aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/futex.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/futex.c')
-rw-r--r--kernel/futex.c382
1 files changed, 158 insertions, 224 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 7d1136e97c14..7c6cbabe52b3 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -92,11 +92,12 @@ struct futex_pi_state {
92 * A futex_q has a woken state, just like tasks have TASK_RUNNING. 92 * A futex_q has a woken state, just like tasks have TASK_RUNNING.
93 * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0. 93 * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0.
94 * The order of wakup is always to make the first condition true, then 94 * The order of wakup is always to make the first condition true, then
95 * wake up q->waiters, then make the second condition true. 95 * wake up q->waiter, then make the second condition true.
96 */ 96 */
97struct futex_q { 97struct futex_q {
98 struct plist_node list; 98 struct plist_node list;
99 wait_queue_head_t waiters; 99 /* There can only be a single waiter */
100 wait_queue_head_t waiter;
100 101
101 /* Which hash list lock to use: */ 102 /* Which hash list lock to use: */
102 spinlock_t *lock_ptr; 103 spinlock_t *lock_ptr;
@@ -123,24 +124,6 @@ struct futex_hash_bucket {
123static struct futex_hash_bucket futex_queues[1<<FUTEX_HASHBITS]; 124static struct futex_hash_bucket futex_queues[1<<FUTEX_HASHBITS];
124 125
125/* 126/*
126 * Take mm->mmap_sem, when futex is shared
127 */
128static inline void futex_lock_mm(struct rw_semaphore *fshared)
129{
130 if (fshared)
131 down_read(fshared);
132}
133
134/*
135 * Release mm->mmap_sem, when the futex is shared
136 */
137static inline void futex_unlock_mm(struct rw_semaphore *fshared)
138{
139 if (fshared)
140 up_read(fshared);
141}
142
143/*
144 * We hash on the keys returned from get_futex_key (see below). 127 * We hash on the keys returned from get_futex_key (see below).
145 */ 128 */
146static struct futex_hash_bucket *hash_futex(union futex_key *key) 129static struct futex_hash_bucket *hash_futex(union futex_key *key)
@@ -161,6 +144,45 @@ static inline int match_futex(union futex_key *key1, union futex_key *key2)
161 && key1->both.offset == key2->both.offset); 144 && key1->both.offset == key2->both.offset);
162} 145}
163 146
147/*
148 * Take a reference to the resource addressed by a key.
149 * Can be called while holding spinlocks.
150 *
151 */
152static void get_futex_key_refs(union futex_key *key)
153{
154 if (!key->both.ptr)
155 return;
156
157 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
158 case FUT_OFF_INODE:
159 atomic_inc(&key->shared.inode->i_count);
160 break;
161 case FUT_OFF_MMSHARED:
162 atomic_inc(&key->private.mm->mm_count);
163 break;
164 }
165}
166
167/*
168 * Drop a reference to the resource addressed by a key.
169 * The hash bucket spinlock must not be held.
170 */
171static void drop_futex_key_refs(union futex_key *key)
172{
173 if (!key->both.ptr)
174 return;
175
176 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
177 case FUT_OFF_INODE:
178 iput(key->shared.inode);
179 break;
180 case FUT_OFF_MMSHARED:
181 mmdrop(key->private.mm);
182 break;
183 }
184}
185
164/** 186/**
165 * get_futex_key - Get parameters which are the keys for a futex. 187 * get_futex_key - Get parameters which are the keys for a futex.
166 * @uaddr: virtual address of the futex 188 * @uaddr: virtual address of the futex
@@ -179,12 +201,10 @@ static inline int match_futex(union futex_key *key1, union futex_key *key2)
179 * For other futexes, it points to &current->mm->mmap_sem and 201 * For other futexes, it points to &current->mm->mmap_sem and
180 * caller must have taken the reader lock. but NOT any spinlocks. 202 * caller must have taken the reader lock. but NOT any spinlocks.
181 */ 203 */
182static int get_futex_key(u32 __user *uaddr, struct rw_semaphore *fshared, 204static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
183 union futex_key *key)
184{ 205{
185 unsigned long address = (unsigned long)uaddr; 206 unsigned long address = (unsigned long)uaddr;
186 struct mm_struct *mm = current->mm; 207 struct mm_struct *mm = current->mm;
187 struct vm_area_struct *vma;
188 struct page *page; 208 struct page *page;
189 int err; 209 int err;
190 210
@@ -208,100 +228,50 @@ static int get_futex_key(u32 __user *uaddr, struct rw_semaphore *fshared,
208 return -EFAULT; 228 return -EFAULT;
209 key->private.mm = mm; 229 key->private.mm = mm;
210 key->private.address = address; 230 key->private.address = address;
231 get_futex_key_refs(key);
211 return 0; 232 return 0;
212 } 233 }
213 /*
214 * The futex is hashed differently depending on whether
215 * it's in a shared or private mapping. So check vma first.
