root/kernel/futex.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. setup_fail_futex
  2. should_fail_futex
  3. fail_futex_debugfs
  4. should_fail_futex
  5. compat_exit_robust_list
  6. futex_get_mm
  7. hb_waiters_inc
  8. hb_waiters_dec
  9. hb_waiters_pending
  10. hash_futex
  11. match_futex
  12. get_futex_key_refs
  13. drop_futex_key_refs
  14. futex_setup_timer
  15. get_inode_sequence_number
  16. get_futex_key
  17. put_futex_key
  18. fault_in_user_writeable
  19. futex_top_waiter
  20. cmpxchg_futex_value_locked
  21. get_futex_value_locked
  22. refill_pi_state_cache
  23. alloc_pi_state
  24. get_pi_state
  25. put_pi_state
  26. exit_pi_state_list
  27. exit_pi_state_list
  28. attach_to_pi_state
  29. wait_for_owner_exiting
  30. handle_exit_race
  31. attach_to_pi_owner
  32. lookup_pi_state
  33. lock_pi_update_atomic
  34. futex_lock_pi_atomic
  35. __unqueue_futex
  36. mark_wake_futex
  37. wake_futex_pi
  38. double_lock_hb
  39. double_unlock_hb
  40. futex_wake
  41. futex_atomic_op_inuser
  42. futex_wake_op
  43. requeue_futex
  44. requeue_pi_wake_futex
  45. futex_proxy_trylock_atomic
  46. futex_requeue
  47. queue_lock
  48. queue_unlock
  49. __queue_me
  50. queue_me
  51. unqueue_me
  52. unqueue_me_pi
  53. fixup_pi_state_owner
  54. fixup_owner
  55. futex_wait_queue_me
  56. futex_wait_setup
  57. futex_wait
  58. futex_wait_restart
  59. futex_lock_pi
  60. futex_unlock_pi
  61. handle_early_requeue_pi_wakeup
  62. futex_wait_requeue_pi
  63. SYSCALL_DEFINE2
  64. SYSCALL_DEFINE3
  65. handle_futex_death
  66. fetch_robust_entry
  67. exit_robust_list
  68. futex_cleanup
  69. futex_exit_recursive
  70. futex_cleanup_begin
  71. futex_cleanup_end
  72. futex_exec_release
  73. futex_exit_release
  74. do_futex
  75. SYSCALL_DEFINE6
  76. compat_fetch_robust_entry
  77. futex_uaddr
  78. compat_exit_robust_list
  79. COMPAT_SYSCALL_DEFINE2
  80. COMPAT_SYSCALL_DEFINE3
  81. SYSCALL_DEFINE6
  82. futex_detect_cmpxchg
  83. futex_init

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /*
   3  *  Fast Userspace Mutexes (which I call "Futexes!").
   4  *  (C) Rusty Russell, IBM 2002
   5  *
   6  *  Generalized futexes, futex requeueing, misc fixes by Ingo Molnar
   7  *  (C) Copyright 2003 Red Hat Inc, All Rights Reserved
   8  *
   9  *  Removed page pinning, fix privately mapped COW pages and other cleanups
  10  *  (C) Copyright 2003, 2004 Jamie Lokier
  11  *
  12  *  Robust futex support started by Ingo Molnar
  13  *  (C) Copyright 2006 Red Hat Inc, All Rights Reserved
  14  *  Thanks to Thomas Gleixner for suggestions, analysis and fixes.
  15  *
  16  *  PI-futex support started by Ingo Molnar and Thomas Gleixner
  17  *  Copyright (C) 2006 Red Hat, Inc., Ingo Molnar <mingo@redhat.com>
  18  *  Copyright (C) 2006 Timesys Corp., Thomas Gleixner <tglx@timesys.com>
  19  *
  20  *  PRIVATE futexes by Eric Dumazet
  21  *  Copyright (C) 2007 Eric Dumazet <dada1@cosmosbay.com>
  22  *
  23  *  Requeue-PI support by Darren Hart <dvhltc@us.ibm.com>
  24  *  Copyright (C) IBM Corporation, 2009
  25  *  Thanks to Thomas Gleixner for conceptual design and careful reviews.
  26  *
  27  *  Thanks to Ben LaHaise for yelling "hashed waitqueues" loudly
  28  *  enough at me, Linus for the original (flawed) idea, Matthew
  29  *  Kirkwood for proof-of-concept implementation.
  30  *
  31  *  "The futexes are also cursed."
  32  *  "But they come in a choice of three flavours!"
  33  */
  34 #include <linux/compat.h>
  35 #include <linux/slab.h>
  36 #include <linux/poll.h>
  37 #include <linux/fs.h>
  38 #include <linux/file.h>
  39 #include <linux/jhash.h>
  40 #include <linux/init.h>
  41 #include <linux/futex.h>
  42 #include <linux/mount.h>
  43 #include <linux/pagemap.h>
  44 #include <linux/syscalls.h>
  45 #include <linux/signal.h>
  46 #include <linux/export.h>
  47 #include <linux/magic.h>
  48 #include <linux/pid.h>
  49 #include <linux/nsproxy.h>
  50 #include <linux/ptrace.h>
  51 #include <linux/sched/rt.h>
  52 #include <linux/sched/wake_q.h>
  53 #include <linux/sched/mm.h>
  54 #include <linux/hugetlb.h>
  55 #include <linux/freezer.h>
  56 #include <linux/memblock.h>
  57 #include <linux/fault-inject.h>
  58 #include <linux/refcount.h>
  59 
  60 #include <asm/futex.h>
  61 
  62 #include "locking/rtmutex_common.h"
  63 
  64 /*
  65  * READ this before attempting to hack on futexes!
  66  *
  67  * Basic futex operation and ordering guarantees
  68  * =============================================
  69  *
  70  * The waiter reads the futex value in user space and calls
  71  * futex_wait(). This function computes the hash bucket and acquires
  72  * the hash bucket lock. After that it reads the futex user space value
  73  * again and verifies that the data has not changed. If it has not changed
  74  * it enqueues itself into the hash bucket, releases the hash bucket lock
  75  * and schedules.
  76  *
  77  * The waker side modifies the user space value of the futex and calls
  78  * futex_wake(). This function computes the hash bucket and acquires the
  79  * hash bucket lock. Then it looks for waiters on that futex in the hash
  80  * bucket and wakes them.
  81  *
  82  * In futex wake up scenarios where no tasks are blocked on a futex, taking
  83  * the hb spinlock can be avoided and simply return. In order for this
  84  * optimization to work, ordering guarantees must exist so that the waiter
  85  * being added to the list is acknowledged when the list is concurrently being
  86  * checked by the waker, avoiding scenarios like the following:
  87  *
  88  * CPU 0                               CPU 1
  89  * val = *futex;
  90  * sys_futex(WAIT, futex, val);
  91  *   futex_wait(futex, val);
  92  *   uval = *futex;
  93  *                                     *futex = newval;
  94  *                                     sys_futex(WAKE, futex);
  95  *                                       futex_wake(futex);
  96  *                                       if (queue_empty())
  97  *                                         return;
  98  *   if (uval == val)
  99  *      lock(hash_bucket(futex));
 100  *      queue();
 101  *     unlock(hash_bucket(futex));
 102  *     schedule();
 103  *
 104  * This would cause the waiter on CPU 0 to wait forever because it
 105  * missed the transition of the user space value from val to newval
 106  * and the waker did not find the waiter in the hash bucket queue.
 107  *
 108  * The correct serialization ensures that a waiter either observes
 109  * the changed user space value before blocking or is woken by a
 110  * concurrent waker:
 111  *
 112  * CPU 0                                 CPU 1
 113  * val = *futex;
 114  * sys_futex(WAIT, futex, val);
 115  *   futex_wait(futex, val);
 116  *
 117  *   waiters++; (a)
 118  *   smp_mb(); (A) <-- paired with -.
 119  *                                  |
 120  *   lock(hash_bucket(futex));      |
 121  *                                  |
 122  *   uval = *futex;                 |
 123  *                                  |        *futex = newval;
 124  *                                  |        sys_futex(WAKE, futex);
 125  *                                  |          futex_wake(futex);
 126  *                                  |
 127  *                                  `--------> smp_mb(); (B)
 128  *   if (uval == val)
 129  *     queue();
 130  *     unlock(hash_bucket(futex));
 131  *     schedule();                         if (waiters)
 132  *                                           lock(hash_bucket(futex));
 133  *   else                                    wake_waiters(futex);
 134  *     waiters--; (b)                        unlock(hash_bucket(futex));
 135  *
 136  * Where (A) orders the waiters increment and the futex value read through
 137  * atomic operations (see hb_waiters_inc) and where (B) orders the write
 138  * to futex and the waiters read -- this is done by the barriers for both
 139  * shared and private futexes in get_futex_key_refs().
 140  *
 141  * This yields the following case (where X:=waiters, Y:=futex):
 142  *
 143  *      X = Y = 0
 144  *
 145  *      w[X]=1          w[Y]=1
 146  *      MB              MB
 147  *      r[Y]=y          r[X]=x
 148  *
 149  * Which guarantees that x==0 && y==0 is impossible; which translates back into
 150  * the guarantee that we cannot both miss the futex variable change and the
 151  * enqueue.
 152  *
 153  * Note that a new waiter is accounted for in (a) even when it is possible that
 154  * the wait call can return error, in which case we backtrack from it in (b).
 155  * Refer to the comment in queue_lock().
 156  *
 157  * Similarly, in order to account for waiters being requeued on another
 158  * address we always increment the waiters for the destination bucket before
 159  * acquiring the lock. It then decrements them again  after releasing it -
 160  * the code that actually moves the futex(es) between hash buckets (requeue_futex)
 161  * will do the additional required waiter count housekeeping. This is done for
 162  * double_lock_hb() and double_unlock_hb(), respectively.
 163  */
 164 
 165 #ifdef CONFIG_HAVE_FUTEX_CMPXCHG
 166 #define futex_cmpxchg_enabled 1
 167 #else
 168 static int  __read_mostly futex_cmpxchg_enabled;
 169 #endif
 170 
 171 /*
 172  * Futex flags used to encode options to functions and preserve them across
 173  * restarts.
 174  */
 175 #ifdef CONFIG_MMU
 176 # define FLAGS_SHARED           0x01
 177 #else
 178 /*
 179  * NOMMU does not have per process address space. Let the compiler optimize
 180  * code away.
 181  */
 182 # define FLAGS_SHARED           0x00
 183 #endif
 184 #define FLAGS_CLOCKRT           0x02
 185 #define FLAGS_HAS_TIMEOUT       0x04
 186 
 187 /*
 188  * Priority Inheritance state:
 189  */
 190 struct futex_pi_state {
 191         /*
 192          * list of 'owned' pi_state instances - these have to be
 193          * cleaned up in do_exit() if the task exits prematurely:
 194          */
 195         struct list_head list;
 196 
 197         /*
 198          * The PI object:
 199          */
 200         struct rt_mutex pi_mutex;
 201 
 202         struct task_struct *owner;
 203         refcount_t refcount;
 204 
 205         union futex_key key;
 206 } __randomize_layout;
 207 
 208 /**
 209  * struct futex_q - The hashed futex queue entry, one per waiting task
 210  * @list:               priority-sorted list of tasks waiting on this futex
 211  * @task:               the task waiting on the futex
 212  * @lock_ptr:           the hash bucket lock
 213  * @key:                the key the futex is hashed on
 214  * @pi_state:           optional priority inheritance state
 215  * @rt_waiter:          rt_waiter storage for use with requeue_pi
 216  * @requeue_pi_key:     the requeue_pi target futex key
 217  * @bitset:             bitset for the optional bitmasked wakeup
 218  *
 219  * We use this hashed waitqueue, instead of a normal wait_queue_entry_t, so
 220  * we can wake only the relevant ones (hashed queues may be shared).
 221  *
 222  * A futex_q has a woken state, just like tasks have TASK_RUNNING.
 223  * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0.
 224  * The order of wakeup is always to make the first condition true, then
 225  * the second.
 226  *
 227  * PI futexes are typically woken before they are removed from the hash list via
 228  * the rt_mutex code. See unqueue_me_pi().
 229  */
 230 struct futex_q {
 231         struct plist_node list;
 232 
 233         struct task_struct *task;
 234         spinlock_t *lock_ptr;
 235         union futex_key key;
 236         struct futex_pi_state *pi_state;
 237         struct rt_mutex_waiter *rt_waiter;
 238         union futex_key *requeue_pi_key;
 239         u32 bitset;
 240 } __randomize_layout;
 241 
 242 static const struct futex_q futex_q_init = {
 243         /* list gets initialized in queue_me()*/
 244         .key = FUTEX_KEY_INIT,
 245         .bitset = FUTEX_BITSET_MATCH_ANY
 246 };
 247 
 248 /*
 249  * Hash buckets are shared by all the futex_keys that hash to the same
 250  * location.  Each key may have multiple futex_q structures, one for each task
 251  * waiting on a futex.
 252  */
 253 struct futex_hash_bucket {
 254         atomic_t waiters;
 255         spinlock_t lock;
 256         struct plist_head chain;
 257 } ____cacheline_aligned_in_smp;
 258 
 259 /*
 260  * The base of the bucket array and its size are always used together
 261  * (after initialization only in hash_futex()), so ensure that they
 262  * reside in the same cacheline.
 263  */
 264 static struct {
 265         struct futex_hash_bucket *queues;
 266         unsigned long            hashsize;
 267 } __futex_data __read_mostly __aligned(2*sizeof(long));
 268 #define futex_queues   (__futex_data.queues)
 269 #define futex_hashsize (__futex_data.hashsize)
 270 
 271 
 272 /*
 273  * Fault injections for futexes.
 274  */
 275 #ifdef CONFIG_FAIL_FUTEX
 276 
 277 static struct {
 278         struct fault_attr attr;
 279 
 280         bool ignore_private;
 281 } fail_futex = {
 282         .attr = FAULT_ATTR_INITIALIZER,
 283         .ignore_private = false,
 284 };
 285 
 286 static int __init setup_fail_futex(char *str)
 287 {
 288         return setup_fault_attr(&fail_futex.attr, str);
 289 }
 290 __setup("fail_futex=", setup_fail_futex);
 291 
 292 static bool should_fail_futex(bool fshared)
 293 {
 294         if (fail_futex.ignore_private && !fshared)
 295                 return false;
 296 
 297         return should_fail(&fail_futex.attr, 1);
 298 }
 299 
 300 #ifdef CONFIG_FAULT_INJECTION_DEBUG_FS
 301 
 302 static int __init fail_futex_debugfs(void)
 303 {
 304         umode_t mode = S_IFREG | S_IRUSR | S_IWUSR;
 305         struct dentry *dir;
 306 
 307         dir = fault_create_debugfs_attr("fail_futex", NULL,
 308                                         &fail_futex.attr);
 309         if (IS_ERR(dir))
 310                 return PTR_ERR(dir);
 311 
 312         debugfs_create_bool("ignore-private", mode, dir,
 313                             &fail_futex.ignore_private);
 314         return 0;
 315 }
 316 
 317 late_initcall(fail_futex_debugfs);
 318 
 319 #endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */
 320 
 321 #else
 322 static inline bool should_fail_futex(bool fshared)
 323 {
 324         return false;
 325 }
 326 #endif /* CONFIG_FAIL_FUTEX */
 327 
 328 #ifdef CONFIG_COMPAT
 329 static void compat_exit_robust_list(struct task_struct *curr);
 330 #else
 331 static inline void compat_exit_robust_list(struct task_struct *curr) { }
 332 #endif
 333 
 334 static inline void futex_get_mm(union futex_key *key)
 335 {
 336         mmgrab(key->private.mm);
 337         /*
 338          * Ensure futex_get_mm() implies a full barrier such that
 339          * get_futex_key() implies a full barrier. This is relied upon
 340          * as smp_mb(); (B), see the ordering comment above.
 341          */
 342         smp_mb__after_atomic();
 343 }
 344 
 345 /*
 346  * Reflects a new waiter being added to the waitqueue.
 347  */
 348 static inline void hb_waiters_inc(struct futex_hash_bucket *hb)
 349 {
 350 #ifdef CONFIG_SMP
 351         atomic_inc(&hb->waiters);
 352         /*
 353          * Full barrier (A), see the ordering comment above.
 354          */
 355         smp_mb__after_atomic();
 356 #endif
 357 }
 358 
 359 /*
 360  * Reflects a waiter being removed from the waitqueue by wakeup
 361  * paths.
 362  */
 363 static inline void hb_waiters_dec(struct futex_hash_bucket *hb)
 364 {
 365 #ifdef CONFIG_SMP
 366         atomic_dec(&hb->waiters);
 367 #endif
 368 }
 369 
 370 static inline int hb_waiters_pending(struct futex_hash_bucket *hb)
 371 {
 372 #ifdef CONFIG_SMP
 373         return atomic_read(&hb->waiters);
 374 #else
 375         return 1;
 376 #endif
 377 }
 378 
 379 /**
 380  * hash_futex - Return the hash bucket in the global hash
 381  * @key:        Pointer to the futex key for which the hash is calculated
 382  *
 383  * We hash on the keys returned from get_futex_key (see below) and return the
 384  * corresponding hash bucket in the global hash.
 385  */
 386 static struct futex_hash_bucket *hash_futex(union futex_key *key)
 387 {
 388         u32 hash = jhash2((u32 *)key, offsetof(typeof(*key), both.offset) / 4,
 389                           key->both.offset);
 390 
 391         return &futex_queues[hash & (futex_hashsize - 1)];
 392 }
 393 
 394 
 395 /**
 396  * match_futex - Check whether two futex keys are equal
 397  * @key1:       Pointer to key1
 398  * @key2:       Pointer to key2
 399  *
 400  * Return 1 if two futex_keys are equal, 0 otherwise.
 401  */
 402 static inline int match_futex(union futex_key *key1, union futex_key *key2)
 403 {
 404         return (key1 && key2
 405                 && key1->both.word == key2->both.word
 406                 && key1->both.ptr == key2->both.ptr
 407                 && key1->both.offset == key2->both.offset);
 408 }
 409 
 410 /*
 411  * Take a reference to the resource addressed by a key.
 412  * Can be called while holding spinlocks.
 413  *
 414  */
 415 static void get_futex_key_refs(union futex_key *key)
 416 {
 417         if (!key->both.ptr)
 418                 return;
 419 
 420         /*
 421          * On MMU less systems futexes are always "private" as there is no per
 422          * process address space. We need the smp wmb nevertheless - yes,
 423          * arch/blackfin has MMU less SMP ...
 424          */
 425         if (!IS_ENABLED(CONFIG_MMU)) {
 426                 smp_mb(); /* explicit smp_mb(); (B) */
 427                 return;
 428         }
 429 
 430         switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
 431         case FUT_OFF_INODE:
 432                 smp_mb();               /* explicit smp_mb(); (B) */
 433                 break;
 434         case FUT_OFF_MMSHARED:
 435                 futex_get_mm(key); /* implies smp_mb(); (B) */
 436                 break;
 437         default:
 438                 /*
 439                  * Private futexes do not hold reference on an inode or
 440                  * mm, therefore the only purpose of calling get_futex_key_refs
 441                  * is because we need the barrier for the lockless waiter check.
