_atomic_cmpxchg_inatomic(curval, uaddr, uval, newval);
390	pagefault_enable();	391	pagefault_enable();
391		392
392	return curval;	393	return ret;
393	}	394	}
394		395
395	static int get_futex_value_locked(u32 dest, u32 __user from)	396	static int get_futex_value_locked(u32 dest, u32 __user from)
@@ -674,7 +675,7 @@ static int futex_lock_pi_atomic(u32 __user uaddr, struct futex_hash_bucket hb,
674	struct task_struct *task, int set_waiters)	675	struct task_struct *task, int set_waiters)
675	{	676	{
676	int lock_taken, ret, ownerdied = 0;	677	int lock_taken, ret, ownerdied = 0;
677	u32 uval, newval, curval;	678	u32 uval, newval, curval, vpid = task_pid_vnr(task);
678		679
679	retry:	680	retry:
680	ret = lock_taken = 0;	681	ret = lock_taken = 0;
@@ -684,19 +685,17 @@ retry:
684	* (by doing a 0 -> TID atomic cmpxchg), while holding all	685	* (by doing a 0 -> TID atomic cmpxchg), while holding all
685	* the locks. It will most likely not succeed.	686	* the locks. It will most likely not succeed.
686	*/	687	*/
687	newval = task_pid_vnr(task);	688	newval = vpid;
688	if (set_waiters)	689	if (set_waiters)
689	newval \|= FUTEX_WAITERS;	690	newval \|= FUTEX_WAITERS;
690		691
691	curval = cmpxchg_futex_value_locked(uaddr, 0, newval);	692	if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, 0, newval)))
692
693	if (unlikely(curval == -EFAULT))
694	return -EFAULT;	693	return -EFAULT;
695		694
696	/*	695	/*
697	* Detect deadlocks.	696	* Detect deadlocks.
698	*/	697	*/
699	if ((unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(task))))	698	if ((unlikely((curval & FUTEX_TID_MASK) == vpid)))
700	return -EDEADLK;	699	return -EDEADLK;
701		700
702	/*	701	/*
@@ -723,14 +722,12 @@ retry:
723	*/	722	*/
724	if (unlikely(ownerdied \|\| !(curval & FUTEX_TID_MASK))) {	723	if (unlikely(ownerdied \|\| !(curval & FUTEX_TID_MASK))) {
725	/* Keep the OWNER_DIED bit */	724	/* Keep the OWNER_DIED bit */
726	newval = (curval & ~FUTEX_TID_MASK) \| task_pid_vnr(task);	725	newval = (curval & ~FUTEX_TID_MASK) \| vpid;
727	ownerdied = 0;	726	ownerdied = 0;
728	lock_taken = 1;	727	lock_taken = 1;
729	}	728	}
730		729
731	curval = cmpxchg_futex_value_locked(uaddr, uval, newval);	730	if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)))
732
733	if (unlikely(curval == -EFAULT))
734	return -EFAULT;	731	return -EFAULT;
735	if (unlikely(curval != uval))	732	if (unlikely(curval != uval))
736	goto retry;	733	goto retry;
@@ -775,6 +772,24 @@ retry:
775	return ret;	772	return ret;
776	}	773	}
777		774
		775	/**
		776	* __unqueue_futex() - Remove the futex_q from its futex_hash_bucket
		777	* @q: The futex_q to unqueue
		778	*
		779	* The q->lock_ptr must not be NULL and must be held by the caller.
		780	*/
		781	static void __unqueue_futex(struct futex_q *q)
		782	{
		783	struct futex_hash_bucket *hb;
		784
		785	if (WARN_ON(!q->lock_ptr \|\| !spin_is_locked(q->lock_ptr)
		786	\|\| plist_node_empty(&q->list)))
		787	return;
		788
		789	hb = container_of(q->lock_ptr, struct futex_hash_bucket, lock);
		790	plist_del(&q->list, &hb->chain);
		791	}
		792
778	/*	793	/*
779	* The hash bucket lock must be held when this is called.	794	* The hash bucket lock must be held when this is called.
