9 files changed, 664 insertions, 76 deletions
diff --git a/kernel/locking/Makefile b/kernel/locking/Makefile
index b8bdcd4785b7..8541bfdfd232 100644
--- a/kernel/locking/Makefile
+++ b/kernel/locking/Makefile
@@ -24,4 +24,5 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock_debug.o
 obj-$(CONFIG_RWSEM_GENERIC_SPINLOCK) += rwsem-spinlock.o
 obj-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem-xadd.o
 obj-$(CONFIG_PERCPU_RWSEM) += percpu-rwsem.o
+obj-$(CONFIG_QUEUE_RWLOCK) += qrwlock.o
 obj-$(CONFIG_LOCK_TORTURE_TEST) += locktorture.o
diff --git a/kernel/locking/lockdep_internals.h b/kernel/locking/lockdep_internals.h
index 4f560cfedc8f..51c4b24b6328 100644
--- a/kernel/locking/lockdep_internals.h
+++ b/kernel/locking/lockdep_internals.h
@@ -54,9 +54,9 @@ enum {
 * table (if it's not there yet), and we check it for lock order
 * conflicts and deadlocks.
 */
-#define MAX_LOCKDEP_ENTRIES     16384UL
+#define MAX_LOCKDEP_ENTRIES     32768UL
-#define MAX_LOCKDEP_CHAINS_BITS 15
+#define MAX_LOCKDEP_CHAINS_BITS 16
 #define MAX_LOCKDEP_CHAINS      (1UL << MAX_LOCKDEP_CHAINS_BITS)
 #define MAX_LOCKDEP_CHAIN_HLOCKS (MAX_LOCKDEP_CHAINS*5)
@@ -65,7 +65,7 @@ enum {
 * Stack-trace: tightly packed array of stack backtrace
 * addresses. Protected by the hash_lock.
 */
-#define MAX_STACK_TRACE_ENTRIES 262144UL
+#define MAX_STACK_TRACE_ENTRIES 524288UL
 extern struct list_head all_lock_classes;
 extern struct lock_chain lock_chains[];
diff --git a/kernel/locking/locktorture.c b/kernel/locking/locktorture.c
index f26b1a18e34e..0955b885d0dc 100644
--- a/kernel/locking/locktorture.c
+++ b/kernel/locking/locktorture.c
@@ -82,14 +82,14 @@ struct lock_writer_stress_stats {
 };
 static struct lock_writer_stress_stats *lwsa;
-#if defined(MODULE) || defined(CONFIG_LOCK_TORTURE_TEST_RUNNABLE)
+#if defined(MODULE)
 #define LOCKTORTURE_RUNNABLE_INIT 1
 #else
 #define LOCKTORTURE_RUNNABLE_INIT 0
 #endif
 int locktorture_runnable = LOCKTORTURE_RUNNABLE_INIT;
 module_param(locktorture_runnable, int, 0444);
-MODULE_PARM_DESC(locktorture_runnable, "Start locktorture at boot");
+MODULE_PARM_DESC(locktorture_runnable, "Start locktorture at module init");
 /* Forward reference. */
 static void lock_torture_cleanup(void);
@@ -216,10 +216,11 @@ static int lock_torture_writer(void *arg)
        static DEFINE_TORTURE_RANDOM(rand);
        VERBOSE_TOROUT_STRING("lock_torture_writer task started");
-        set_user_nice(current, 19);
+        set_user_nice(current, MAX_NICE);
        do {
-                schedule_timeout_uninterruptible(1);
+                if ((torture_random(&rand) & 0xfffff) == 0)
+                        schedule_timeout_uninterruptible(1);
                cur_ops->writelock();
                if (WARN_ON_ONCE(lock_is_write_held))
                        lwsp->n_write_lock_fail++;
@@ -354,7 +355,8 @@ static int __init lock_torture_init(void)
                &lock_busted_ops, &spin_lock_ops, &spin_lock_irq_ops,
        };
-        torture_init_begin(torture_type, verbose, &locktorture_runnable);
+        if (!torture_init_begin(torture_type, verbose, &locktorture_runnable))
+                return -EBUSY;
        /* Process args and tell the world that the torturer is on the job. */
        for (i = 0; i < ARRAY_SIZE(torture_ops); i++) {
diff --git a/kernel/locking/qrwlock.c b/kernel/locking/qrwlock.c
new file mode 100644
index 000000000000..fb5b8ac411a5
--- /dev/null
+++ b/kernel/locking/qrwlock.c
@@ -0,0 +1,133 @@
+/*
+ * Queue read/write lock
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * (C) Copyright 2013-2014 Hewlett-Packard Development Company, L.P.
+ *
+ * Authors: Waiman Long <waiman.long@hp.com>
+ */
+#include <linux/smp.h>
+#include <linux/bug.h>
+#include <linux/cpumask.h>
+#include <linux/percpu.h>
+#include <linux/hardirq.h>
+#include <linux/mutex.h>
+#include <asm/qrwlock.h>
+/**
+ * rspin_until_writer_unlock - inc reader count & spin until writer is gone
+ * @lock  : Pointer to queue rwlock structure
+ * @writer: Current queue rwlock writer status byte
+ *
+ * In interrupt context or at the head of the queue, the reader will just
+ * increment the reader count & wait until the writer releases the lock.