216 */
217 vma = find_extend_vma(mm, address);
218 if (unlikely(!vma))
219 return -EFAULT;
220 234
221 /* 235again:
222 * Permissions. 236 err = get_user_pages_fast(address, 1, 0, &page);
223 */ 237 if (err < 0)
224 if (unlikely((vma->vm_flags & (VM_IO|VM_READ)) != VM_READ)) 238 return err;
225 return (vma->vm_flags & VM_IO) ? -EPERM : -EACCES; 239
240 lock_page(page);
241 if (!page->mapping) {
242 unlock_page(page);
243 put_page(page);
244 goto again;
245 }
226 246
227 /* 247 /*
228 * Private mappings are handled in a simple way. 248 * Private mappings are handled in a simple way.
229 * 249 *
230 * NOTE: When userspace waits on a MAP_SHARED mapping, even if 250 * NOTE: When userspace waits on a MAP_SHARED mapping, even if
231 * it's a read-only handle, it's expected that futexes attach to 251 * it's a read-only handle, it's expected that futexes attach to
232 * the object not the particular process. Therefore we use 252 * the object not the particular process.
233 * VM_MAYSHARE here, not VM_SHARED which is restricted to shared
234 * mappings of _writable_ handles.
235 */ 253 */
236 if (likely(!(vma->vm_flags & VM_MAYSHARE))) { 254 if (PageAnon(page)) {
237 key->both.offset |= FUT_OFF_MMSHARED; /* reference taken on mm */ 255 key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
238 key->private.mm = mm; 256 key->private.mm = mm;
239 key->private.address = address; 257 key->private.address = address;
240 return 0; 258 } else {
259 key->both.offset |= FUT_OFF_INODE; /* inode-based key */
260 key->shared.inode = page->mapping->host;
261 key->shared.pgoff = page->index;
241 } 262 }
242 263
243 /* 264 get_futex_key_refs(key);
244 * Linear file mappings are also simple.
245 */
246 key->shared.inode = vma->vm_file->f_path.dentry->d_inode;
247 key->both.offset |= FUT_OFF_INODE; /* inode-based key. */
248 if (likely(!(vma->vm_flags & VM_NONLINEAR))) {
249 key->shared.pgoff = (((address - vma->vm_start) >> PAGE_SHIFT)
250 + vma->vm_pgoff);
251 return 0;
252 }
253 265
254 /* 266 unlock_page(page);
255 * We could walk the page table to read the non-linear 267 put_page(page);
256 * pte, and get the page index without fetching the page 268 return 0;
257 * from swap. But that's a lot of code to duplicate here
258 * for a rare case, so we simply fetch the page.
259 */
260 err = get_user_pages(current, mm, address, 1, 0, 0, &page, NULL);
261 if (err >= 0) {
262 key->shared.pgoff =
263 page->index << (PAGE_CACHE_SHIFT - PAGE_SHIFT);
264 put_page(page);
265 return 0;
266 }
267 return err;
268}
269
270/*
271 * Take a reference to the resource addressed by a key.
272 * Can be called while holding spinlocks.
273 *
274 */
275static void get_futex_key_refs(union futex_key *key)
276{
277 if (key->both.ptr == NULL)
278 return;
279 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
280 case FUT_OFF_INODE:
281 atomic_inc(&key->shared.inode->i_count);
282 break;
283 case FUT_OFF_MMSHARED:
284 atomic_inc(&key->private.mm->mm_count);
285 break;
286 }
287} 269}
288 270
289/* 271static inline
290 * Drop a reference to the resource addressed by a key. 272void put_futex_key(int fshared, union futex_key *key)
291 * The hash bucket spinlock must not be held.
292 */
293static void drop_futex_key_refs(union futex_key *key)
294{ 273{
295 if (!key->both.ptr) 274 drop_futex_key_refs(key);
296 return;
297 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
298 case FUT_OFF_INODE:
299 iput(key->shared.inode);
300 break;
301 case FUT_OFF_MMSHARED:
302 mmdrop(key->private.mm);
303 break;
304 }
305} 275}
306 276
307static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval) 277static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)
@@ -328,10 +298,8 @@ static int get_futex_value_locked(u32 *dest, u32 __user *from)
328 298
329/* 299/*
330 * Fault handling. 300 * Fault handling.
