aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/futex.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/futex.c')
-rw-r--r--kernel/futex.c433
1 files changed, 186 insertions, 247 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 8af10027514b..002aa189eb09 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -92,11 +92,12 @@ struct futex_pi_state {
92 * A futex_q has a woken state, just like tasks have TASK_RUNNING. 92 * A futex_q has a woken state, just like tasks have TASK_RUNNING.
93 * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0. 93 * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0.
94 * The order of wakup is always to make the first condition true, then 94 * The order of wakup is always to make the first condition true, then
95 * wake up q->waiters, then make the second condition true. 95 * wake up q->waiter, then make the second condition true.
96 */ 96 */
97struct futex_q { 97struct futex_q {
98 struct plist_node list; 98 struct plist_node list;
99 wait_queue_head_t waiters; 99 /* There can only be a single waiter */
100 wait_queue_head_t waiter;
100 101
101 /* Which hash list lock to use: */ 102 /* Which hash list lock to use: */
102 spinlock_t *lock_ptr; 103 spinlock_t *lock_ptr;
@@ -123,24 +124,6 @@ struct futex_hash_bucket {
123static struct futex_hash_bucket futex_queues[1<<FUTEX_HASHBITS]; 124static struct futex_hash_bucket futex_queues[1<<FUTEX_HASHBITS];
124 125
125/* 126/*
126 * Take mm->mmap_sem, when futex is shared
127 */
128static inline void futex_lock_mm(struct rw_semaphore *fshared)
129{
130 if (fshared)
131 down_read(fshared);
132}
133
134/*
135 * Release mm->mmap_sem, when the futex is shared
136 */
137static inline void futex_unlock_mm(struct rw_semaphore *fshared)
138{
139 if (fshared)
140 up_read(fshared);
141}
142
143/*
144 * We hash on the keys returned from get_futex_key (see below). 127 * We hash on the keys returned from get_futex_key (see below).
145 */ 128 */
146static struct futex_hash_bucket *hash_futex(union futex_key *key) 129static struct futex_hash_bucket *hash_futex(union futex_key *key)
@@ -161,6 +144,48 @@ static inline int match_futex(union futex_key *key1, union futex_key *key2)
161 && key1->both.offset == key2->both.offset); 144 && key1->both.offset == key2->both.offset);
162} 145}
163 146
147/*
148 * Take a reference to the resource addressed by a key.
149 * Can be called while holding spinlocks.
150 *
151 */
152static void get_futex_key_refs(union futex_key *key)
153{
154 if (!key->both.ptr)
155 return;
156
157 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
158 case FUT_OFF_INODE:
159 atomic_inc(&key->shared.inode->i_count);
160 break;
161 case FUT_OFF_MMSHARED:
162 atomic_inc(&key->private.mm->mm_count);
163 break;
164 }
165}
166
167/*
168 * Drop a reference to the resource addressed by a key.
169 * The hash bucket spinlock must not be held.
170 */
171static void drop_futex_key_refs(union futex_key *key)
172{
173 if (!key->both.ptr) {
174 /* If we're here then we tried to put a key we failed to get */
175 WARN_ON_ONCE(1);
176 return;
177 }
178
179 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
180 case FUT_OFF_INODE:
181 iput(key->shared.inode);
182 break;
183 case FUT_OFF_MMSHARED:
184 mmdrop(key->private.mm);
185 break;
186 }
187}
188
164/** 189/**
165 * get_futex_key - Get parameters which are the keys for a futex. 190 * get_futex_key - Get parameters which are the keys for a futex.
166 * @uaddr: virtual address of the futex 191 * @uaddr: virtual address of the futex
@@ -179,12 +204,10 @@ static inline int match_futex(union futex_key *key1, union futex_key *key2)
179 * For other futexes, it points to &current->mm->mmap_sem and 204 * For other futexes, it points to &current->mm->mmap_sem and
180 * caller must have taken the reader lock. but NOT any spinlocks. 205 * caller must have taken the reader lock. but NOT any spinlocks.
181 */ 206 */
182static int get_futex_key(u32 __user *uaddr, struct rw_semaphore *fshared, 207static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
183 union futex_key *key)
184{ 208{
185 unsigned long address = (unsigned long)uaddr; 209 unsigned long address = (unsigned long)uaddr;
186 struct mm_struct *mm = current->mm; 210 struct mm_struct *mm = current->mm;
187 struct vm_area_struct *vma;
188 struct page *page; 211 struct page *page;
189 int err; 212 int err;
190 213
@@ -208,100 +231,50 @@ static int get_futex_key(u32 __user *uaddr, struct rw_semaphore *fshared,
208 return -EFAULT; 231 return -EFAULT;
209 key->private.mm = mm; 232 key->private.mm = mm;
210 key->private.address = address; 233 key->private.address = address;
234 get_futex_key_refs(key);
211 return 0; 235 return 0;
212 } 236 }
213 /*
214 * The futex is hashed differently depending on whether
215 * it's in a shared or private mapping. So check vma first.
216 */
217 vma = find_extend_vma(mm, address);
218 if (unlikely(!vma))
219 return -EFAULT;
220 237
221 /* 238again:
222 * Permissions. 239 err = get_user_pages_fast(address, 1, 0, &page);
223 */ 240 if (err < 0)
224 if (unlikely((vma->vm_flags & (VM_IO|VM_READ)) != VM_READ)) 241 return err;
225 return (vma->vm_flags & VM_IO) ? -EPERM : -EACCES; 242
243 lock_page(page);
244 if (!page->mapping) {
245 unlock_page(page);
246 put_page(page);
247 goto again;
248 }
226 249
227 /* 250 /*
228 * Private mappings are handled in a simple way. 251 * Private mappings are handled in a simple way.