780	* Afterwards, the futex_q must not be accessed.	795	* Afterwards, the futex_q must not be accessed.
@@ -792,7 +807,7 @@ static void wake_futex(struct futex_q *q)
792	*/	807	*/
793	get_task_struct(p);	808	get_task_struct(p);
794		809
795	plist_del(&q->list, &q->list.plist);	810	__unqueue_futex(q);
796	/*	811	/*
797	* The waiting task can free the futex_q as soon as	812	* The waiting task can free the futex_q as soon as
798	* q->lock_ptr = NULL is written, without taking any locks. A	813	* q->lock_ptr = NULL is written, without taking any locks. A
@@ -843,9 +858,7 @@ static int wake_futex_pi(u32 __user uaddr, u32 uval, struct futex_q this)
843		858
844	newval = FUTEX_WAITERS \| task_pid_vnr(new_owner);	859	newval = FUTEX_WAITERS \| task_pid_vnr(new_owner);
845		860
846	curval = cmpxchg_futex_value_locked(uaddr, uval, newval);	861	if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
847
848	if (curval == -EFAULT)
849	ret = -EFAULT;	862	ret = -EFAULT;
850	else if (curval != uval)	863	else if (curval != uval)
851	ret = -EINVAL;	864	ret = -EINVAL;
@@ -880,10 +893,8 @@ static int unlock_futex_pi(u32 __user *uaddr, u32 uval)
880	* There is no waiter, so we unlock the futex. The owner died	893	* There is no waiter, so we unlock the futex. The owner died
881	* bit has not to be preserved here. We are the owner:	894	* bit has not to be preserved here. We are the owner:
882	*/	895	*/
883	oldval = cmpxchg_futex_value_locked(uaddr, uval, 0);	896	if (cmpxchg_futex_value_locked(&oldval, uaddr, uval, 0))
884		897	return -EFAULT;
885	if (oldval == -EFAULT)
886	return oldval;
887	if (oldval != uval)	898	if (oldval != uval)
888	return -EAGAIN;	899	return -EAGAIN;
889		900
@@ -1071,9 +1082,6 @@ void requeue_futex(struct futex_q q, struct futex_hash_bucket hb1,
1071	plist_del(&q->list, &hb1->chain);	1082	plist_del(&q->list, &hb1->chain);
1072	plist_add(&q->list, &hb2->chain);	1083	plist_add(&q->list, &hb2->chain);
1073	q->lock_ptr = &hb2->lock;	1084	q->lock_ptr = &hb2->lock;
1074	#ifdef CONFIG_DEBUG_PI_LIST
1075	q->list.plist.spinlock = &hb2->lock;
1076	#endif
1077	}	1085	}
1078	get_futex_key_refs(key2);	1086	get_futex_key_refs(key2);
1079	q->key = *key2;	1087	q->key = *key2;
@@ -1100,16 +1108,12 @@ void requeue_pi_wake_futex(struct futex_q q, union futex_key key,
1100	get_futex_key_refs(key);	1108	get_futex_key_refs(key);
1101	q->key = *key;	1109	q->key = *key;
1102		1110
1103	WARN_ON(plist_node_empty(&q->list));	1111	__unqueue_futex(q);
1104	plist_del(&q->list, &q->list.plist);
1105		1112
1106	WARN_ON(!q->rt_waiter);	1113	WARN_ON(!q->rt_waiter);
1107	q->rt_waiter = NULL;	1114	q->rt_waiter = NULL;
1108		1115
1109	q->lock_ptr = &hb->lock;	1116	q->lock_ptr = &hb->lock;
1110	#ifdef CONFIG_DEBUG_PI_LIST
1111	q->list.plist.spinlock = &hb->lock;
1112	#endif
1113		1117
1114	wake_up_state(q->task, TASK_NORMAL);	1118	wake_up_state(q->task, TASK_NORMAL);
1115	}	1119	}
