+++ /dev/null
-Subject: exit/exec: Seperate mm_release()
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:38 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 4610ba7ad877fafc0a25a30c6c82015304120426 upstream
-
-mm_release() contains the futex exit handling. mm_release() is called from
-do_exit()->exit_mm() and from exec()->exec_mm().
-
-In the exit_mm() case PF_EXITING and the futex state is updated. In the
-exec_mm() case these states are not touched.
-
-As the futex exit code needs further protections against exit races, this
-needs to be split into two functions.
-
-Preparatory only, no functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.240518241@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/exec.c | 2 +-
- include/linux/sched/mm.h | 6 ++++--
- kernel/exit.c | 2 +-
- kernel/fork.c | 12 +++++++++++-
- 4 files changed, 17 insertions(+), 5 deletions(-)
-
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1011,7 +1011,7 @@ static int exec_mmap(struct mm_struct *m
- /* Notify parent that we're no longer interested in the old VM */
- tsk = current;
- old_mm = current->mm;
-- mm_release(tsk, old_mm);
-+ exec_mm_release(tsk, old_mm);
-
- if (old_mm) {
- sync_mm_rss(old_mm);
---- a/include/linux/sched/mm.h
-+++ b/include/linux/sched/mm.h
-@@ -119,8 +119,10 @@ extern struct mm_struct *get_task_mm(str
- * succeeds.
- */
- extern struct mm_struct *mm_access(struct task_struct *task, unsigned int mode);
--/* Remove the current tasks stale references to the old mm_struct */
--extern void mm_release(struct task_struct *, struct mm_struct *);
-+/* Remove the current tasks stale references to the old mm_struct on exit() */
-+extern void exit_mm_release(struct task_struct *, struct mm_struct *);
-+/* Remove the current tasks stale references to the old mm_struct on exec() */
-+extern void exec_mm_release(struct task_struct *, struct mm_struct *);
-
- #ifdef CONFIG_MEMCG
- extern void mm_update_next_owner(struct mm_struct *mm);
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -498,7 +498,7 @@ static void exit_mm(void)
- struct mm_struct *mm = current->mm;
- struct core_state *core_state;
-
-- mm_release(current, mm);
-+ exit_mm_release(current, mm);
- if (!mm)
- return;
- sync_mm_rss(mm);
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1217,7 +1217,7 @@ static int wait_for_vfork_done(struct ta
- * restoring the old one. . .
- * Eric Biederman 10 January 1998
- */
--void mm_release(struct task_struct *tsk, struct mm_struct *mm)
-+static void mm_release(struct task_struct *tsk, struct mm_struct *mm)
- {
- /* Get rid of any futexes when releasing the mm */
- futex_mm_release(tsk);
-@@ -1254,6 +1254,16 @@ void mm_release(struct task_struct *tsk,
- complete_vfork_done(tsk);
- }
-
-+void exit_mm_release(struct task_struct *tsk, struct mm_struct *mm)
-+{
-+ mm_release(tsk, mm);
-+}
-+
-+void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)
-+{
-+ mm_release(tsk, mm);
-+}
-+
- /*
- * Allocate a new mm structure and copy contents from the
- * mm structure of the passed in task structure.