229 * 252 *
230 * NOTE: When userspace waits on a MAP_SHARED mapping, even if 253 * NOTE: When userspace waits on a MAP_SHARED mapping, even if
231 * it's a read-only handle, it's expected that futexes attach to 254 * it's a read-only handle, it's expected that futexes attach to
232 * the object not the particular process. Therefore we use 255 * the object not the particular process.
233 * VM_MAYSHARE here, not VM_SHARED which is restricted to shared
234 * mappings of _writable_ handles.
235 */ 256 */
236 if (likely(!(vma->vm_flags & VM_MAYSHARE))) { 257 if (PageAnon(page)) {
237 key->both.offset |= FUT_OFF_MMSHARED; /* reference taken on mm */ 258 key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
238 key->private.mm = mm; 259 key->private.mm = mm;
239 key->private.address = address; 260 key->private.address = address;
240 return 0; 261 } else {
241 } 262 key->both.offset |= FUT_OFF_INODE; /* inode-based key */
242 263 key->shared.inode = page->mapping->host;
243 /* 264 key->shared.pgoff = page->index;
244 * Linear file mappings are also simple.
245 */
246 key->shared.inode = vma->vm_file->f_path.dentry->d_inode;
247 key->both.offset |= FUT_OFF_INODE; /* inode-based key. */
248 if (likely(!(vma->vm_flags & VM_NONLINEAR))) {
249 key->shared.pgoff = (((address - vma->vm_start) >> PAGE_SHIFT)
250 + vma->vm_pgoff);
251 return 0;
252 } 265 }
253 266
254 /* 267 get_futex_key_refs(key);
255 * We could walk the page table to read the non-linear
256 * pte, and get the page index without fetching the page
257 * from swap. But that's a lot of code to duplicate here
258 * for a rare case, so we simply fetch the page.
259 */
260 err = get_user_pages(current, mm, address, 1, 0, 0, &page, NULL);
261 if (err >= 0) {
262 key->shared.pgoff =
263 page->index << (PAGE_CACHE_SHIFT - PAGE_SHIFT);
264 put_page(page);
265 return 0;
266 }
267 return err;
268}
269 268
270/* 269 unlock_page(page);
271 * Take a reference to the resource addressed by a key. 270 put_page(page);
272 * Can be called while holding spinlocks. 271 return 0;
273 *
274 */
275static void get_futex_key_refs(union futex_key *key)
276{
277 if (key->both.ptr == NULL)
278 return;
279 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
280 case FUT_OFF_INODE:
281 atomic_inc(&key->shared.inode->i_count);
282 break;
283 case FUT_OFF_MMSHARED:
284 atomic_inc(&key->private.mm->mm_count);
285 break;
286 }
287} 272}
288 273
289/* 274static inline
290 * Drop a reference to the resource addressed by a key. 275void put_futex_key(int fshared, union futex_key *key)
291 * The hash bucket spinlock must not be held.
292 */
293static void drop_futex_key_refs(union futex_key *key)
294{ 276{
295 if (!key->both.ptr) 277 drop_futex_key_refs(key);
296 return;
297 switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
298 case FUT_OFF_INODE:
299 iput(key->shared.inode);
300 break;
301 case FUT_OFF_MMSHARED:
302 mmdrop(key->private.mm);
303 break;
304 }
305} 278}
306 279
307static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval) 280static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)
@@ -328,10 +301,8 @@ static int get_futex_value_locked(u32 *dest, u32 __user *from)
328 301
329/* 302/*
330 * Fault handling. 303 * Fault handling.
331 * if fshared is non NULL, current->mm->mmap_sem is already held
332 */ 304 */
333static int futex_handle_fault(unsigned long address, 305static int futex_handle_fault(unsigned long address, int attempt)
334 struct rw_semaphore *fshared, int attempt)
335{ 306{
336 struct vm_area_struct * vma; 307 struct vm_area_struct * vma;
337 struct mm_struct *mm = current->mm; 308 struct mm_struct *mm = current->mm;
@@ -340,8 +311,7 @@ static int futex_handle_fault(unsigned long address,
340 if (attempt > 2) 311 if (attempt > 2)
341 return ret; 312 return ret;
342 313
343 if (!fshared) 314 down_read(&mm->mmap_sem);
344 down_read(&mm->mmap_sem);
345 vma = find_vma(mm, address); 315 vma = find_vma(mm, address);
346 if (vma && address >= vma->vm_start && 316 if (vma && address >= vma->vm_start &&
347 (vma->vm_flags & VM_WRITE)) { 317 (vma->vm_flags & VM_WRITE)) {
@@ -361,8 +331,7 @@ static int futex_handle_fault(unsigned long address,
361 current->min_flt++; 331 current->min_flt++;
362 } 332 }
363 } 333 }
364 if (!fshared) 334 up_read(&mm->mmap_sem);
365 up_read(&mm->mmap_sem);
366 return ret; 335 return ret;
367} 336}
368 337
@@ -385,6 +354,7 @@ static int refill_pi_state_cache(void)
385 /* pi_mutex gets initialized later */ 354 /* pi_mutex gets initialized later */
386 pi_state->owner = NULL; 355 pi_state->owner = NULL;
387 atomic_set(&pi_state->refcount, 1); 356 atomic_set(&pi_state->refcount, 1);
357 pi_state->key = FUTEX_KEY_INIT;
388 358
389 current->pi_state_cache = pi_state; 359 current->pi_state_cache = pi_state;
390 360
@@ -439,13 +409,20 @@ static void free_pi_state(struct futex_pi_state *pi_state)
439static struct task_struct * futex_find_get_task(pid_t pid) 409static struct task_struct * futex_find_get_task(pid_t pid)
440{ 410{
441 struct task_struct *p; 411 struct task_struct *p;
412 const struct cred *cred = current_cred(), *pcred;
442 413
443 rcu_read_lock(); 414 rcu_read_lock();