@@ -1457,9 +1461,6 @@ static inline void queue_me(struct futex_q q, struct futex_hash_bucket hb)
1457	prio = min(current->normal_prio, MAX_RT_PRIO);	1461	prio = min(current->normal_prio, MAX_RT_PRIO);
1458		1462
1459	plist_node_init(&q->list, prio);	1463	plist_node_init(&q->list, prio);
1460	#ifdef CONFIG_DEBUG_PI_LIST
1461	q->list.plist.spinlock = &hb->lock;
1462	#endif
1463	plist_add(&q->list, &hb->chain);	1464	plist_add(&q->list, &hb->chain);
1464	q->task = current;	1465	q->task = current;
1465	spin_unlock(&hb->lock);	1466	spin_unlock(&hb->lock);
@@ -1504,8 +1505,7 @@ retry:
1504	spin_unlock(lock_ptr);	1505	spin_unlock(lock_ptr);
1505	goto retry;	1506	goto retry;
1506	}	1507	}
1507	WARN_ON(plist_node_empty(&q->list));	1508	__unqueue_futex(q);
1508	plist_del(&q->list, &q->list.plist);
1509		1509
1510	BUG_ON(q->pi_state);	1510	BUG_ON(q->pi_state);
1511		1511
@@ -1525,8 +1525,7 @@ retry:
1525	static void unqueue_me_pi(struct futex_q *q)	1525	static void unqueue_me_pi(struct futex_q *q)
1526	__releases(q->lock_ptr)	1526	__releases(q->lock_ptr)
1527	{	1527	{
1528	WARN_ON(plist_node_empty(&q->list));	1528	__unqueue_futex(q);
1529	plist_del(&q->list, &q->list.plist);
1530		1529
1531	BUG_ON(!q->pi_state);	1530	BUG_ON(!q->pi_state);
1532	free_pi_state(q->pi_state);	1531	free_pi_state(q->pi_state);
@@ -1578,9 +1577,7 @@ retry:
1578	while (1) {	1577	while (1) {
1579	newval = (uval & FUTEX_OWNER_DIED) \| newtid;	1578	newval = (uval & FUTEX_OWNER_DIED) \| newtid;
1580		1579
1581	curval = cmpxchg_futex_value_locked(uaddr, uval, newval);	1580	if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
1582
1583	if (curval == -EFAULT)
1584	goto handle_fault;	1581	goto handle_fault;
1585	if (curval == uval)	1582	if (curval == uval)
1586	break;	1583	break;
@@ -1781,13 +1778,14 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
1781	*	1778	*
1782	* The basic logical guarantee of a futex is that it blocks ONLY	1779	* The basic logical guarantee of a futex is that it blocks ONLY
1783	* if cond(var) is known to be true at the time of blocking, for	1780	* if cond(var) is known to be true at the time of blocking, for
1784	* any cond. If we queued after testing *uaddr, that would open	1781	* any cond. If we locked the hash-bucket after testing *uaddr, that
1785	* a race condition where we could block indefinitely with	1782	* would open a race condition where we could block indefinitely with
1786	* cond(var) false, which would violate the guarantee.	1783	* cond(var) false, which would violate the guarantee.
1787	*	1784	*
1788	* A consequence is that futex_wait() can return zero and absorb	1785	* On the other hand, we insert q and release the hash-bucket only
1789	* a wakeup when *uaddr != val on entry to the syscall. This is	1786	* after testing *uaddr. This guarantees that futex_wait() will NOT
1790	* rare, but normal.	1787	* absorb a wakeup if *uaddr does not match the desired values
		1788	* while the syscall executes.