+++ /dev/null
-Subject: futex: Add mutex around futex exit
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:44 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 3f186d974826847a07bc7964d79ec4eded475ad9 upstream
-
-The mutex will be used in subsequent changes to replace the busy looping of
-a waiter when the futex owner is currently executing the exit cleanup to
-prevent a potential live lock.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.845798895@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/futex.h | 1 +
- include/linux/sched.h | 1 +
- kernel/futex.c | 16 ++++++++++++++++
- 3 files changed, 18 insertions(+)
-
---- a/include/linux/futex.h
-+++ b/include/linux/futex.h
-@@ -68,6 +68,7 @@ static inline void futex_init_task(struc
- INIT_LIST_HEAD(&tsk->pi_state_list);
- tsk->pi_state_cache = NULL;
- tsk->futex_state = FUTEX_STATE_OK;
-+ mutex_init(&tsk->futex_exit_mutex);
- }
-
- void futex_exit_recursive(struct task_struct *tsk);
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -996,6 +996,7 @@ struct task_struct {
- #endif
- struct list_head pi_state_list;
- struct futex_pi_state *pi_state_cache;
-+ struct mutex futex_exit_mutex;
- unsigned int futex_state;
- #endif
- #ifdef CONFIG_PERF_EVENTS
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3735,12 +3735,23 @@ static void futex_cleanup(struct task_st
- */
- void futex_exit_recursive(struct task_struct *tsk)
- {
-+ /* If the state is FUTEX_STATE_EXITING then futex_exit_mutex is held */
-+ if (tsk->futex_state == FUTEX_STATE_EXITING)
-+ mutex_unlock(&tsk->futex_exit_mutex);
- tsk->futex_state = FUTEX_STATE_DEAD;
- }
-
- static void futex_cleanup_begin(struct task_struct *tsk)
- {
- /*
-+ * Prevent various race issues against a concurrent incoming waiter
-+ * including live locks by forcing the waiter to block on
-+ * tsk->futex_exit_mutex when it observes FUTEX_STATE_EXITING in
-+ * attach_to_pi_owner().
-+ */
-+ mutex_lock(&tsk->futex_exit_mutex);
-+
-+ /*
- * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock.
- *
- * This ensures that all subsequent checks of tsk->futex_state in
-@@ -3763,6 +3774,11 @@ static void futex_cleanup_end(struct tas
- * take another loop until it becomes visible.
- */
- tsk->futex_state = state;
-+ /*
-+ * Drop the exit protection. This unblocks waiters which observed
-+ * FUTEX_STATE_EXITING to reevaluate the state.
-+ */
-+ mutex_unlock(&tsk->futex_exit_mutex);
- }
-
- void futex_exec_release(struct task_struct *tsk)
+++ /dev/null
-Subject: futex: Mark the begin of futex exit explicitly
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:41 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 18f694385c4fd77a09851fd301236746ca83f3cb upstream
-
-Instead of relying on PF_EXITING use an explicit state for the futex exit
-and set it in the futex exit function. This moves the smp barrier and the
-lock/unlock serialization into the futex code.
-
-As with the DEAD state this is restricted to the exit path as exec
-continues to use the same task struct.
-
-This allows to simplify that logic in a next step.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.539409004@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/futex.h | 31 +++----------------------------
- kernel/exit.c | 13 +------------
- kernel/futex.c | 37 ++++++++++++++++++++++++++++++++++++-
- 3 files changed, 40 insertions(+), 41 deletions(-)
-
---- a/include/linux/futex.h
-+++ b/include/linux/futex.h
-@@ -55,6 +55,7 @@ union futex_key {
- #ifdef CONFIG_FUTEX
- enum {
- FUTEX_STATE_OK,
-+ FUTEX_STATE_EXITING,
- FUTEX_STATE_DEAD,
- };
-
-@@ -69,33 +70,7 @@ static inline void futex_init_task(struc
- tsk->futex_state = FUTEX_STATE_OK;
- }
-
--/**
-- * futex_exit_done - Sets the tasks futex state to FUTEX_STATE_DEAD
-- * @tsk: task to set the state on
-- *
-- * Set the futex exit state of the task lockless. The futex waiter code
-- * observes that state when a task is exiting and loops until the task has
-- * actually finished the futex cleanup. The worst case for this is that the
-- * waiter runs through the wait loop until the state becomes visible.
-- *
-- * This has two callers:
-- *
-- * - futex_mm_release() after the futex exit cleanup has been done
-- *
-- * - do_exit() from the recursive fault handling path.
-- *
-- * In case of a recursive fault this is best effort. Either the futex exit
-- * code has run already or not. If the OWNER_DIED bit has been set on the
-- * futex then the waiter can take it over. If not, the problem is pushed
-- * back to user space. If the futex exit code did not run yet, then an
-- * already queued waiter might block forever, but there is nothing which
-- * can be done about that.