444 p = find_task_by_vpid(pid); 415 p = find_task_by_vpid(pid);
445 if (!p || ((current->euid != p->euid) && (current->euid != p->uid))) 416 if (!p) {
446 p = ERR_PTR(-ESRCH); 417 p = ERR_PTR(-ESRCH);
447 else 418 } else {
448 get_task_struct(p); 419 pcred = __task_cred(p);
420 if (cred->euid != pcred->euid &&
421 cred->euid != pcred->uid)
422 p = ERR_PTR(-ESRCH);
423 else
424 get_task_struct(p);
425 }
449 426
450 rcu_read_unlock(); 427 rcu_read_unlock();
451 428
@@ -462,7 +439,7 @@ void exit_pi_state_list(struct task_struct *curr)
462 struct list_head *next, *head = &curr->pi_state_list; 439 struct list_head *next, *head = &curr->pi_state_list;
463 struct futex_pi_state *pi_state; 440 struct futex_pi_state *pi_state;
464 struct futex_hash_bucket *hb; 441 struct futex_hash_bucket *hb;
465 union futex_key key; 442 union futex_key key = FUTEX_KEY_INIT;
466 443
467 if (!futex_cmpxchg_enabled) 444 if (!futex_cmpxchg_enabled)
468 return; 445 return;
@@ -607,7 +584,7 @@ static void wake_futex(struct futex_q *q)
607 * The lock in wake_up_all() is a crucial memory barrier after the 584 * The lock in wake_up_all() is a crucial memory barrier after the
608 * plist_del() and also before assigning to q->lock_ptr. 585 * plist_del() and also before assigning to q->lock_ptr.
609 */ 586 */
610 wake_up_all(&q->waiters); 587 wake_up(&q->waiter);
611 /* 588 /*
612 * The waiting task can free the futex_q as soon as this is written, 589 * The waiting task can free the futex_q as soon as this is written,
613 * without taking any locks. This must come last. 590 * without taking any locks. This must come last.
@@ -719,20 +696,17 @@ double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
719 * Wake up all waiters hashed on the physical page that is mapped 696 * Wake up all waiters hashed on the physical page that is mapped
720 * to this virtual address: 697 * to this virtual address:
721 */ 698 */
722static int futex_wake(u32 __user *uaddr, struct rw_semaphore *fshared, 699static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
723 int nr_wake, u32 bitset)
724{ 700{
725 struct futex_hash_bucket *hb; 701 struct futex_hash_bucket *hb;
726 struct futex_q *this, *next; 702 struct futex_q *this, *next;
727 struct plist_head *head; 703 struct plist_head *head;
728 union futex_key key; 704 union futex_key key = FUTEX_KEY_INIT;
729 int ret; 705 int ret;
730 706
731 if (!bitset) 707 if (!bitset)
732 return -EINVAL; 708 return -EINVAL;
733 709
734 futex_lock_mm(fshared);
735
736 ret = get_futex_key(uaddr, fshared, &key); 710 ret = get_futex_key(uaddr, fshared, &key);
737 if (unlikely(ret != 0)) 711 if (unlikely(ret != 0))
738 goto out; 712 goto out;
@@ -759,8 +733,8 @@ static int futex_wake(u32 __user *uaddr, struct rw_semaphore *fshared,
759 } 733 }
760 734
761 spin_unlock(&hb->lock); 735 spin_unlock(&hb->lock);
736 put_futex_key(fshared, &key);
762out: 737out:
763 futex_unlock_mm(fshared);
764 return ret; 738 return ret;
765} 739}
766 740
@@ -769,25 +743,22 @@ out:
769 * to this virtual address: 743 * to this virtual address:
770 */ 744 */
771static int 745static int
772futex_wake_op(u32 __user *uaddr1, struct rw_semaphore *fshared, 746futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
773 u32 __user *uaddr2,
774 int nr_wake, int nr_wake2, int op) 747 int nr_wake, int nr_wake2, int op)
775{ 748{
776 union futex_key key1, key2; 749 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
777 struct futex_hash_bucket *hb1, *hb2; 750 struct futex_hash_bucket *hb1, *hb2;
778 struct plist_head *head; 751 struct plist_head *head;
779 struct futex_q *this, *next; 752 struct futex_q *this, *next;
780 int ret, op_ret, attempt = 0; 753 int ret, op_ret, attempt = 0;
781 754
782retryfull: 755retryfull:
783 futex_lock_mm(fshared);
784
785 ret = get_futex_key(uaddr1, fshared, &key1); 756 ret = get_futex_key(uaddr1, fshared, &key1);
786 if (unlikely(ret != 0)) 757 if (unlikely(ret != 0))
787 goto out; 758 goto out;
788 ret = get_futex_key(uaddr2, fshared, &key2); 759 ret = get_futex_key(uaddr2, fshared, &key2);
789 if (unlikely(ret != 0)) 760 if (unlikely(ret != 0))
790 goto out; 761 goto out_put_key1;
791 762
792 hb1 = hash_futex(&key1); 763 hb1 = hash_futex(&key1);
793 hb2 = hash_futex(&key2); 764 hb2 = hash_futex(&key2);
@@ -809,12 +780,12 @@ retry:
809 * but we might get them from range checking 780 * but we might get them from range checking
810 */ 781 */
811 ret = op_ret; 782 ret = op_ret;
812 goto out; 783 goto out_put_keys;
813#endif 784#endif
814 785
815 if (unlikely(op_ret != -EFAULT)) { 786 if (unlikely(op_ret != -EFAULT)) {
816 ret = op_ret; 787 ret = op_ret;
817 goto out; 788 goto out_put_keys;
818 } 789 }
819 790
820 /* 791 /*
@@ -826,18 +797,12 @@ retry:
826 */ 797 */
827 if (attempt++) { 798 if (attempt++) {
828 ret = futex_handle_fault((unsigned long)uaddr2, 799 ret = futex_handle_fault((unsigned long)uaddr2,
829 fshared, attempt); 800 attempt);
830 if (ret) 801 if (ret)
831 goto out; 802 goto out_put_keys;
832 goto retry; 803 goto retry;
833 } 804 }
834 805
835 /*
836 * If we would have faulted, release mmap_sem,
837 * fault it in and start all over again.