331 * if fshared is non NULL, current->mm->mmap_sem is already held
332 */ 301 */
333static int futex_handle_fault(unsigned long address, 302static int futex_handle_fault(unsigned long address, int attempt)
334 struct rw_semaphore *fshared, int attempt)
335{ 303{
336 struct vm_area_struct * vma; 304 struct vm_area_struct * vma;
337 struct mm_struct *mm = current->mm; 305 struct mm_struct *mm = current->mm;
@@ -340,8 +308,7 @@ static int futex_handle_fault(unsigned long address,
340 if (attempt > 2) 308 if (attempt > 2)
341 return ret; 309 return ret;
342 310
343 if (!fshared) 311 down_read(&mm->mmap_sem);
344 down_read(&mm->mmap_sem);
345 vma = find_vma(mm, address); 312 vma = find_vma(mm, address);
346 if (vma && address >= vma->vm_start && 313 if (vma && address >= vma->vm_start &&
347 (vma->vm_flags & VM_WRITE)) { 314 (vma->vm_flags & VM_WRITE)) {
@@ -361,8 +328,7 @@ static int futex_handle_fault(unsigned long address,
361 current->min_flt++; 328 current->min_flt++;
362 } 329 }
363 } 330 }
364 if (!fshared) 331 up_read(&mm->mmap_sem);
365 up_read(&mm->mmap_sem);
366 return ret; 332 return ret;
367} 333}
368 334
@@ -385,6 +351,7 @@ static int refill_pi_state_cache(void)
385 /* pi_mutex gets initialized later */ 351 /* pi_mutex gets initialized later */
386 pi_state->owner = NULL; 352 pi_state->owner = NULL;
387 atomic_set(&pi_state->refcount, 1); 353 atomic_set(&pi_state->refcount, 1);
354 pi_state->key = FUTEX_KEY_INIT;
388 355
389 current->pi_state_cache = pi_state; 356 current->pi_state_cache = pi_state;
390 357
@@ -439,13 +406,20 @@ static void free_pi_state(struct futex_pi_state *pi_state)
439static struct task_struct * futex_find_get_task(pid_t pid) 406static struct task_struct * futex_find_get_task(pid_t pid)
440{ 407{
441 struct task_struct *p; 408 struct task_struct *p;
409 const struct cred *cred = current_cred(), *pcred;
442 410
443 rcu_read_lock(); 411 rcu_read_lock();
444 p = find_task_by_vpid(pid); 412 p = find_task_by_vpid(pid);
445 if (!p || ((current->euid != p->euid) && (current->euid != p->uid))) 413 if (!p) {
446 p = ERR_PTR(-ESRCH); 414 p = ERR_PTR(-ESRCH);
447 else 415 } else {
448 get_task_struct(p); 416 pcred = __task_cred(p);
417 if (cred->euid != pcred->euid &&
418 cred->euid != pcred->uid)
419 p = ERR_PTR(-ESRCH);
420 else
421 get_task_struct(p);
422 }
449 423
450 rcu_read_unlock(); 424 rcu_read_unlock();
451 425
@@ -462,7 +436,7 @@ void exit_pi_state_list(struct task_struct *curr)
462 struct list_head *next, *head = &curr->pi_state_list; 436 struct list_head *next, *head = &curr->pi_state_list;
463 struct futex_pi_state *pi_state; 437 struct futex_pi_state *pi_state;
464 struct futex_hash_bucket *hb; 438 struct futex_hash_bucket *hb;
465 union futex_key key; 439 union futex_key key = FUTEX_KEY_INIT;
466 440
467 if (!futex_cmpxchg_enabled) 441 if (!futex_cmpxchg_enabled)
468 return; 442 return;
@@ -607,7 +581,7 @@ static void wake_futex(struct futex_q *q)
607 * The lock in wake_up_all() is a crucial memory barrier after the 581 * The lock in wake_up_all() is a crucial memory barrier after the
608 * plist_del() and also before assigning to q->lock_ptr. 582 * plist_del() and also before assigning to q->lock_ptr.
609 */ 583 */
610 wake_up_all(&q->waiters); 584 wake_up(&q->waiter);
611 /* 585 /*
612 * The waiting task can free the futex_q as soon as this is written, 586 * The waiting task can free the futex_q as soon as this is written,
613 * without taking any locks. This must come last. 587 * without taking any locks. This must come last.
@@ -719,20 +693,17 @@ double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
719 * Wake up all waiters hashed on the physical page that is mapped 693 * Wake up all waiters hashed on the physical page that is mapped
720 * to this virtual address: 694 * to this virtual address:
721 */ 695 */
722static int futex_wake(u32 __user *uaddr, struct rw_semaphore *fshared, 696static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
723 int nr_wake, u32 bitset)
724{ 697{
725 struct futex_hash_bucket *hb; 698 struct futex_hash_bucket *hb;
726 struct futex_q *this, *next; 699 struct futex_q *this, *next;
727 struct plist_head *head; 700 struct plist_head *head;
728 union futex_key key; 701 union futex_key key = FUTEX_KEY_INIT;
729 int ret; 702 int ret;
730 703
731 if (!bitset) 704 if (!bitset)
732 return -EINVAL; 705 return -EINVAL;
733 706
734 futex_lock_mm(fshared);
735
736 ret = get_futex_key(uaddr, fshared, &key); 707 ret = get_futex_key(uaddr, fshared, &key);
737 if (unlikely(ret != 0)) 708 if (unlikely(ret != 0))
738 goto out; 709 goto out;
@@ -760,7 +731,7 @@ static int futex_wake(u32 __user *uaddr, struct rw_semaphore *fshared,
760 731
761 spin_unlock(&hb->lock); 732 spin_unlock(&hb->lock);
762out: 733out:
763 futex_unlock_mm(fshared); 734 put_futex_key(fshared, &key);
764 return ret; 735 return ret;
765} 736}
766 737
@@ -769,19 +740,16 @@ out:
769 * to this virtual address: 740 * to this virtual address:
770 */ 741 */
771static int 742static int
772futex_wake_op(u32 __user *uaddr1, struct rw_semaphore *fshared, 743futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
773 u32 __user *uaddr2,
774 int nr_wake, int nr_wake2, int op) 744 int nr_wake, int nr_wake2, int op)
775{ 745{
776 union futex_key key1, key2; 746 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
777 struct futex_hash_bucket *hb1, *hb2; 747 struct futex_hash_bucket *hb1, *hb2;
778 struct plist_head *head; 748 struct plist_head *head;
779 struct futex_q *this, *next; 749 struct futex_q *this, *next;
780 int ret, op_ret, attempt = 0; 750 int ret, op_ret, attempt = 0;
781 751
782retryfull: 752retryfull:
783 futex_lock_mm(fshared);
784
785 ret = get_futex_key(uaddr1, fshared, &key1); 753 ret = get_futex_key(uaddr1, fshared, &key1);
786 if (unlikely(ret != 0)) 754 if (unlikely(ret != 0))
787 goto out; 755 goto out;
@@ -826,18 +794,12 @@ retry:
826 */ 794 */
827 if (attempt++) { 795 if (attempt++) {
828 ret = futex_handle_fault((unsigned long)uaddr2, 796 ret = futex_handle_fault((unsigned long)uaddr2,
829 fshared, attempt); 797 attempt);
830 if (ret) 798 if (ret)
831 goto out; 799 goto out;
832 goto retry; 800 goto retry;
833 } 801 }
834 802
835 /*
836 * If we would have faulted, release mmap_sem,
837 * fault it in and start all over again.