+ */
+static __always_inline void
+rspin_until_writer_unlock(struct qrwlock *lock, u32 cnts)
+{
+        while ((cnts & _QW_WMASK) == _QW_LOCKED) {
+                arch_mutex_cpu_relax();
+                cnts = smp_load_acquire((u32 *)&lock->cnts);
+        }
+}
+/**
+ * queue_read_lock_slowpath - acquire read lock of a queue rwlock
+ * @lock: Pointer to queue rwlock structure
+ */
+void queue_read_lock_slowpath(struct qrwlock *lock)
+{
+        u32 cnts;
+        /*
+         * Readers come here when they cannot get the lock without waiting
+         */
+        if (unlikely(in_interrupt())) {
+                /*
+                 * Readers in interrupt context will spin until the lock is
+                 * available without waiting in the queue.
+                 */
+                cnts = smp_load_acquire((u32 *)&lock->cnts);
+                rspin_until_writer_unlock(lock, cnts);
+                return;
+        }
+        atomic_sub(_QR_BIAS, &lock->cnts);
+        /*
+         * Put the reader into the wait queue
+         */
+        arch_spin_lock(&lock->lock);
+        /*
+         * At the head of the wait queue now, wait until the writer state
+         * goes to 0 and then try to increment the reader count and get
+         * the lock. It is possible that an incoming writer may steal the
+         * lock in the interim, so it is necessary to check the writer byte
+         * to make sure that the write lock isn't taken.
+         */
+        while (atomic_read(&lock->cnts) & _QW_WMASK)
+                arch_mutex_cpu_relax();
+        cnts = atomic_add_return(_QR_BIAS, &lock->cnts) - _QR_BIAS;
+        rspin_until_writer_unlock(lock, cnts);
+        /*
+         * Signal the next one in queue to become queue head
+         */
+        arch_spin_unlock(&lock->lock);
+}
+EXPORT_SYMBOL(queue_read_lock_slowpath);
+/**
+ * queue_write_lock_slowpath - acquire write lock of a queue rwlock
+ * @lock : Pointer to queue rwlock structure
+ */
+void queue_write_lock_slowpath(struct qrwlock *lock)
+{
+        u32 cnts;
+        /* Put the writer into the wait queue */
+        arch_spin_lock(&lock->lock);
+        /* Try to acquire the lock directly if no reader is present */
+        if (!atomic_read(&lock->cnts) &&
+            (atomic_cmpxchg(&lock->cnts, 0, _QW_LOCKED) == 0))
+                goto unlock;
+        /*
+         * Set the waiting flag to notify readers that a writer is pending,
+         * or wait for a previous writer to go away.
+         */
+        for (;;) {
+                cnts = atomic_read(&lock->cnts);
+                if (!(cnts & _QW_WMASK) &&
+                    (atomic_cmpxchg(&lock->cnts, cnts,
+                                    cnts | _QW_WAITING) == cnts))
+                        break;
+                arch_mutex_cpu_relax();
+        }
+        /* When no more readers, set the locked flag */
+        for (;;) {
+                cnts = atomic_read(&lock->cnts);
+                if ((cnts == _QW_WAITING) &&
+                    (atomic_cmpxchg(&lock->cnts, _QW_WAITING,
+                                    _QW_LOCKED) == _QW_WAITING))
+                        break;
+                arch_mutex_cpu_relax();
+        }
+unlock:
+        arch_spin_unlock(&lock->lock);
+}
+EXPORT_SYMBOL(queue_write_lock_slowpath);
diff --git a/kernel/locking/rtmutex-debug.h b/kernel/locking/rtmutex-debug.h
index 14193d596d78..ab29b6a22669 100644
--- a/kernel/locking/rtmutex-debug.h
+++ b/kernel/locking/rtmutex-debug.h
@@ -31,3 +31,8 @@ static inline int debug_rt_mutex_detect_deadlock(struct rt_mutex_waiter *waiter,
 {
        return (waiter != NULL);
 }
+static inline void rt_mutex_print_deadlock(struct rt_mutex_waiter *w)
+{
+        debug_rt_mutex_print_deadlock(w);
+}
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index aa4dff04b594..fc605941b9b8 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -83,6 +83,47 @@ static inline void mark_rt_mutex_waiters(struct rt_mutex *lock)
                owner = *p;
        } while (cmpxchg(p, owner, owner | RT_MUTEX_HAS_WAITERS) != owner);
 }
+/*
+ * Safe fastpath aware unlock:
+ * 1) Clear the waiters bit
+ * 2) Drop lock->wait_lock
+ * 3) Try to unlock the lock with cmpxchg
+ */
+static inline bool unlock_rt_mutex_safe(struct rt_mutex *lock)
+        __releases(lock->wait_lock)
+{
+        struct task_struct *owner = rt_mutex_owner(lock);
+        clear_rt_mutex_waiters(lock);
+        raw_spin_unlock(&lock->wait_lock);
+        /*
+         * If a new waiter comes in between the unlock and the cmpxchg
+         * we have two situations:
+         *
+         * unlock(wait_lock);
+         *                                      lock(wait_lock);
+         * cmpxchg(p, owner, 0) == owner
+         *                                      mark_rt_mutex_waiters(lock);
+         *                                      acquire(lock);
+         * or:
+         *
+         * unlock(wait_lock);
+         *                                      lock(wait_lock);
+         *                                      mark_rt_mutex_waiters(lock);
+         *
+         * cmpxchg(p, owner, 0) != owner
+         *                                      enqueue_waiter();
+         *                                      unlock(wait_lock);
+         * lock(wait_lock);
+         * wake waiter();
+         * unlock(wait_lock);
+         *                                      lock(wait_lock);
+         *                                      acquire(lock);
+         */
+        return rt_mutex_cmpxchg(lock, owner, NULL);
+}
 #else
 # define rt_mutex_cmpxchg(l,c,n)        (0)
 static inline void mark_rt_mutex_waiters(struct rt_mutex *lock)
@@ -90,6 +131,17 @@ static inline void mark_rt_mutex_waiters(struct rt_mutex *lock)
        lock->owner = (struct task_struct *)
                        ((unsigned long)lock->owner | RT_MUTEX_HAS_WAITERS);
 }
+/*
+ * Simple slow path only version: lock->owner is protected by lock->wait_lock.