 442                  */
 443                 smp_mb(); /* explicit smp_mb(); (B) */
 444         }
 445 }
 446 
 447 /*
 448  * Drop a reference to the resource addressed by a key.
 449  * The hash bucket spinlock must not be held. This is
 450  * a no-op for private futexes, see comment in the get
 451  * counterpart.
 452  */
 453 static void drop_futex_key_refs(union futex_key *key)
 454 {
 455         if (!key->both.ptr) {
 456                 /* If we're here then we tried to put a key we failed to get */
 457                 WARN_ON_ONCE(1);
 458                 return;
 459         }
 460 
 461         if (!IS_ENABLED(CONFIG_MMU))
 462                 return;
 463 
 464         switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
 465         case FUT_OFF_INODE:
 466                 break;
 467         case FUT_OFF_MMSHARED:
 468                 mmdrop(key->private.mm);
 469                 break;
 470         }
 471 }
 472 
 473 enum futex_access {
 474         FUTEX_READ,
 475         FUTEX_WRITE
 476 };
 477 
 478 /**
 479  * futex_setup_timer - set up the sleeping hrtimer.
 480  * @time:       ptr to the given timeout value
 481  * @timeout:    the hrtimer_sleeper structure to be set up
 482  * @flags:      futex flags
 483  * @range_ns:   optional range in ns
 484  *
 485  * Return: Initialized hrtimer_sleeper structure or NULL if no timeout
 486  *         value given
 487  */
 488 static inline struct hrtimer_sleeper *
 489 futex_setup_timer(ktime_t *time, struct hrtimer_sleeper *timeout,
 490                   int flags, u64 range_ns)
 491 {
 492         if (!time)
 493                 return NULL;
 494 
 495         hrtimer_init_sleeper_on_stack(timeout, (flags & FLAGS_CLOCKRT) ?
 496                                       CLOCK_REALTIME : CLOCK_MONOTONIC,
 497                                       HRTIMER_MODE_ABS);
 498         /*
 499          * If range_ns is 0, calling hrtimer_set_expires_range_ns() is
 500          * effectively the same as calling hrtimer_set_expires().
 501          */
 502         hrtimer_set_expires_range_ns(&timeout->timer, *time, range_ns);
 503 
 504         return timeout;
 505 }
 506 
 507 /*
 508  * Generate a machine wide unique identifier for this inode.
 509  *
 510  * This relies on u64 not wrapping in the life-time of the machine; which with
 511  * 1ns resolution means almost 585 years.
 512  *
 513  * This further relies on the fact that a well formed program will not unmap
 514  * the file while it has a (shared) futex waiting on it. This mapping will have
 515  * a file reference which pins the mount and inode.
 516  *
 517  * If for some reason an inode gets evicted and read back in again, it will get
 518  * a new sequence number and will _NOT_ match, even though it is the exact same
 519  * file.
 520  *
 521  * It is important that match_futex() will never have a false-positive, esp.
 522  * for PI futexes that can mess up the state. The above argues that false-negatives
 523  * are only possible for malformed programs.
 524  */
 525 static u64 get_inode_sequence_number(struct inode *inode)
 526 {
 527         static atomic64_t i_seq;
 528         u64 old;
 529 
 530         /* Does the inode already have a sequence number? */
 531         old = atomic64_read(&inode->i_sequence);
 532         if (likely(old))
 533                 return old;
 534 
 535         for (;;) {
 536                 u64 new = atomic64_add_return(1, &i_seq);
 537                 if (WARN_ON_ONCE(!new))
 538                         continue;
 539 
 540                 old = atomic64_cmpxchg_relaxed(&inode->i_sequence, 0, new);
 541                 if (old)
 542                         return old;
 543                 return new;
 544         }
 545 }
 546 
 547 /**
 548  * get_futex_key() - Get parameters which are the keys for a futex
 549  * @uaddr:      virtual address of the futex
 550  * @fshared:    0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
 551  * @key:        address where result is stored.
 552  * @rw:         mapping needs to be read/write (values: FUTEX_READ,
 553  *              FUTEX_WRITE)
 554  *
 555  * Return: a negative error code or 0
 556  *
 557  * The key words are stored in @key on success.
 558  *
 559  * For shared mappings (when @fshared), the key is:
 560  *   ( inode->i_sequence, page->index, offset_within_page )
 561  * [ also see get_inode_sequence_number() ]
 562  *
 563  * For private mappings (or when !@fshared), the key is:
 564  *   ( current->mm, address, 0 )
 565  *
 566  * This allows (cross process, where applicable) identification of the futex
 567  * without keeping the page pinned for the duration of the FUTEX_WAIT.
 568  *
 569  * lock_page() might sleep, the caller should not hold a spinlock.
 570  */
 571 static int
 572 get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, enum futex_access rw)
 573 {
 574         unsigned long address = (unsigned long)uaddr;
 575         struct mm_struct *mm = current->mm;
 576         struct page *page, *tail;
 577         struct address_space *mapping;
 578         int err, ro = 0;
 579 
 580         /*
 581          * The futex address must be "naturally" aligned.
 582          */
 583         key->both.offset = address % PAGE_SIZE;
 584         if (unlikely((address % sizeof(u32)) != 0))
 585                 return -EINVAL;
 586         address -= key->both.offset;
 587 
 588         if (unlikely(!access_ok(uaddr, sizeof(u32))))
 589                 return -EFAULT;
 590 
 591         if (unlikely(should_fail_futex(fshared)))
 592                 return -EFAULT;
 593 
 594         /*
 595          * PROCESS_PRIVATE futexes are fast.
 596          * As the mm cannot disappear under us and the 'key' only needs
 597          * virtual address, we dont even have to find the underlying vma.
 598          * Note : We do have to check 'uaddr' is a valid user address,
 599          *        but access_ok() should be faster than find_vma()
 600          */
 601         if (!fshared) {
 602                 key->private.mm = mm;
 603                 key->private.address = address;
 604                 get_futex_key_refs(key);  /* implies smp_mb(); (B) */
 605                 return 0;
 606         }
 607 
 608 again:
 609         /* Ignore any VERIFY_READ mapping (futex common case) */
 610         if (unlikely(should_fail_futex(fshared)))
 611                 return -EFAULT;
 612 
 613         err = get_user_pages_fast(address, 1, FOLL_WRITE, &page);
 614         /*
 615          * If write access is not required (eg. FUTEX_WAIT), try
 616          * and get read-only access.
 617          */
 618         if (err == -EFAULT && rw == FUTEX_READ) {
 619                 err = get_user_pages_fast(address, 1, 0, &page);
 620                 ro = 1;
 621         }
 622         if (err < 0)
 623                 return err;
 624         else
 625                 err = 0;
 626 
 627         /*
 628          * The treatment of mapping from this point on is critical. The page
 629          * lock protects many things but in this context the page lock
 630          * stabilizes mapping, prevents inode freeing in the shared
 631          * file-backed region case and guards against movement to swap cache.
 632          *
 633          * Strictly speaking the page lock is not needed in all cases being
 634          * considered here and page lock forces unnecessarily serialization
 635          * From this point on, mapping will be re-verified if necessary and
 636          * page lock will be acquired only if it is unavoidable
 637          *
 638          * Mapping checks require the head page for any compound page so the
 639          * head page and mapping is looked up now. For anonymous pages, it
 640          * does not matter if the page splits in the future as the key is
 641          * based on the address. For filesystem-backed pages, the tail is
 642          * required as the index of the page determines the key. For
 643          * base pages, there is no tail page and tail == page.
 644          */
 645         tail = page;
 646         page = compound_head(page);
 647         mapping = READ_ONCE(page->mapping);
 648 
 649         /*
 650          * If page->mapping is NULL, then it cannot be a PageAnon
 651          * page; but it might be the ZERO_PAGE or in the gate area or
 652          * in a special mapping (all cases which we are happy to fail);
 653          * or it may have been a good file page when get_user_pages_fast
 654          * found it, but truncated or holepunched or subjected to
 655          * invalidate_complete_page2 before we got the page lock (also
 656          * cases which we are happy to fail).  And we hold a reference,
 657          * so refcount care in invalidate_complete_page's remove_mapping
 658          * prevents drop_caches from setting mapping to NULL beneath us.
 659          *
 660          * The case we do have to guard against is when memory pressure made
 661          * shmem_writepage move it from filecache to swapcache beneath us:
 662          * an unlikely race, but we do need to retry for page->mapping.
 663          */
 664         if (unlikely(!mapping)) {
 665                 int shmem_swizzled;
 666 
 667                 /*
 668                  * Page lock is required to identify which special case above
 669                  * applies. If this is really a shmem page then the page lock
 670                  * will prevent unexpected transitions.
 671                  */
 672                 lock_page(page);
 673                 shmem_swizzled = PageSwapCache(page) || page->mapping;
 674                 unlock_page(page);
 675                 put_page(page);
 676 
 677                 if (shmem_swizzled)
 678                         goto again;
 679 
 680                 return -EFAULT;
 681         }
 682 
 683         /*
 684          * Private mappings are handled in a simple way.
 685          *
 686          * If the futex key is stored on an anonymous page, then the associated
 687          * object is the mm which is implicitly pinned by the calling process.
 688          *
 689          * NOTE: When userspace waits on a MAP_SHARED mapping, even if
 690          * it's a read-only handle, it's expected that futexes attach to
 691          * the object not the particular process.
 692          */
 693         if (PageAnon(page)) {
 694                 /*
 695                  * A RO anonymous page will never change and thus doesn't make
 696                  * sense for futex operations.
 697                  */
 698                 if (unlikely(should_fail_futex(fshared)) || ro) {
 699                         err = -EFAULT;
 700                         goto out;
 701                 }
 702 
 703                 key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
 704                 key->private.mm = mm;
 705                 key->private.address = address;
 706 
 707         } else {
 708                 struct inode *inode;
 709 
 710                 /*
 711                  * The associated futex object in this case is the inode and
 712                  * the page->mapping must be traversed. Ordinarily this should
 713                  * be stabilised under page lock but it's not strictly
 714                  * necessary in this case as we just want to pin the inode, not
 715                  * update the radix tree or anything like that.
 716                  *
 717                  * The RCU read lock is taken as the inode is finally freed
 718                  * under RCU. If the mapping still matches expectations then the
 719                  * mapping->host can be safely accessed as being a valid inode.
 720                  */
 721                 rcu_read_lock();
 722 
 723                 if (READ_ONCE(page->mapping) != mapping) {
 724                         rcu_read_unlock();
 725                         put_page(page);
 726 
 727                         goto again;
 728                 }
 729 
 730                 inode = READ_ONCE(mapping->host);
 731                 if (!inode) {
 732                         rcu_read_unlock();
 733                         put_page(page);
 734 
 735                         goto again;
 736                 }
 737 
 738                 key->both.offset |= FUT_OFF_INODE; /* inode-based key */
 739                 key->shared.i_seq = get_inode_sequence_number(inode);
 740                 key->shared.pgoff = basepage_index(tail);
 741                 rcu_read_unlock();
 742         }
 743 
 744         get_futex_key_refs(key); /* implies smp_mb(); (B) */
 745 
 746 out:
 747         put_page(page);
 748         return err;
 749 }
 750 
 751 static inline void put_futex_key(union futex_key *key)
 752 {
 753         drop_futex_key_refs(key);
 754 }
 755 
 756 /**
 757  * fault_in_user_writeable() - Fault in user address and verify RW access
 758  * @uaddr:      pointer to faulting user space address
 759  *
 760  * Slow path to fixup the fault we just took in the atomic write
 761  * access to @uaddr.
 762  *
 763  * We have no generic implementation of a non-destructive write to the
 764  * user address. We know that we faulted in the atomic pagefault
 765  * disabled section so we can as well avoid the #PF overhead by
 766  * calling get_user_pages() right away.
 767  */
 768 static int fault_in_user_writeable(u32 __user *uaddr)
 769 {
 770         struct mm_struct *mm = current->mm;
 771         int ret;
 772 
 773         down_read(&mm->mmap_sem);
 774         ret = fixup_user_fault(current, mm, (unsigned long)uaddr,
 775                                FAULT_FLAG_WRITE, NULL);
 776         up_read(&mm->mmap_sem);
 777 
 778         return ret < 0 ? ret : 0;
 779 }
 780 
 781 /**
 782  * futex_top_waiter() - Return the highest priority waiter on a futex
 783  * @hb:         the hash bucket the futex_q's reside in
 784  * @key:        the futex key (to distinguish it from other futex futex_q's)
 785  *
 786  * Must be called with the hb lock held.
 787  */
 788 static struct futex_q *futex_top_waiter(struct futex_hash_bucket *hb,
 789                                         union futex_key *key)
 790 {
 791         struct futex_q *this;
 792 
 793         plist_for_each_entry(this, &hb->chain, list) {
 794                 if (match_futex(&this->key, key))
 795                         return this;
 796         }
 797         return NULL;
 798 }
 799 
 800 static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
 801                                       u32 uval, u32 newval)
 802 {
 803         int ret;
 804 
 805         pagefault_disable();
 806         ret = futex_atomic_cmpxchg_inatomic(curval, uaddr, uval, newval);
 807         pagefault_enable();
 808 
 809         return ret;
 810 }
 811 
 812 static int get_futex_value_locked(u32 *dest, u32 __user *from)
 813 {
 814         int ret;
 815 
 816         pagefault_disable();
 817         ret = __get_user(*dest, from);
 818         pagefault_enable();
 819 
 820         return ret ? -EFAULT : 0;
 821 }
 822 
 823 
 824 /*
 825  * PI code:
 826  */
 827 static int refill_pi_state_cache(void)
 828 {
 829         struct futex_pi_state *pi_state;
 830 
 831         if (likely(current->pi_state_cache))
 832                 return 0;
 833 
 834         pi_state = kzalloc(sizeof(*pi_state), GFP_KERNEL);
 835 
 836         if (!pi_state)
 837                 return -ENOMEM;
 838 
 839         INIT_LIST_HEAD(&pi_state->list);
 840         /* pi_mutex gets initialized later */
 841         pi_state->owner = NULL;
 842         refcount_set(&pi_state->refcount, 1);
 843         pi_state->key = FUTEX_KEY_INIT;
 844 
 845         current->pi_state_cache = pi_state;
 846 
 847         return 0;
 848 }
 849 
 850 static struct futex_pi_state *alloc_pi_state(void)
 851 {
 852         struct futex_pi_state *pi_state = current->pi_state_cache;
 853 
 854         WARN_ON(!pi_state);
 855         current->pi_state_cache = NULL;
 856 
 857         return pi_state;
 858 }
 859 
 860 static void get_pi_state(struct futex_pi_state *pi_state)
 861 {
 862         WARN_ON_ONCE(!refcount_inc_not_zero(&pi_state->refcount));
 863 }
 864 
 865 /*
 866  * Drops a reference to the pi_state object and frees or caches it
 867  * when the last reference is gone.
 868  */
 869 static void put_pi_state(struct futex_pi_state *pi_state)
 870 {
 871         if (!pi_state)
 872                 return;
 873 
 874         if (!refcount_dec_and_test(&pi_state->refcount))
 875                 return;
 876 
 877         /*
 878          * If pi_state->owner is NULL, the owner is most probably dying
 879          * and has cleaned up the pi_state already
 880          */
 881         if (pi_state->owner) {
 882                 struct task_struct *owner;
 883 
 884                 raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
 885                 owner = pi_state->owner;
 886                 if (owner) {
 887                         raw_spin_lock(&owner->pi_lock);
 888                         list_del_init(&pi_state->list);
 889                         raw_spin_unlock(&owner->pi_lock);
 890                 }
 891                 rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner);
 892                 raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
 893         }
 894 
 895         if (current->pi_state_cache) {
 896                 kfree(pi_state);
 897         } else {
 898                 /*
 899                  * pi_state->list is already empty.
 900                  * clear pi_state->owner.
 901                  * refcount is at 0 - put it back to 1.
 902                  */
 903                 pi_state->owner = NULL;
 904                 refcount_set(&pi_state->refcount, 1);
 905                 current->pi_state_cache = pi_state;
 906         }
 907 }
 908 
 909 #ifdef CONFIG_FUTEX_PI
 910 
 911 /*
 912  * This task is holding PI mutexes at exit time => bad.
 913  * Kernel cleans up PI-state, but userspace is likely hosed.
 914  * (Robust-futex cleanup is separate and might save the day for userspace.)
 915  */
 916 static void exit_pi_state_list(struct task_struct *curr)
 917 {
 918         struct list_head *next, *head = &curr->pi_state_list;
 919         struct futex_pi_state *pi_state;
 920         struct futex_hash_bucket *hb;
 921         union futex_key key = FUTEX_KEY_INIT;
 922 
 923         if (!futex_cmpxchg_enabled)
 924                 return;
 925         /*
 926          * We are a ZOMBIE and nobody can enqueue itself on
 927          * pi_state_list anymore, but we have to be careful
 928          * versus waiters unqueueing themselves:
 929          */
 930         raw_spin_lock_irq(&curr->pi_lock);
 931         while (!list_empty(head)) {
 932                 next = head->next;
 933                 pi_state = list_entry(next, struct futex_pi_state, list);
 934                 key = pi_state->key;
 935                 hb = hash_futex(&key);
 936 
 937                 /*
 938                  * We can race against put_pi_state() removing itself from the
 939                  * list (a waiter going away). put_pi_state() will first
 940                  * decrement the reference count and then modify the list, so
 941                  * its possible to see the list entry but fail this reference
 942                  * acquire.
 943                  *
 944                  * In that case; drop the locks to let put_pi_state() make
 945                  * progress and retry the loop.
 946                  */
 947                 if (!refcount_inc_not_zero(&pi_state->refcount)) {
 948                         raw_spin_unlock_irq(&curr->pi_lock);
 949                         cpu_relax();
 950                         raw_spin_lock_irq(&curr->pi_lock);
 951                         continue;
 952                 }
 953                 raw_spin_unlock_irq(&curr->pi_lock);
 954 
 955                 spin_lock(&hb->lock);
 956                 raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
 957                 raw_spin_lock(&curr->pi_lock);
 958                 /*
 959                  * We dropped the pi-lock, so re-check whether this
 960                  * task still owns the PI-state:
 961                  */
 962                 if (head->next != next) {
 963                         /* retain curr->pi_lock for the loop invariant */
 964                         raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
 965                         spin_unlock(&hb->lock);
 966                         put_pi_state(pi_state);
 967                         continue;
 968                 }
 969 
 970                 WARN_ON(pi_state->owner != curr);
 971                 WARN_ON(list_empty(&pi_state->list));
 972                 list_del_init(&pi_state->list);
 973                 pi_state->owner = NULL;
 974 
 975                 raw_spin_unlock(&curr->pi_lock);
 976                 raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
 977                 spin_unlock(&hb->lock);
 978 
 979                 rt_mutex_futex_unlock(&pi_state->pi_mutex);
 980                 put_pi_state(pi_state);
 981 
 982                 raw_spin_lock_irq(&curr->pi_lock);
 983         }
 984         raw_spin_unlock_irq(&curr->pi_lock);
 985 }
 986 #else
 987 static inline void exit_pi_state_list(struct task_struct *curr) { }
 988 #endif
 989 
 990 /*
 991  * We need to check the following states:
 992  *
 993  *      Waiter | pi_state | pi->owner | uTID      | uODIED | ?