838 */
839 futex_unlock_mm(fshared);
840
841 ret = get_user(dummy, uaddr2); 803 ret = get_user(dummy, uaddr2);
842 if (ret) 804 if (ret)
843 return ret; 805 return ret;
@@ -873,7 +835,8 @@ retry:
873 if (hb1 != hb2) 835 if (hb1 != hb2)
874 spin_unlock(&hb2->lock); 836 spin_unlock(&hb2->lock);
875out: 837out:
876 futex_unlock_mm(fshared); 838 put_futex_key(fshared, &key2);
839 put_futex_key(fshared, &key1);
877 840
878 return ret; 841 return ret;
879} 842}
@@ -882,19 +845,16 @@ out:
882 * Requeue all waiters hashed on one physical page to another 845 * Requeue all waiters hashed on one physical page to another
883 * physical page. 846 * physical page.
884 */ 847 */
885static int futex_requeue(u32 __user *uaddr1, struct rw_semaphore *fshared, 848static int futex_requeue(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
886 u32 __user *uaddr2,
887 int nr_wake, int nr_requeue, u32 *cmpval) 849 int nr_wake, int nr_requeue, u32 *cmpval)
888{ 850{
889 union futex_key key1, key2; 851 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
890 struct futex_hash_bucket *hb1, *hb2; 852 struct futex_hash_bucket *hb1, *hb2;
891 struct plist_head *head1; 853 struct plist_head *head1;
892 struct futex_q *this, *next; 854 struct futex_q *this, *next;
893 int ret, drop_count = 0; 855 int ret, drop_count = 0;
894 856
895 retry: 857 retry:
896 futex_lock_mm(fshared);
897
898 ret = get_futex_key(uaddr1, fshared, &key1); 858 ret = get_futex_key(uaddr1, fshared, &key1);
899 if (unlikely(ret != 0)) 859 if (unlikely(ret != 0))
900 goto out; 860 goto out;
@@ -917,12 +877,6 @@ static int futex_requeue(u32 __user *uaddr1, struct rw_semaphore *fshared,
917 if (hb1 != hb2) 877 if (hb1 != hb2)
918 spin_unlock(&hb2->lock); 878 spin_unlock(&hb2->lock);
919 879
920 /*
921 * If we would have faulted, release mmap_sem, fault
922 * it in and start all over again.
923 */
924 futex_unlock_mm(fshared);
925
926 ret = get_user(curval, uaddr1); 880 ret = get_user(curval, uaddr1);
927 881
928 if (!ret) 882 if (!ret)
@@ -974,7 +928,8 @@ out_unlock:
974 drop_futex_key_refs(&key1); 928 drop_futex_key_refs(&key1);
975 929
976out: 930out:
977 futex_unlock_mm(fshared); 931 put_futex_key(fshared, &key2);
932 put_futex_key(fshared, &key1);
978 return ret; 933 return ret;
979} 934}
980 935
@@ -983,7 +938,7 @@ static inline struct futex_hash_bucket *queue_lock(struct futex_q *q)
983{ 938{
984 struct futex_hash_bucket *hb; 939 struct futex_hash_bucket *hb;
985 940
986 init_waitqueue_head(&q->waiters); 941 init_waitqueue_head(&q->waiter);
987 942
988 get_futex_key_refs(&q->key); 943 get_futex_key_refs(&q->key);
989 hb = hash_futex(&q->key); 944 hb = hash_futex(&q->key);
@@ -1096,8 +1051,7 @@ static void unqueue_me_pi(struct futex_q *q)
1096 * private futexes. 1051 * private futexes.