838 */
839 futex_unlock_mm(fshared);
840
841 ret = get_user(dummy, uaddr2); 806 ret = get_user(dummy, uaddr2);
842 if (ret) 807 if (ret)
843 return ret; 808 return ret;
@@ -872,9 +837,11 @@ retry:
872 spin_unlock(&hb1->lock); 837 spin_unlock(&hb1->lock);
873 if (hb1 != hb2) 838 if (hb1 != hb2)
874 spin_unlock(&hb2->lock); 839 spin_unlock(&hb2->lock);
840out_put_keys:
841 put_futex_key(fshared, &key2);
842out_put_key1:
843 put_futex_key(fshared, &key1);
875out: 844out:
876 futex_unlock_mm(fshared);
877
878 return ret; 845 return ret;
879} 846}
880 847
@@ -882,25 +849,22 @@ out:
882 * Requeue all waiters hashed on one physical page to another 849 * Requeue all waiters hashed on one physical page to another
883 * physical page. 850 * physical page.
884 */ 851 */
885static int futex_requeue(u32 __user *uaddr1, struct rw_semaphore *fshared, 852static int futex_requeue(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
886 u32 __user *uaddr2,
887 int nr_wake, int nr_requeue, u32 *cmpval) 853 int nr_wake, int nr_requeue, u32 *cmpval)
888{ 854{
889 union futex_key key1, key2; 855 union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
890 struct futex_hash_bucket *hb1, *hb2; 856 struct futex_hash_bucket *hb1, *hb2;
891 struct plist_head *head1; 857 struct plist_head *head1;
892 struct futex_q *this, *next; 858 struct futex_q *this, *next;
893 int ret, drop_count = 0; 859 int ret, drop_count = 0;
894 860
895 retry: 861retry:
896 futex_lock_mm(fshared);
897
898 ret = get_futex_key(uaddr1, fshared, &key1); 862 ret = get_futex_key(uaddr1, fshared, &key1);
899 if (unlikely(ret != 0)) 863 if (unlikely(ret != 0))
900 goto out; 864 goto out;
901 ret = get_futex_key(uaddr2, fshared, &key2); 865 ret = get_futex_key(uaddr2, fshared, &key2);
902 if (unlikely(ret != 0)) 866 if (unlikely(ret != 0))
903 goto out; 867 goto out_put_key1;
904 868
905 hb1 = hash_futex(&key1); 869 hb1 = hash_futex(&key1);
906 hb2 = hash_futex(&key2); 870 hb2 = hash_futex(&key2);
@@ -917,18 +881,12 @@ static int futex_requeue(u32 __user *uaddr1, struct rw_semaphore *fshared,
917 if (hb1 != hb2) 881 if (hb1 != hb2)
918 spin_unlock(&hb2->lock); 882 spin_unlock(&hb2->lock);
919 883
920 /*
921 * If we would have faulted, release mmap_sem, fault
922 * it in and start all over again.
923 */
924 futex_unlock_mm(fshared);
925
926 ret = get_user(curval, uaddr1); 884 ret = get_user(curval, uaddr1);
927 885
928 if (!ret) 886 if (!ret)
929 goto retry; 887 goto retry;
930 888
931 return ret; 889 goto out_put_keys;
932 } 890 }
933 if (curval != *cmpval) { 891 if (curval != *cmpval) {
934 ret = -EAGAIN; 892 ret = -EAGAIN;
@@ -973,8 +931,11 @@ out_unlock:
973 while (--drop_count >= 0) 931 while (--drop_count >= 0)
974 drop_futex_key_refs(&key1); 932 drop_futex_key_refs(&key1);
975 933
934out_put_keys:
935 put_futex_key(fshared, &key2);
936out_put_key1:
937 put_futex_key(fshared, &key1);
976out: 938out:
977 futex_unlock_mm(fshared);
978 return ret; 939 return ret;
979} 940}
980 941
@@ -983,7 +944,7 @@ static inline struct futex_hash_bucket *queue_lock(struct futex_q *q)
983{ 944{
984 struct futex_hash_bucket *hb; 945 struct futex_hash_bucket *hb;
985 946
986 init_waitqueue_head(&q->waiters); 947 init_waitqueue_head(&q->waiter);
987 948
988 get_futex_key_refs(&q->key); 949 get_futex_key_refs(&q->key);
989 hb = hash_futex(&q->key); 950 hb = hash_futex(&q->key);
@@ -1035,7 +996,7 @@ static int unqueue_me(struct futex_q *q)
1035 int ret = 0; 996 int ret = 0;
1036 997
1037 /* In the common case we don't take the spinlock, which is nice. */ 998 /* In the common case we don't take the spinlock, which is nice. */
1038 retry: 999retry:
1039 lock_ptr = q->lock_ptr; 1000 lock_ptr = q->lock_ptr;
1040 barrier(); 1001 barrier();
1041 if (lock_ptr != NULL) { 1002 if (lock_ptr != NULL) {
@@ -1096,8 +1057,7 @@ static void unqueue_me_pi(struct futex_q *q)
1096 * private futexes. 1057 * private futexes.