+ */
+static inline bool unlock_rt_mutex_safe(struct rt_mutex *lock)
+        __releases(lock->wait_lock)
+{
+        lock->owner = NULL;
+        raw_spin_unlock(&lock->wait_lock);
+        return true;
+}
 #endif
 static inline int
@@ -260,27 +312,36 @@ static void rt_mutex_adjust_prio(struct task_struct *task)
 */
 int max_lock_depth = 1024;
+static inline struct rt_mutex *task_blocked_on_lock(struct task_struct *p)
+{
+        return p->pi_blocked_on ? p->pi_blocked_on->lock : NULL;
+}
 /*
 * Adjust the priority chain. Also used for deadlock detection.
 * Decreases task's usage by one - may thus free the task.
 *
- * @task: the task owning the mutex (owner) for which a chain walk is probably
+ * @task:       the task owning the mutex (owner) for which a chain walk is
- *        needed
+ *              probably needed
 * @deadlock_detect: do we have to carry out deadlock detection?
- * @orig_lock: the mutex (can be NULL if we are walking the chain to recheck
+ * @orig_lock:  the mutex (can be NULL if we are walking the chain to recheck
- *             things for a task that has just got its priority adjusted, and
+ *              things for a task that has just got its priority adjusted, and
- *             is waiting on a mutex)
+ *              is waiting on a mutex)
+ * @next_lock:  the mutex on which the owner of @orig_lock was blocked before
+ *              we dropped its pi_lock. Is never dereferenced, only used for
+ *              comparison to detect lock chain changes.
 * @orig_waiter: rt_mutex_waiter struct for the task that has just donated
- *               its priority to the mutex owner (can be NULL in the case
+ *              its priority to the mutex owner (can be NULL in the case
- *               depicted above or if the top waiter is gone away and we are
+ *              depicted above or if the top waiter is gone away and we are
- *               actually deboosting the owner)
+ *              actually deboosting the owner)
- * @top_task: the current top waiter
+ * @top_task:   the current top waiter
 *
 * Returns 0 or -EDEADLK.
 */
 static int rt_mutex_adjust_prio_chain(struct task_struct *task,
                                      int deadlock_detect,
                                      struct rt_mutex *orig_lock,
+                                      struct rt_mutex *next_lock,
                                      struct rt_mutex_waiter *orig_waiter,
                                      struct task_struct *top_task)
 {
@@ -314,7 +375,7 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task,
                }
                put_task_struct(task);
-                return deadlock_detect ? -EDEADLK : 0;
+                return -EDEADLK;
        }
 retry:
        /*
@@ -339,13 +400,32 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task,
                goto out_unlock_pi;
        /*
+         * We dropped all locks after taking a refcount on @task, so
+         * the task might have moved on in the lock chain or even left
+         * the chain completely and blocks now on an unrelated lock or
+         * on @orig_lock.
+         *
+         * We stored the lock on which @task was blocked in @next_lock,
+         * so we can detect the chain change.
+         */
+        if (next_lock != waiter->lock)
+                goto out_unlock_pi;
+        /*
         * Drop out, when the task has no waiters. Note,
         * top_waiter can be NULL, when we are in the deboosting
         * mode!
         */
-        if (top_waiter && (!task_has_pi_waiters(task) ||
+        if (top_waiter) {
-                           top_waiter != task_top_pi_waiter(task)))
+                if (!task_has_pi_waiters(task))
-                goto out_unlock_pi;
+                        goto out_unlock_pi;
+                /*
+                 * If deadlock detection is off, we stop here if we
+                 * are not the top pi waiter of the task.
+                 */
+                if (!detect_deadlock && top_waiter != task_top_pi_waiter(task))
+                        goto out_unlock_pi;
+        }
        /*
         * When deadlock detection is off then we check, if further
@@ -361,11 +441,16 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task,
                goto retry;
        }
-        /* Deadlock detection */
+        /*
+         * Deadlock detection. If the lock is the same as the original
+         * lock which caused us to walk the lock chain or if the
+         * current lock is owned by the task which initiated the chain
+         * walk, we detected a deadlock.