1097 */ 1052 */
1098static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, 1053static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
1099 struct task_struct *newowner, 1054 struct task_struct *newowner, int fshared)
1100 struct rw_semaphore *fshared)
1101{ 1055{
1102 u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; 1056 u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
1103 struct futex_pi_state *pi_state = q->pi_state; 1057 struct futex_pi_state *pi_state = q->pi_state;
@@ -1176,7 +1130,7 @@ retry:
1176handle_fault: 1130handle_fault:
1177 spin_unlock(q->lock_ptr); 1131 spin_unlock(q->lock_ptr);
1178 1132
1179 ret = futex_handle_fault((unsigned long)uaddr, fshared, attempt++); 1133 ret = futex_handle_fault((unsigned long)uaddr, attempt++);
1180 1134
1181 spin_lock(q->lock_ptr); 1135 spin_lock(q->lock_ptr);
1182 1136
@@ -1196,12 +1150,13 @@ handle_fault:
1196 * In case we must use restart_block to restart a futex_wait, 1150 * In case we must use restart_block to restart a futex_wait,
1197 * we encode in the 'flags' shared capability 1151 * we encode in the 'flags' shared capability
1198 */ 1152 */
1199#define FLAGS_SHARED 1 1153#define FLAGS_SHARED 0x01
1154#define FLAGS_CLOCKRT 0x02
1200 1155
1201static long futex_wait_restart(struct restart_block *restart); 1156static long futex_wait_restart(struct restart_block *restart);
1202 1157
1203static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, 1158static int futex_wait(u32 __user *uaddr, int fshared,
1204 u32 val, ktime_t *abs_time, u32 bitset) 1159 u32 val, ktime_t *abs_time, u32 bitset, int clockrt)
1205{ 1160{
1206 struct task_struct *curr = current; 1161 struct task_struct *curr = current;
1207 DECLARE_WAITQUEUE(wait, curr); 1162 DECLARE_WAITQUEUE(wait, curr);
@@ -1218,8 +1173,7 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1218 q.pi_state = NULL; 1173 q.pi_state = NULL;
1219 q.bitset = bitset; 1174 q.bitset = bitset;
1220 retry: 1175 retry:
1221 futex_lock_mm(fshared); 1176 q.key = FUTEX_KEY_INIT;
1222
1223 ret = get_futex_key(uaddr, fshared, &q.key); 1177 ret = get_futex_key(uaddr, fshared, &q.key);
1224 if (unlikely(ret != 0)) 1178 if (unlikely(ret != 0))
1225 goto out_release_sem; 1179 goto out_release_sem;
@@ -1251,12 +1205,6 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1251 if (unlikely(ret)) { 1205 if (unlikely(ret)) {
1252 queue_unlock(&q, hb); 1206 queue_unlock(&q, hb);
1253 1207
1254 /*
1255 * If we would have faulted, release mmap_sem, fault it in and
1256 * start all over again.
1257 */
1258 futex_unlock_mm(fshared);
1259
1260 ret = get_user(uval, uaddr); 1208 ret = get_user(uval, uaddr);
1261 1209
1262 if (!ret) 1210 if (!ret)
@@ -1271,12 +1219,6 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1271 queue_me(&q, hb); 1219 queue_me(&q, hb);
1272 1220
1273 /* 1221 /*
1274 * Now the futex is queued and we have checked the data, we
1275 * don't want to hold mmap_sem while we sleep.
1276 */
1277 futex_unlock_mm(fshared);
1278
1279 /*
1280 * There might have been scheduling since the queue_me(), as we 1222 * There might have been scheduling since the queue_me(), as we
1281 * cannot hold a spinlock across the get_user() in case it 1223 * cannot hold a spinlock across the get_user() in case it
1282 * faults, and we cannot just set TASK_INTERRUPTIBLE state when 1224 * faults, and we cannot just set TASK_INTERRUPTIBLE state when
@@ -1287,7 +1229,7 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1287 1229
1288 /* add_wait_queue is the barrier after __set_current_state. */ 1230 /* add_wait_queue is the barrier after __set_current_state. */
1289 __set_current_state(TASK_INTERRUPTIBLE); 1231 __set_current_state(TASK_INTERRUPTIBLE);
1290 add_wait_queue(&q.waiters, &wait); 1232 add_wait_queue(&q.waiter, &wait);
1291 /* 1233 /*
1292 * !plist_node_empty() is safe here without any lock. 1234 * !plist_node_empty() is safe here without any lock.
1293 * q.lock_ptr != 0 is not safe, because of ordering against wakeup. 1235 * q.lock_ptr != 0 is not safe, because of ordering against wakeup.