 994  *
 995  * [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
 996  * [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
 997  *
 998  * [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
 999  *
1000  * [4]  Found  | Found    | NULL      | 0         | 1      | Valid
1001  * [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
1002  *
1003  * [6]  Found  | Found    | task      | 0         | 1      | Valid
1004  *
1005  * [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
1006  *
1007  * [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
1008  * [9]  Found  | Found    | task      | 0         | 0      | Invalid
1009  * [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
1010  *
1011  * [1]  Indicates that the kernel can acquire the futex atomically. We
1012  *      came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
1013  *
1014  * [2]  Valid, if TID does not belong to a kernel thread. If no matching
1015  *      thread is found then it indicates that the owner TID has died.
1016  *
1017  * [3]  Invalid. The waiter is queued on a non PI futex
1018  *
1019  * [4]  Valid state after exit_robust_list(), which sets the user space
1020  *      value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
1021  *
1022  * [5]  The user space value got manipulated between exit_robust_list()
1023  *      and exit_pi_state_list()
1024  *
1025  * [6]  Valid state after exit_pi_state_list() which sets the new owner in
1026  *      the pi_state but cannot access the user space value.
1027  *
1028  * [7]  pi_state->owner can only be NULL when the OWNER_DIED bit is set.
1029  *
1030  * [8]  Owner and user space value match
1031  *
1032  * [9]  There is no transient state which sets the user space TID to 0
1033  *      except exit_robust_list(), but this is indicated by the
1034  *      FUTEX_OWNER_DIED bit. See [4]
1035  *
1036  * [10] There is no transient state which leaves owner and user space
1037  *      TID out of sync.
1038  *
1039  *
1040  * Serialization and lifetime rules:
1041  *
1042  * hb->lock:
1043  *
1044  *      hb -> futex_q, relation
1045  *      futex_q -> pi_state, relation
1046  *
1047  *      (cannot be raw because hb can contain arbitrary amount
1048  *       of futex_q's)
1049  *
1050  * pi_mutex->wait_lock:
1051  *
1052  *      {uval, pi_state}
1053  *
1054  *      (and pi_mutex 'obviously')
1055  *
1056  * p->pi_lock:
1057  *
1058  *      p->pi_state_list -> pi_state->list, relation
1059  *
1060  * pi_state->refcount:
1061  *
1062  *      pi_state lifetime
1063  *
1064  *
1065  * Lock order:
1066  *
1067  *   hb->lock
1068  *     pi_mutex->wait_lock
1069  *       p->pi_lock
1070  *
1071  */
1072 
1073 /*
1074  * Validate that the existing waiter has a pi_state and sanity check
1075  * the pi_state against the user space value. If correct, attach to
1076  * it.
1077  */
1078 static int attach_to_pi_state(u32 __user *uaddr, u32 uval,
1079                               struct futex_pi_state *pi_state,
1080                               struct futex_pi_state **ps)
1081 {
1082         pid_t pid = uval & FUTEX_TID_MASK;
1083         u32 uval2;
1084         int ret;
1085 
1086         /*
1087          * Userspace might have messed up non-PI and PI futexes [3]
1088          */
1089         if (unlikely(!pi_state))
1090                 return -EINVAL;
1091 
1092         /*
1093          * We get here with hb->lock held, and having found a
1094          * futex_top_waiter(). This means that futex_lock_pi() of said futex_q
1095          * has dropped the hb->lock in between queue_me() and unqueue_me_pi(),
1096          * which in turn means that futex_lock_pi() still has a reference on
1097          * our pi_state.
1098          *
1099          * The waiter holding a reference on @pi_state also protects against
1100          * the unlocked put_pi_state() in futex_unlock_pi(), futex_lock_pi()
1101          * and futex_wait_requeue_pi() as it cannot go to 0 and consequently
1102          * free pi_state before we can take a reference ourselves.
1103          */
1104         WARN_ON(!refcount_read(&pi_state->refcount));
1105 
1106         /*
1107          * Now that we have a pi_state, we can acquire wait_lock
1108          * and do the state validation.
1109          */
1110         raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
1111 
1112         /*
1113          * Since {uval, pi_state} is serialized by wait_lock, and our current
1114          * uval was read without holding it, it can have changed. Verify it
1115          * still is what we expect it to be, otherwise retry the entire
1116          * operation.
1117          */
1118         if (get_futex_value_locked(&uval2, uaddr))
1119                 goto out_efault;
1120 
1121         if (uval != uval2)
1122                 goto out_eagain;
1123 
1124         /*
1125          * Handle the owner died case:
1126          */
1127         if (uval & FUTEX_OWNER_DIED) {
1128                 /*
1129                  * exit_pi_state_list sets owner to NULL and wakes the
1130                  * topmost waiter. The task which acquires the
1131                  * pi_state->rt_mutex will fixup owner.
1132                  */
1133                 if (!pi_state->owner) {
1134                         /*
1135                          * No pi state owner, but the user space TID
1136                          * is not 0. Inconsistent state. [5]
1137                          */
1138                         if (pid)
1139                                 goto out_einval;
1140                         /*
1141                          * Take a ref on the state and return success. [4]
1142                          */
1143                         goto out_attach;
1144                 }
1145 
1146                 /*
1147                  * If TID is 0, then either the dying owner has not
1148                  * yet executed exit_pi_state_list() or some waiter
1149                  * acquired the rtmutex in the pi state, but did not
1150                  * yet fixup the TID in user space.
1151                  *
1152                  * Take a ref on the state and return success. [6]
1153                  */
1154                 if (!pid)
1155                         goto out_attach;
1156         } else {
1157                 /*
1158                  * If the owner died bit is not set, then the pi_state
1159                  * must have an owner. [7]
1160                  */
1161                 if (!pi_state->owner)
1162                         goto out_einval;
1163         }
1164 
1165         /*
1166          * Bail out if user space manipulated the futex value. If pi
1167          * state exists then the owner TID must be the same as the
1168          * user space TID. [9/10]
1169          */
1170         if (pid != task_pid_vnr(pi_state->owner))
1171                 goto out_einval;
1172 
1173 out_attach:
1174         get_pi_state(pi_state);
1175         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1176         *ps = pi_state;
1177         return 0;
1178 
1179 out_einval:
1180         ret = -EINVAL;
1181         goto out_error;
1182 
1183 out_eagain:
1184         ret = -EAGAIN;
1185         goto out_error;
1186 
1187 out_efault:
1188         ret = -EFAULT;
1189         goto out_error;
1190 
1191 out_error:
1192         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1193         return ret;
1194 }
1195 
1196 /**
1197  * wait_for_owner_exiting - Block until the owner has exited
1198  * @exiting:    Pointer to the exiting task
1199  *
1200  * Caller must hold a refcount on @exiting.
1201  */
1202 static void wait_for_owner_exiting(int ret, struct task_struct *exiting)
1203 {
1204         if (ret != -EBUSY) {
1205                 WARN_ON_ONCE(exiting);
1206                 return;
1207         }
1208 
1209         if (WARN_ON_ONCE(ret == -EBUSY && !exiting))
1210                 return;
1211 
1212         mutex_lock(&exiting->futex_exit_mutex);
1213         /*
1214          * No point in doing state checking here. If the waiter got here
1215          * while the task was in exec()->exec_futex_release() then it can
1216          * have any FUTEX_STATE_* value when the waiter has acquired the
1217          * mutex. OK, if running, EXITING or DEAD if it reached exit()
1218          * already. Highly unlikely and not a problem. Just one more round
1219          * through the futex maze.
1220          */
1221         mutex_unlock(&exiting->futex_exit_mutex);
1222 
1223         put_task_struct(exiting);
1224 }
1225 
1226 static int handle_exit_race(u32 __user *uaddr, u32 uval,
1227                             struct task_struct *tsk)
1228 {
1229         u32 uval2;
1230 
1231         /*
1232          * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
1233          * caller that the alleged owner is busy.
1234          */
1235         if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
1236                 return -EBUSY;
1237 
1238         /*
1239          * Reread the user space value to handle the following situation:
1240          *
1241          * CPU0                         CPU1
1242          *
1243          * sys_exit()                   sys_futex()
1244          *  do_exit()                    futex_lock_pi()
1245          *                                futex_lock_pi_atomic()
1246          *   exit_signals(tsk)              No waiters:
1247          *    tsk->flags |= PF_EXITING;     *uaddr == 0x00000PID
1248          *  mm_release(tsk)                 Set waiter bit
1249          *   exit_robust_list(tsk) {        *uaddr = 0x80000PID;
1250          *      Set owner died              attach_to_pi_owner() {
1251          *    *uaddr = 0xC0000000;           tsk = get_task(PID);
1252          *   }                               if (!tsk->flags & PF_EXITING) {
1253          *  ...                                attach();
1254          *  tsk->futex_state =               } else {
1255          *      FUTEX_STATE_DEAD;              if (tsk->futex_state !=
1256          *                                        FUTEX_STATE_DEAD)
1257          *                                       return -EAGAIN;
1258          *                                     return -ESRCH; <--- FAIL
1259          *                                   }
1260          *
1261          * Returning ESRCH unconditionally is wrong here because the
1262          * user space value has been changed by the exiting task.
1263          *
1264          * The same logic applies to the case where the exiting task is
1265          * already gone.
1266          */
1267         if (get_futex_value_locked(&uval2, uaddr))
1268                 return -EFAULT;
1269 
1270         /* If the user space value has changed, try again. */
1271         if (uval2 != uval)
1272                 return -EAGAIN;
1273 
1274         /*
1275          * The exiting task did not have a robust list, the robust list was
1276          * corrupted or the user space value in *uaddr is simply bogus.
1277          * Give up and tell user space.
1278          */
1279         return -ESRCH;
1280 }
1281 
1282 /*
1283  * Lookup the task for the TID provided from user space and attach to
1284  * it after doing proper sanity checks.
1285  */
1286 static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
1287                               struct futex_pi_state **ps,
1288                               struct task_struct **exiting)
1289 {
1290         pid_t pid = uval & FUTEX_TID_MASK;
1291         struct futex_pi_state *pi_state;
1292         struct task_struct *p;
1293 
1294         /*
1295          * We are the first waiter - try to look up the real owner and attach
1296          * the new pi_state to it, but bail out when TID = 0 [1]
1297          *
1298          * The !pid check is paranoid. None of the call sites should end up
1299          * with pid == 0, but better safe than sorry. Let the caller retry
1300          */
1301         if (!pid)
1302                 return -EAGAIN;
1303         p = find_get_task_by_vpid(pid);
1304         if (!p)
1305                 return handle_exit_race(uaddr, uval, NULL);
1306 
1307         if (unlikely(p->flags & PF_KTHREAD)) {
1308                 put_task_struct(p);
1309                 return -EPERM;
1310         }
1311 
1312         /*
1313          * We need to look at the task state to figure out, whether the
1314          * task is exiting. To protect against the change of the task state
1315          * in futex_exit_release(), we do this protected by p->pi_lock:
1316          */
1317         raw_spin_lock_irq(&p->pi_lock);
1318         if (unlikely(p->futex_state != FUTEX_STATE_OK)) {
1319                 /*
1320                  * The task is on the way out. When the futex state is
1321                  * FUTEX_STATE_DEAD, we know that the task has finished
1322                  * the cleanup:
1323                  */
1324                 int ret = handle_exit_race(uaddr, uval, p);
1325 
1326                 raw_spin_unlock_irq(&p->pi_lock);
1327                 /*
1328                  * If the owner task is between FUTEX_STATE_EXITING and
1329                  * FUTEX_STATE_DEAD then store the task pointer and keep
1330                  * the reference on the task struct. The calling code will
1331                  * drop all locks, wait for the task to reach
1332                  * FUTEX_STATE_DEAD and then drop the refcount. This is
1333                  * required to prevent a live lock when the current task
1334                  * preempted the exiting task between the two states.
1335                  */
1336                 if (ret == -EBUSY)
1337                         *exiting = p;
1338                 else
1339                         put_task_struct(p);
1340                 return ret;
1341         }
1342 
1343         /*
1344          * No existing pi state. First waiter. [2]
1345          *
1346          * This creates pi_state, we have hb->lock held, this means nothing can
1347          * observe this state, wait_lock is irrelevant.
1348          */
1349         pi_state = alloc_pi_state();
1350 
1351         /*
1352          * Initialize the pi_mutex in locked state and make @p
1353          * the owner of it:
1354          */
1355         rt_mutex_init_proxy_locked(&pi_state->pi_mutex, p);
1356 
1357         /* Store the key for possible exit cleanups: */
1358         pi_state->key = *key;
1359 
1360         WARN_ON(!list_empty(&pi_state->list));
1361         list_add(&pi_state->list, &p->pi_state_list);
1362         /*
1363          * Assignment without holding pi_state->pi_mutex.wait_lock is safe
1364          * because there is no concurrency as the object is not published yet.
1365          */
1366         pi_state->owner = p;
1367         raw_spin_unlock_irq(&p->pi_lock);
1368 
1369         put_task_struct(p);
1370 
1371         *ps = pi_state;
1372 
1373         return 0;
1374 }
1375 
1376 static int lookup_pi_state(u32 __user *uaddr, u32 uval,
1377                            struct futex_hash_bucket *hb,
1378                            union futex_key *key, struct futex_pi_state **ps,
1379                            struct task_struct **exiting)
1380 {
1381         struct futex_q *top_waiter = futex_top_waiter(hb, key);
1382 
1383         /*
1384          * If there is a waiter on that futex, validate it and
1385          * attach to the pi_state when the validation succeeds.
1386          */
1387         if (top_waiter)
1388                 return attach_to_pi_state(uaddr, uval, top_waiter->pi_state, ps);
1389 
1390         /*
1391          * We are the first waiter - try to look up the owner based on
1392          * @uval and attach to it.
1393          */
1394         return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
1395 }
1396 
1397 static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
1398 {
1399         int err;
1400         u32 uninitialized_var(curval);
1401 
1402         if (unlikely(should_fail_futex(true)))
1403                 return -EFAULT;
1404 
1405         err = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
1406         if (unlikely(err))
1407                 return err;
1408 
1409         /* If user space value changed, let the caller retry */
1410         return curval != uval ? -EAGAIN : 0;
1411 }
1412 
1413 /**
1414  * futex_lock_pi_atomic() - Atomic work required to acquire a pi aware futex
1415  * @uaddr:              the pi futex user address
1416  * @hb:                 the pi futex hash bucket
1417  * @key:                the futex key associated with uaddr and hb
1418  * @ps:                 the pi_state pointer where we store the result of the
1419  *                      lookup
1420  * @task:               the task to perform the atomic lock work for.  This will
1421  *                      be "current" except in the case of requeue pi.
1422  * @exiting:            Pointer to store the task pointer of the owner task
1423  *                      which is in the middle of exiting
1424  * @set_waiters:        force setting the FUTEX_WAITERS bit (1) or not (0)
1425  *
1426  * Return:
1427  *  -  0 - ready to wait;
1428  *  -  1 - acquired the lock;
1429  *  - <0 - error
1430  *
1431  * The hb->lock and futex_key refs shall be held by the caller.
1432  *
1433  * @exiting is only set when the return value is -EBUSY. If so, this holds
1434  * a refcount on the exiting task on return and the caller needs to drop it
1435  * after waiting for the exit to complete.
1436  */
1437 static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1438                                 union futex_key *key,
1439                                 struct futex_pi_state **ps,
1440                                 struct task_struct *task,
1441                                 struct task_struct **exiting,
1442                                 int set_waiters)
1443 {
1444         u32 uval, newval, vpid = task_pid_vnr(task);
1445         struct futex_q *top_waiter;
1446         int ret;
1447 
1448         /*
1449          * Read the user space value first so we can validate a few
1450          * things before proceeding further.
1451          */
1452         if (get_futex_value_locked(&uval, uaddr))
1453                 return -EFAULT;
1454 
1455         if (unlikely(should_fail_futex(true)))
1456                 return -EFAULT;
1457 
1458         /*
1459          * Detect deadlocks.
1460          */
1461         if ((unlikely((uval & FUTEX_TID_MASK) == vpid)))
1462                 return -EDEADLK;
1463 
1464         if ((unlikely(should_fail_futex(true))))
1465                 return -EDEADLK;
1466 
1467         /*
1468          * Lookup existing state first. If it exists, try to attach to
1469          * its pi_state.
1470          */
1471         top_waiter = futex_top_waiter(hb, key);
1472         if (top_waiter)
1473                 return attach_to_pi_state(uaddr, uval, top_waiter->pi_state, ps);
1474 
1475         /*
1476          * No waiter and user TID is 0. We are here because the
1477          * waiters or the owner died bit is set or called from
1478          * requeue_cmp_pi or for whatever reason something took the
1479          * syscall.
1480          */
1481         if (!(uval & FUTEX_TID_MASK)) {
1482                 /*
1483                  * We take over the futex. No other waiters and the user space
1484                  * TID is 0. We preserve the owner died bit.
1485                  */
1486                 newval = uval & FUTEX_OWNER_DIED;
1487                 newval |= vpid;
1488 
1489                 /* The futex requeue_pi code can enforce the waiters bit */
1490                 if (set_waiters)
1491                         newval |= FUTEX_WAITERS;
1492 
1493                 ret = lock_pi_update_atomic(uaddr, uval, newval);
1494                 /* If the take over worked, return 1 */
1495                 return ret < 0 ? ret : 1;
1496         }
1497 
1498         /*
1499          * First waiter. Set the waiters bit before attaching ourself to
1500          * the owner. If owner tries to unlock, it will be forced into
1501          * the kernel and blocked on hb->lock.
1502          */
1503         newval = uval | FUTEX_WAITERS;
1504         ret = lock_pi_update_atomic(uaddr, uval, newval);
1505         if (ret)
1506                 return ret;
1507         /*
1508          * If the update of the user space value succeeded, we try to
1509          * attach to the owner. If that fails, no harm done, we only
1510          * set the FUTEX_WAITERS bit in the user space variable.
1511          */
1512         return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
1513 }
1514 
1515 /**
1516  * __unqueue_futex() - Remove the futex_q from its futex_hash_bucket
1517  * @q:  The futex_q to unqueue
1518  *
1519  * The q->lock_ptr must not be NULL and must be held by the caller.
1520  */
1521 static void __unqueue_futex(struct futex_q *q)
1522 {
1523         struct futex_hash_bucket *hb;
1524 
1525         if (WARN_ON_SMP(!q->lock_ptr) || WARN_ON(plist_node_empty(&q->list)))
1526                 return;
1527         lockdep_assert_held(q->lock_ptr);
1528 
1529         hb = container_of(q->lock_ptr, struct futex_hash_bucket, lock);
1530         plist_del(&q->list, &hb->chain);
1531         hb_waiters_dec(hb);
1532 }
1533 
1534 /*
1535  * The hash bucket lock must be held when this is called.