1097 */ 1058 */
1098static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, 1059static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
1099 struct task_struct *newowner, 1060 struct task_struct *newowner, int fshared)
1100 struct rw_semaphore *fshared)
1101{ 1061{
1102 u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; 1062 u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
1103 struct futex_pi_state *pi_state = q->pi_state; 1063 struct futex_pi_state *pi_state = q->pi_state;
@@ -1176,7 +1136,7 @@ retry:
1176handle_fault: 1136handle_fault:
1177 spin_unlock(q->lock_ptr); 1137 spin_unlock(q->lock_ptr);
1178 1138
1179 ret = futex_handle_fault((unsigned long)uaddr, fshared, attempt++); 1139 ret = futex_handle_fault((unsigned long)uaddr, attempt++);
1180 1140
1181 spin_lock(q->lock_ptr); 1141 spin_lock(q->lock_ptr);
1182 1142
@@ -1196,12 +1156,13 @@ handle_fault:
1196 * In case we must use restart_block to restart a futex_wait, 1156 * In case we must use restart_block to restart a futex_wait,
1197 * we encode in the 'flags' shared capability 1157 * we encode in the 'flags' shared capability
1198 */ 1158 */
1199#define FLAGS_SHARED 1 1159#define FLAGS_SHARED 0x01
1160#define FLAGS_CLOCKRT 0x02
1200 1161
1201static long futex_wait_restart(struct restart_block *restart); 1162static long futex_wait_restart(struct restart_block *restart);
1202 1163
1203static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, 1164static int futex_wait(u32 __user *uaddr, int fshared,
1204 u32 val, ktime_t *abs_time, u32 bitset) 1165 u32 val, ktime_t *abs_time, u32 bitset, int clockrt)
1205{ 1166{
1206 struct task_struct *curr = current; 1167 struct task_struct *curr = current;
1207 DECLARE_WAITQUEUE(wait, curr); 1168 DECLARE_WAITQUEUE(wait, curr);
@@ -1217,12 +1178,11 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1217 1178
1218 q.pi_state = NULL; 1179 q.pi_state = NULL;
1219 q.bitset = bitset; 1180 q.bitset = bitset;
1220 retry: 1181retry:
1221 futex_lock_mm(fshared); 1182 q.key = FUTEX_KEY_INIT;
1222
1223 ret = get_futex_key(uaddr, fshared, &q.key); 1183 ret = get_futex_key(uaddr, fshared, &q.key);
1224 if (unlikely(ret != 0)) 1184 if (unlikely(ret != 0))
1225 goto out_release_sem; 1185 goto out;
1226 1186
1227 hb = queue_lock(&q); 1187 hb = queue_lock(&q);
1228 1188
@@ -1250,12 +1210,7 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1250 1210
1251 if (unlikely(ret)) { 1211 if (unlikely(ret)) {
1252 queue_unlock(&q, hb); 1212 queue_unlock(&q, hb);
1253 1213 put_futex_key(fshared, &q.key);
1254 /*
1255 * If we would have faulted, release mmap_sem, fault it in and
1256 * start all over again.
1257 */
1258 futex_unlock_mm(fshared);
1259 1214
1260 ret = get_user(uval, uaddr); 1215 ret = get_user(uval, uaddr);
1261 1216
@@ -1265,18 +1220,12 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1265 } 1220 }
1266 ret = -EWOULDBLOCK; 1221 ret = -EWOULDBLOCK;
1267 if (uval != val) 1222 if (uval != val)
1268 goto out_unlock_release_sem; 1223 goto out_unlock_put_key;
1269 1224
1270 /* Only actually queue if *uaddr contained val. */ 1225 /* Only actually queue if *uaddr contained val. */
1271 queue_me(&q, hb); 1226 queue_me(&q, hb);
1272 1227
1273 /* 1228 /*
1274 * Now the futex is queued and we have checked the data, we
1275 * don't want to hold mmap_sem while we sleep.
1276 */
1277 futex_unlock_mm(fshared);
1278
1279 /*
1280 * There might have been scheduling since the queue_me(), as we 1229 * There might have been scheduling since the queue_me(), as we
1281 * cannot hold a spinlock across the get_user() in case it 1230 * cannot hold a spinlock across the get_user() in case it
1282 * faults, and we cannot just set TASK_INTERRUPTIBLE state when 1231 * faults, and we cannot just set TASK_INTERRUPTIBLE state when
@@ -1287,7 +1236,7 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1287 1236
1288 /* add_wait_queue is the barrier after __set_current_state. */ 1237 /* add_wait_queue is the barrier after __set_current_state. */
1289 __set_current_state(TASK_INTERRUPTIBLE); 1238 __set_current_state(TASK_INTERRUPTIBLE);
1290 add_wait_queue(&q.waiters, &wait); 1239 add_wait_queue(&q.waiter, &wait);
1291 /* 1240 /*
1292 * !plist_node_empty() is safe here without any lock. 1241 * !plist_node_empty() is safe here without any lock.
1293 * q.lock_ptr != 0 is not safe, because of ordering against wakeup. 1242 * q.lock_ptr != 0 is not safe, because of ordering against wakeup.