@@ -1296,13 +1238,18 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1296 if (!abs_time) 1238 if (!abs_time)
1297 schedule(); 1239 schedule();
1298 else { 1240 else {
1299 hrtimer_init_on_stack(&t.timer, CLOCK_MONOTONIC, 1241 unsigned long slack;
1300 HRTIMER_MODE_ABS); 1242 slack = current->timer_slack_ns;
1243 if (rt_task(current))
1244 slack = 0;
1245 hrtimer_init_on_stack(&t.timer,
1246 clockrt ? CLOCK_REALTIME :
1247 CLOCK_MONOTONIC,
1248 HRTIMER_MODE_ABS);
1301 hrtimer_init_sleeper(&t, current); 1249 hrtimer_init_sleeper(&t, current);
1302 t.timer.expires = *abs_time; 1250 hrtimer_set_expires_range_ns(&t.timer, *abs_time, slack);
1303 1251
1304 hrtimer_start(&t.timer, t.timer.expires, 1252 hrtimer_start_expires(&t.timer, HRTIMER_MODE_ABS);
1305 HRTIMER_MODE_ABS);
1306 if (!hrtimer_active(&t.timer)) 1253 if (!hrtimer_active(&t.timer))
1307 t.task = NULL; 1254 t.task = NULL;
1308 1255
@@ -1353,6 +1300,8 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1353 1300
1354 if (fshared) 1301 if (fshared)
1355 restart->futex.flags |= FLAGS_SHARED; 1302 restart->futex.flags |= FLAGS_SHARED;
1303 if (clockrt)
1304 restart->futex.flags |= FLAGS_CLOCKRT;
1356 return -ERESTART_RESTARTBLOCK; 1305 return -ERESTART_RESTARTBLOCK;
1357 } 1306 }
1358 1307
@@ -1360,7 +1309,7 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1360 queue_unlock(&q, hb); 1309 queue_unlock(&q, hb);
1361 1310
1362 out_release_sem: 1311 out_release_sem:
1363 futex_unlock_mm(fshared); 1312 put_futex_key(fshared, &q.key);
1364 return ret; 1313 return ret;
1365} 1314}
1366 1315
@@ -1368,15 +1317,16 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1368static long futex_wait_restart(struct restart_block *restart) 1317static long futex_wait_restart(struct restart_block *restart)
1369{ 1318{
1370 u32 __user *uaddr = (u32 __user *)restart->futex.uaddr; 1319 u32 __user *uaddr = (u32 __user *)restart->futex.uaddr;
1371 struct rw_semaphore *fshared = NULL; 1320 int fshared = 0;
1372 ktime_t t; 1321 ktime_t t;
1373 1322
1374 t.tv64 = restart->futex.time; 1323 t.tv64 = restart->futex.time;
1375 restart->fn = do_no_restart_syscall; 1324 restart->fn = do_no_restart_syscall;
1376 if (restart->futex.flags & FLAGS_SHARED) 1325 if (restart->futex.flags & FLAGS_SHARED)
1377 fshared = &current->mm->mmap_sem; 1326 fshared = 1;
1378 return (long)futex_wait(uaddr, fshared, restart->futex.val, &t, 1327 return (long)futex_wait(uaddr, fshared, restart->futex.val, &t,
1379 restart->futex.bitset); 1328 restart->futex.bitset,
1329 restart->futex.flags & FLAGS_CLOCKRT);
1380} 1330}
1381 1331
1382 1332
@@ -1386,7 +1336,7 @@ static long futex_wait_restart(struct restart_block *restart)
1386 * if there are waiters then it will block, it does PI, etc. (Due to 1336 * if there are waiters then it will block, it does PI, etc. (Due to
1387 * races the kernel might see a 0 value of the futex too.) 1337 * races the kernel might see a 0 value of the futex too.)
1388 */ 1338 */
1389static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared, 1339static int futex_lock_pi(u32 __user *uaddr, int fshared,
1390 int detect, ktime_t *time, int trylock) 1340 int detect, ktime_t *time, int trylock)
1391{ 1341{
1392 struct hrtimer_sleeper timeout, *to = NULL; 1342 struct hrtimer_sleeper timeout, *to = NULL;
@@ -1404,13 +1354,12 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1404 hrtimer_init_on_stack(&to->timer, CLOCK_REALTIME, 1354 hrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,
1405 HRTIMER_MODE_ABS); 1355 HRTIMER_MODE_ABS);
1406 hrtimer_init_sleeper(to, current); 1356 hrtimer_init_sleeper(to, current);
1407 to->timer.expires = *time; 1357 hrtimer_set_expires(&to->timer, *time);
1408 } 1358 }
1409 1359
1410 q.pi_state = NULL; 1360 q.pi_state = NULL;
1411 retry: 1361 retry:
1412 futex_lock_mm(fshared); 1362 q.key = FUTEX_KEY_INIT;
1413
1414 ret = get_futex_key(uaddr, fshared, &q.key); 1363 ret = get_futex_key(uaddr, fshared, &q.key);
1415 if (unlikely(ret != 0)) 1364 if (unlikely(ret != 0))
1416 goto out_release_sem; 1365 goto out_release_sem;
@@ -1499,7 +1448,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1499 * exit to complete. 1448 * exit to complete.
1500 */ 1449 */
1501 queue_unlock(&q, hb); 1450 queue_unlock(&q, hb);
1502 futex_unlock_mm(fshared);
1503 cond_resched(); 1451 cond_resched();
1504 goto retry; 1452 goto retry;
1505 1453
@@ -1531,12 +1479,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1531 */ 1479 */
1532 queue_me(&q, hb); 1480 queue_me(&q, hb);
1533 1481
1534 /*
1535 * Now the futex is queued and we have checked the data, we
1536 * don't want to hold mmap_sem while we sleep.