1536  * Afterwards, the futex_q must not be accessed. Callers
1537  * must ensure to later call wake_up_q() for the actual
1538  * wakeups to occur.
1539  */
1540 static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q)
1541 {
1542         struct task_struct *p = q->task;
1543 
1544         if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
1545                 return;
1546 
1547         get_task_struct(p);
1548         __unqueue_futex(q);
1549         /*
1550          * The waiting task can free the futex_q as soon as q->lock_ptr = NULL
1551          * is written, without taking any locks. This is possible in the event
1552          * of a spurious wakeup, for example. A memory barrier is required here
1553          * to prevent the following store to lock_ptr from getting ahead of the
1554          * plist_del in __unqueue_futex().
1555          */
1556         smp_store_release(&q->lock_ptr, NULL);
1557 
1558         /*
1559          * Queue the task for later wakeup for after we've released
1560          * the hb->lock. wake_q_add() grabs reference to p.
1561          */
1562         wake_q_add_safe(wake_q, p);
1563 }
1564 
1565 /*
1566  * Caller must hold a reference on @pi_state.
1567  */
1568 static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state)
1569 {
1570         u32 uninitialized_var(curval), newval;
1571         struct task_struct *new_owner;
1572         bool postunlock = false;
1573         DEFINE_WAKE_Q(wake_q);
1574         int ret = 0;
1575 
1576         new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
1577         if (WARN_ON_ONCE(!new_owner)) {
1578                 /*
1579                  * As per the comment in futex_unlock_pi() this should not happen.
1580                  *
1581                  * When this happens, give up our locks and try again, giving
1582                  * the futex_lock_pi() instance time to complete, either by
1583                  * waiting on the rtmutex or removing itself from the futex
1584                  * queue.
1585                  */
1586                 ret = -EAGAIN;
1587                 goto out_unlock;
1588         }
1589 
1590         /*
1591          * We pass it to the next owner. The WAITERS bit is always kept
1592          * enabled while there is PI state around. We cleanup the owner
1593          * died bit, because we are the owner.
1594          */
1595         newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
1596 
1597         if (unlikely(should_fail_futex(true)))
1598                 ret = -EFAULT;
1599 
1600         ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
1601         if (!ret && (curval != uval)) {
1602                 /*
1603                  * If a unconditional UNLOCK_PI operation (user space did not
1604                  * try the TID->0 transition) raced with a waiter setting the
1605                  * FUTEX_WAITERS flag between get_user() and locking the hash
1606                  * bucket lock, retry the operation.
1607                  */
1608                 if ((FUTEX_TID_MASK & curval) == uval)
1609                         ret = -EAGAIN;
1610                 else
1611                         ret = -EINVAL;
1612         }
1613 
1614         if (ret)
1615                 goto out_unlock;
1616 
1617         /*
1618          * This is a point of no return; once we modify the uval there is no
1619          * going back and subsequent operations must not fail.
1620          */
1621 
1622         raw_spin_lock(&pi_state->owner->pi_lock);
1623         WARN_ON(list_empty(&pi_state->list));
1624         list_del_init(&pi_state->list);
1625         raw_spin_unlock(&pi_state->owner->pi_lock);
1626 
1627         raw_spin_lock(&new_owner->pi_lock);
1628         WARN_ON(!list_empty(&pi_state->list));
1629         list_add(&pi_state->list, &new_owner->pi_state_list);
1630         pi_state->owner = new_owner;
1631         raw_spin_unlock(&new_owner->pi_lock);
1632 
1633         postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q);
1634 
1635 out_unlock:
1636         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1637 
1638         if (postunlock)
1639                 rt_mutex_postunlock(&wake_q);
1640 
1641         return ret;
1642 }
1643 
1644 /*
1645  * Express the locking dependencies for lockdep:
1646  */
1647 static inline void
1648 double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
1649 {
1650         if (hb1 <= hb2) {
1651                 spin_lock(&hb1->lock);
1652                 if (hb1 < hb2)
1653                         spin_lock_nested(&hb2->lock, SINGLE_DEPTH_NESTING);
1654         } else { /* hb1 > hb2 */
1655                 spin_lock(&hb2->lock);
1656                 spin_lock_nested(&hb1->lock, SINGLE_DEPTH_NESTING);
1657         }
1658 }
1659 
1660 static inline void
1661 double_unlock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
1662 {
1663         spin_unlock(&hb1->lock);
1664         if (hb1 != hb2)
1665                 spin_unlock(&hb2->lock);
1666 }
1667 
1668 /*
1669  * Wake up waiters matching bitset queued on this futex (uaddr).
1670  */
1671 static int
1672 futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
1673 {
1674         struct futex_hash_bucket *hb;
1675         struct futex_q *this, *next;
1676         union futex_key key = FUTEX_KEY_INIT;
1677         int ret;
1678         DEFINE_WAKE_Q(wake_q);
1679 
1680         if (!bitset)
1681                 return -EINVAL;
1682 
1683         ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_READ);
1684         if (unlikely(ret != 0))
1685                 goto out;
1686 
1687         hb = hash_futex(&key);
1688 
1689         /* Make sure we really have tasks to wakeup */
1690         if (!hb_waiters_pending(hb))
1691                 goto out_put_key;
1692 
1693         spin_lock(&hb->lock);
1694 
1695         plist_for_each_entry_safe(this, next, &hb->chain, list) {
1696                 if (match_futex (&this->key, &key)) {
1697                         if (this->pi_state || this->rt_waiter) {
1698                                 ret = -EINVAL;
1699                                 break;
1700                         }
1701 
1702                         /* Check if one of the bits is set in both bitsets */
1703                         if (!(this->bitset & bitset))
1704                                 continue;
1705 
1706                         mark_wake_futex(&wake_q, this);
1707                         if (++ret >= nr_wake)
1708                                 break;
1709                 }
1710         }
1711 
1712         spin_unlock(&hb->lock);
1713         wake_up_q(&wake_q);
1714 out_put_key:
1715         put_futex_key(&key);
1716 out:
1717         return ret;
1718 }
1719 
1720 static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
1721 {
1722         unsigned int op =         (encoded_op & 0x70000000) >> 28;
1723         unsigned int cmp =        (encoded_op & 0x0f000000) >> 24;
1724         int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 11);
1725         int cmparg = sign_extend32(encoded_op & 0x00000fff, 11);
1726         int oldval, ret;
1727 
1728         if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
1729                 if (oparg < 0 || oparg > 31) {
1730                         char comm[sizeof(current->comm)];
1731                         /*
1732                          * kill this print and return -EINVAL when userspace
1733                          * is sane again
1734                          */
1735                         pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d; fix this program\n",
1736                                         get_task_comm(comm, current), oparg);
1737                         oparg &= 31;
1738                 }
1739                 oparg = 1 << oparg;
1740         }
1741 
1742         if (!access_ok(uaddr, sizeof(u32)))
1743                 return -EFAULT;
1744 
1745         ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
1746         if (ret)
1747                 return ret;
1748 
1749         switch (cmp) {
1750         case FUTEX_OP_CMP_EQ:
1751                 return oldval == cmparg;
1752         case FUTEX_OP_CMP_NE:
1753                 return oldval != cmparg;
1754         case FUTEX_OP_CMP_LT:
1755                 return oldval < cmparg;
1756         case FUTEX_OP_CMP_GE:
1757                 return oldval >= cmparg;
1758         case FUTEX_OP_CMP_LE:
1759                 return oldval <= cmparg;
1760         case FUTEX_OP_CMP_GT:
1761                 return oldval > cmparg;
1762         default:
1763                 return -ENOSYS;
1764         }
1765 }
1766 
1767 /*
1768  * Wake up all waiters hashed on the physical page that is mapped
1769  * to this virtual address:
1770  */
1771 static int
1772 futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
1773               int nr_wake, int nr_wake2, int op)
1774 {
1775         union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
1776         struct futex_hash_bucket *hb1, *hb2;
1777         struct futex_q *this, *next;
1778         int ret, op_ret;
1779         DEFINE_WAKE_Q(wake_q);
1780 
1781 retry:
1782         ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
1783         if (unlikely(ret != 0))
1784                 goto out;
1785         ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
1786         if (unlikely(ret != 0))
1787                 goto out_put_key1;
1788 
1789         hb1 = hash_futex(&key1);
1790         hb2 = hash_futex(&key2);
1791 
1792 retry_private:
1793         double_lock_hb(hb1, hb2);
1794         op_ret = futex_atomic_op_inuser(op, uaddr2);
1795         if (unlikely(op_ret < 0)) {
1796                 double_unlock_hb(hb1, hb2);
1797 
1798                 if (!IS_ENABLED(CONFIG_MMU) ||
1799                     unlikely(op_ret != -EFAULT && op_ret != -EAGAIN)) {
1800                         /*
1801                          * we don't get EFAULT from MMU faults if we don't have
1802                          * an MMU, but we might get them from range checking
1803                          */
1804                         ret = op_ret;
1805                         goto out_put_keys;
1806                 }
1807 
1808                 if (op_ret == -EFAULT) {
1809                         ret = fault_in_user_writeable(uaddr2);
1810                         if (ret)
1811                                 goto out_put_keys;
1812                 }
1813 
1814                 if (!(flags & FLAGS_SHARED)) {
1815                         cond_resched();
1816                         goto retry_private;
1817                 }
1818 
1819                 put_futex_key(&key2);
1820                 put_futex_key(&key1);
1821                 cond_resched();
1822                 goto retry;
1823         }
1824 
1825         plist_for_each_entry_safe(this, next, &hb1->chain, list) {
1826                 if (match_futex (&this->key, &key1)) {
1827                         if (this->pi_state || this->rt_waiter) {
1828                                 ret = -EINVAL;
1829                                 goto out_unlock;
1830                         }
1831                         mark_wake_futex(&wake_q, this);
1832                         if (++ret >= nr_wake)
1833                                 break;
1834                 }
1835         }
1836 
1837         if (op_ret > 0) {
1838                 op_ret = 0;
1839                 plist_for_each_entry_safe(this, next, &hb2->chain, list) {
1840                         if (match_futex (&this->key, &key2)) {
1841                                 if (this->pi_state || this->rt_waiter) {
1842                                         ret = -EINVAL;
1843                                         goto out_unlock;
1844                                 }
1845                                 mark_wake_futex(&wake_q, this);
1846                                 if (++op_ret >= nr_wake2)
1847                                         break;
1848                         }
1849                 }
1850                 ret += op_ret;
1851         }
1852 
1853 out_unlock:
1854         double_unlock_hb(hb1, hb2);
1855         wake_up_q(&wake_q);
1856 out_put_keys:
1857         put_futex_key(&key2);
1858 out_put_key1:
1859         put_futex_key(&key1);
1860 out:
1861         return ret;
1862 }
1863 
1864 /**
1865  * requeue_futex() - Requeue a futex_q from one hb to another
1866  * @q:          the futex_q to requeue
1867  * @hb1:        the source hash_bucket
1868  * @hb2:        the target hash_bucket
1869  * @key2:       the new key for the requeued futex_q
1870  */
1871 static inline
1872 void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
1873                    struct futex_hash_bucket *hb2, union futex_key *key2)
1874 {
1875 
1876         /*
1877          * If key1 and key2 hash to the same bucket, no need to
1878          * requeue.
1879          */
1880         if (likely(&hb1->chain != &hb2->chain)) {
1881                 plist_del(&q->list, &hb1->chain);
1882                 hb_waiters_dec(hb1);
1883                 hb_waiters_inc(hb2);
1884                 plist_add(&q->list, &hb2->chain);
1885                 q->lock_ptr = &hb2->lock;
1886         }
1887         get_futex_key_refs(key2);
1888         q->key = *key2;
1889 }
1890 
1891 /**
1892  * requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue
1893  * @q:          the futex_q
1894  * @key:        the key of the requeue target futex
1895  * @hb:         the hash_bucket of the requeue target futex
1896  *
1897  * During futex_requeue, with requeue_pi=1, it is possible to acquire the
1898  * target futex if it is uncontended or via a lock steal.  Set the futex_q key
1899  * to the requeue target futex so the waiter can detect the wakeup on the right
1900  * futex, but remove it from the hb and NULL the rt_waiter so it can detect
1901  * atomic lock acquisition.  Set the q->lock_ptr to the requeue target hb->lock
1902  * to protect access to the pi_state to fixup the owner later.  Must be called
1903  * with both q->lock_ptr and hb->lock held.
1904  */
1905 static inline
1906 void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
1907                            struct futex_hash_bucket *hb)
1908 {
1909         get_futex_key_refs(key);
1910         q->key = *key;
1911 
1912         __unqueue_futex(q);
1913 
1914         WARN_ON(!q->rt_waiter);
1915         q->rt_waiter = NULL;
1916 
1917         q->lock_ptr = &hb->lock;
1918 
1919         wake_up_state(q->task, TASK_NORMAL);
1920 }
1921 
1922 /**
1923  * futex_proxy_trylock_atomic() - Attempt an atomic lock for the top waiter
1924  * @pifutex:            the user address of the to futex
1925  * @hb1:                the from futex hash bucket, must be locked by the caller
1926  * @hb2:                the to futex hash bucket, must be locked by the caller
1927  * @key1:               the from futex key
1928  * @key2:               the to futex key
1929  * @ps:                 address to store the pi_state pointer
1930  * @exiting:            Pointer to store the task pointer of the owner task
1931  *                      which is in the middle of exiting
1932  * @set_waiters:        force setting the FUTEX_WAITERS bit (1) or not (0)
1933  *
1934  * Try and get the lock on behalf of the top waiter if we can do it atomically.
1935  * Wake the top waiter if we succeed.  If the caller specified set_waiters,
1936  * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit.
1937  * hb1 and hb2 must be held by the caller.
1938  *
1939  * @exiting is only set when the return value is -EBUSY. If so, this holds
1940  * a refcount on the exiting task on return and the caller needs to drop it
1941  * after waiting for the exit to complete.
1942  *
1943  * Return:
1944  *  -  0 - failed to acquire the lock atomically;
1945  *  - >0 - acquired the lock, return value is vpid of the top_waiter
1946  *  - <0 - error
1947  */
1948 static int
1949 futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
1950                            struct futex_hash_bucket *hb2, union futex_key *key1,
1951                            union futex_key *key2, struct futex_pi_state **ps,
1952                            struct task_struct **exiting, int set_waiters)
1953 {
1954         struct futex_q *top_waiter = NULL;
1955         u32 curval;
1956         int ret, vpid;
1957 
1958         if (get_futex_value_locked(&curval, pifutex))
1959                 return -EFAULT;
1960 
1961         if (unlikely(should_fail_futex(true)))
1962                 return -EFAULT;
1963 
1964         /*
1965          * Find the top_waiter and determine if there are additional waiters.
1966          * If the caller intends to requeue more than 1 waiter to pifutex,
1967          * force futex_lock_pi_atomic() to set the FUTEX_WAITERS bit now,
1968          * as we have means to handle the possible fault.  If not, don't set
1969          * the bit unecessarily as it will force the subsequent unlock to enter
1970          * the kernel.
1971          */
1972         top_waiter = futex_top_waiter(hb1, key1);
1973 
1974         /* There are no waiters, nothing for us to do. */
1975         if (!top_waiter)
1976                 return 0;
1977 
1978         /* Ensure we requeue to the expected futex. */
1979         if (!match_futex(top_waiter->requeue_pi_key, key2))
1980                 return -EINVAL;
1981 
1982         /*
1983          * Try to take the lock for top_waiter.  Set the FUTEX_WAITERS bit in
1984          * the contended case or if set_waiters is 1.  The pi_state is returned
1985          * in ps in contended cases.
1986          */
1987         vpid = task_pid_vnr(top_waiter->task);
1988         ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
1989                                    exiting, set_waiters);
1990         if (ret == 1) {
1991                 requeue_pi_wake_futex(top_waiter, key2, hb2);
1992                 return vpid;
1993         }
1994         return ret;
1995 }
1996 
1997 /**
1998  * futex_requeue() - Requeue waiters from uaddr1 to uaddr2
1999  * @uaddr1:     source futex user address
2000  * @flags:      futex flags (FLAGS_SHARED, etc.)
2001  * @uaddr2:     target futex user address
2002  * @nr_wake:    number of waiters to wake (must be 1 for requeue_pi)
2003  * @nr_requeue: number of waiters to requeue (0-INT_MAX)
2004  * @cmpval:     @uaddr1 expected value (or %NULL)
2005  * @requeue_pi: if we are attempting to requeue from a non-pi futex to a
2006  *              pi futex (pi to pi requeue is not supported)
2007  *
2008  * Requeue waiters on uaddr1 to uaddr2. In the requeue_pi case, try to acquire
2009  * uaddr2 atomically on behalf of the top waiter.
2010  *
2011  * Return:
2012  *  - >=0 - on success, the number of tasks requeued or woken;
2013  *  -  <0 - on error
2014  */
2015 static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
2016                          u32 __user *uaddr2, int nr_wake, int nr_requeue,
2017                          u32 *cmpval, int requeue_pi)
2018 {
2019         union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
2020         int drop_count = 0, task_count = 0, ret;
2021         struct futex_pi_state *pi_state = NULL;
2022         struct futex_hash_bucket *hb1, *hb2;
2023         struct futex_q *this, *next;
2024         DEFINE_WAKE_Q(wake_q);
2025 
2026         if (nr_wake < 0 || nr_requeue < 0)
2027                 return -EINVAL;
2028 
2029         /*
2030          * When PI not supported: return -ENOSYS if requeue_pi is true,
2031          * consequently the compiler knows requeue_pi is always false past
2032          * this point which will optimize away all the conditional code
2033          * further down.
2034          */
2035         if (!IS_ENABLED(CONFIG_FUTEX_PI) && requeue_pi)
2036                 return -ENOSYS;
2037 
2038         if (requeue_pi) {
2039                 /*
2040                  * Requeue PI only works on two distinct uaddrs. This
2041                  * check is only valid for private futexes. See below.
2042                  */
2043                 if (uaddr1 == uaddr2)
2044                         return -EINVAL;
2045 
2046                 /*
2047                  * requeue_pi requires a pi_state, try to allocate it now
2048                  * without any locks in case it fails.
2049                  */
2050                 if (refill_pi_state_cache())
2051                         return -ENOMEM;
2052                 /*
2053                  * requeue_pi must wake as many tasks as it can, up to nr_wake
2054                  * + nr_requeue, since it acquires the rt_mutex prior to
2055                  * returning to userspace, so as to not leave the rt_mutex with
2056                  * waiters and no owner.  However, second and third wake-ups
2057                  * cannot be predicted as they involve race conditions with the
2058                  * first wake and a fault while looking up the pi_state.  Both
2059                  * pthread_cond_signal() and pthread_cond_broadcast() should
2060                  * use nr_wake=1.