+         */
        if (lock == orig_lock || rt_mutex_owner(lock) == top_task) {
                debug_rt_mutex_deadlock(deadlock_detect, orig_waiter, lock);
                raw_spin_unlock(&lock->wait_lock);
-                ret = deadlock_detect ? -EDEADLK : 0;
+                ret = -EDEADLK;
                goto out_unlock_pi;
        }
@@ -410,11 +495,26 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task,
                __rt_mutex_adjust_prio(task);
        }
+        /*
+         * Check whether the task which owns the current lock is pi
+         * blocked itself. If yes we store a pointer to the lock for
+         * the lock chain change detection above. After we dropped
+         * task->pi_lock next_lock cannot be dereferenced anymore.
+         */
+        next_lock = task_blocked_on_lock(task);
        raw_spin_unlock_irqrestore(&task->pi_lock, flags);
        top_waiter = rt_mutex_top_waiter(lock);
        raw_spin_unlock(&lock->wait_lock);
+        /*
+         * We reached the end of the lock chain. Stop right here. No
+         * point to go back just to figure that out.
+         */
+        if (!next_lock)
+                goto out_put_task;
        if (!detect_deadlock && waiter != top_waiter)
                goto out_put_task;
@@ -524,8 +624,21 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
 {
        struct task_struct *owner = rt_mutex_owner(lock);
        struct rt_mutex_waiter *top_waiter = waiter;
-        unsigned long flags;
+        struct rt_mutex *next_lock;
        int chain_walk = 0, res;
+        unsigned long flags;
+        /*
+         * Early deadlock detection. We really don't want the task to
+         * enqueue on itself just to untangle the mess later. It's not
+         * only an optimization. We drop the locks, so another waiter
+         * can come in before the chain walk detects the deadlock. So
+         * the other will detect the deadlock and return -EDEADLOCK,
+         * which is wrong, as the other waiter is not in a deadlock
+         * situation.
+         */
+        if (owner == task)
+                return -EDEADLK;
        raw_spin_lock_irqsave(&task->pi_lock, flags);
        __rt_mutex_adjust_prio(task);
@@ -545,20 +658,28 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
        if (!owner)
                return 0;
+        raw_spin_lock_irqsave(&owner->pi_lock, flags);
        if (waiter == rt_mutex_top_waiter(lock)) {
-                raw_spin_lock_irqsave(&owner->pi_lock, flags);
                rt_mutex_dequeue_pi(owner, top_waiter);
                rt_mutex_enqueue_pi(owner, waiter);
                __rt_mutex_adjust_prio(owner);
                if (owner->pi_blocked_on)
                        chain_walk = 1;
-                raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
+        } else if (debug_rt_mutex_detect_deadlock(waiter, detect_deadlock)) {
-        }
-        else if (debug_rt_mutex_detect_deadlock(waiter, detect_deadlock))
                chain_walk = 1;
+        }
+        /* Store the lock on which owner is blocked or NULL */
+        next_lock = task_blocked_on_lock(owner);
-        if (!chain_walk)
+        raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
+        /*
+         * Even if full deadlock detection is on, if the owner is not
+         * blocked itself, we can avoid finding this out in the chain
+         * walk.
+         */
+        if (!chain_walk || !next_lock)
                return 0;
        /*
@@ -570,8 +691,8 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
        raw_spin_unlock(&lock->wait_lock);
-        res = rt_mutex_adjust_prio_chain(owner, detect_deadlock, lock, waiter,
+        res = rt_mutex_adjust_prio_chain(owner, detect_deadlock, lock,
-                                         task);
+                                         next_lock, waiter, task);
        raw_spin_lock(&lock->wait_lock);
@@ -581,7 +702,8 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
 /*
 * Wake up the next waiter on the lock.
 *
- * Remove the top waiter from the current tasks waiter list and wake it up.
+ * Remove the top waiter from the current tasks pi waiter list and
+ * wake it up.
 *
 * Called with lock->wait_lock held.
 */
@@ -602,10 +724,23 @@ static void wakeup_next_waiter(struct rt_mutex *lock)
         */
        rt_mutex_dequeue_pi(current, waiter);
-        rt_mutex_set_owner(lock, NULL);
+        /*
+         * As we are waking up the top waiter, and the waiter stays
+         * queued on the lock until it gets the lock, this lock
+         * obviously has waiters. Just set the bit here and this has
+         * the added benefit of forcing all new tasks into the
+         * slow path making sure no task of lower priority than
+         * the top waiter can steal this lock.
+         */
+        lock->owner = (void *) RT_MUTEX_HAS_WAITERS;
        raw_spin_unlock_irqrestore(&current->pi_lock, flags);
+        /*
+         * It's safe to dereference waiter as it cannot go away as
+         * long as we hold lock->wait_lock. The waiter task needs to
+         * acquire it in order to dequeue the waiter.