1537 */
1538 futex_unlock_mm(fshared);
1539
1540 WARN_ON(!q.pi_state); 1482 WARN_ON(!q.pi_state);
1541 /* 1483 /*
1542 * Block on the PI mutex: 1484 * Block on the PI mutex:
@@ -1549,7 +1491,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1549 ret = ret ? 0 : -EWOULDBLOCK; 1491 ret = ret ? 0 : -EWOULDBLOCK;
1550 } 1492 }
1551 1493
1552 futex_lock_mm(fshared);
1553 spin_lock(q.lock_ptr); 1494 spin_lock(q.lock_ptr);
1554 1495
1555 if (!ret) { 1496 if (!ret) {
@@ -1615,7 +1556,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1615 1556
1616 /* Unqueue and drop the lock */ 1557 /* Unqueue and drop the lock */
1617 unqueue_me_pi(&q); 1558 unqueue_me_pi(&q);
1618 futex_unlock_mm(fshared);
1619 1559
1620 if (to) 1560 if (to)
1621 destroy_hrtimer_on_stack(&to->timer); 1561 destroy_hrtimer_on_stack(&to->timer);
@@ -1625,34 +1565,30 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1625 queue_unlock(&q, hb); 1565 queue_unlock(&q, hb);
1626 1566
1627 out_release_sem: 1567 out_release_sem:
1628 futex_unlock_mm(fshared); 1568 put_futex_key(fshared, &q.key);
1629 if (to) 1569 if (to)
1630 destroy_hrtimer_on_stack(&to->timer); 1570 destroy_hrtimer_on_stack(&to->timer);
1631 return ret; 1571 return ret;
1632 1572
1633 uaddr_faulted: 1573 uaddr_faulted:
1634 /* 1574 /*
1635 * We have to r/w *(int __user *)uaddr, but we can't modify it 1575 * We have to r/w *(int __user *)uaddr, and we have to modify it
1636 * non-atomically. Therefore, if get_user below is not 1576 * atomically. Therefore, if we continue to fault after get_user()
1637 * enough, we need to handle the fault ourselves, while 1577 * below, we need to handle the fault ourselves, while still holding
1638 * still holding the mmap_sem. 1578 * the mmap_sem. This can occur if the uaddr is under contention as
1639 * 1579 * we have to drop the mmap_sem in order to call get_user().
1640 * ... and hb->lock. :-) --ANK
1641 */ 1580 */
1642 queue_unlock(&q, hb); 1581 queue_unlock(&q, hb);
1643 1582
1644 if (attempt++) { 1583 if (attempt++) {
1645 ret = futex_handle_fault((unsigned long)uaddr, fshared, 1584 ret = futex_handle_fault((unsigned long)uaddr, attempt);
1646 attempt);
1647 if (ret) 1585 if (ret)
1648 goto out_release_sem; 1586 goto out_release_sem;
1649 goto retry_unlocked; 1587 goto retry_unlocked;
1650 } 1588 }
1651 1589
1652 futex_unlock_mm(fshared);
1653
1654 ret = get_user(uval, uaddr); 1590 ret = get_user(uval, uaddr);
1655 if (!ret && (uval != -EFAULT)) 1591 if (!ret)
1656 goto retry; 1592 goto retry;
1657 1593
1658 if (to) 1594 if (to)
@@ -1665,13 +1601,13 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1665 * This is the in-kernel slowpath: we look up the PI state (if any), 1601 * This is the in-kernel slowpath: we look up the PI state (if any),
1666 * and do the rt-mutex unlock. 1602 * and do the rt-mutex unlock.
1667 */ 1603 */
1668static int futex_unlock_pi(u32 __user *uaddr, struct rw_semaphore *fshared) 1604static int futex_unlock_pi(u32 __user *uaddr, int fshared)
1669{ 1605{
1670 struct futex_hash_bucket *hb; 1606 struct futex_hash_bucket *hb;
1671 struct futex_q *this, *next; 1607 struct futex_q *this, *next;
1672 u32 uval; 1608 u32 uval;
1673 struct plist_head *head; 1609 struct plist_head *head;
1674 union futex_key key; 1610 union futex_key key = FUTEX_KEY_INIT;
1675 int ret, attempt = 0; 1611 int ret, attempt = 0;
1676 1612
1677retry: 1613retry:
@@ -1682,10 +1618,6 @@ retry:
1682 */ 1618 */
1683 if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current)) 1619 if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
1684 return -EPERM; 1620 return -EPERM;
1685 /*
1686 * First take all the futex related locks:
1687 */
1688 futex_lock_mm(fshared);
1689 1621
1690 ret = get_futex_key(uaddr, fshared, &key); 1622 ret = get_futex_key(uaddr, fshared, &key);
1691 if (unlikely(ret != 0)) 1623 if (unlikely(ret != 0))
@@ -1744,34 +1676,30 @@ retry_unlocked:
1744out_unlock: 1676out_unlock:
1745 spin_unlock(&hb->lock); 1677 spin_unlock(&hb->lock);
1746out: 1678out:
1747 futex_unlock_mm(fshared); 1679 put_futex_key(fshared, &key);
1748 1680
1749 return ret; 1681 return ret;
1750 1682
1751pi_faulted: 1683pi_faulted:
1752 /* 1684 /*
1753 * We have to r/w *(int __user *)uaddr, but we can't modify it 1685 * We have to r/w *(int __user *)uaddr, and we have to modify it
1754 * non-atomically. Therefore, if get_user below is not 1686 * atomically. Therefore, if we continue to fault after get_user()
1755 * enough, we need to handle the fault ourselves, while 1687 * below, we need to handle the fault ourselves, while still holding
1756 * still holding the mmap_sem. 1688 * the mmap_sem. This can occur if the uaddr is under contention as
1757 * 1689 * we have to drop the mmap_sem in order to call get_user().