@@ -1300,8 +1249,10 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1300 slack = current->timer_slack_ns; 1249 slack = current->timer_slack_ns;
1301 if (rt_task(current)) 1250 if (rt_task(current))
1302 slack = 0; 1251 slack = 0;
1303 hrtimer_init_on_stack(&t.timer, CLOCK_MONOTONIC, 1252 hrtimer_init_on_stack(&t.timer,
1304 HRTIMER_MODE_ABS); 1253 clockrt ? CLOCK_REALTIME :
1254 CLOCK_MONOTONIC,
1255 HRTIMER_MODE_ABS);
1305 hrtimer_init_sleeper(&t, current); 1256 hrtimer_init_sleeper(&t, current);
1306 hrtimer_set_expires_range_ns(&t.timer, *abs_time, slack); 1257 hrtimer_set_expires_range_ns(&t.timer, *abs_time, slack);
1307 1258
@@ -1356,14 +1307,16 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1356 1307
1357 if (fshared) 1308 if (fshared)
1358 restart->futex.flags |= FLAGS_SHARED; 1309 restart->futex.flags |= FLAGS_SHARED;
1310 if (clockrt)
1311 restart->futex.flags |= FLAGS_CLOCKRT;
1359 return -ERESTART_RESTARTBLOCK; 1312 return -ERESTART_RESTARTBLOCK;
1360 } 1313 }
1361 1314
1362 out_unlock_release_sem: 1315out_unlock_put_key:
1363 queue_unlock(&q, hb); 1316 queue_unlock(&q, hb);
1317 put_futex_key(fshared, &q.key);
1364 1318
1365 out_release_sem: 1319out:
1366 futex_unlock_mm(fshared);
1367 return ret; 1320 return ret;
1368} 1321}
1369 1322
@@ -1371,15 +1324,16 @@ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
1371static long futex_wait_restart(struct restart_block *restart) 1324static long futex_wait_restart(struct restart_block *restart)
1372{ 1325{
1373 u32 __user *uaddr = (u32 __user *)restart->futex.uaddr; 1326 u32 __user *uaddr = (u32 __user *)restart->futex.uaddr;
1374 struct rw_semaphore *fshared = NULL; 1327 int fshared = 0;
1375 ktime_t t; 1328 ktime_t t;
1376 1329
1377 t.tv64 = restart->futex.time; 1330 t.tv64 = restart->futex.time;
1378 restart->fn = do_no_restart_syscall; 1331 restart->fn = do_no_restart_syscall;
1379 if (restart->futex.flags & FLAGS_SHARED) 1332 if (restart->futex.flags & FLAGS_SHARED)
1380 fshared = &current->mm->mmap_sem; 1333 fshared = 1;
1381 return (long)futex_wait(uaddr, fshared, restart->futex.val, &t, 1334 return (long)futex_wait(uaddr, fshared, restart->futex.val, &t,
1382 restart->futex.bitset); 1335 restart->futex.bitset,
1336 restart->futex.flags & FLAGS_CLOCKRT);
1383} 1337}
1384 1338
1385 1339
@@ -1389,7 +1343,7 @@ static long futex_wait_restart(struct restart_block *restart)
1389 * if there are waiters then it will block, it does PI, etc. (Due to 1343 * if there are waiters then it will block, it does PI, etc. (Due to
1390 * races the kernel might see a 0 value of the futex too.) 1344 * races the kernel might see a 0 value of the futex too.)
1391 */ 1345 */
1392static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared, 1346static int futex_lock_pi(u32 __user *uaddr, int fshared,
1393 int detect, ktime_t *time, int trylock) 1347 int detect, ktime_t *time, int trylock)
1394{ 1348{
1395 struct hrtimer_sleeper timeout, *to = NULL; 1349 struct hrtimer_sleeper timeout, *to = NULL;
@@ -1411,17 +1365,16 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1411 } 1365 }
1412 1366
1413 q.pi_state = NULL; 1367 q.pi_state = NULL;
1414 retry: 1368retry:
1415 futex_lock_mm(fshared); 1369 q.key = FUTEX_KEY_INIT;
1416
1417 ret = get_futex_key(uaddr, fshared, &q.key); 1370 ret = get_futex_key(uaddr, fshared, &q.key);
1418 if (unlikely(ret != 0)) 1371 if (unlikely(ret != 0))
1419 goto out_release_sem; 1372 goto out;
1420 1373
1421 retry_unlocked: 1374retry_unlocked:
1422 hb = queue_lock(&q); 1375 hb = queue_lock(&q);
1423 1376
1424 retry_locked: 1377retry_locked:
1425 ret = lock_taken = 0; 1378 ret = lock_taken = 0;
1426 1379
1427 /* 1380 /*
@@ -1442,14 +1395,14 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1442 */ 1395 */
1443 if (unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(current))) { 1396 if (unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(current))) {
1444 ret = -EDEADLK; 1397 ret = -EDEADLK;
1445 goto out_unlock_release_sem; 1398 goto out_unlock_put_key;
1446 } 1399 }
1447 1400
1448 /* 1401 /*
1449 * Surprise - we got the lock. Just return to userspace: 1402 * Surprise - we got the lock. Just return to userspace:
1450 */ 1403 */
1451 if (unlikely(!curval)) 1404 if (unlikely(!curval))
1452 goto out_unlock_release_sem; 1405 goto out_unlock_put_key;
1453 1406
1454 uval = curval; 1407 uval = curval;
1455 1408
@@ -1485,7 +1438,7 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1485 * We took the lock due to owner died take over. 1438 * We took the lock due to owner died take over.
1486 */ 1439 */
1487 if (unlikely(lock_taken)) 1440 if (unlikely(lock_taken))
1488 goto out_unlock_release_sem; 1441 goto out_unlock_put_key;
1489 1442
1490 /* 1443 /*
1491 * We dont have the lock. Look up the PI state (or create it if 1444 * We dont have the lock. Look up the PI state (or create it if
@@ -1502,7 +1455,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1502 * exit to complete. 1455 * exit to complete.