+         */
        wake_up_process(waiter->task);
 }
@@ -620,8 +755,8 @@ static void remove_waiter(struct rt_mutex *lock,
 {
        int first = (waiter == rt_mutex_top_waiter(lock));
        struct task_struct *owner = rt_mutex_owner(lock);
+        struct rt_mutex *next_lock = NULL;
        unsigned long flags;
-        int chain_walk = 0;
        raw_spin_lock_irqsave(&current->pi_lock, flags);
        rt_mutex_dequeue(lock, waiter);
@@ -645,13 +780,13 @@ static void remove_waiter(struct rt_mutex *lock,
                }
                __rt_mutex_adjust_prio(owner);
-                if (owner->pi_blocked_on)
+                /* Store the lock on which owner is blocked or NULL */
-                        chain_walk = 1;
+                next_lock = task_blocked_on_lock(owner);
                raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
        }
-        if (!chain_walk)
+        if (!next_lock)
                return;
        /* gets dropped in rt_mutex_adjust_prio_chain()! */
@@ -659,7 +794,7 @@ static void remove_waiter(struct rt_mutex *lock,
        raw_spin_unlock(&lock->wait_lock);
-        rt_mutex_adjust_prio_chain(owner, 0, lock, NULL, current);
+        rt_mutex_adjust_prio_chain(owner, 0, lock, next_lock, NULL, current);
        raw_spin_lock(&lock->wait_lock);
 }
@@ -672,6 +807,7 @@ static void remove_waiter(struct rt_mutex *lock,
 void rt_mutex_adjust_pi(struct task_struct *task)
 {
        struct rt_mutex_waiter *waiter;
+        struct rt_mutex *next_lock;
        unsigned long flags;
        raw_spin_lock_irqsave(&task->pi_lock, flags);
@@ -682,12 +818,13 @@ void rt_mutex_adjust_pi(struct task_struct *task)
                raw_spin_unlock_irqrestore(&task->pi_lock, flags);
                return;
        }
+        next_lock = waiter->lock;
        raw_spin_unlock_irqrestore(&task->pi_lock, flags);
        /* gets dropped in rt_mutex_adjust_prio_chain()! */
        get_task_struct(task);
-        rt_mutex_adjust_prio_chain(task, 0, NULL, NULL, task);
+        rt_mutex_adjust_prio_chain(task, 0, NULL, next_lock, NULL, task);
 }
 /**
@@ -739,6 +876,26 @@ __rt_mutex_slowlock(struct rt_mutex *lock, int state,
        return ret;
 }
+static void rt_mutex_handle_deadlock(int res, int detect_deadlock,
+                                     struct rt_mutex_waiter *w)
+{
+        /*
+         * If the result is not -EDEADLOCK or the caller requested
+         * deadlock detection, nothing to do here.
+         */
+        if (res != -EDEADLOCK || detect_deadlock)
+                return;
+        /*
+         * Yell lowdly and stop the task right here.
+         */
+        rt_mutex_print_deadlock(w);
+        while (1) {
+                set_current_state(TASK_INTERRUPTIBLE);
+                schedule();
+        }
+}
 /*
 * Slow path lock function:
 */
@@ -778,8 +935,10 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state,
        set_current_state(TASK_RUNNING);
-        if (unlikely(ret))
+        if (unlikely(ret)) {
                remove_waiter(lock, &waiter);
+                rt_mutex_handle_deadlock(ret, detect_deadlock, &waiter);
+        }
        /*
         * try_to_take_rt_mutex() sets the waiter bit
@@ -835,12 +994,49 @@ rt_mutex_slowunlock(struct rt_mutex *lock)
        rt_mutex_deadlock_account_unlock(current);
-        if (!rt_mutex_has_waiters(lock)) {
+        /*
-                lock->owner = NULL;
+         * We must be careful here if the fast path is enabled. If we
-                raw_spin_unlock(&lock->wait_lock);
+         * have no waiters queued we cannot set owner to NULL here
-                return;
+         * because of:
+         *
+         * foo->lock->owner = NULL;
+         *                      rtmutex_lock(foo->lock);   <- fast path
+         *                      free = atomic_dec_and_test(foo->refcnt);
+         *                      rtmutex_unlock(foo->lock); <- fast path
+         *                      if (free)
+         *                              kfree(foo);
+         * raw_spin_unlock(foo->lock->wait_lock);
+         *
+         * So for the fastpath enabled kernel:
+         *
+         * Nothing can set the waiters bit as long as we hold
+         * lock->wait_lock. So we do the following sequence:
+         *
+         *      owner = rt_mutex_owner(lock);
+         *      clear_rt_mutex_waiters(lock);
+         *      raw_spin_unlock(&lock->wait_lock);
+         *      if (cmpxchg(&lock->owner, owner, 0) == owner)
+         *              return;
+         *      goto retry;
+         *
+         * The fastpath disabled variant is simple as all access to
+         * lock->owner is serialized by lock->wait_lock:
+         *
+         *      lock->owner = NULL;
+         *      raw_spin_unlock(&lock->wait_lock);
+         */
+        while (!rt_mutex_has_waiters(lock)) {
+                /* Drops lock->wait_lock ! */
+                if (unlock_rt_mutex_safe(lock) == true)
+                        return;
+                /* Relock the rtmutex and try again */
+                raw_spin_lock(&lock->wait_lock);
        }
+        /*
+         * The wakeup next waiter path does not suffer from the above
+         * race. See the comments there.
