| blob | ebdd76b4ecbbacd315d679689f88fbe2671769e8 |
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Fast Userspace Mutexes (which I call "Futexes!").
4 * (C) Rusty Russell, IBM 2002
5 *
6 * Generalized futexes, futex requeueing, misc fixes by Ingo Molnar
7 * (C) Copyright 2003 Red Hat Inc, All Rights Reserved
8 *
9 * Removed page pinning, fix privately mapped COW pages and other cleanups
10 * (C) Copyright 2003, 2004 Jamie Lokier
11 *
12 * Robust futex support started by Ingo Molnar
13 * (C) Copyright 2006 Red Hat Inc, All Rights Reserved
14 * Thanks to Thomas Gleixner for suggestions, analysis and fixes.
15 *
16 * PI-futex support started by Ingo Molnar and Thomas Gleixner
17 * Copyright (C) 2006 Red Hat, Inc., Ingo Molnar <mingo@redhat.com>
18 * Copyright (C) 2006 Timesys Corp., Thomas Gleixner <tglx@timesys.com>
19 *
20 * PRIVATE futexes by Eric Dumazet
21 * Copyright (C) 2007 Eric Dumazet <dada1@cosmosbay.com>
22 *
23 * Requeue-PI support by Darren Hart <dvhltc@us.ibm.com>
24 * Copyright (C) IBM Corporation, 2009
25 * Thanks to Thomas Gleixner for conceptual design and careful reviews.
26 *
27 * Thanks to Ben LaHaise for yelling "hashed waitqueues" loudly
28 * enough at me, Linus for the original (flawed) idea, Matthew
29 * Kirkwood for proof-of-concept implementation.
30 *
31 * "The futexes are also cursed."
32 * "But they come in a choice of three flavours!"
33 */
34 #include <linux/compat.h>
35 #include <linux/jhash.h>
36 #include <linux/pagemap.h>
37 #include <linux/debugfs.h>
38 #include <linux/plist.h>
39 #include <linux/memblock.h>
40 #include <linux/fault-inject.h>
41 #include <linux/slab.h>
46 /*
47 * The base of the bucket array and its size are always used together
48 * (after initialization only in futex_hash()), so ensure that they
49 * reside in the same cacheline.
50 */
55 #define futex_queues (__futex_data.queues)
56 #define futex_hashsize (__futex_data.hashsize)
59 /*
60 * Fault injections for futexes.
61 */
62 #ifdef CONFIG_FAIL_FUTEX
71 };
74 {
76 }
80 {
85 }
87 #ifdef CONFIG_FAULT_INJECTION_DEBUG_FS
90 {
102 }
110 /**
111 * futex_hash - Return the hash bucket in the global hash
112 * @key: Pointer to the futex key for which the hash is calculated
113 *
114 * We hash on the keys returned from get_futex_key (see below) and return the
115 * corresponding hash bucket in the global hash.
116 */
118 {
123 }
126 /**
127 * futex_setup_timer - set up the sleeping hrtimer.
128 * @time: ptr to the given timeout value
129 * @timeout: the hrtimer_sleeper structure to be set up
130 * @flags: futex flags
131 * @range_ns: optional range in ns
132 *
133 * Return: Initialized hrtimer_sleeper structure or NULL if no timeout
134 * value given
135 */
139 {
145 HRTIMER_MODE_ABS);
146 /*
147 * If range_ns is 0, calling hrtimer_set_expires_range_ns() is
148 * effectively the same as calling hrtimer_set_expires().
149 */
153 }
155 /*
156 * Generate a machine wide unique identifier for this inode.
157 *
158 * This relies on u64 not wrapping in the life-time of the machine; which with
159 * 1ns resolution means almost 585 years.
160 *
161 * This further relies on the fact that a well formed program will not unmap
162 * the file while it has a (shared) futex waiting on it. This mapping will have
163 * a file reference which pins the mount and inode.
164 *
165 * If for some reason an inode gets evicted and read back in again, it will get
166 * a new sequence number and will _NOT_ match, even though it is the exact same
167 * file.
168 *
169 * It is important that futex_match() will never have a false-positive, esp.
170 * for PI futexes that can mess up the state. The above argues that false-negatives
171 * are only possible for malformed programs.
172 */
174 {
176 u64 old;
178 /* Does the inode already have a sequence number? */
192 }
193 }
195 /**
196 * get_futex_key() - Get parameters which are the keys for a futex
197 * @uaddr: virtual address of the futex
198 * @flags: FLAGS_*
199 * @key: address where result is stored.