2061                  */
2062                 if (nr_wake != 1)
2063                         return -EINVAL;
2064         }
2065 
2066 retry:
2067         ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
2068         if (unlikely(ret != 0))
2069                 goto out;
2070         ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
2071                             requeue_pi ? FUTEX_WRITE : FUTEX_READ);
2072         if (unlikely(ret != 0))
2073                 goto out_put_key1;
2074 
2075         /*
2076          * The check above which compares uaddrs is not sufficient for
2077          * shared futexes. We need to compare the keys:
2078          */
2079         if (requeue_pi && match_futex(&key1, &key2)) {
2080                 ret = -EINVAL;
2081                 goto out_put_keys;
2082         }
2083 
2084         hb1 = hash_futex(&key1);
2085         hb2 = hash_futex(&key2);
2086 
2087 retry_private:
2088         hb_waiters_inc(hb2);
2089         double_lock_hb(hb1, hb2);
2090 
2091         if (likely(cmpval != NULL)) {
2092                 u32 curval;
2093 
2094                 ret = get_futex_value_locked(&curval, uaddr1);
2095 
2096                 if (unlikely(ret)) {
2097                         double_unlock_hb(hb1, hb2);
2098                         hb_waiters_dec(hb2);
2099 
2100                         ret = get_user(curval, uaddr1);
2101                         if (ret)
2102                                 goto out_put_keys;
2103 
2104                         if (!(flags & FLAGS_SHARED))
2105                                 goto retry_private;
2106 
2107                         put_futex_key(&key2);
2108                         put_futex_key(&key1);
2109                         goto retry;
2110                 }
2111                 if (curval != *cmpval) {
2112                         ret = -EAGAIN;
2113                         goto out_unlock;
2114                 }
2115         }
2116 
2117         if (requeue_pi && (task_count - nr_wake < nr_requeue)) {
2118                 struct task_struct *exiting = NULL;
2119 
2120                 /*
2121                  * Attempt to acquire uaddr2 and wake the top waiter. If we
2122                  * intend to requeue waiters, force setting the FUTEX_WAITERS
2123                  * bit.  We force this here where we are able to easily handle
2124                  * faults rather in the requeue loop below.
2125                  */
2126                 ret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1,
2127                                                  &key2, &pi_state,
2128                                                  &exiting, nr_requeue);
2129 
2130                 /*
2131                  * At this point the top_waiter has either taken uaddr2 or is
2132                  * waiting on it.  If the former, then the pi_state will not
2133                  * exist yet, look it up one more time to ensure we have a
2134                  * reference to it. If the lock was taken, ret contains the
2135                  * vpid of the top waiter task.
2136                  * If the lock was not taken, we have pi_state and an initial
2137                  * refcount on it. In case of an error we have nothing.
2138                  */
2139                 if (ret > 0) {
2140                         WARN_ON(pi_state);
2141                         drop_count++;
2142                         task_count++;
2143                         /*
2144                          * If we acquired the lock, then the user space value
2145                          * of uaddr2 should be vpid. It cannot be changed by
2146                          * the top waiter as it is blocked on hb2 lock if it
2147                          * tries to do so. If something fiddled with it behind
2148                          * our back the pi state lookup might unearth it. So
2149                          * we rather use the known value than rereading and
2150                          * handing potential crap to lookup_pi_state.
2151                          *
2152                          * If that call succeeds then we have pi_state and an
2153                          * initial refcount on it.
2154                          */
2155                         ret = lookup_pi_state(uaddr2, ret, hb2, &key2,
2156                                               &pi_state, &exiting);
2157                 }
2158 
2159                 switch (ret) {
2160                 case 0:
2161                         /* We hold a reference on the pi state. */
2162                         break;
2163 
2164                         /* If the above failed, then pi_state is NULL */
2165                 case -EFAULT:
2166                         double_unlock_hb(hb1, hb2);
2167                         hb_waiters_dec(hb2);
2168                         put_futex_key(&key2);
2169                         put_futex_key(&key1);
2170                         ret = fault_in_user_writeable(uaddr2);
2171                         if (!ret)
2172                                 goto retry;
2173                         goto out;
2174                 case -EBUSY:
2175                 case -EAGAIN:
2176                         /*
2177                          * Two reasons for this:
2178                          * - EBUSY: Owner is exiting and we just wait for the
2179                          *   exit to complete.
2180                          * - EAGAIN: The user space value changed.
2181                          */
2182                         double_unlock_hb(hb1, hb2);
2183                         hb_waiters_dec(hb2);
2184                         put_futex_key(&key2);
2185                         put_futex_key(&key1);
2186                         /*
2187                          * Handle the case where the owner is in the middle of
2188                          * exiting. Wait for the exit to complete otherwise
2189                          * this task might loop forever, aka. live lock.
2190                          */
2191                         wait_for_owner_exiting(ret, exiting);
2192                         cond_resched();
2193                         goto retry;
2194                 default:
2195                         goto out_unlock;
2196                 }
2197         }
2198 
2199         plist_for_each_entry_safe(this, next, &hb1->chain, list) {
2200                 if (task_count - nr_wake >= nr_requeue)
2201                         break;
2202 
2203                 if (!match_futex(&this->key, &key1))
2204                         continue;
2205 
2206                 /*
2207                  * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
2208                  * be paired with each other and no other futex ops.
2209                  *
2210                  * We should never be requeueing a futex_q with a pi_state,
2211                  * which is awaiting a futex_unlock_pi().
2212                  */
2213                 if ((requeue_pi && !this->rt_waiter) ||
2214                     (!requeue_pi && this->rt_waiter) ||
2215                     this->pi_state) {
2216                         ret = -EINVAL;
2217                         break;
2218                 }
2219 
2220                 /*
2221                  * Wake nr_wake waiters.  For requeue_pi, if we acquired the
2222                  * lock, we already woke the top_waiter.  If not, it will be
2223                  * woken by futex_unlock_pi().
2224                  */
2225                 if (++task_count <= nr_wake && !requeue_pi) {
2226                         mark_wake_futex(&wake_q, this);
2227                         continue;
2228                 }
2229 
2230                 /* Ensure we requeue to the expected futex for requeue_pi. */
2231                 if (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) {
2232                         ret = -EINVAL;
2233                         break;
2234                 }
2235 
2236                 /*
2237                  * Requeue nr_requeue waiters and possibly one more in the case
2238                  * of requeue_pi if we couldn't acquire the lock atomically.
2239                  */
2240                 if (requeue_pi) {
2241                         /*
2242                          * Prepare the waiter to take the rt_mutex. Take a
2243                          * refcount on the pi_state and store the pointer in
2244                          * the futex_q object of the waiter.
2245                          */
2246                         get_pi_state(pi_state);
2247                         this->pi_state = pi_state;
2248                         ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
2249                                                         this->rt_waiter,
2250                                                         this->task);
2251                         if (ret == 1) {
2252                                 /*
2253                                  * We got the lock. We do neither drop the
2254                                  * refcount on pi_state nor clear
2255                                  * this->pi_state because the waiter needs the
2256                                  * pi_state for cleaning up the user space
2257                                  * value. It will drop the refcount after
2258                                  * doing so.
2259                                  */
2260                                 requeue_pi_wake_futex(this, &key2, hb2);
2261                                 drop_count++;
2262                                 continue;
2263                         } else if (ret) {
2264                                 /*
2265                                  * rt_mutex_start_proxy_lock() detected a
2266                                  * potential deadlock when we tried to queue
2267                                  * that waiter. Drop the pi_state reference
2268                                  * which we took above and remove the pointer
2269                                  * to the state from the waiters futex_q
2270                                  * object.
2271                                  */
2272                                 this->pi_state = NULL;
2273                                 put_pi_state(pi_state);
2274                                 /*
2275                                  * We stop queueing more waiters and let user
2276                                  * space deal with the mess.
2277                                  */
2278                                 break;
2279                         }
2280                 }
2281                 requeue_futex(this, hb1, hb2, &key2);
2282                 drop_count++;
2283         }
2284 
2285         /*
2286          * We took an extra initial reference to the pi_state either
2287          * in futex_proxy_trylock_atomic() or in lookup_pi_state(). We
2288          * need to drop it here again.
2289          */
2290         put_pi_state(pi_state);
2291 
2292 out_unlock:
2293         double_unlock_hb(hb1, hb2);
2294         wake_up_q(&wake_q);
2295         hb_waiters_dec(hb2);
2296 
2297         /*
2298          * drop_futex_key_refs() must be called outside the spinlocks. During
2299          * the requeue we moved futex_q's from the hash bucket at key1 to the
2300          * one at key2 and updated their key pointer.  We no longer need to
2301          * hold the references to key1.
2302          */
2303         while (--drop_count >= 0)
2304                 drop_futex_key_refs(&key1);
2305 
2306 out_put_keys:
2307         put_futex_key(&key2);
2308 out_put_key1:
2309         put_futex_key(&key1);
2310 out:
2311         return ret ? ret : task_count;
2312 }
2313 
2314 /* The key must be already stored in q->key. */
2315 static inline struct futex_hash_bucket *queue_lock(struct futex_q *q)
2316         __acquires(&hb->lock)
2317 {
2318         struct futex_hash_bucket *hb;
2319 
2320         hb = hash_futex(&q->key);
2321 
2322         /*
2323          * Increment the counter before taking the lock so that
2324          * a potential waker won't miss a to-be-slept task that is
2325          * waiting for the spinlock. This is safe as all queue_lock()
2326          * users end up calling queue_me(). Similarly, for housekeeping,
2327          * decrement the counter at queue_unlock() when some error has
2328          * occurred and we don't end up adding the task to the list.
2329          */
2330         hb_waiters_inc(hb); /* implies smp_mb(); (A) */
2331 
2332         q->lock_ptr = &hb->lock;
2333 
2334         spin_lock(&hb->lock);
2335         return hb;
2336 }
2337 
2338 static inline void
2339 queue_unlock(struct futex_hash_bucket *hb)
2340         __releases(&hb->lock)
2341 {
2342         spin_unlock(&hb->lock);
2343         hb_waiters_dec(hb);
2344 }
2345 
2346 static inline void __queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
2347 {
2348         int prio;
2349 
2350         /*
2351          * The priority used to register this element is
2352          * - either the real thread-priority for the real-time threads
2353          * (i.e. threads with a priority lower than MAX_RT_PRIO)
2354          * - or MAX_RT_PRIO for non-RT threads.
2355          * Thus, all RT-threads are woken first in priority order, and
2356          * the others are woken last, in FIFO order.
2357          */
2358         prio = min(current->normal_prio, MAX_RT_PRIO);
2359 
2360         plist_node_init(&q->list, prio);
2361         plist_add(&q->list, &hb->chain);
2362         q->task = current;
2363 }
2364 
2365 /**
2366  * queue_me() - Enqueue the futex_q on the futex_hash_bucket
2367  * @q:  The futex_q to enqueue
2368  * @hb: The destination hash bucket
2369  *
2370  * The hb->lock must be held by the caller, and is released here. A call to
2371  * queue_me() is typically paired with exactly one call to unqueue_me().  The
2372  * exceptions involve the PI related operations, which may use unqueue_me_pi()
2373  * or nothing if the unqueue is done as part of the wake process and the unqueue
2374  * state is implicit in the state of woken task (see futex_wait_requeue_pi() for
2375  * an example).
2376  */
2377 static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
2378         __releases(&hb->lock)
2379 {
2380         __queue_me(q, hb);
2381         spin_unlock(&hb->lock);
2382 }
2383 
2384 /**
2385  * unqueue_me() - Remove the futex_q from its futex_hash_bucket
2386  * @q:  The futex_q to unqueue
2387  *
2388  * The q->lock_ptr must not be held by the caller. A call to unqueue_me() must
2389  * be paired with exactly one earlier call to queue_me().
2390  *
2391  * Return:
2392  *  - 1 - if the futex_q was still queued (and we removed unqueued it);
2393  *  - 0 - if the futex_q was already removed by the waking thread
2394  */
2395 static int unqueue_me(struct futex_q *q)
2396 {
2397         spinlock_t *lock_ptr;
2398         int ret = 0;
2399 
2400         /* In the common case we don't take the spinlock, which is nice. */
2401 retry:
2402         /*
2403          * q->lock_ptr can change between this read and the following spin_lock.
2404          * Use READ_ONCE to forbid the compiler from reloading q->lock_ptr and
2405          * optimizing lock_ptr out of the logic below.
2406          */
2407         lock_ptr = READ_ONCE(q->lock_ptr);
2408         if (lock_ptr != NULL) {
2409                 spin_lock(lock_ptr);
2410                 /*
2411                  * q->lock_ptr can change between reading it and
2412                  * spin_lock(), causing us to take the wrong lock.  This
2413                  * corrects the race condition.
2414                  *
2415                  * Reasoning goes like this: if we have the wrong lock,
2416                  * q->lock_ptr must have changed (maybe several times)
2417                  * between reading it and the spin_lock().  It can
2418                  * change again after the spin_lock() but only if it was
2419                  * already changed before the spin_lock().  It cannot,
2420                  * however, change back to the original value.  Therefore
2421                  * we can detect whether we acquired the correct lock.
2422                  */
2423                 if (unlikely(lock_ptr != q->lock_ptr)) {
2424                         spin_unlock(lock_ptr);
2425                         goto retry;
2426                 }
2427                 __unqueue_futex(q);
2428 
2429                 BUG_ON(q->pi_state);
2430 
2431                 spin_unlock(lock_ptr);
2432                 ret = 1;
2433         }
2434 
2435         drop_futex_key_refs(&q->key);
2436         return ret;
2437 }
2438 
2439 /*
2440  * PI futexes can not be requeued and must remove themself from the
2441  * hash bucket. The hash bucket lock (i.e. lock_ptr) is held on entry
2442  * and dropped here.
2443  */
2444 static void unqueue_me_pi(struct futex_q *q)
2445         __releases(q->lock_ptr)
2446 {
2447         __unqueue_futex(q);
2448 
2449         BUG_ON(!q->pi_state);
2450         put_pi_state(q->pi_state);
2451         q->pi_state = NULL;
2452 
2453         spin_unlock(q->lock_ptr);
2454 }
2455 
2456 static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
2457                                 struct task_struct *argowner)
2458 {
2459         struct futex_pi_state *pi_state = q->pi_state;
2460         u32 uval, uninitialized_var(curval), newval;
2461         struct task_struct *oldowner, *newowner;
2462         u32 newtid;
2463         int ret, err = 0;
2464 
2465         lockdep_assert_held(q->lock_ptr);
2466 
2467         raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
2468 
2469         oldowner = pi_state->owner;
2470 
2471         /*
2472          * We are here because either:
2473          *
2474          *  - we stole the lock and pi_state->owner needs updating to reflect
2475          *    that (@argowner == current),
2476          *
2477          * or:
2478          *
2479          *  - someone stole our lock and we need to fix things to point to the
2480          *    new owner (@argowner == NULL).
2481          *
2482          * Either way, we have to replace the TID in the user space variable.
2483          * This must be atomic as we have to preserve the owner died bit here.
2484          *
2485          * Note: We write the user space value _before_ changing the pi_state
2486          * because we can fault here. Imagine swapped out pages or a fork
2487          * that marked all the anonymous memory readonly for cow.
2488          *
2489          * Modifying pi_state _before_ the user space value would leave the
2490          * pi_state in an inconsistent state when we fault here, because we
2491          * need to drop the locks to handle the fault. This might be observed
2492          * in the PID check in lookup_pi_state.
2493          */
2494 retry:
2495         if (!argowner) {
2496                 if (oldowner != current) {
2497                         /*
2498                          * We raced against a concurrent self; things are
2499                          * already fixed up. Nothing to do.
2500                          */
2501                         ret = 0;
2502                         goto out_unlock;
2503                 }
2504 
2505                 if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
2506                         /* We got the lock after all, nothing to fix. */
2507                         ret = 0;
2508                         goto out_unlock;
2509                 }
2510 
2511                 /*
2512                  * Since we just failed the trylock; there must be an owner.
2513                  */
2514                 newowner = rt_mutex_owner(&pi_state->pi_mutex);
2515                 BUG_ON(!newowner);
2516         } else {
2517                 WARN_ON_ONCE(argowner != current);
2518                 if (oldowner == current) {
2519                         /*
2520                          * We raced against a concurrent self; things are
2521                          * already fixed up. Nothing to do.
2522                          */
2523                         ret = 0;
2524                         goto out_unlock;
2525                 }
2526                 newowner = argowner;
2527         }
2528 
2529         newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
2530         /* Owner died? */
2531         if (!pi_state->owner)
2532                 newtid |= FUTEX_OWNER_DIED;
2533 
2534         err = get_futex_value_locked(&uval, uaddr);
2535         if (err)
2536                 goto handle_err;
2537 
2538         for (;;) {
2539                 newval = (uval & FUTEX_OWNER_DIED) | newtid;
2540 
2541                 err = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
2542                 if (err)
2543                         goto handle_err;
2544 
2545                 if (curval == uval)
2546                         break;
2547                 uval = curval;
2548         }
2549 
2550         /*
2551          * We fixed up user space. Now we need to fix the pi_state
2552          * itself.
2553          */
2554         if (pi_state->owner != NULL) {
2555                 raw_spin_lock(&pi_state->owner->pi_lock);
2556                 WARN_ON(list_empty(&pi_state->list));
2557                 list_del_init(&pi_state->list);
2558                 raw_spin_unlock(&pi_state->owner->pi_lock);
2559         }
2560 
2561         pi_state->owner = newowner;
2562 
2563         raw_spin_lock(&newowner->pi_lock);
2564         WARN_ON(!list_empty(&pi_state->list));
2565         list_add(&pi_state->list, &newowner->pi_state_list);
2566         raw_spin_unlock(&newowner->pi_lock);
2567         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
2568 
2569         return 0;
2570 
2571         /*
2572          * In order to reschedule or handle a page fault, we need to drop the
2573          * locks here. In the case of a fault, this gives the other task
2574          * (either the highest priority waiter itself or the task which stole
2575          * the rtmutex) the chance to try the fixup of the pi_state. So once we
2576          * are back from handling the fault we need to check the pi_state after
2577          * reacquiring the locks and before trying to do another fixup. When
2578          * the fixup has been done already we simply return.
2579          *
2580          * Note: we hold both hb->lock and pi_mutex->wait_lock. We can safely
2581          * drop hb->lock since the caller owns the hb -> futex_q relation.
2582          * Dropping the pi_mutex->wait_lock requires the state revalidate.
2583          */
2584 handle_err:
2585         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
2586         spin_unlock(q->lock_ptr);
2587 
2588         switch (err) {
2589         case -EFAULT:
2590                 ret = fault_in_user_writeable(uaddr);
2591                 break;
2592 
2593         case -EAGAIN:
2594                 cond_resched();
2595                 ret = 0;
2596                 break;
2597 
2598         default:
2599                 WARN_ON_ONCE(1);
2600                 ret = err;
2601                 break;
2602         }
2603 
2604         spin_lock(q->lock_ptr);
2605         raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
2606 
2607         /*
2608          * Check if someone else fixed it for us:
2609          */
2610         if (pi_state->owner != oldowner) {
2611                 ret = 0;
2612                 goto out_unlock;
2613         }
2614 
2615         if (ret)
2616                 goto out_unlock;
2617 
2618         goto retry;
2619 
2620 out_unlock:
2621         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
2622         return ret;
2623 }
2624 
2625 static long futex_wait_restart(struct restart_block *restart);
2626 
2627 /**
2628  * fixup_owner() - Post lock pi_state and corner case management
2629  * @uaddr:      user address of the futex
2630  * @q:          futex_q (contains pi_state and access to the rt_mutex)
2631  * @locked:     if the attempt to take the rt_mutex succeeded (1) or not (0)
2632  *
2633  * After attempting to lock an rt_mutex, this function is called to cleanup
2634  * the pi_state owner as well as handle race conditions that may allow us to
2635  * acquire the lock. Must be called with the hb lock held.
2636  *
2637  * Return:
2638  *  -  1 - success, lock taken;
2639  *  -  0 - success, lock not taken;
2640  *  - <0 - on error (-EFAULT)
2641  */
2642 static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
2643 {
2644         int ret = 0;
2645 
2646         if (locked) {
2647                 /*
2648                  * Got the lock. We might not be the anticipated owner if we
2649                  * did a lock-steal - fix up the PI-state in that case:
2650                  *
2651                  * Speculative pi_state->owner read (we don't hold wait_lock);
2652                  * since we own the lock pi_state->owner == current is the
2653                  * stable state, anything else needs more attention.
2654                  */
2655                 if (q->pi_state->owner != current)
2656                         ret = fixup_pi_state_owner(uaddr, q, current);
2657                 goto out;
2658         }
2659 
2660         /*
2661          * If we didn't get the lock; check if anybody stole it from us. In
2662          * that case, we need to fix up the uval to point to them instead of
2663          * us, otherwise bad things happen. [10]
2664          *
2665          * Another speculative read; pi_state->owner == current is unstable
2666          * but needs our attention.
2667          */
2668         if (q->pi_state->owner == current) {
2669                 ret = fixup_pi_state_owner(uaddr, q, NULL);
2670                 goto out;
2671         }
2672 
2673         /*
2674          * Paranoia check. If we did not take the lock, then we should not be
2675          * the owner of the rt_mutex.
2676          */
2677         if (rt_mutex_owner(&q->pi_state->pi_mutex) == current) {
2678                 printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p "
2679                                 "pi-state %p\n", ret,
2680                                 q->pi_state->pi_mutex.owner,
2681                                 q->pi_state->owner);
2682         }
2683 
2684 out:
2685         return ret ? ret : locked;
2686 }
2687 
2688 /**
2689  * futex_wait_queue_me() - queue_me() and wait for wakeup, timeout, or signal
2690  * @hb:         the futex hash bucket, must be locked by the caller
2691  * @q:          the futex_q to queue up on
2692  * @timeout:    the prepared hrtimer_sleeper, or null for no timeout
2693  */
2694 static void futex_wait_queue_me(struct futex_hash_bucket *hb, struct futex_q *q,
2695                                 struct hrtimer_sleeper *timeout)
2696 {
2697         /*
2698          * The task state is guaranteed to be set before another task can
2699          * wake it. set_current_state() is implemented using smp_store_mb() and
2700          * queue_me() calls spin_unlock() upon completion, both serializing
2701          * access to the hash list and forcing another memory barrier.
2702          */
2703         set_current_state(TASK_INTERRUPTIBLE);
2704         queue_me(q, hb);
2705 
2706         /* Arm the timer */
2707         if (timeout)
2708                 hrtimer_sleeper_start_expires(timeout, HRTIMER_MODE_ABS);
2709 
2710         /*
2711          * If we have been removed from the hash list, then another task
2712          * has tried to wake us, and we can skip the call to schedule().
2713          */
2714         if (likely(!plist_node_empty(&q->list))) {
2715                 /*
2716                  * If the timer has already expired, current will already be
2717                  * flagged for rescheduling. Only call schedule if there
2718                  * is no timeout, or if it has yet to expire.
2719                  */
2720                 if (!timeout || timeout->task)
2721                         freezable_schedule();
2722         }
2723         __set_current_state(TASK_RUNNING);
2724 }
2725 
2726 /**
2727  * futex_wait_setup() - Prepare to wait on a futex
2728  * @uaddr:      the futex userspace address
2729  * @val:        the expected value
2730  * @flags:      futex flags (FLAGS_SHARED, etc.)
2731  * @q:          the associated futex_q
2732  * @hb:         storage for hash_bucket pointer to be returned to caller
2733  *
2734  * Setup the futex_q and locate the hash_bucket.  Get the futex value and
2735  * compare it with the expected value.  Handle atomic faults internally.
2736  * Return with the hb lock held and a q.key reference on success, and unlocked
2737  * with no q.key reference on failure.
2738  *
2739  * Return:
2740  *  -  0 - uaddr contains val and hb has been locked;
2741  *  - <1 - -EFAULT or -EWOULDBLOCK (uaddr does not contain val) and hb is unlocked
2742  */
2743 static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
2744                            struct futex_q *q, struct futex_hash_bucket **hb)
2745 {
2746         u32 uval;
2747         int ret;
2748 
2749         /*
2750          * Access the page AFTER the hash-bucket is locked.
2751          * Order is important:
2752          *
2753          *   Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
2754          *   Userspace waker:  if (cond(var)) { var = new; futex_wake(&var); }
2755          *
2756          * The basic logical guarantee of a futex is that it blocks ONLY
2757          * if cond(var) is known to be true at the time of blocking, for
2758          * any cond.  If we locked the hash-bucket after testing *uaddr, that
2759          * would open a race condition where we could block indefinitely with
2760          * cond(var) false, which would violate the guarantee.
2761          *
2762          * On the other hand, we insert q and release the hash-bucket only
2763          * after testing *uaddr.  This guarantees that futex_wait() will NOT
2764          * absorb a wakeup if *uaddr does not match the desired values
2765          * while the syscall executes.
2766          */
2767 retry:
2768         ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, FUTEX_READ);
2769         if (unlikely(ret != 0))
2770                 return ret;
2771 
2772 retry_private:
2773         *hb = queue_lock(q);
2774 
2775         ret = get_futex_value_locked(&uval, uaddr);
2776 
2777         if (ret) {
2778                 queue_unlock(*hb);
2779 
2780                 ret = get_user(uval, uaddr);
2781                 if (ret)
2782                         goto out;
2783 
2784                 if (!(flags & FLAGS_SHARED))
2785                         goto retry_private;
2786 
2787                 put_futex_key(&q->key);
2788                 goto retry;
2789         }
2790 
2791         if (uval != val) {
2792                 queue_unlock(*hb);
2793                 ret = -EWOULDBLOCK;
2794         }
2795 
2796 out:
2797         if (ret)
2798                 put_futex_key(&q->key);
2799         return ret;
2800 }
2801 
2802 static int futex_wait(u32 __user *uaddr, unsigned int flags, u32 val,
2803                       ktime_t *abs_time, u32 bitset)
2804 {
2805         struct hrtimer_sleeper timeout, *to;
2806         struct restart_block *restart;
2807         struct futex_hash_bucket *hb;
2808         struct futex_q q = futex_q_init;
2809         int ret;
2810 
2811         if (!bitset)
2812                 return -EINVAL;
2813         q.bitset = bitset;
2814 
2815         to = futex_setup_timer(abs_time, &timeout, flags,
2816                                current->timer_slack_ns);
2817 retry:
2818         /*
2819          * Prepare to wait on uaddr. On success, holds hb lock and increments
2820          * q.key refs.
2821          */
2822         ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
2823         if (ret)
2824                 goto out;
2825 
2826         /* queue_me and wait for wakeup, timeout, or a signal. */
2827         futex_wait_queue_me(hb, &q, to);
2828 
2829         /* If we were woken (and unqueued), we succeeded, whatever. */
2830         ret = 0;
2831         /* unqueue_me() drops q.key ref */
2832         if (!unqueue_me(&q))
2833                 goto out;
2834         ret = -ETIMEDOUT;
2835         if (to && !to->task)
2836                 goto out;
2837 
2838         /*
2839          * We expect signal_pending(current), but we might be the
2840          * victim of a spurious wakeup as well.
2841          */
2842         if (!signal_pending(current))
2843                 goto retry;
2844 
2845         ret = -ERESTARTSYS;
2846         if (!abs_time)
2847                 goto out;
2848 
2849         restart = &current->restart_block;
2850         restart->fn = futex_wait_restart;
2851         restart->futex.uaddr = uaddr;
2852         restart->futex.val = val;
2853         restart->futex.time = *abs_time;
2854         restart->futex.bitset = bitset;
2855         restart->futex.flags = flags | FLAGS_HAS_TIMEOUT;
2856 
2857         ret = -ERESTART_RESTARTBLOCK;
2858 
2859 out:
2860         if (to) {
2861                 hrtimer_cancel(&to->timer);
2862                 destroy_hrtimer_on_stack(&to->timer);
2863         }
2864         return ret;
2865 }
2866 
2867 
2868 static long futex_wait_restart(struct restart_block *restart)
2869 {
2870         u32 __user *uaddr = restart->futex.uaddr;
2871         ktime_t t, *tp = NULL;
2872 
2873         if (restart->futex.flags & FLAGS_HAS_TIMEOUT) {
2874                 t = restart->futex.time;
2875                 tp = &t;
2876         }
2877         restart->fn = do_no_restart_syscall;
2878 
2879         return (long)futex_wait(uaddr, restart->futex.flags,
2880                                 restart->futex.val, tp, restart->futex.bitset);
2881 }
2882 
2883 
2884 /*
2885  * Userspace tried a 0 -> TID atomic transition of the futex value
2886  * and failed. The kernel side here does the whole locking operation:
2887  * if there are waiters then it will block as a consequence of relying
2888  * on rt-mutexes, it does PI, etc. (Due to races the kernel might see
2889  * a 0 value of the futex too.).
2890  *
2891  * Also serves as futex trylock_pi()'ing, and due semantics.
2892  */
2893 static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
2894                          ktime_t *time, int trylock)
2895 {
2896         struct hrtimer_sleeper timeout, *to;
2897         struct futex_pi_state *pi_state = NULL;
2898         struct task_struct *exiting = NULL;
2899         struct rt_mutex_waiter rt_waiter;
2900         struct futex_hash_bucket *hb;
2901         struct futex_q q = futex_q_init;
2902         int res, ret;
2903 
2904         if (!IS_ENABLED(CONFIG_FUTEX_PI))
2905                 return -ENOSYS;
2906 
2907         if (refill_pi_state_cache())
2908                 return -ENOMEM;
2909 
2910         to = futex_setup_timer(time, &timeout, FLAGS_CLOCKRT, 0);
2911 
2912 retry:
2913         ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
2914         if (unlikely(ret != 0))
2915                 goto out;
2916 
2917 retry_private:
2918         hb = queue_lock(&q);
2919 
2920         ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current,
2921                                    &exiting, 0);
2922         if (unlikely(ret)) {
2923                 /*
2924                  * Atomic work succeeded and we got the lock,
2925                  * or failed. Either way, we do _not_ block.
2926                  */
2927                 switch (ret) {
2928                 case 1:
2929                         /* We got the lock. */
2930                         ret = 0;
2931                         goto out_unlock_put_key;
2932                 case -EFAULT:
2933                         goto uaddr_faulted;
2934                 case -EBUSY:
2935                 case -EAGAIN:
2936                         /*
2937                          * Two reasons for this:
2938                          * - EBUSY: Task is exiting and we just wait for the
2939                          *   exit to complete.
2940                          * - EAGAIN: The user space value changed.
2941                          */
2942                         queue_unlock(hb);
2943                         put_futex_key(&q.key);
2944                         /*
2945                          * Handle the case where the owner is in the middle of
2946                          * exiting. Wait for the exit to complete otherwise
2947                          * this task might loop forever, aka. live lock.
2948                          */
2949                         wait_for_owner_exiting(ret, exiting);
2950                         cond_resched();
2951                         goto retry;
2952                 default:
2953                         goto out_unlock_put_key;
2954                 }
2955         }
2956 
2957         WARN_ON(!q.pi_state);
2958 
2959         /*
2960          * Only actually queue now that the atomic ops are done:
2961          */
2962         __queue_me(&q, hb);
2963 
2964         if (trylock) {
2965                 ret = rt_mutex_futex_trylock(&q.pi_state->pi_mutex);
2966                 /* Fixup the trylock return value: */
2967                 ret = ret ? 0 : -EWOULDBLOCK;
2968                 goto no_block;
2969         }
2970 
2971         rt_mutex_init_waiter(&rt_waiter);
2972 
2973         /*
2974          * On PREEMPT_RT_FULL, when hb->lock becomes an rt_mutex, we must not
2975          * hold it while doing rt_mutex_start_proxy(), because then it will
2976          * include hb->lock in the blocking chain, even through we'll not in
2977          * fact hold it while blocking. This will lead it to report -EDEADLK
2978          * and BUG when futex_unlock_pi() interleaves with this.
2979          *
2980          * Therefore acquire wait_lock while holding hb->lock, but drop the
2981          * latter before calling __rt_mutex_start_proxy_lock(). This
2982          * interleaves with futex_unlock_pi() -- which does a similar lock
2983          * handoff -- such that the latter can observe the futex_q::pi_state
2984          * before __rt_mutex_start_proxy_lock() is done.
2985          */
2986         raw_spin_lock_irq(&q.pi_state->pi_mutex.wait_lock);
2987         spin_unlock(q.lock_ptr);
2988         /*
2989          * __rt_mutex_start_proxy_lock() unconditionally enqueues the @rt_waiter
2990          * such that futex_unlock_pi() is guaranteed to observe the waiter when
2991          * it sees the futex_q::pi_state.
2992          */
2993         ret = __rt_mutex_start_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter, current);
2994         raw_spin_unlock_irq(&q.pi_state->pi_mutex.wait_lock);
2995 
2996         if (ret) {
2997                 if (ret == 1)
2998                         ret = 0;
2999                 goto cleanup;
3000         }
3001 
3002         if (unlikely(to))
3003                 hrtimer_sleeper_start_expires(to, HRTIMER_MODE_ABS);
3004 
3005         ret = rt_mutex_wait_proxy_lock(&q.pi_state->pi_mutex, to, &rt_waiter);
3006 
3007 cleanup:
3008         spin_lock(q.lock_ptr);
3009         /*
3010          * If we failed to acquire the lock (deadlock/signal/timeout), we must
3011          * first acquire the hb->lock before removing the lock from the
3012          * rt_mutex waitqueue, such that we can keep the hb and rt_mutex wait
3013          * lists consistent.
3014          *
3015          * In particular; it is important that futex_unlock_pi() can not
3016          * observe this inconsistency.
3017          */
3018         if (ret && !rt_mutex_cleanup_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter))
3019                 ret = 0;
3020 
3021 no_block:
3022         /*
3023          * Fixup the pi_state owner and possibly acquire the lock if we
3024          * haven't already.
3025          */
3026         res = fixup_owner(uaddr, &q, !ret);
3027         /*
3028          * If fixup_owner() returned an error, proprogate that.  If it acquired
3029          * the lock, clear our -ETIMEDOUT or -EINTR.
3030          */
3031         if (res)
3032                 ret = (res < 0) ? res : 0;
3033 
3034         /*
3035          * If fixup_owner() faulted and was unable to handle the fault, unlock
3036          * it and return the fault to userspace.
3037          */
3038         if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current)) {
3039                 pi_state = q.pi_state;
3040                 get_pi_state(pi_state);
3041         }
3042 
3043         /* Unqueue and drop the lock */
3044         unqueue_me_pi(&q);
3045 
3046         if (pi_state) {
3047                 rt_mutex_futex_unlock(&pi_state->pi_mutex);
3048                 put_pi_state(pi_state);
3049         }
3050 
3051         goto out_put_key;
3052 
3053 out_unlock_put_key:
3054         queue_unlock(hb);
3055 
3056 out_put_key:
3057         put_futex_key(&q.key);
3058 out:
3059         if (to) {
3060                 hrtimer_cancel(&to->timer);
3061                 destroy_hrtimer_on_stack(&to->timer);
3062         }
3063         return ret != -EINTR ? ret : -ERESTARTNOINTR;
3064 
3065 uaddr_faulted:
3066         queue_unlock(hb);
3067 
3068         ret = fault_in_user_writeable(uaddr);
3069         if (ret)
3070                 goto out_put_key;
3071 
3072         if (!(flags & FLAGS_SHARED))
3073                 goto retry_private;
3074 
3075         put_futex_key(&q.key);
3076         goto retry;
3077 }
3078 
3079 /*
3080  * Userspace attempted a TID -> 0 atomic transition, and failed.
3081  * This is the in-kernel slowpath: we look up the PI state (if any),
3082  * and do the rt-mutex unlock.
3083  */
3084 static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
3085 {
3086         u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
3087         union futex_key key = FUTEX_KEY_INIT;
3088         struct futex_hash_bucket *hb;
3089         struct futex_q *top_waiter;
3090         int ret;
3091 
3092         if (!IS_ENABLED(CONFIG_FUTEX_PI))
3093                 return -ENOSYS;
3094 
3095 retry:
3096         if (get_user(uval, uaddr))
3097                 return -EFAULT;
3098         /*
3099          * We release only a lock we actually own:
3100          */
3101         if ((uval & FUTEX_TID_MASK) != vpid)
3102                 return -EPERM;
3103 
3104         ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_WRITE);
3105         if (ret)
3106                 return ret;
3107 
3108         hb = hash_futex(&key);
3109         spin_lock(&hb->lock);
3110 
3111         /*
3112          * Check waiters first. We do not trust user space values at
3113          * all and we at least want to know if user space fiddled
3114          * with the futex value instead of blindly unlocking.
3115          */
3116         top_waiter = futex_top_waiter(hb, &key);
3117         if (top_waiter) {
3118                 struct futex_pi_state *pi_state = top_waiter->pi_state;
3119 
3120                 ret = -EINVAL;
3121                 if (!pi_state)
3122                         goto out_unlock;
3123 
3124                 /*
3125                  * If current does not own the pi_state then the futex is
3126                  * inconsistent and user space fiddled with the futex value.
3127                  */
3128                 if (pi_state->owner != current)
3129                         goto out_unlock;
3130 
3131                 get_pi_state(pi_state);
3132                 /*
3133                  * By taking wait_lock while still holding hb->lock, we ensure
3134                  * there is no point where we hold neither; and therefore
3135                  * wake_futex_pi() must observe a state consistent with what we
3136                  * observed.
3137                  *
3138                  * In particular; this forces __rt_mutex_start_proxy() to
3139                  * complete such that we're guaranteed to observe the
3140                  * rt_waiter. Also see the WARN in wake_futex_pi().
3141                  */
3142                 raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
3143                 spin_unlock(&hb->lock);
3144 
3145                 /* drops pi_state->pi_mutex.wait_lock */
3146                 ret = wake_futex_pi(uaddr, uval, pi_state);
3147 
3148                 put_pi_state(pi_state);
3149 
3150                 /*
3151                  * Success, we're done! No tricky corner cases.
3152                  */
3153                 if (!ret)
3154                         goto out_putkey;
3155                 /*
3156                  * The atomic access to the futex value generated a
3157                  * pagefault, so retry the user-access and the wakeup:
3158                  */
3159                 if (ret == -EFAULT)
3160                         goto pi_faulted;
3161                 /*
3162                  * A unconditional UNLOCK_PI op raced against a waiter
3163                  * setting the FUTEX_WAITERS bit. Try again.
3164                  */
3165                 if (ret == -EAGAIN)
3166                         goto pi_retry;
3167                 /*
3168                  * wake_futex_pi has detected invalid state. Tell user
3169                  * space.
3170                  */
3171                 goto out_putkey;
3172         }
3173 
3174         /*
3175          * We have no kernel internal state, i.e. no waiters in the
3176          * kernel. Waiters which are about to queue themselves are stuck
3177          * on hb->lock. So we can safely ignore them. We do neither
3178          * preserve the WAITERS bit not the OWNER_DIED one. We are the
3179          * owner.
3180          */
3181         if ((ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, 0))) {
3182                 spin_unlock(&hb->lock);
3183                 switch (ret) {
3184                 case -EFAULT:
3185                         goto pi_faulted;
3186 
3187                 case -EAGAIN:
3188                         goto pi_retry;
3189 
3190                 default:
3191                         WARN_ON_ONCE(1);
3192                         goto out_putkey;
3193                 }
3194         }
3195 
3196         /*
3197          * If uval has changed, let user space handle it.
3198          */
3199         ret = (curval == uval) ? 0 : -EAGAIN;
3200 
3201 out_unlock:
3202         spin_unlock(&hb->lock);
3203 out_putkey:
3204         put_futex_key(&key);
3205         return ret;
3206 
3207 pi_retry:
3208         put_futex_key(&key);
3209         cond_resched();
3210         goto retry;
3211 
3212 pi_faulted:
3213         put_futex_key(&key);
3214 
3215         ret = fault_in_user_writeable(uaddr);
3216         if (!ret)
3217                 goto retry;
3218 
3219         return ret;
3220 }
3221 
3222 /**
3223  * handle_early_requeue_pi_wakeup() - Detect early wakeup on the initial futex
3224  * @hb:         the hash_bucket futex_q was original enqueued on
3225  * @q:          the futex_q woken while waiting to be requeued
3226  * @key2:       the futex_key of the requeue target futex
3227  * @timeout:    the timeout associated with the wait (NULL if none)
3228  *
3229  * Detect if the task was woken on the initial futex as opposed to the requeue
3230  * target futex.  If so, determine if it was a timeout or a signal that caused
3231  * the wakeup and return the appropriate error code to the caller.  Must be
3232  * called with the hb lock held.
3233  *
3234  * Return:
3235  *  -  0 = no early wakeup detected;
3236  *  - <0 = -ETIMEDOUT or -ERESTARTNOINTR
3237  */
3238 static inline
3239 int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
3240                                    struct futex_q *q, union futex_key *key2,
3241                                    struct hrtimer_sleeper *timeout)
3242 {
3243         int ret = 0;
3244 
3245         /*
3246          * With the hb lock held, we avoid races while we process the wakeup.
3247          * We only need to hold hb (and not hb2) to ensure atomicity as the
3248          * wakeup code can't change q.key from uaddr to uaddr2 if we hold hb.
3249          * It can't be requeued from uaddr2 to something else since we don't
3250          * support a PI aware source futex for requeue.
3251          */
3252         if (!match_futex(&q->key, key2)) {
3253                 WARN_ON(q->lock_ptr && (&hb->lock != q->lock_ptr));
3254                 /*
3255                  * We were woken prior to requeue by a timeout or a signal.
3256                  * Unqueue the futex_q and determine which it was.
3257                  */
3258                 plist_del(&q->list, &hb->chain);
3259                 hb_waiters_dec(hb);
3260 
3261                 /* Handle spurious wakeups gracefully */
3262                 ret = -EWOULDBLOCK;
3263                 if (timeout && !timeout->task)
3264                         ret = -ETIMEDOUT;
3265                 else if (signal_pending(current))
3266                         ret = -ERESTARTNOINTR;
3267         }
3268         return ret;
3269 }
3270 
3271 /**
3272  * futex_wait_requeue_pi() - Wait on uaddr and take uaddr2
3273  * @uaddr:      the futex we initially wait on (non-pi)
3274  * @flags:      futex flags (FLAGS_SHARED, FLAGS_CLOCKRT, etc.), they must be
3275  *              the same type, no requeueing from private to shared, etc.
3276  * @val:        the expected value of uaddr
3277  * @abs_time:   absolute timeout
3278  * @bitset:     32 bit wakeup bitset set by userspace, defaults to all
3279  * @uaddr2:     the pi futex we will take prior to returning to user-space
3280  *
3281  * The caller will wait on uaddr and will be requeued by futex_requeue() to
3282  * uaddr2 which must be PI aware and unique from uaddr.  Normal wakeup will wake
3283  * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
3284  * userspace.  This ensures the rt_mutex maintains an owner when it has waiters;
3285  * without one, the pi logic would not know which task to boost/deboost, if
3286  * there was a need to.
3287  *
3288  * We call schedule in futex_wait_queue_me() when we enqueue and return there
3289  * via the following--
3290  * 1) wakeup on uaddr2 after an atomic lock acquisition by futex_requeue()
3291  * 2) wakeup on uaddr2 after a requeue
3292  * 3) signal
3293  * 4) timeout
3294  *
3295  * If 3, cleanup and return -ERESTARTNOINTR.
3296  *
3297  * If 2, we may then block on trying to take the rt_mutex and return via:
3298  * 5) successful lock
3299  * 6) signal
3300  * 7) timeout
3301  * 8) other lock acquisition failure
3302  *
3303  * If 6, return -EWOULDBLOCK (restarting the syscall would do the same).
3304  *
3305  * If 4 or 7, we cleanup and return with -ETIMEDOUT.
3306  *
3307  * Return:
3308  *  -  0 - On success;
3309  *  - <0 - On error
3310  */
3311 static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
3312                                  u32 val, ktime_t *abs_time, u32 bitset,
3313                                  u32 __user *uaddr2)
3314 {
3315         struct hrtimer_sleeper timeout, *to;
3316         struct futex_pi_state *pi_state = NULL;
3317         struct rt_mutex_waiter rt_waiter;
3318         struct futex_hash_bucket *hb;
3319         union futex_key key2 = FUTEX_KEY_INIT;
3320         struct futex_q q = futex_q_init;
3321         int res, ret;
3322 
3323         if (!IS_ENABLED(CONFIG_FUTEX_PI))
3324                 return -ENOSYS;
3325 
3326         if (uaddr == uaddr2)
3327                 return -EINVAL;
3328 
3329         if (!bitset)
3330                 return -EINVAL;
3331 
3332         to = futex_setup_timer(abs_time, &timeout, flags,
3333                                current->timer_slack_ns);
3334 
3335         /*
3336          * The waiter is allocated on our stack, manipulated by the requeue
3337          * code while we sleep on uaddr.
3338          */
3339         rt_mutex_init_waiter(&rt_waiter);
3340 
3341         ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
3342         if (unlikely(ret != 0))
3343                 goto out;
3344 
3345         q.bitset = bitset;
3346         q.rt_waiter = &rt_waiter;
3347         q.requeue_pi_key = &key2;
3348 
3349         /*
3350          * Prepare to wait on uaddr. On success, increments q.key (key1) ref
3351          * count.
3352          */
3353         ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
3354         if (ret)
3355                 goto out_key2;
3356 
3357         /*
3358          * The check above which compares uaddrs is not sufficient for
3359          * shared futexes. We need to compare the keys:
3360          */
3361         if (match_futex(&q.key, &key2)) {
3362                 queue_unlock(hb);
3363                 ret = -EINVAL;
3364                 goto out_put_keys;
3365         }
3366 
3367         /* Queue the futex_q, drop the hb lock, wait for wakeup. */
3368         futex_wait_queue_me(hb, &q, to);
3369 
3370         spin_lock(&hb->lock);
3371         ret = handle_early_requeue_pi_wakeup(hb, &q, &key2, to);
3372         spin_unlock(&hb->lock);
3373         if (ret)
3374                 goto out_put_keys;
3375 
3376         /*
3377          * In order for us to be here, we know our q.key == key2, and since
3378          * we took the hb->lock above, we also know that futex_requeue() has
3379          * completed and we no longer have to concern ourselves with a wakeup
3380          * race with the atomic proxy lock acquisition by the requeue code. The
3381          * futex_requeue dropped our key1 reference and incremented our key2
3382          * reference count.
3383          */
3384 
3385         /* Check if the requeue code acquired the second futex for us. */
3386         if (!q.rt_waiter) {
3387                 /*
3388                  * Got the lock. We might not be the anticipated owner if we
3389                  * did a lock-steal - fix up the PI-state in that case.
3390                  */
3391                 if (q.pi_state && (q.pi_state->owner != current)) {
3392                         spin_lock(q.lock_ptr);
3393                         ret = fixup_pi_state_owner(uaddr2, &q, current);
3394                         if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
3395                                 pi_state = q.pi_state;
3396                                 get_pi_state(pi_state);
3397                         }
3398                         /*
3399                          * Drop the reference to the pi state which
3400                          * the requeue_pi() code acquired for us.
3401                          */
3402                         put_pi_state(q.pi_state);
3403                         spin_unlock(q.lock_ptr);
3404                 }
3405         } else {
3406                 struct rt_mutex *pi_mutex;
3407 
3408                 /*
3409                  * We have been woken up by futex_unlock_pi(), a timeout, or a
3410                  * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
3411                  * the pi_state.
3412                  */
3413                 WARN_ON(!q.pi_state);
3414                 pi_mutex = &q.pi_state->pi_mutex;
3415                 ret = rt_mutex_wait_proxy_lock(pi_mutex, to, &rt_waiter);
3416 
3417                 spin_lock(q.lock_ptr);
3418                 if (ret && !rt_mutex_cleanup_proxy_lock(pi_mutex, &rt_waiter))
3419                         ret = 0;
3420 
3421                 debug_rt_mutex_free_waiter(&rt_waiter);
3422                 /*
3423                  * Fixup the pi_state owner and possibly acquire the lock if we
3424                  * haven't already.
3425                  */
3426                 res = fixup_owner(uaddr2, &q, !ret);
3427                 /*
3428                  * If fixup_owner() returned an error, proprogate that.  If it
3429                  * acquired the lock, clear -ETIMEDOUT or -EINTR.
3430                  */
3431                 if (res)
3432                         ret = (res < 0) ? res : 0;
3433 
3434                 /*
3435                  * If fixup_pi_state_owner() faulted and was unable to handle
3436                  * the fault, unlock the rt_mutex and return the fault to
3437                  * userspace.
3438                  */
3439                 if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) {
3440                         pi_state = q.pi_state;
3441                         get_pi_state(pi_state);
3442                 }
3443 
3444                 /* Unqueue and drop the lock. */
3445                 unqueue_me_pi(&q);
3446         }
3447 
3448         if (pi_state) {
3449                 rt_mutex_futex_unlock(&pi_state->pi_mutex);
3450                 put_pi_state(pi_state);
3451         }
3452 
3453         if (ret == -EINTR) {
3454                 /*
3455                  * We've already been requeued, but cannot restart by calling
3456                  * futex_lock_pi() directly. We could restart this syscall, but
3457                  * it would detect that the user space "val" changed and return
3458                  * -EWOULDBLOCK.  Save the overhead of the restart and return
3459                  * -EWOULDBLOCK directly.
3460                  */
3461                 ret = -EWOULDBLOCK;
3462         }
3463 
3464 out_put_keys:
3465         put_futex_key(&q.key);
3466 out_key2:
3467         put_futex_key(&key2);
3468 
3469 out:
3470         if (to) {
3471                 hrtimer_cancel(&to->timer);
3472                 destroy_hrtimer_on_stack(&to->timer);
3473         }
3474         return ret;
3475 }
3476 
3477 /*
3478  * Support for robust futexes: the kernel cleans up held futexes at
3479  * thread exit time.
3480  *
3481  * Implementation: user-space maintains a per-thread list of locks it
3482  * is holding. Upon do_exit(), the kernel carefully walks this list,
3483  * and marks all locks that are owned by this thread with the
3484  * FUTEX_OWNER_DIED bit, and wakes up a waiter (if any). The list is
3485  * always manipulated with the lock held, so the list is private and
3486  * per-thread. Userspace also maintains a per-thread 'list_op_pending'
3487  * field, to allow the kernel to clean up if the thread dies after
3488  * acquiring the lock, but just before it could have added itself to
3489  * the list. There can only be one such pending lock.
3490  */
3491 
3492 /**
3493  * sys_set_robust_list() - Set the robust-futex list head of a task
3494  * @head:       pointer to the list-head
3495  * @len:        length of the list-head, as userspace expects
3496  */
3497 SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
3498                 size_t, len)
3499 {
3500         if (!futex_cmpxchg_enabled)
3501                 return -ENOSYS;
3502         /*
3503          * The kernel knows only one size for now:
3504          */
3505         if (unlikely(len != sizeof(*head)))
3506                 return -EINVAL;
3507 
3508         current->robust_list = head;
3509 
3510         return 0;
3511 }
3512 
3513 /**
3514  * sys_get_robust_list() - Get the robust-futex list head of a task
3515  * @pid:        pid of the process [zero for current task]
3516  * @head_ptr:   pointer to a list-head pointer, the kernel fills it in
3517  * @len_ptr:    pointer to a length field, the kernel fills in the header size
3518  */
3519 SYSCALL_DEFINE3(get_robust_list, int, pid,
3520                 struct robust_list_head __user * __user *, head_ptr,
3521                 size_t __user *, len_ptr)
3522 {
3523         struct robust_list_head __user *head;
3524         unsigned long ret;
3525         struct task_struct *p;
3526 
3527         if (!futex_cmpxchg_enabled)
3528                 return -ENOSYS;
3529 
3530         rcu_read_lock();
3531 
3532         ret = -ESRCH;
3533         if (!pid)
3534                 p = current;
3535         else {
3536                 p = find_task_by_vpid(pid);
3537                 if (!p)
3538                         goto err_unlock;
3539         }
3540 
3541         ret = -EPERM;
3542         if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
3543                 goto err_unlock;
3544 
3545         head = p->robust_list;
3546         rcu_read_unlock();
3547 
3548         if (put_user(sizeof(*head), len_ptr))
3549                 return -EFAULT;
3550         return put_user(head, head_ptr);
3551 
3552 err_unlock:
3553         rcu_read_unlock();
3554 
3555         return ret;
3556 }
3557 
3558 /* Constants for the pending_op argument of handle_futex_death */
3559 #define HANDLE_DEATH_PENDING    true
3560 #define HANDLE_DEATH_LIST       false
3561 
3562 /*
3563  * Process a futex-list entry, check whether it's owned by the
3564  * dying task, and do notification if so:
3565  */
3566 static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
3567                               bool pi, bool pending_op)
3568 {
3569         u32 uval, uninitialized_var(nval), mval;
3570         int err;
3571 
3572         /* Futex address must be 32bit aligned */
3573         if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
3574                 return -1;
3575 
3576 retry:
3577         if (get_user(uval, uaddr))
3578                 return -1;
3579 
3580         /*
3581          * Special case for regular (non PI) futexes. The unlock path in
3582          * user space has two race scenarios:
3583          *
3584          * 1. The unlock path releases the user space futex value and
3585          *    before it can execute the futex() syscall to wake up
3586          *    waiters it is killed.
3587          *
3588          * 2. A woken up waiter is killed before it can acquire the
3589          *    futex in user space.
3590          *
3591          * In both cases the TID validation below prevents a wakeup of
3592          * potential waiters which can cause these waiters to block
3593          * forever.
3594          *
3595          * In both cases the following conditions are met:
3596          *
3597          *      1) task->robust_list->list_op_pending != NULL
3598          *         @pending_op == true
3599          *      2) User space futex value == 0
3600          *      3) Regular futex: @pi == false
3601          *
3602          * If these conditions are met, it is safe to attempt waking up a
3603          * potential waiter without touching the user space futex value and
3604          * trying to set the OWNER_DIED bit. The user space futex value is
3605          * uncontended and the rest of the user space mutex state is
3606          * consistent, so a woken waiter will just take over the
3607          * uncontended futex. Setting the OWNER_DIED bit would create
3608          * inconsistent state and malfunction of the user space owner died
3609          * handling.
3610          */
3611         if (pending_op && !pi && !uval) {
3612                 futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
3613                 return 0;
3614         }
3615 
3616         if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
3617                 return 0;
3618 
3619         /*
3620          * Ok, this dying thread is truly holding a futex
3621          * of interest. Set the OWNER_DIED bit atomically
3622          * via cmpxchg, and if the value had FUTEX_WAITERS
3623          * set, wake up a waiter (if any). (We have to do a
3624          * futex_wake() even if OWNER_DIED is already set -
3625          * to handle the rare but possible case of recursive
3626          * thread-death.) The rest of the cleanup is done in
3627          * userspace.
3628          */
3629         mval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
3630 
3631         /*
3632          * We are not holding a lock here, but we want to have
3633          * the pagefault_disable/enable() protection because
3634          * we want to handle the fault gracefully. If the
3635          * access fails we try to fault in the futex with R/W
3636          * verification via get_user_pages. get_user() above
3637          * does not guarantee R/W access. If that fails we
3638          * give up and leave the futex locked.
3639          */
3640         if ((err = cmpxchg_futex_value_locked(&nval, uaddr, uval, mval))) {
3641                 switch (err) {
3642                 case -EFAULT:
3643                         if (fault_in_user_writeable(uaddr))
3644                                 return -1;
3645                         goto retry;
3646 
3647                 case -EAGAIN:
3648                         cond_resched();
3649                         goto retry;
3650 
3651                 default:
3652                         WARN_ON_ONCE(1);
3653                         return err;
3654                 }
3655         }
3656 
3657         if (nval != uval)
3658                 goto retry;
3659 
3660         /*
3661          * Wake robust non-PI futexes here. The wakeup of
3662          * PI futexes happens in exit_pi_state():
3663          */
3664         if (!pi && (uval & FUTEX_WAITERS))
3665                 futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
3666 
3667         return 0;
3668 }
3669 
3670 /*
3671  * Fetch a robust-list pointer. Bit 0 signals PI futexes:
3672  */
3673 static inline int fetch_robust_entry(struct robust_list __user **entry,
3674                                      struct robust_list __user * __user *head,
3675                                      unsigned int *pi)
3676 {
3677         unsigned long uentry;
3678 
3679         if (get_user(uentry, (unsigned long __user *)head))
3680                 return -EFAULT;
3681 
3682         *entry = (void __user *)(uentry & ~1UL);
3683         *pi = uentry & 1;
3684 
3685         return 0;
3686 }
3687 
3688 /*
3689  * Walk curr->robust_list (very carefully, it's a userspace list!)