+         */
        wakeup_next_waiter(lock);
        raw_spin_unlock(&lock->wait_lock);
@@ -1088,7 +1284,8 @@ int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
                return 1;
        }
-        ret = task_blocks_on_rt_mutex(lock, waiter, task, detect_deadlock);
+        /* We enforce deadlock detection for futexes */
+        ret = task_blocks_on_rt_mutex(lock, waiter, task, 1);
        if (ret && !rt_mutex_owner(lock)) {
                /*
diff --git a/kernel/locking/rtmutex.h b/kernel/locking/rtmutex.h
index a1a1dd06421d..f6a1f3c133b1 100644
--- a/kernel/locking/rtmutex.h
+++ b/kernel/locking/rtmutex.h
@@ -24,3 +24,8 @@
 #define debug_rt_mutex_print_deadlock(w)                do { } while (0)
 #define debug_rt_mutex_detect_deadlock(w,d)             (d)
 #define debug_rt_mutex_reset_waiter(w)                  do { } while (0)
+static inline void rt_mutex_print_deadlock(struct rt_mutex_waiter *w)
+{
+        WARN(1, "rtmutex deadlock detected\n");
+}
diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c
index 1d66e08e897d..dacc32142fcc 100644
--- a/kernel/locking/rwsem-xadd.c
+++ b/kernel/locking/rwsem-xadd.c
@@ -5,11 +5,66 @@
 *
 * Writer lock-stealing by Alex Shi <alex.shi@intel.com>
 * and Michel Lespinasse <walken@google.com>
+ *
+ * Optimistic spinning by Tim Chen <tim.c.chen@intel.com>
+ * and Davidlohr Bueso <davidlohr@hp.com>. Based on mutexes.
 */
 #include <linux/rwsem.h>
 #include <linux/sched.h>
 #include <linux/init.h>
 #include <linux/export.h>
+#include <linux/sched/rt.h>
+#include "mcs_spinlock.h"
+/*
+ * Guide to the rw_semaphore's count field for common values.
+ * (32-bit case illustrated, similar for 64-bit)
+ *
+ * 0x0000000X   (1) X readers active or attempting lock, no writer waiting
+ *                  X = #active_readers + #readers attempting to lock
+ *                  (X*ACTIVE_BIAS)
+ *
+ * 0x00000000   rwsem is unlocked, and no one is waiting for the lock or
+ *              attempting to read lock or write lock.
+ *
+ * 0xffff000X   (1) X readers active or attempting lock, with waiters for lock
+ *                  X = #active readers + # readers attempting lock
+ *                  (X*ACTIVE_BIAS + WAITING_BIAS)
+ *              (2) 1 writer attempting lock, no waiters for lock
+ *                  X-1 = #active readers + #readers attempting lock
+ *                  ((X-1)*ACTIVE_BIAS + ACTIVE_WRITE_BIAS)
+ *              (3) 1 writer active, no waiters for lock
+ *                  X-1 = #active readers + #readers attempting lock
+ *                  ((X-1)*ACTIVE_BIAS + ACTIVE_WRITE_BIAS)
+ *
+ * 0xffff0001   (1) 1 reader active or attempting lock, waiters for lock
+ *                  (WAITING_BIAS + ACTIVE_BIAS)
+ *              (2) 1 writer active or attempting lock, no waiters for lock
+ *                  (ACTIVE_WRITE_BIAS)
+ *
+ * 0xffff0000   (1) There are writers or readers queued but none active
+ *                  or in the process of attempting lock.
+ *                  (WAITING_BIAS)
+ *              Note: writer can attempt to steal lock for this count by adding
+ *              ACTIVE_WRITE_BIAS in cmpxchg and checking the old count
+ *
+ * 0xfffe0001   (1) 1 writer active, or attempting lock. Waiters on queue.
+ *                  (ACTIVE_WRITE_BIAS + WAITING_BIAS)
+ *
+ * Note: Readers attempt to lock by adding ACTIVE_BIAS in down_read and checking
+ *       the count becomes more than 0 for successful lock acquisition,
+ *       i.e. the case where there are only readers or nobody has lock.
+ *       (1st and 2nd case above).
+ *
+ *       Writers attempt to lock by adding ACTIVE_WRITE_BIAS in down_write and
+ *       checking the count becomes ACTIVE_WRITE_BIAS for successful lock
+ *       acquisition (i.e. nobody else has lock or attempts lock).  If
+ *       unsuccessful, in rwsem_down_write_failed, we'll check to see if there
+ *       are only waiters but none active (5th case above), and attempt to
+ *       steal the lock.
+ *
+ */
 /*
 * Initialize an rwsem:
@@ -27,6 +82,10 @@ void __init_rwsem(struct rw_semaphore *sem, const char *name,
        sem->count = RWSEM_UNLOCKED_VALUE;
        raw_spin_lock_init(&sem->wait_lock);
        INIT_LIST_HEAD(&sem->wait_list);
+#ifdef CONFIG_SMP
+        sem->owner = NULL;
+        sem->osq = NULL;
+#endif
 }
 EXPORT_SYMBOL(__init_rwsem);
@@ -141,7 +200,7 @@ __rwsem_do_wake(struct rw_semaphore *sem, enum rwsem_wake_type wake_type)
 }
 /*
- * wait for the read lock to be granted
+ * Wait for the read lock to be granted
 */
 __visible
 struct rw_semaphore __sched *rwsem_down_read_failed(struct rw_semaphore *sem)
@@ -188,64 +247,221 @@ struct rw_semaphore __sched *rwsem_down_read_failed(struct rw_semaphore *sem)
        return sem;
 }
+static inline bool rwsem_try_write_lock(long count, struct rw_semaphore *sem)
+{
+        if (!(count & RWSEM_ACTIVE_MASK)) {
+                /* try acquiring the write lock */
+                if (sem->count == RWSEM_WAITING_BIAS &&
+                    cmpxchg(&sem->count, RWSEM_WAITING_BIAS,
+                            RWSEM_ACTIVE_WRITE_BIAS) == RWSEM_WAITING_BIAS) {
+                        if (!list_is_singular(&sem->wait_list))
+                                rwsem_atomic_update(RWSEM_WAITING_BIAS, sem);
+                        return true;
+                }
+        }
+        return false;
+}
+#ifdef CONFIG_SMP
 /*
- * wait until we successfully acquire the write lock
+ * Try to acquire write lock before the writer has been put on wait queue.