200 * @rw: mapping needs to be read/write (values: FUTEX_READ,
201 * FUTEX_WRITE)
202 *
203 * Return: a negative error code or 0
204 *
205 * The key words are stored in @key on success.
206 *
207 * For shared mappings (when @fshared), the key is:
208 *
209 * ( inode->i_sequence, page->index, offset_within_page )
210 *
211 * [ also see get_inode_sequence_number() ]
212 *
213 * For private mappings (or when !@fshared), the key is:
214 *
215 * ( current->mm, address, 0 )
216 *
217 * This allows (cross process, where applicable) identification of the futex
218 * without keeping the page pinned for the duration of the FUTEX_WAIT.
219 *
220 * lock_page() might sleep, the caller should not hold a spinlock.
221 */
224 {
235 /*
236 * The futex address must be "naturally" aligned.
237 */
249 /*
250 * PROCESS_PRIVATE futexes are fast.
251 * As the mm cannot disappear under us and the 'key' only needs
252 * virtual address, we dont even have to find the underlying vma.
253 * Note : We do have to check 'uaddr' is a valid user address,
254 * but access_ok() should be faster than find_vma()
255 */
257 /*
258 * On no-MMU, shared futexes are treated as private, therefore
259 * we must not include the current process in the key. Since
260 * there is only one address space, the address is a unique key
261 * on its own.
262 */
265 else
270 }
272 again:
273 /* Ignore any VERIFY_READ mapping (futex common case) */
278 /*
279 * If write access is not required (eg. FUTEX_WAIT), try
280 * and get read-only access.
281 */
285 }
288 else
291 /*
292 * The treatment of mapping from this point on is critical. The folio
293 * lock protects many things but in this context the folio lock
294 * stabilizes mapping, prevents inode freeing in the shared
295 * file-backed region case and guards against movement to swap cache.
296 *
297 * Strictly speaking the folio lock is not needed in all cases being
298 * considered here and folio lock forces unnecessarily serialization.
299 * From this point on, mapping will be re-verified if necessary and
300 * folio lock will be acquired only if it is unavoidable
301 *
302 * Mapping checks require the folio so it is looked up now. For
303 * anonymous pages, it does not matter if the folio is split
304 * in the future as the key is based on the address. For
305 * filesystem-backed pages, the precise page is required as the
306 * index of the page determines the key.
307 */
311 /*
312 * If folio->mapping is NULL, then it cannot be an anonymous
313 * page; but it might be the ZERO_PAGE or in the gate area or
314 * in a special mapping (all cases which we are happy to fail);
315 * or it may have been a good file page when get_user_pages_fast
316 * found it, but truncated or holepunched or subjected to
317 * invalidate_complete_page2 before we got the folio lock (also
318 * cases which we are happy to fail). And we hold a reference,
319 * so refcount care in invalidate_inode_page's remove_mapping
320 * prevents drop_caches from setting mapping to NULL beneath us.
321 *
322 * The case we do have to guard against is when memory pressure made
323 * shmem_writepage move it from filecache to swapcache beneath us:
324 * an unlikely race, but we do need to retry for folio->mapping.
325 */
329 /*
330 * Folio lock is required to identify which special case above
331 * applies. If this is really a shmem page then the folio lock
332 * will prevent unexpected transitions.
333 */
343 }
345 /*
346 * Private mappings are handled in a simple way.
347 *
348 * If the futex key is stored in anonymous memory, then the associated
349 * object is the mm which is implicitly pinned by the calling process.
350 *
351 * NOTE: When userspace waits on a MAP_SHARED mapping, even if
352 * it's a read-only handle, it's expected that futexes attach to
353 * the object not the particular process.
354 */
356 /*
357 * A RO anonymous page will never change and thus doesn't make
358 * sense for futex operations.
359 */
363 }
372 /*
373 * The associated futex object in this case is the inode and
374 * the folio->mapping must be traversed. Ordinarily this should
375 * be stabilised under folio lock but it's not strictly
376 * necessary in this case as we just want to pin the inode, not
377 * update i_pages or anything like that.
378 *
379 * The RCU read lock is taken as the inode is finally freed
380 * under RCU. If the mapping still matches expectations then the
381 * mapping->host can be safely accessed as being a valid inode.