1758 * ... and hb->lock. --ANK
1759 */ 1690 */
1760 spin_unlock(&hb->lock); 1691 spin_unlock(&hb->lock);
1761 1692
1762 if (attempt++) { 1693 if (attempt++) {
1763 ret = futex_handle_fault((unsigned long)uaddr, fshared, 1694 ret = futex_handle_fault((unsigned long)uaddr, attempt);
1764 attempt);
1765 if (ret) 1695 if (ret)
1766 goto out; 1696 goto out;
1767 uval = 0; 1697 uval = 0;
1768 goto retry_unlocked; 1698 goto retry_unlocked;
1769 } 1699 }
1770 1700
1771 futex_unlock_mm(fshared);
1772
1773 ret = get_user(uval, uaddr); 1701 ret = get_user(uval, uaddr);
1774 if (!ret && (uval != -EFAULT)) 1702 if (!ret)
1775 goto retry; 1703 goto retry;
1776 1704
1777 return ret; 1705 return ret;
@@ -1826,6 +1754,7 @@ sys_get_robust_list(int pid, struct robust_list_head __user * __user *head_ptr,
1826{ 1754{
1827 struct robust_list_head __user *head; 1755 struct robust_list_head __user *head;
1828 unsigned long ret; 1756 unsigned long ret;
1757 const struct cred *cred = current_cred(), *pcred;
1829 1758
1830 if (!futex_cmpxchg_enabled) 1759 if (!futex_cmpxchg_enabled)
1831 return -ENOSYS; 1760 return -ENOSYS;
@@ -1841,8 +1770,10 @@ sys_get_robust_list(int pid, struct robust_list_head __user * __user *head_ptr,
1841 if (!p) 1770 if (!p)
1842 goto err_unlock; 1771 goto err_unlock;
1843 ret = -EPERM; 1772 ret = -EPERM;
1844 if ((current->euid != p->euid) && (current->euid != p->uid) && 1773 pcred = __task_cred(p);
1845 !capable(CAP_SYS_PTRACE)) 1774 if (cred->euid != pcred->euid &&
1775 cred->euid != pcred->uid &&
1776 !capable(CAP_SYS_PTRACE))
1846 goto err_unlock; 1777 goto err_unlock;
1847 head = p->robust_list; 1778 head = p->robust_list;
1848 rcu_read_unlock(); 1779 rcu_read_unlock();
@@ -1895,8 +1826,7 @@ retry:
1895 * PI futexes happens in exit_pi_state(): 1826 * PI futexes happens in exit_pi_state():
1896 */ 1827 */
1897 if (!pi && (uval & FUTEX_WAITERS)) 1828 if (!pi && (uval & FUTEX_WAITERS))
1898 futex_wake(uaddr, &curr->mm->mmap_sem, 1, 1829 futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
1899 FUTEX_BITSET_MATCH_ANY);
1900 } 1830 }
1901 return 0; 1831 return 0;
1902} 1832}
@@ -1990,18 +1920,22 @@ void exit_robust_list(struct task_struct *curr)
1990long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, 1920long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
1991 u32 __user *uaddr2, u32 val2, u32 val3) 1921 u32 __user *uaddr2, u32 val2, u32 val3)
1992{ 1922{
1993 int ret = -ENOSYS; 1923 int clockrt, ret = -ENOSYS;
1994 int cmd = op & FUTEX_CMD_MASK; 1924 int cmd = op & FUTEX_CMD_MASK;
1995 struct rw_semaphore *fshared = NULL; 1925 int fshared = 0;
1996 1926
1997 if (!(op & FUTEX_PRIVATE_FLAG)) 1927 if (!(op & FUTEX_PRIVATE_FLAG))
1998 fshared = &current->mm->mmap_sem; 1928 fshared = 1;
1929
1930 clockrt = op & FUTEX_CLOCK_REALTIME;
1931 if (clockrt && cmd != FUTEX_WAIT_BITSET)
1932 return -ENOSYS;
1999 1933
2000 switch (cmd) { 1934 switch (cmd) {
2001 case FUTEX_WAIT: 1935 case FUTEX_WAIT:
2002 val3 = FUTEX_BITSET_MATCH_ANY; 1936 val3 = FUTEX_BITSET_MATCH_ANY;
2003 case FUTEX_WAIT_BITSET: 1937 case FUTEX_WAIT_BITSET:
2004 ret = futex_wait(uaddr, fshared, val, timeout, val3); 1938 ret = futex_wait(uaddr, fshared, val, timeout, val3, clockrt);
2005 break; 1939 break;
2006 case FUTEX_WAKE: 1940 case FUTEX_WAKE:
2007 val3 = FUTEX_BITSET_MATCH_ANY; 1941 val3 = FUTEX_BITSET_MATCH_ANY;
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-01 13:54:29 -0500