+ */
+static inline bool rwsem_try_write_lock_unqueued(struct rw_semaphore *sem)
+{
+        long old, count = ACCESS_ONCE(sem->count);
+        while (true) {
+                if (!(count == 0 || count == RWSEM_WAITING_BIAS))
+                        return false;
+                old = cmpxchg(&sem->count, count, count + RWSEM_ACTIVE_WRITE_BIAS);
+                if (old == count)
+                        return true;
+                count = old;
+        }
+}
+static inline bool rwsem_can_spin_on_owner(struct rw_semaphore *sem)
+{
+        struct task_struct *owner;
+        bool on_cpu = true;
+        if (need_resched())
+                return 0;
+        rcu_read_lock();
+        owner = ACCESS_ONCE(sem->owner);
+        if (owner)
+                on_cpu = owner->on_cpu;
+        rcu_read_unlock();
+        /*
+         * If sem->owner is not set, the rwsem owner may have
+         * just acquired it and not set the owner yet or the rwsem
+         * has been released.
+         */
+        return on_cpu;
+}
+static inline bool owner_running(struct rw_semaphore *sem,
+                                 struct task_struct *owner)
+{
+        if (sem->owner != owner)
+                return false;
+        /*
+         * Ensure we emit the owner->on_cpu, dereference _after_ checking
+         * sem->owner still matches owner, if that fails, owner might
+         * point to free()d memory, if it still matches, the rcu_read_lock()
+         * ensures the memory stays valid.
+         */
+        barrier();
+        return owner->on_cpu;
+}
+static noinline
+bool rwsem_spin_on_owner(struct rw_semaphore *sem, struct task_struct *owner)
+{
+        rcu_read_lock();
+        while (owner_running(sem, owner)) {
+                if (need_resched())
+                        break;
+                arch_mutex_cpu_relax();
+        }
+        rcu_read_unlock();
+        /*
+         * We break out the loop above on need_resched() or when the
+         * owner changed, which is a sign for heavy contention. Return
+         * success only when sem->owner is NULL.
+         */
+        return sem->owner == NULL;
+}
+static bool rwsem_optimistic_spin(struct rw_semaphore *sem)
+{
+        struct task_struct *owner;
+        bool taken = false;
+        preempt_disable();
+        /* sem->wait_lock should not be held when doing optimistic spinning */
+        if (!rwsem_can_spin_on_owner(sem))
+                goto done;
+        if (!osq_lock(&sem->osq))
+                goto done;
+        while (true) {
+                owner = ACCESS_ONCE(sem->owner);
+                if (owner && !rwsem_spin_on_owner(sem, owner))
+                        break;
+                /* wait_lock will be acquired if write_lock is obtained */
+                if (rwsem_try_write_lock_unqueued(sem)) {
+                        taken = true;
+                        break;
+                }
+                /*
+                 * When there's no owner, we might have preempted between the
+                 * owner acquiring the lock and setting the owner field. If
+                 * we're an RT task that will live-lock because we won't let
+                 * the owner complete.
+                 */
+                if (!owner && (need_resched() || rt_task(current)))
+                        break;
+                /*
+                 * The cpu_relax() call is a compiler barrier which forces
+                 * everything in this loop to be re-loaded. We don't need
+                 * memory barriers as we'll eventually observe the right
+                 * values at the cost of a few extra spins.
+                 */
+                arch_mutex_cpu_relax();
+        }
+        osq_unlock(&sem->osq);
+done:
+        preempt_enable();
+        return taken;
+}
+#else
+static bool rwsem_optimistic_spin(struct rw_semaphore *sem)
+{
+        return false;
+}
+#endif
+/*
+ * Wait until we successfully acquire the write lock
 */
 __visible
 struct rw_semaphore __sched *rwsem_down_write_failed(struct rw_semaphore *sem)
 {
-        long count, adjustment = -RWSEM_ACTIVE_WRITE_BIAS;
+        long count;
+        bool waiting = true; /* any queued threads before us */
        struct rwsem_waiter waiter;
-        struct task_struct *tsk = current;
-        /* set up my own style of waitqueue */
+        /* undo write bias from down_write operation, stop active locking */
-        waiter.task = tsk;
+        count = rwsem_atomic_update(-RWSEM_ACTIVE_WRITE_BIAS, sem);
+        /* do optimistic spinning and steal lock if possible */
+        if (rwsem_optimistic_spin(sem))
+                return sem;
+        /*
+         * Optimistic spinning failed, proceed to the slowpath
+         * and block until we can acquire the sem.