382 */
390 }
398 }
404 }
406 out:
409 }
411 /**
412 * fault_in_user_writeable() - Fault in user address and verify RW access
413 * @uaddr: pointer to faulting user space address
414 *
415 * Slow path to fixup the fault we just took in the atomic write
416 * access to @uaddr.
417 *
418 * We have no generic implementation of a non-destructive write to the
419 * user address. We know that we faulted in the atomic pagefault
420 * disabled section so we can as well avoid the #PF overhead by
421 * calling get_user_pages() right away.
422 */
424 {
434 }
436 /**
437 * futex_top_waiter() - Return the highest priority waiter on a futex
438 * @hb: the hash bucket the futex_q's reside in
439 * @key: the futex key (to distinguish it from other futex futex_q's)
440 *
441 * Must be called with the hb lock held.
442 */
444 {
450 }
452 }
454 /**
455 * wait_for_owner_exiting - Block until the owner has exited
456 * @ret: owner's current futex lock status
457 * @exiting: Pointer to the exiting task
458 *
459 * Caller must hold a refcount on @exiting.
460 */
462 {
466 }
472 /*
473 * No point in doing state checking here. If the waiter got here
474 * while the task was in exec()->exec_futex_release() then it can
475 * have any FUTEX_STATE_* value when the waiter has acquired the
476 * mutex. OK, if running, EXITING or DEAD if it reached exit()
477 * already. Highly unlikely and not a problem. Just one more round
478 * through the futex maze.
479 */
483 }
485 /**
486 * __futex_unqueue() - Remove the futex_q from its futex_hash_bucket
487 * @q: The futex_q to unqueue
488 *
489 * The q->lock_ptr must not be NULL and must be held by the caller.
490 */
492 {
502 }
504 /* The key must be already stored in q->key. */
507 {
512 /*
513 * Increment the counter before taking the lock so that
514 * a potential waker won't miss a to-be-slept task that is
515 * waiting for the spinlock. This is safe as all futex_q_lock()
516 * users end up calling futex_queue(). Similarly, for housekeeping,
517 * decrement the counter at futex_q_unlock() when some error has
518 * occurred and we don't end up adding the task to the list.
519 */
526 }
530 {
533 }
536 {
539 /*
540 * The priority used to register this element is
541 * - either the real thread-priority for the real-time threads
542 * (i.e. threads with a priority lower than MAX_RT_PRIO)
543 * - or MAX_RT_PRIO for non-RT threads.
544 * Thus, all RT-threads are woken first in priority order, and
545 * the others are woken last, in FIFO order.
546 */
552 }
554 /**
555 * futex_unqueue() - Remove the futex_q from its futex_hash_bucket
556 * @q: The futex_q to unqueue
557 *
558 * The q->lock_ptr must not be held by the caller. A call to futex_unqueue() must
559 * be paired with exactly one earlier call to futex_queue().
560 *
561 * Return:
562 * - 1 - if the futex_q was still queued (and we removed unqueued it);
563 * - 0 - if the futex_q was already removed by the waking thread
564 */
566 {
570 /* In the common case we don't take the spinlock, which is nice. */
571 retry:
572 /*
573 * q->lock_ptr can change between this read and the following spin_lock.
574 * Use READ_ONCE to forbid the compiler from reloading q->lock_ptr and
575 * optimizing lock_ptr out of the logic below.
576 */
580 /*
581 * q->lock_ptr can change between reading it and
582 * spin_lock(), causing us to take the wrong lock. This
583 * corrects the race condition.
584 *
585 * Reasoning goes like this: if we have the wrong lock,
586 * q->lock_ptr must have changed (maybe several times)
587 * between reading it and the spin_lock(). It can
588 * change again after the spin_lock() but only if it was
589 * already changed before the spin_lock(). It cannot,
590 * however, change back to the original value. Therefore
591 * we can detect whether we acquired the correct lock.
592 */
596 }
603 }
606 }
608 /*
609 * PI futexes can not be requeued and must remove themselves from the hash
610 * bucket. The hash bucket lock (i.e. lock_ptr) is held.
611 */
613 {
614 /*
615 * If the lock was not acquired (due to timeout or signal) then the
616 * rt_waiter is removed before futex_q is. If this is observed by
617 * an unlocker after dropping the rtmutex wait lock and before
618 * acquiring the hash bucket lock, then the unlocker dequeues the
619 * futex_q from the hash bucket list to guarantee consistent state
620 * vs. userspace. Therefore the dequeue here must be conditional.