1791	*/	1789	*/
1792	retry:	1790	retry:
1793	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key);	1791	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key);
@@ -2046,9 +2044,9 @@ static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
2046	{	2044	{
2047	struct futex_hash_bucket *hb;	2045	struct futex_hash_bucket *hb;
2048	struct futex_q this, next;	2046	struct futex_q this, next;
2049	u32 uval;
2050	struct plist_head *head;	2047	struct plist_head *head;
2051	union futex_key key = FUTEX_KEY_INIT;	2048	union futex_key key = FUTEX_KEY_INIT;
		2049	u32 uval, vpid = task_pid_vnr(current);
2052	int ret;	2050	int ret;
2053		2051
2054	retry:	2052	retry:
@@ -2057,7 +2055,7 @@ retry:
2057	/*	2055	/*
2058	* We release only a lock we actually own:	2056	* We release only a lock we actually own:
2059	*/	2057	*/
2060	if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))	2058	if ((uval & FUTEX_TID_MASK) != vpid)
2061	return -EPERM;	2059	return -EPERM;
2062		2060
2063	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key);	2061	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key);
@@ -2072,17 +2070,14 @@ retry:
2072	* again. If it succeeds then we can return without waking	2070	* again. If it succeeds then we can return without waking
2073	* anyone else up:	2071	* anyone else up:
2074	*/	2072	*/
2075	if (!(uval & FUTEX_OWNER_DIED))	2073	if (!(uval & FUTEX_OWNER_DIED) &&
2076	uval = cmpxchg_futex_value_locked(uaddr, task_pid_vnr(current), 0);	2074	cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
2077
2078
2079	if (unlikely(uval == -EFAULT))
2080	goto pi_faulted;	2075	goto pi_faulted;
2081	/*	2076	/*
2082	* Rare case: we managed to release the lock atomically,	2077	* Rare case: we managed to release the lock atomically,
2083	* no need to wake anyone else up:	2078	* no need to wake anyone else up:
2084	*/	2079	*/
2085	if (unlikely(uval == task_pid_vnr(current)))	2080	if (unlikely(uval == vpid))
2086	goto out_unlock;	2081	goto out_unlock;
2087		2082
2088	/*	2083	/*
@@ -2167,7 +2162,7 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
2167	* We were woken prior to requeue by a timeout or a signal.	2162	* We were woken prior to requeue by a timeout or a signal.
2168	* Unqueue the futex_q and determine which it was.	2163	* Unqueue the futex_q and determine which it was.
2169	*/	2164	*/
2170	plist_del(&q->list, &q->list.plist);	2165	plist_del(&q->list, &hb->chain);
2171		2166
2172	/* Handle spurious wakeups gracefully */	2167	/* Handle spurious wakeups gracefully */
2173	ret = -EWOULDBLOCK;	2168	ret = -EWOULDBLOCK;
@@ -2463,11 +2458,20 @@ retry:
2463	* userspace.	2458	* userspace.
2464	*/	2459	*/
2465	mval = (uval & FUTEX_WAITERS) \| FUTEX_OWNER_DIED;	2460	mval = (uval & FUTEX_WAITERS) \| FUTEX_OWNER_DIED;
2466	nval = futex_atomic_cmpxchg_inatomic(uaddr, uval, mval);	2461	/*
2467		2462	* We are not holding a lock here, but we want to have
2468	if (nval == -EFAULT)	2463	* the pagefault_disable/enable() protection because
2469	return -1;	2464	* we want to handle the fault gracefully. If the
2470		2465	* access fails we try to fault in the futex with R/W
		2466	* verification via get_user_pages. get_user() above
		2467	* does not guarantee R/W access. If that fails we
		2468	* give up and leave the futex locked.
		2469	*/
		2470	if (cmpxchg_futex_value_locked(&nval, uaddr, uval, mval)) {
		2471	if (fault_in_user_writeable(uaddr))
		2472	return -1;
		2473	goto retry;
		2474	}
2471	if (nval != uval)	2475	if (nval != uval)
2472	goto retry;	2476	goto retry;
2473		2477
@@ -2678,8 +2682,7 @@ static int __init futex_init(void)
2678	* implementation, the non-functional ones will return	2682	* implementation, the non-functional ones will return
2679	* -ENOSYS.	2683	* -ENOSYS.
2680	*/	2684	*/
2681	curval = cmpxchg_futex_value_locked(NULL, 0, 0);	2685	if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
2682	if (curval == -EFAULT)
2683	futex_cmpxchg_enabled = 1;	2686	futex_cmpxchg_enabled = 1;
2684		2687
2685	for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {	2688	for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {