diff options
Diffstat (limited to 'patches/0008-futex-Pull-rt_mutex_futex_unlock-out-from-under-hb-l.patch')
-rw-r--r-- | patches/0008-futex-Pull-rt_mutex_futex_unlock-out-from-under-hb-l.patch | 357 |
1 files changed, 0 insertions, 357 deletions
diff --git a/patches/0008-futex-Pull-rt_mutex_futex_unlock-out-from-under-hb-l.patch b/patches/0008-futex-Pull-rt_mutex_futex_unlock-out-from-under-hb-l.patch deleted file mode 100644 index aba723367584..000000000000 --- a/patches/0008-futex-Pull-rt_mutex_futex_unlock-out-from-under-hb-l.patch +++ /dev/null @@ -1,357 +0,0 @@ -From: Peter Zijlstra <peterz@infradead.org> -Date: Wed, 22 Mar 2017 11:35:55 +0100 -Subject: [PATCH] futex: Pull rt_mutex_futex_unlock() out from under hb->lock - -Upstream commit 16ffa12d742534d4ff73e8b3a4e81c1de39196f0 - -There's a number of 'interesting' problems, all caused by holding -hb->lock while doing the rt_mutex_unlock() equivalient. - -Notably: - - - a PI inversion on hb->lock; and, - - - a SCHED_DEADLINE crash because of pointer instability. - -The previous changes: - - - changed the locking rules to cover {uval,pi_state} with wait_lock. - - - allow to do rt_mutex_futex_unlock() without dropping wait_lock; which in - turn allows to rely on wait_lock atomicity completely. - - - simplified the waiter conundrum. - -It's now sufficient to hold rtmutex::wait_lock and a reference on the -pi_state to protect the state consistency, so hb->lock can be dropped -before calling rt_mutex_futex_unlock(). - -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: juri.lelli@arm.com -Cc: bigeasy@linutronix.de -Cc: xlpang@redhat.com -Cc: rostedt@goodmis.org -Cc: mathieu.desnoyers@efficios.com -Cc: jdesfossez@efficios.com -Cc: dvhart@infradead.org -Cc: bristot@redhat.com -Link: http://lkml.kernel.org/r/20170322104151.900002056@infradead.org -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> ---- - kernel/futex.c | 154 +++++++++++++++++++++++++++++++++++++-------------------- - 1 file changed, 100 insertions(+), 54 deletions(-) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -921,10 +921,12 @@ void exit_pi_state_list(struct task_stru - pi_state->owner = NULL; - raw_spin_unlock_irq(&curr->pi_lock); - -- rt_mutex_futex_unlock(&pi_state->pi_mutex); -- -+ get_pi_state(pi_state); - spin_unlock(&hb->lock); - -+ rt_mutex_futex_unlock(&pi_state->pi_mutex); -+ put_pi_state(pi_state); -+ - raw_spin_lock_irq(&curr->pi_lock); - } - raw_spin_unlock_irq(&curr->pi_lock); -@@ -1037,6 +1039,11 @@ static int attach_to_pi_state(u32 __user - * has dropped the hb->lock in between queue_me() and unqueue_me_pi(), - * which in turn means that futex_lock_pi() still has a reference on - * our pi_state. -+ * -+ * The waiter holding a reference on @pi_state also protects against -+ * the unlocked put_pi_state() in futex_unlock_pi(), futex_lock_pi() -+ * and futex_wait_requeue_pi() as it cannot go to 0 and consequently -+ * free pi_state before we can take a reference ourselves. - */ - WARN_ON(!atomic_read(&pi_state->refcount)); - -@@ -1380,48 +1387,40 @@ static void mark_wake_futex(struct wake_ - smp_store_release(&q->lock_ptr, NULL); - } - --static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *top_waiter, -- struct futex_hash_bucket *hb) -+/* -+ * Caller must hold a reference on @pi_state. -+ */ -+static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state) - { -- struct task_struct *new_owner; -- struct futex_pi_state *pi_state = top_waiter->pi_state; - u32 uninitialized_var(curval), newval; -+ struct task_struct *new_owner; -+ bool deboost = false; - DEFINE_WAKE_Q(wake_q); -- bool deboost; - int ret = 0; - -- if (!pi_state) -- return -EINVAL; -- -- /* -- * If current does not own the pi_state then the futex is -- * inconsistent and user space fiddled with the futex value. -- */ -- if (pi_state->owner != current) -- return -EINVAL; -- - raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); - new_owner = rt_mutex_next_owner(&pi_state->pi_mutex); -- -- /* -- * When we interleave with futex_lock_pi() where it does -- * rt_mutex_timed_futex_lock(), we might observe @this futex_q waiter, -- * but the rt_mutex's wait_list can be empty (either still, or again, -- * depending on which side we land). -- * -- * When this happens, give up our locks and try again, giving the -- * futex_lock_pi() instance time to complete, either by waiting on the -- * rtmutex or removing itself from the futex queue. -- */ - if (!new_owner) { -- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); -- return -EAGAIN; -+ /* -+ * Since we held neither hb->lock nor wait_lock when coming -+ * into this function, we could have raced with futex_lock_pi() -+ * such that we might observe @this futex_q waiter, but the -+ * rt_mutex's wait_list can be empty (either still, or again, -+ * depending on which side we land). -+ * -+ * When this happens, give up our locks and try again, giving -+ * the futex_lock_pi() instance time to complete, either by -+ * waiting on the rtmutex or removing itself from the futex -+ * queue. -+ */ -+ ret = -EAGAIN; -+ goto out_unlock; - } - - /* -- * We pass it to the next owner. The WAITERS bit is always -- * kept enabled while there is PI state around. We cleanup the -- * owner died bit, because we are the owner. -+ * We pass it to the next owner. The WAITERS bit is always kept -+ * enabled while there is PI state around. We cleanup the owner -+ * died bit, because we are the owner. - */ - newval = FUTEX_WAITERS | task_pid_vnr(new_owner); - -@@ -1444,10 +1443,8 @@ static int wake_futex_pi(u32 __user *uad - ret = -EINVAL; - } - -- if (ret) { -- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); -- return ret; -- } -+ if (ret) -+ goto out_unlock; - - raw_spin_lock(&pi_state->owner->pi_lock); - WARN_ON(list_empty(&pi_state->list)); -@@ -1465,15 +1462,15 @@ static int wake_futex_pi(u32 __user *uad - */ - deboost = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q); - -+out_unlock: - raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); -- spin_unlock(&hb->lock); - - if (deboost) { - wake_up_q(&wake_q); - rt_mutex_adjust_prio(current); - } - -- return 0; -+ return ret; - } - - /* -@@ -2232,7 +2229,8 @@ static int fixup_pi_state_owner(u32 __us - /* - * We are here either because we stole the rtmutex from the - * previous highest priority waiter or we are the highest priority -- * waiter but failed to get the rtmutex the first time. -+ * waiter but have failed to get the rtmutex the first time. -+ * - * We have to replace the newowner TID in the user space variable. - * This must be atomic as we have to preserve the owner died bit here. - * -@@ -2249,7 +2247,7 @@ static int fixup_pi_state_owner(u32 __us - if (get_futex_value_locked(&uval, uaddr)) - goto handle_fault; - -- while (1) { -+ for (;;) { - newval = (uval & FUTEX_OWNER_DIED) | newtid; - - if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -@@ -2345,6 +2343,10 @@ static int fixup_owner(u32 __user *uaddr - /* - * Got the lock. We might not be the anticipated owner if we - * did a lock-steal - fix up the PI-state in that case: -+ * -+ * We can safely read pi_state->owner without holding wait_lock -+ * because we now own the rt_mutex, only the owner will attempt -+ * to change it. - */ - if (q->pi_state->owner != current) - ret = fixup_pi_state_owner(uaddr, q, current); -@@ -2584,6 +2586,7 @@ static int futex_lock_pi(u32 __user *uad - ktime_t *time, int trylock) - { - struct hrtimer_sleeper timeout, *to = NULL; -+ struct futex_pi_state *pi_state = NULL; - struct futex_hash_bucket *hb; - struct futex_q q = futex_q_init; - int res, ret; -@@ -2670,12 +2673,19 @@ static int futex_lock_pi(u32 __user *uad - * If fixup_owner() faulted and was unable to handle the fault, unlock - * it and return the fault to userspace. - */ -- if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current)) -- rt_mutex_futex_unlock(&q.pi_state->pi_mutex); -+ if (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current)) { -+ pi_state = q.pi_state; -+ get_pi_state(pi_state); -+ } - - /* Unqueue and drop the lock */ - unqueue_me_pi(&q); - -+ if (pi_state) { -+ rt_mutex_futex_unlock(&pi_state->pi_mutex); -+ put_pi_state(pi_state); -+ } -+ - goto out_put_key; - - out_unlock_put_key: -@@ -2738,10 +2748,36 @@ static int futex_unlock_pi(u32 __user *u - */ - top_waiter = futex_top_waiter(hb, &key); - if (top_waiter) { -- ret = wake_futex_pi(uaddr, uval, top_waiter, hb); -+ struct futex_pi_state *pi_state = top_waiter->pi_state; -+ -+ ret = -EINVAL; -+ if (!pi_state) -+ goto out_unlock; -+ -+ /* -+ * If current does not own the pi_state then the futex is -+ * inconsistent and user space fiddled with the futex value. -+ */ -+ if (pi_state->owner != current) -+ goto out_unlock; -+ -+ /* -+ * Grab a reference on the pi_state and drop hb->lock. -+ * -+ * The reference ensures pi_state lives, dropping the hb->lock -+ * is tricky.. wake_futex_pi() will take rt_mutex::wait_lock to -+ * close the races against futex_lock_pi(), but in case of -+ * _any_ fail we'll abort and retry the whole deal. -+ */ -+ get_pi_state(pi_state); -+ spin_unlock(&hb->lock); -+ -+ ret = wake_futex_pi(uaddr, uval, pi_state); -+ -+ put_pi_state(pi_state); -+ - /* -- * In case of success wake_futex_pi dropped the hash -- * bucket lock. -+ * Success, we're done! No tricky corner cases. - */ - if (!ret) - goto out_putkey; -@@ -2756,7 +2792,6 @@ static int futex_unlock_pi(u32 __user *u - * setting the FUTEX_WAITERS bit. Try again. - */ - if (ret == -EAGAIN) { -- spin_unlock(&hb->lock); - put_futex_key(&key); - goto retry; - } -@@ -2764,7 +2799,7 @@ static int futex_unlock_pi(u32 __user *u - * wake_futex_pi has detected invalid state. Tell user - * space. - */ -- goto out_unlock; -+ goto out_putkey; - } - - /* -@@ -2774,8 +2809,10 @@ static int futex_unlock_pi(u32 __user *u - * preserve the WAITERS bit not the OWNER_DIED one. We are the - * owner. - */ -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, 0)) -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, 0)) { -+ spin_unlock(&hb->lock); - goto pi_faulted; -+ } - - /* - * If uval has changed, let user space handle it. -@@ -2789,7 +2826,6 @@ static int futex_unlock_pi(u32 __user *u - return ret; - - pi_faulted: -- spin_unlock(&hb->lock); - put_futex_key(&key); - - ret = fault_in_user_writeable(uaddr); -@@ -2893,6 +2929,7 @@ static int futex_wait_requeue_pi(u32 __u - u32 __user *uaddr2) - { - struct hrtimer_sleeper timeout, *to = NULL; -+ struct futex_pi_state *pi_state = NULL; - struct rt_mutex_waiter rt_waiter; - struct futex_hash_bucket *hb; - union futex_key key2 = FUTEX_KEY_INIT; -@@ -2977,8 +3014,10 @@ static int futex_wait_requeue_pi(u32 __u - if (q.pi_state && (q.pi_state->owner != current)) { - spin_lock(q.lock_ptr); - ret = fixup_pi_state_owner(uaddr2, &q, current); -- if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) -- rt_mutex_futex_unlock(&q.pi_state->pi_mutex); -+ if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { -+ pi_state = q.pi_state; -+ get_pi_state(pi_state); -+ } - /* - * Drop the reference to the pi state which - * the requeue_pi() code acquired for us. -@@ -3017,13 +3056,20 @@ static int futex_wait_requeue_pi(u32 __u - * the fault, unlock the rt_mutex and return the fault to - * userspace. - */ -- if (ret && rt_mutex_owner(pi_mutex) == current) -- rt_mutex_futex_unlock(pi_mutex); -+ if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) { -+ pi_state = q.pi_state; -+ get_pi_state(pi_state); -+ } - - /* Unqueue and drop the lock. */ - unqueue_me_pi(&q); - } - -+ if (pi_state) { -+ rt_mutex_futex_unlock(&pi_state->pi_mutex); -+ put_pi_state(pi_state); -+ } -+ - if (ret == -EINTR) { - /* - * We've already been requeued, but cannot restart by calling |