1503 */ 1456 */
1504 queue_unlock(&q, hb); 1457 queue_unlock(&q, hb);
1505 futex_unlock_mm(fshared);
1506 cond_resched(); 1458 cond_resched();
1507 goto retry; 1459 goto retry;
1508 1460
@@ -1525,7 +1477,7 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1525 goto retry_locked; 1477 goto retry_locked;
1526 } 1478 }
1527 default: 1479 default:
1528 goto out_unlock_release_sem; 1480 goto out_unlock_put_key;
1529 } 1481 }
1530 } 1482 }
1531 1483
@@ -1534,12 +1486,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1534 */ 1486 */
1535 queue_me(&q, hb); 1487 queue_me(&q, hb);
1536 1488
1537 /*
1538 * Now the futex is queued and we have checked the data, we
1539 * don't want to hold mmap_sem while we sleep.
1540 */
1541 futex_unlock_mm(fshared);
1542
1543 WARN_ON(!q.pi_state); 1489 WARN_ON(!q.pi_state);
1544 /* 1490 /*
1545 * Block on the PI mutex: 1491 * Block on the PI mutex:
@@ -1552,7 +1498,6 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1552 ret = ret ? 0 : -EWOULDBLOCK; 1498 ret = ret ? 0 : -EWOULDBLOCK;
1553 } 1499 }
1554 1500
1555 futex_lock_mm(fshared);
1556 spin_lock(q.lock_ptr); 1501 spin_lock(q.lock_ptr);
1557 1502
1558 if (!ret) { 1503 if (!ret) {
@@ -1618,44 +1563,40 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1618 1563
1619 /* Unqueue and drop the lock */ 1564 /* Unqueue and drop the lock */
1620 unqueue_me_pi(&q); 1565 unqueue_me_pi(&q);
1621 futex_unlock_mm(fshared);
1622 1566
1623 if (to) 1567 if (to)
1624 destroy_hrtimer_on_stack(&to->timer); 1568 destroy_hrtimer_on_stack(&to->timer);
1625 return ret != -EINTR ? ret : -ERESTARTNOINTR; 1569 return ret != -EINTR ? ret : -ERESTARTNOINTR;
1626 1570
1627 out_unlock_release_sem: 1571out_unlock_put_key:
1628 queue_unlock(&q, hb); 1572 queue_unlock(&q, hb);
1629 1573
1630 out_release_sem: 1574out_put_key:
1631 futex_unlock_mm(fshared); 1575 put_futex_key(fshared, &q.key);
1576out:
1632 if (to) 1577 if (to)
1633 destroy_hrtimer_on_stack(&to->timer); 1578 destroy_hrtimer_on_stack(&to->timer);
1634 return ret; 1579 return ret;
1635 1580
1636 uaddr_faulted: 1581uaddr_faulted:
1637 /* 1582 /*
1638 * We have to r/w *(int __user *)uaddr, but we can't modify it 1583 * We have to r/w *(int __user *)uaddr, and we have to modify it
1639 * non-atomically. Therefore, if get_user below is not 1584 * atomically. Therefore, if we continue to fault after get_user()
1640 * enough, we need to handle the fault ourselves, while 1585 * below, we need to handle the fault ourselves, while still holding
1641 * still holding the mmap_sem. 1586 * the mmap_sem. This can occur if the uaddr is under contention as
1642 * 1587 * we have to drop the mmap_sem in order to call get_user().
1643 * ... and hb->lock. :-) --ANK
1644 */ 1588 */
1645 queue_unlock(&q, hb); 1589 queue_unlock(&q, hb);
1646 1590
1647 if (attempt++) { 1591 if (attempt++) {
1648 ret = futex_handle_fault((unsigned long)uaddr, fshared, 1592 ret = futex_handle_fault((unsigned long)uaddr, attempt);
1649 attempt);
1650 if (ret) 1593 if (ret)
1651 goto out_release_sem; 1594 goto out_put_key;
1652 goto retry_unlocked; 1595 goto retry_unlocked;
1653 } 1596 }
1654 1597
1655 futex_unlock_mm(fshared);
1656
1657 ret = get_user(uval, uaddr); 1598 ret = get_user(uval, uaddr);
1658 if (!ret && (uval != -EFAULT)) 1599 if (!ret)
1659 goto retry; 1600 goto retry;
1660 1601
1661 if (to) 1602 if (to)
@@ -1668,13 +1609,13 @@ static int futex_lock_pi(u32 __user *uaddr, struct rw_semaphore *fshared,
1668 * This is the in-kernel slowpath: we look up the PI state (if any), 1609 * This is the in-kernel slowpath: we look up the PI state (if any),
1669 * and do the rt-mutex unlock. 1610 * and do the rt-mutex unlock.
1670 */ 1611 */
1671static int futex_unlock_pi(u32 __user *uaddr, struct rw_semaphore *fshared) 1612static int futex_unlock_pi(u32 __user *uaddr, int fshared)
1672{ 1613{
1673 struct futex_hash_bucket *hb; 1614 struct futex_hash_bucket *hb;
1674 struct futex_q *this, *next; 1615 struct futex_q *this, *next;
1675 u32 uval; 1616 u32 uval;
1676 struct plist_head *head; 1617 struct plist_head *head;
1677 union futex_key key; 1618 union futex_key key = FUTEX_KEY_INIT;
1678 int ret, attempt = 0; 1619 int ret, attempt = 0;
1679 1620
1680retry: 1621retry:
@@ -1685,10 +1626,6 @@ retry:
1685 */ 1626 */
1686 if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current)) 1627 if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
1687 return -EPERM; 1628 return -EPERM;
1688 /*
1689 * First take all the futex related locks:
1690 */
1691 futex_lock_mm(fshared);
1692 1629
1693 ret = get_futex_key(uaddr, fshared, &key); 1630 ret = get_futex_key(uaddr, fshared, &key);
1694 if (unlikely(ret != 0)) 1631 if (unlikely(ret != 0))
@@ -1746,35 +1683,31 @@ retry_unlocked:
1746 1683
1747out_unlock: 1684out_unlock:
1748 spin_unlock(&hb->lock); 1685 spin_unlock(&hb->lock);
1749out: 1686 put_futex_key(fshared, &key);
1750 futex_unlock_mm(fshared);
1751 1687
1688out:
1752 return ret; 1689 return ret;
1753 1690
1754pi_faulted: 1691pi_faulted:
1755 /* 1692 /*
1756 * We have to r/w *(int __user *)uaddr, but we can't modify it 1693 * We have to r/w *(int __user *)uaddr, and we have to modify it
1757 * non-atomically. Therefore, if get_user below is not 1694 * atomically. Therefore, if we continue to fault after get_user()
1758 * enough, we need to handle the fault ourselves, while 1695 * below, we need to handle the fault ourselves, while still holding
1759 * still holding the mmap_sem. 1696 * the mmap_sem. This can occur if the uaddr is under contention as
1760 * 1697 * we have to drop the mmap_sem in order to call get_user().