+         */
+        waiter.task = current;
        waiter.type = RWSEM_WAITING_FOR_WRITE;
        raw_spin_lock_irq(&sem->wait_lock);
+        /* account for this before adding a new element to the list */
        if (list_empty(&sem->wait_list))
-                adjustment += RWSEM_WAITING_BIAS;
+                waiting = false;
        list_add_tail(&waiter.list, &sem->wait_list);
        /* we're now waiting on the lock, but no longer actively locking */
-        count = rwsem_atomic_update(adjustment, sem);
+        if (waiting) {
+                count = ACCESS_ONCE(sem->count);
+                /*
+                 * If there were already threads queued before us and there are
+                 * no active writers, the lock must be read owned; so we try to
+                 * wake any read locks that were queued ahead of us.
+                 */
+                if (count > RWSEM_WAITING_BIAS)
+                        sem = __rwsem_do_wake(sem, RWSEM_WAKE_READERS);
-        /* If there were already threads queued before us and there are no
+        } else
-         * active writers, the lock must be read owned; so we try to wake
+                count = rwsem_atomic_update(RWSEM_WAITING_BIAS, sem);
-         * any read locks that were queued ahead of us. */
-        if (count > RWSEM_WAITING_BIAS &&
-            adjustment == -RWSEM_ACTIVE_WRITE_BIAS)
-                sem = __rwsem_do_wake(sem, RWSEM_WAKE_READERS);
        /* wait until we successfully acquire the lock */
-        set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+        set_current_state(TASK_UNINTERRUPTIBLE);
        while (true) {
-                if (!(count & RWSEM_ACTIVE_MASK)) {
+                if (rwsem_try_write_lock(count, sem))
-                        /* Try acquiring the write lock. */
+                        break;
-                        count = RWSEM_ACTIVE_WRITE_BIAS;
-                        if (!list_is_singular(&sem->wait_list))
-                                count += RWSEM_WAITING_BIAS;
-                        if (sem->count == RWSEM_WAITING_BIAS &&
-                            cmpxchg(&sem->count, RWSEM_WAITING_BIAS, count) ==
-                                                        RWSEM_WAITING_BIAS)
-                                break;
-                }
                raw_spin_unlock_irq(&sem->wait_lock);
                /* Block until there are no active lockers. */
                do {
                        schedule();
-                        set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+                        set_current_state(TASK_UNINTERRUPTIBLE);
                } while ((count = sem->count) & RWSEM_ACTIVE_MASK);
                raw_spin_lock_irq(&sem->wait_lock);
        }
+        __set_current_state(TASK_RUNNING);
        list_del(&waiter.list);
        raw_spin_unlock_irq(&sem->wait_lock);
-        tsk->state = TASK_RUNNING;
        return sem;
 }
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index cfff1435bdfb..42f806de49d4 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -12,6 +12,27 @@
 #include <linux/atomic.h>
+#if defined(CONFIG_SMP) && defined(CONFIG_RWSEM_XCHGADD_ALGORITHM)
+static inline void rwsem_set_owner(struct rw_semaphore *sem)
+{
+        sem->owner = current;
+}
+static inline void rwsem_clear_owner(struct rw_semaphore *sem)
+{
+        sem->owner = NULL;
+}
+#else
+static inline void rwsem_set_owner(struct rw_semaphore *sem)
+{
+}
+static inline void rwsem_clear_owner(struct rw_semaphore *sem)
+{
+}
+#endif
 /*
 * lock for reading
 */
@@ -48,6 +69,7 @@ void __sched down_write(struct rw_semaphore *sem)
        rwsem_acquire(&sem->dep_map, 0, 0, _RET_IP_);
        LOCK_CONTENDED(sem, __down_write_trylock, __down_write);
+        rwsem_set_owner(sem);
 }
 EXPORT_SYMBOL(down_write);
@@ -59,8 +81,11 @@ int down_write_trylock(struct rw_semaphore *sem)
 {
        int ret = __down_write_trylock(sem);
-        if (ret == 1)
+        if (ret == 1) {
                rwsem_acquire(&sem->dep_map, 0, 1, _RET_IP_);
+                rwsem_set_owner(sem);
+        }
        return ret;
 }
@@ -85,6 +110,7 @@ void up_write(struct rw_semaphore *sem)
 {
        rwsem_release(&sem->dep_map, 1, _RET_IP_);
+        rwsem_clear_owner(sem);
        __up_write(sem);
 }
@@ -99,6 +125,7 @@ void downgrade_write(struct rw_semaphore *sem)
         * lockdep: a downgraded write will live on as a write
         * dependency.
         */
+        rwsem_clear_owner(sem);
        __downgrade_write(sem);
 }
@@ -122,6 +149,7 @@ void _down_write_nest_lock(struct rw_semaphore *sem, struct lockdep_map *nest)
        rwsem_acquire_nest(&sem->dep_map, 0, 0, nest, _RET_IP_);
        LOCK_CONTENDED(sem, __down_write_trylock, __down_write);
+        rwsem_set_owner(sem);
 }
 EXPORT_SYMBOL(_down_write_nest_lock);
@@ -141,6 +169,7 @@ void down_write_nested(struct rw_semaphore *sem, int subclass)
        rwsem_acquire(&sem->dep_map, subclass, 0, _RET_IP_);
        LOCK_CONTENDED(sem, __down_write_trylock, __down_write);
+        rwsem_set_owner(sem);
 }
 EXPORT_SYMBOL(down_write_nested);