621 */
628 }
630 /* Constants for the pending_op argument of handle_futex_death */
631 #define HANDLE_DEATH_PENDING true
632 #define HANDLE_DEATH_LIST false
634 /*
635 * Process a futex-list entry, check whether it's owned by the
636 * dying task, and do notification if so:
637 */
640 {
642 pid_t owner;
645 /* Futex address must be 32bit aligned */
649 retry:
653 /*
654 * Special case for regular (non PI) futexes. The unlock path in
655 * user space has two race scenarios:
656 *
657 * 1. The unlock path releases the user space futex value and
658 * before it can execute the futex() syscall to wake up
659 * waiters it is killed.
660 *
661 * 2. A woken up waiter is killed before it can acquire the
662 * futex in user space.
663 *
664 * In the second case, the wake up notification could be generated
665 * by the unlock path in user space after setting the futex value
666 * to zero or by the kernel after setting the OWNER_DIED bit below.
667 *
668 * In both cases the TID validation below prevents a wakeup of
669 * potential waiters which can cause these waiters to block
670 * forever.
671 *
672 * In both cases the following conditions are met:
673 *
674 * 1) task->robust_list->list_op_pending != NULL
675 * @pending_op == true
676 * 2) The owner part of user space futex value == 0
677 * 3) Regular futex: @pi == false
678 *
679 * If these conditions are met, it is safe to attempt waking up a
680 * potential waiter without touching the user space futex value and
681 * trying to set the OWNER_DIED bit. If the futex value is zero,
682 * the rest of the user space mutex state is consistent, so a woken
683 * waiter will just take over the uncontended futex. Setting the
684 * OWNER_DIED bit would create inconsistent state and malfunction
685 * of the user space owner died handling. Otherwise, the OWNER_DIED
686 * bit is already set, and the woken waiter is expected to deal with
687 * this.
688 */
693 FUTEX_BITSET_MATCH_ANY);
695 }
700 /*
701 * Ok, this dying thread is truly holding a futex
702 * of interest. Set the OWNER_DIED bit atomically
703 * via cmpxchg, and if the value had FUTEX_WAITERS
704 * set, wake up a waiter (if any). (We have to do a
705 * futex_wake() even if OWNER_DIED is already set -
706 * to handle the rare but possible case of recursive
707 * thread-death.) The rest of the cleanup is done in
708 * userspace.
709 */
712 /*
713 * We are not holding a lock here, but we want to have
714 * the pagefault_disable/enable() protection because
715 * we want to handle the fault gracefully. If the
716 * access fails we try to fault in the futex with R/W
717 * verification via get_user_pages. get_user() above
718 * does not guarantee R/W access. If that fails we
719 * give up and leave the futex locked.
720 */
735 }
736 }
741 /*
742 * Wake robust non-PI futexes here. The wakeup of
743 * PI futexes happens in exit_pi_state():
744 */
747 FUTEX_BITSET_MATCH_ANY);
748 }
751 }
753 /*
754 * Fetch a robust-list pointer. Bit 0 signals PI futexes:
755 */
759 {
769 }
771 /*
772 * Walk curr->robust_list (very carefully, it's a userspace list!)
773 * and mark any locks found there dead, and notify any waiters.
774 *
775 * We silently return on any sign of list-walking problem.
776 */
778 {
786 /*
787 * Fetch the list head (which was registered earlier, via
788 * sys_set_robust_list()):
789 */
792 /*
793 * Fetch the relative futex offset:
794 */
797 /*
798 * Fetch any possibly pending lock-add first, and handle it
799 * if it exists:
800 */
806 /*
807 * Fetch the next entry in the list before calling
808 * handle_futex_death:
809 */
811 /*
812 * A pending lock might already be on the list, so
813 * don't process it twice:
814 */
819 }
824 /*
825 * Avoid excessively long or circular lists:
826 */
831 }
836 }
837 }
839 #ifdef CONFIG_COMPAT
841 compat_long_t futex_offset)
842 {
847 }
849 /*
850 * Fetch a robust-list pointer. Bit 0 signals PI futexes:
851 */
855 {
863 }
865 /*
866 * Walk curr->robust_list (very carefully, it's a userspace list!)
867 * and mark any locks found there dead, and notify any waiters.
868 *
869 * We silently return on any sign of list-walking problem.
870 */
872 {
878 compat_long_t futex_offset;
881 /*
882 * Fetch the list head (which was registered earlier, via
883 * sys_set_robust_list()):
884 */
887 /*
888 * Fetch the relative futex offset:
889 */
892 /*
893 * Fetch any possibly pending lock-add first, and handle it
894 * if it exists:
895 */
902 /*
903 * Fetch the next entry in the list before calling
904 * handle_futex_death:
905 */
908 /*
909 * A pending lock might already be on the list, so
910 * dont process it twice:
911 */
916 HANDLE_DEATH_LIST))
918 }
924 /*
925 * Avoid excessively long or circular lists:
926 */
931 }
936 }
937 }
938 #endif
940 #ifdef CONFIG_FUTEX_PI
942 /*
943 * This task is holding PI mutexes at exit time => bad.
944 * Kernel cleans up PI-state, but userspace is likely hosed.
945 * (Robust-futex cleanup is separate and might save the day for userspace.)
946 */
948 {
954 /*
955 * We are a ZOMBIE and nobody can enqueue itself on
956 * pi_state_list anymore, but we have to be careful
957 * versus waiters unqueueing themselves:
958 */
966 /*
967 * We can race against put_pi_state() removing itself from the
968 * list (a waiter going away). put_pi_state() will first
969 * decrement the reference count and then modify the list, so
970 * its possible to see the list entry but fail this reference
971 * acquire.
972 *
973 * In that case; drop the locks to let put_pi_state() make
974 * progress and retry the loop.
975 */
981 }
987 /*
988 * We dropped the pi-lock, so re-check whether this
989 * task still owns the PI-state:
990 */
992 /* retain curr->pi_lock for the loop invariant */
997 }
1012 }
1014 }
1015 #else
1017 #endif
1020 {
1024 }
1026 #ifdef CONFIG_COMPAT
1030 }
1031 #endif
1035 }
1037 /**
1038 * futex_exit_recursive - Set the tasks futex state to FUTEX_STATE_DEAD
1039 * @tsk: task to set the state on
1040 *
1041 * Set the futex exit state of the task lockless. The futex waiter code
1042 * observes that state when a task is exiting and loops until the task has
1043 * actually finished the futex cleanup. The worst case for this is that the
1044 * waiter runs through the wait loop until the state becomes visible.
1045 *
1046 * This is called from the recursive fault handling path in make_task_dead().
1047 *
1048 * This is best effort. Either the futex exit code has run already or
1049 * not. If the OWNER_DIED bit has been set on the futex then the waiter can
1050 * take it over. If not, the problem is pushed back to user space. If the
1051 * futex exit code did not run yet, then an already queued waiter might
1052 * block forever, but there is nothing which can be done about that.
1053 */
1055 {
1056 /* If the state is FUTEX_STATE_EXITING then futex_exit_mutex is held */
1060 }
1063 {
1064 /*
1065 * Prevent various race issues against a concurrent incoming waiter
1066 * including live locks by forcing the waiter to block on
1067 * tsk->futex_exit_mutex when it observes FUTEX_STATE_EXITING in
1068 * attach_to_pi_owner().
1069 */
1072 /*
1073 * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock.
1074 *
1075 * This ensures that all subsequent checks of tsk->futex_state in
1076 * attach_to_pi_owner() must observe FUTEX_STATE_EXITING with
1077 * tsk->pi_lock held.
1078 *
1079 * It guarantees also that a pi_state which was queued right before
1080 * the state change under tsk->pi_lock by a concurrent waiter must
1081 * be observed in exit_pi_state_list().
1082 */
1086 }
1089 {
1090 /*
1091 * Lockless store. The only side effect is that an observer might
1092 * take another loop until it becomes visible.
1093 */
1095 /*
1096 * Drop the exit protection. This unblocks waiters which observed
1097 * FUTEX_STATE_EXITING to reevaluate the state.
1098 */
1100 }
1103 {
1104 /*
1105 * The state handling is done for consistency, but in the case of
1106 * exec() there is no way to prevent further damage as the PID stays
1107 * the same. But for the unlikely and arguably buggy case that a
1108 * futex is held on exec(), this provides at least as much state
1109 * consistency protection which is possible.
1110 */
1113 /*
1114 * Reset the state to FUTEX_STATE_OK. The task is alive and about
1115 * exec a new binary.
1116 */
1118 }
1121 {
1125 }
1128 {
1132 #ifdef CONFIG_BASE_SMALL
1134 #else
1136 #endif
1148 }
1151 }