1761 * ... and hb->lock. --ANK
1762 */ 1698 */
1763 spin_unlock(&hb->lock); 1699 spin_unlock(&hb->lock);
1764 1700
1765 if (attempt++) { 1701 if (attempt++) {
1766 ret = futex_handle_fault((unsigned long)uaddr, fshared, 1702 ret = futex_handle_fault((unsigned long)uaddr, attempt);
1767 attempt);
1768 if (ret) 1703 if (ret)
1769 goto out; 1704 goto out;
1770 uval = 0; 1705 uval = 0;
1771 goto retry_unlocked; 1706 goto retry_unlocked;
1772 } 1707 }
1773 1708
1774 futex_unlock_mm(fshared);
1775
1776 ret = get_user(uval, uaddr); 1709 ret = get_user(uval, uaddr);
1777 if (!ret && (uval != -EFAULT)) 1710 if (!ret)
1778 goto retry; 1711 goto retry;
1779 1712
1780 return ret; 1713 return ret;
@@ -1829,6 +1762,7 @@ sys_get_robust_list(int pid, struct robust_list_head __user * __user *head_ptr,
1829{ 1762{
1830 struct robust_list_head __user *head; 1763 struct robust_list_head __user *head;
1831 unsigned long ret; 1764 unsigned long ret;
1765 const struct cred *cred = current_cred(), *pcred;
1832 1766
1833 if (!futex_cmpxchg_enabled) 1767 if (!futex_cmpxchg_enabled)
1834 return -ENOSYS; 1768 return -ENOSYS;
@@ -1844,8 +1778,10 @@ sys_get_robust_list(int pid, struct robust_list_head __user * __user *head_ptr,
1844 if (!p) 1778 if (!p)
1845 goto err_unlock; 1779 goto err_unlock;
1846 ret = -EPERM; 1780 ret = -EPERM;
1847 if ((current->euid != p->euid) && (current->euid != p->uid) && 1781 pcred = __task_cred(p);
1848 !capable(CAP_SYS_PTRACE)) 1782 if (cred->euid != pcred->euid &&
1783 cred->euid != pcred->uid &&
1784 !capable(CAP_SYS_PTRACE))
1849 goto err_unlock; 1785 goto err_unlock;
1850 head = p->robust_list; 1786 head = p->robust_list;
1851 rcu_read_unlock(); 1787 rcu_read_unlock();
@@ -1898,8 +1834,7 @@ retry:
1898 * PI futexes happens in exit_pi_state(): 1834 * PI futexes happens in exit_pi_state():
1899 */ 1835 */
1900 if (!pi && (uval & FUTEX_WAITERS)) 1836 if (!pi && (uval & FUTEX_WAITERS))
1901 futex_wake(uaddr, &curr->mm->mmap_sem, 1, 1837 futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
1902 FUTEX_BITSET_MATCH_ANY);
1903 } 1838 }
1904 return 0; 1839 return 0;
1905} 1840}
@@ -1993,18 +1928,22 @@ void exit_robust_list(struct task_struct *curr)
1993long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, 1928long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
1994 u32 __user *uaddr2, u32 val2, u32 val3) 1929 u32 __user *uaddr2, u32 val2, u32 val3)
1995{ 1930{
1996 int ret = -ENOSYS; 1931 int clockrt, ret = -ENOSYS;
1997 int cmd = op & FUTEX_CMD_MASK; 1932 int cmd = op & FUTEX_CMD_MASK;
1998 struct rw_semaphore *fshared = NULL; 1933 int fshared = 0;
1999 1934
2000 if (!(op & FUTEX_PRIVATE_FLAG)) 1935 if (!(op & FUTEX_PRIVATE_FLAG))
2001 fshared = &current->mm->mmap_sem; 1936 fshared = 1;
1937
1938 clockrt = op & FUTEX_CLOCK_REALTIME;
1939 if (clockrt && cmd != FUTEX_WAIT_BITSET)
1940 return -ENOSYS;
2002 1941
2003 switch (cmd) { 1942 switch (cmd) {
2004 case FUTEX_WAIT: 1943 case FUTEX_WAIT:
2005 val3 = FUTEX_BITSET_MATCH_ANY; 1944 val3 = FUTEX_BITSET_MATCH_ANY;
2006 case FUTEX_WAIT_BITSET: 1945 case FUTEX_WAIT_BITSET:
2007 ret = futex_wait(uaddr, fshared, val, timeout, val3); 1946 ret = futex_wait(uaddr, fshared, val, timeout, val3, clockrt);
2008 break; 1947 break;
2009 case FUTEX_WAKE: 1948 case FUTEX_WAKE:
2010 val3 = FUTEX_BITSET_MATCH_ANY; 1949 val3 = FUTEX_BITSET_MATCH_ANY;
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-12 03:47:17 -0500