3690  * and mark any locks found there dead, and notify any waiters.
3691  *
3692  * We silently return on any sign of list-walking problem.
3693  */
3694 static void exit_robust_list(struct task_struct *curr)
3695 {
3696         struct robust_list_head __user *head = curr->robust_list;
3697         struct robust_list __user *entry, *next_entry, *pending;
3698         unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
3699         unsigned int uninitialized_var(next_pi);
3700         unsigned long futex_offset;
3701         int rc;
3702 
3703         if (!futex_cmpxchg_enabled)
3704                 return;
3705 
3706         /*
3707          * Fetch the list head (which was registered earlier, via
3708          * sys_set_robust_list()):
3709          */
3710         if (fetch_robust_entry(&entry, &head->list.next, &pi))
3711                 return;
3712         /*
3713          * Fetch the relative futex offset:
3714          */
3715         if (get_user(futex_offset, &head->futex_offset))
3716                 return;
3717         /*
3718          * Fetch any possibly pending lock-add first, and handle it
3719          * if it exists:
3720          */
3721         if (fetch_robust_entry(&pending, &head->list_op_pending, &pip))
3722                 return;
3723 
3724         next_entry = NULL;      /* avoid warning with gcc */
3725         while (entry != &head->list) {
3726                 /*
3727                  * Fetch the next entry in the list before calling
3728                  * handle_futex_death:
3729                  */
3730                 rc = fetch_robust_entry(&next_entry, &entry->next, &next_pi);
3731                 /*
3732                  * A pending lock might already be on the list, so
3733                  * don't process it twice:
3734                  */
3735                 if (entry != pending) {
3736                         if (handle_futex_death((void __user *)entry + futex_offset,
3737                                                 curr, pi, HANDLE_DEATH_LIST))
3738                                 return;
3739                 }
3740                 if (rc)
3741                         return;
3742                 entry = next_entry;
3743                 pi = next_pi;
3744                 /*
3745                  * Avoid excessively long or circular lists:
3746                  */
3747                 if (!--limit)
3748                         break;
3749 
3750                 cond_resched();
3751         }
3752 
3753         if (pending) {
3754                 handle_futex_death((void __user *)pending + futex_offset,
3755                                    curr, pip, HANDLE_DEATH_PENDING);
3756         }
3757 }
3758 
3759 static void futex_cleanup(struct task_struct *tsk)
3760 {
3761         if (unlikely(tsk->robust_list)) {
3762                 exit_robust_list(tsk);
3763                 tsk->robust_list = NULL;
3764         }
3765 
3766 #ifdef CONFIG_COMPAT
3767         if (unlikely(tsk->compat_robust_list)) {
3768                 compat_exit_robust_list(tsk);
3769                 tsk->compat_robust_list = NULL;
3770         }
3771 #endif
3772 
3773         if (unlikely(!list_empty(&tsk->pi_state_list)))
3774                 exit_pi_state_list(tsk);
3775 }
3776 
3777 /**
3778  * futex_exit_recursive - Set the tasks futex state to FUTEX_STATE_DEAD
3779  * @tsk:        task to set the state on
3780  *
3781  * Set the futex exit state of the task lockless. The futex waiter code
3782  * observes that state when a task is exiting and loops until the task has
3783  * actually finished the futex cleanup. The worst case for this is that the
3784  * waiter runs through the wait loop until the state becomes visible.
3785  *
3786  * This is called from the recursive fault handling path in do_exit().
3787  *
3788  * This is best effort. Either the futex exit code has run already or
3789  * not. If the OWNER_DIED bit has been set on the futex then the waiter can
3790  * take it over. If not, the problem is pushed back to user space. If the
3791  * futex exit code did not run yet, then an already queued waiter might
3792  * block forever, but there is nothing which can be done about that.
3793  */
3794 void futex_exit_recursive(struct task_struct *tsk)
3795 {
3796         /* If the state is FUTEX_STATE_EXITING then futex_exit_mutex is held */
3797         if (tsk->futex_state == FUTEX_STATE_EXITING)
3798                 mutex_unlock(&tsk->futex_exit_mutex);
3799         tsk->futex_state = FUTEX_STATE_DEAD;
3800 }
3801 
3802 static void futex_cleanup_begin(struct task_struct *tsk)
3803 {
3804         /*
3805          * Prevent various race issues against a concurrent incoming waiter
3806          * including live locks by forcing the waiter to block on
3807          * tsk->futex_exit_mutex when it observes FUTEX_STATE_EXITING in
3808          * attach_to_pi_owner().
3809          */
3810         mutex_lock(&tsk->futex_exit_mutex);
3811 
3812         /*
3813          * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock.
3814          *
3815          * This ensures that all subsequent checks of tsk->futex_state in
3816          * attach_to_pi_owner() must observe FUTEX_STATE_EXITING with
3817          * tsk->pi_lock held.
3818          *
3819          * It guarantees also that a pi_state which was queued right before
3820          * the state change under tsk->pi_lock by a concurrent waiter must
3821          * be observed in exit_pi_state_list().
3822          */
3823         raw_spin_lock_irq(&tsk->pi_lock);
3824         tsk->futex_state = FUTEX_STATE_EXITING;
3825         raw_spin_unlock_irq(&tsk->pi_lock);
3826 }
3827 
3828 static void futex_cleanup_end(struct task_struct *tsk, int state)
3829 {
3830         /*
3831          * Lockless store. The only side effect is that an observer might
3832          * take another loop until it becomes visible.
3833          */
3834         tsk->futex_state = state;
3835         /*
3836          * Drop the exit protection. This unblocks waiters which observed
3837          * FUTEX_STATE_EXITING to reevaluate the state.
3838          */
3839         mutex_unlock(&tsk->futex_exit_mutex);
3840 }
3841 
3842 void futex_exec_release(struct task_struct *tsk)
3843 {
3844         /*
3845          * The state handling is done for consistency, but in the case of
3846          * exec() there is no way to prevent futher damage as the PID stays
3847          * the same. But for the unlikely and arguably buggy case that a
3848          * futex is held on exec(), this provides at least as much state
3849          * consistency protection which is possible.
3850          */
3851         futex_cleanup_begin(tsk);
3852         futex_cleanup(tsk);
3853         /*
3854          * Reset the state to FUTEX_STATE_OK. The task is alive and about
3855          * exec a new binary.
3856          */
3857         futex_cleanup_end(tsk, FUTEX_STATE_OK);
3858 }
3859 
3860 void futex_exit_release(struct task_struct *tsk)
3861 {
3862         futex_cleanup_begin(tsk);
3863         futex_cleanup(tsk);
3864         futex_cleanup_end(tsk, FUTEX_STATE_DEAD);
3865 }
3866 
3867 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
3868                 u32 __user *uaddr2, u32 val2, u32 val3)
3869 {
3870         int cmd = op & FUTEX_CMD_MASK;
3871         unsigned int flags = 0;
3872 
3873         if (!(op & FUTEX_PRIVATE_FLAG))
3874                 flags |= FLAGS_SHARED;
3875 
3876         if (op & FUTEX_CLOCK_REALTIME) {
3877                 flags |= FLAGS_CLOCKRT;
3878                 if (cmd != FUTEX_WAIT && cmd != FUTEX_WAIT_BITSET && \
3879                     cmd != FUTEX_WAIT_REQUEUE_PI)
3880                         return -ENOSYS;
3881         }
3882 
3883         switch (cmd) {
3884         case FUTEX_LOCK_PI:
3885         case FUTEX_UNLOCK_PI:
3886         case FUTEX_TRYLOCK_PI:
3887         case FUTEX_WAIT_REQUEUE_PI:
3888         case FUTEX_CMP_REQUEUE_PI:
3889                 if (!futex_cmpxchg_enabled)
3890                         return -ENOSYS;
3891         }
3892 
3893         switch (cmd) {
3894         case FUTEX_WAIT:
3895                 val3 = FUTEX_BITSET_MATCH_ANY;
3896                 /* fall through */
3897         case FUTEX_WAIT_BITSET:
3898                 return futex_wait(uaddr, flags, val, timeout, val3);
3899         case FUTEX_WAKE:
3900                 val3 = FUTEX_BITSET_MATCH_ANY;
3901                 /* fall through */
3902         case FUTEX_WAKE_BITSET:
3903                 return futex_wake(uaddr, flags, val, val3);
3904         case FUTEX_REQUEUE:
3905                 return futex_requeue(uaddr, flags, uaddr2, val, val2, NULL, 0);
3906         case FUTEX_CMP_REQUEUE:
3907                 return futex_requeue(uaddr, flags, uaddr2, val, val2, &val3, 0);
3908         case FUTEX_WAKE_OP:
3909                 return futex_wake_op(uaddr, flags, uaddr2, val, val2, val3);
3910         case FUTEX_LOCK_PI:
3911                 return futex_lock_pi(uaddr, flags, timeout, 0);
3912         case FUTEX_UNLOCK_PI:
3913                 return futex_unlock_pi(uaddr, flags);
3914         case FUTEX_TRYLOCK_PI:
3915                 return futex_lock_pi(uaddr, flags, NULL, 1);
3916         case FUTEX_WAIT_REQUEUE_PI:
3917                 val3 = FUTEX_BITSET_MATCH_ANY;
3918                 return futex_wait_requeue_pi(uaddr, flags, val, timeout, val3,
3919                                              uaddr2);
3920         case FUTEX_CMP_REQUEUE_PI:
3921                 return futex_requeue(uaddr, flags, uaddr2, val, val2, &val3, 1);
3922         }
3923         return -ENOSYS;
3924 }
3925 
3926 
3927 SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
3928                 struct __kernel_timespec __user *, utime, u32 __user *, uaddr2,
3929                 u32, val3)
3930 {
3931         struct timespec64 ts;
3932         ktime_t t, *tp = NULL;
3933         u32 val2 = 0;
3934         int cmd = op & FUTEX_CMD_MASK;
3935 
3936         if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
3937                       cmd == FUTEX_WAIT_BITSET ||
3938                       cmd == FUTEX_WAIT_REQUEUE_PI)) {
3939                 if (unlikely(should_fail_futex(!(op & FUTEX_PRIVATE_FLAG))))
3940                         return -EFAULT;
3941                 if (get_timespec64(&ts, utime))
3942                         return -EFAULT;
3943                 if (!timespec64_valid(&ts))
3944                         return -EINVAL;
3945 
3946                 t = timespec64_to_ktime(ts);
3947                 if (cmd == FUTEX_WAIT)
3948                         t = ktime_add_safe(ktime_get(), t);
3949                 tp = &t;
3950         }
3951         /*
3952          * requeue parameter in 'utime' if cmd == FUTEX_*_REQUEUE_*.
3953          * number of waiters to wake in 'utime' if cmd == FUTEX_WAKE_OP.
3954          */
3955         if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
3956             cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
3957                 val2 = (u32) (unsigned long) utime;
3958 
3959         return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
3960 }
3961 
3962 #ifdef CONFIG_COMPAT
3963 /*
3964  * Fetch a robust-list pointer. Bit 0 signals PI futexes:
3965  */
3966 static inline int
3967 compat_fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
3968                    compat_uptr_t __user *head, unsigned int *pi)
3969 {
3970         if (get_user(*uentry, head))
3971                 return -EFAULT;
3972 
3973         *entry = compat_ptr((*uentry) & ~1);
3974         *pi = (unsigned int)(*uentry) & 1;
3975 
3976         return 0;
3977 }
3978 
3979 static void __user *futex_uaddr(struct robust_list __user *entry,
3980                                 compat_long_t futex_offset)
3981 {
3982         compat_uptr_t base = ptr_to_compat(entry);
3983         void __user *uaddr = compat_ptr(base + futex_offset);
3984 
3985         return uaddr;
3986 }
3987 
3988 /*
3989  * Walk curr->robust_list (very carefully, it's a userspace list!)
3990  * and mark any locks found there dead, and notify any waiters.
3991  *
3992  * We silently return on any sign of list-walking problem.
3993  */
3994 static void compat_exit_robust_list(struct task_struct *curr)
3995 {
3996         struct compat_robust_list_head __user *head = curr->compat_robust_list;
3997         struct robust_list __user *entry, *next_entry, *pending;
3998         unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
3999         unsigned int uninitialized_var(next_pi);
4000         compat_uptr_t uentry, next_uentry, upending;
4001         compat_long_t futex_offset;
4002         int rc;
4003 
4004         if (!futex_cmpxchg_enabled)
4005                 return;
4006 
4007         /*
4008          * Fetch the list head (which was registered earlier, via
4009          * sys_set_robust_list()):
4010          */
4011         if (compat_fetch_robust_entry(&uentry, &entry, &head->list.next, &pi))
4012                 return;
4013         /*
4014          * Fetch the relative futex offset:
4015          */
4016         if (get_user(futex_offset, &head->futex_offset))
4017                 return;
4018         /*
4019          * Fetch any possibly pending lock-add first, and handle it
4020          * if it exists:
4021          */
4022         if (compat_fetch_robust_entry(&upending, &pending,
4023                                &head->list_op_pending, &pip))
4024                 return;
4025 
4026         next_entry = NULL;      /* avoid warning with gcc */
4027         while (entry != (struct robust_list __user *) &head->list) {
4028                 /*
4029                  * Fetch the next entry in the list before calling
4030                  * handle_futex_death:
4031                  */
4032                 rc = compat_fetch_robust_entry(&next_uentry, &next_entry,
4033                         (compat_uptr_t __user *)&entry->next, &next_pi);
4034                 /*
4035                  * A pending lock might already be on the list, so
4036                  * dont process it twice:
4037                  */
4038                 if (entry != pending) {
4039                         void __user *uaddr = futex_uaddr(entry, futex_offset);
4040 
4041                         if (handle_futex_death(uaddr, curr, pi,
4042                                                HANDLE_DEATH_LIST))
4043                                 return;
4044                 }
4045                 if (rc)
4046                         return;
4047                 uentry = next_uentry;
4048                 entry = next_entry;
4049                 pi = next_pi;
4050                 /*
4051                  * Avoid excessively long or circular lists:
4052                  */
4053                 if (!--limit)
4054                         break;
4055 
4056                 cond_resched();
4057         }
4058         if (pending) {
4059                 void __user *uaddr = futex_uaddr(pending, futex_offset);
4060 
4061                 handle_futex_death(uaddr, curr, pip, HANDLE_DEATH_PENDING);
4062         }
4063 }
4064 
4065 COMPAT_SYSCALL_DEFINE2(set_robust_list,
4066                 struct compat_robust_list_head __user *, head,
4067                 compat_size_t, len)
4068 {
4069         if (!futex_cmpxchg_enabled)
4070                 return -ENOSYS;
4071 
4072         if (unlikely(len != sizeof(*head)))
4073                 return -EINVAL;
4074 
4075         current->compat_robust_list = head;
4076 
4077         return 0;
4078 }
4079 
4080 COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
4081                         compat_uptr_t __user *, head_ptr,
4082                         compat_size_t __user *, len_ptr)
4083 {
4084         struct compat_robust_list_head __user *head;
4085         unsigned long ret;
4086         struct task_struct *p;
4087 
4088         if (!futex_cmpxchg_enabled)
4089                 return -ENOSYS;
4090 
4091         rcu_read_lock();
4092 
4093         ret = -ESRCH;
4094         if (!pid)
4095                 p = current;
4096         else {
4097                 p = find_task_by_vpid(pid);
4098                 if (!p)
4099                         goto err_unlock;
4100         }
4101 
4102         ret = -EPERM;
4103         if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
4104                 goto err_unlock;
4105 
4106         head = p->compat_robust_list;
4107         rcu_read_unlock();
4108 
4109         if (put_user(sizeof(*head), len_ptr))
4110                 return -EFAULT;
4111         return put_user(ptr_to_compat(head), head_ptr);
4112 
4113 err_unlock:
4114         rcu_read_unlock();
4115 
4116         return ret;
4117 }
4118 #endif /* CONFIG_COMPAT */
4119 
4120 #ifdef CONFIG_COMPAT_32BIT_TIME
4121 SYSCALL_DEFINE6(futex_time32, u32 __user *, uaddr, int, op, u32, val,
4122                 struct old_timespec32 __user *, utime, u32 __user *, uaddr2,
4123                 u32, val3)
4124 {
4125         struct timespec64 ts;
4126         ktime_t t, *tp = NULL;
4127         int val2 = 0;
4128         int cmd = op & FUTEX_CMD_MASK;
4129 
4130         if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
4131                       cmd == FUTEX_WAIT_BITSET ||
4132                       cmd == FUTEX_WAIT_REQUEUE_PI)) {
4133                 if (get_old_timespec32(&ts, utime))
4134                         return -EFAULT;
4135                 if (!timespec64_valid(&ts))
4136                         return -EINVAL;
4137 
4138                 t = timespec64_to_ktime(ts);
4139                 if (cmd == FUTEX_WAIT)
4140                         t = ktime_add_safe(ktime_get(), t);
4141                 tp = &t;
4142         }
4143         if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
4144             cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
4145                 val2 = (int) (unsigned long) utime;
4146 
4147         return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
4148 }
4149 #endif /* CONFIG_COMPAT_32BIT_TIME */
4150 
4151 static void __init futex_detect_cmpxchg(void)
4152 {
4153 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
4154         u32 curval;
4155 
4156         /*
4157          * This will fail and we want it. Some arch implementations do
4158          * runtime detection of the futex_atomic_cmpxchg_inatomic()
4159          * functionality. We want to know that before we call in any
4160          * of the complex code paths. Also we want to prevent
4161          * registration of robust lists in that case. NULL is
4162          * guaranteed to fault and we get -EFAULT on functional
4163          * implementation, the non-functional ones will return
4164          * -ENOSYS.
4165          */
4166         if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
4167                 futex_cmpxchg_enabled = 1;
4168 #endif
4169 }
4170 
4171 static int __init futex_init(void)
4172 {
4173         unsigned int futex_shift;
4174         unsigned long i;
4175 
4176 #if CONFIG_BASE_SMALL
4177         futex_hashsize = 16;
4178 #else
4179         futex_hashsize = roundup_pow_of_two(256 * num_possible_cpus());
4180 #endif
4181 
4182         futex_queues = alloc_large_system_hash("futex", sizeof(*futex_queues),
4183                                                futex_hashsize, 0,
4184                                                futex_hashsize < 256 ? HASH_SMALL : 0,
4185                                                &futex_shift, NULL,
4186                                                futex_hashsize, futex_hashsize);
4187         futex_hashsize = 1UL << futex_shift;
4188 
4189         futex_detect_cmpxchg();
4190 
4191         for (i = 0; i < futex_hashsize; i++) {
4192                 atomic_set(&futex_queues[i].waiters, 0);
4193                 plist_head_init(&futex_queues[i].chain);
4194                 spin_lock_init(&futex_queues[i].lock);
4195         }
4196 
4197         return 0;
4198 }
4199 core_initcall(futex_init);

/* [<][>][^][v][top][bottom][index][help] */