-- */
--static inline void futex_exit_done(struct task_struct *tsk)
--{
-- tsk->futex_state = FUTEX_STATE_DEAD;
--}
--
-+void futex_exit_recursive(struct task_struct *tsk);
- void futex_exit_release(struct task_struct *tsk);
- void futex_exec_release(struct task_struct *tsk);
-
-@@ -103,7 +78,7 @@ long do_futex(u32 __user *uaddr, int op,
- u32 __user *uaddr2, u32 val2, u32 val3);
- #else
- static inline void futex_init_task(struct task_struct *tsk) { }
--static inline void futex_exit_done(struct task_struct *tsk) { }
-+static inline void futex_exit_recursive(struct task_struct *tsk) { }
- static inline void futex_exit_release(struct task_struct *tsk) { }
- static inline void futex_exec_release(struct task_struct *tsk) { }
- static inline long do_futex(u32 __user *uaddr, int op, u32 val,
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -818,23 +818,12 @@ void __noreturn do_exit(long code)
- */
- if (unlikely(tsk->flags & PF_EXITING)) {
- pr_alert("Fixing recursive fault but reboot is needed!\n");
-- futex_exit_done(tsk);
-+ futex_exit_recursive(tsk);
- set_current_state(TASK_UNINTERRUPTIBLE);
- schedule();
- }
-
- exit_signals(tsk); /* sets PF_EXITING */
-- /*
-- * Ensure that all new tsk->pi_lock acquisitions must observe
-- * PF_EXITING. Serializes against futex.c:attach_to_pi_owner().
-- */
-- smp_mb();
-- /*
-- * Ensure that we must observe the pi_state in exit_mm() ->
-- * mm_release() -> exit_pi_state_list().
-- */
-- raw_spin_lock_irq(&tsk->pi_lock);
-- raw_spin_unlock_irq(&tsk->pi_lock);
-
- /* sync mm's RSS info before statistics gathering */
- if (tsk->mm)
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3716,10 +3716,45 @@ void futex_exec_release(struct task_stru
- exit_pi_state_list(tsk);
- }
-
-+/**
-+ * futex_exit_recursive - Set the tasks futex state to FUTEX_STATE_DEAD
-+ * @tsk: task to set the state on
-+ *
-+ * Set the futex exit state of the task lockless. The futex waiter code
-+ * observes that state when a task is exiting and loops until the task has
-+ * actually finished the futex cleanup. The worst case for this is that the
-+ * waiter runs through the wait loop until the state becomes visible.
-+ *
-+ * This is called from the recursive fault handling path in do_exit().
-+ *
-+ * This is best effort. Either the futex exit code has run already or
-+ * not. If the OWNER_DIED bit has been set on the futex then the waiter can
-+ * take it over. If not, the problem is pushed back to user space. If the
-+ * futex exit code did not run yet, then an already queued waiter might
-+ * block forever, but there is nothing which can be done about that.
-+ */
-+void futex_exit_recursive(struct task_struct *tsk)
-+{
-+ tsk->futex_state = FUTEX_STATE_DEAD;
-+}
-+
- void futex_exit_release(struct task_struct *tsk)
- {
-+ tsk->futex_state = FUTEX_STATE_EXITING;
-+ /*
-+ * Ensure that all new tsk->pi_lock acquisitions must observe
-+ * FUTEX_STATE_EXITING. Serializes against attach_to_pi_owner().
-+ */
-+ smp_mb();
-+ /*
-+ * Ensure that we must observe the pi_state in exit_pi_state_list().
-+ */
-+ raw_spin_lock_irq(&tsk->pi_lock);
-+ raw_spin_unlock_irq(&tsk->pi_lock);
-+
- futex_exec_release(tsk);
-- futex_exit_done(tsk);
-+
-+ tsk->futex_state = FUTEX_STATE_DEAD;
- }
-
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+++ /dev/null
-Subject: futex: Move futex exit handling into futex code
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:36 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit ba31c1a48538992316cc71ce94fa9cd3e7b427c0 upstream
-
-The futex exit handling is #ifdeffed into mm_release() which is not pretty
-to begin with. But upcoming changes to address futex exit races need to add
-more functionality to this exit code.
-
-Split it out into a function, move it into futex code and make the various
-futex exit functions static.
-
-Preparatory only and no functional change.
-
-Folded build fix from Borislav.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.049705556@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/compat.h | 2 --
- include/linux/futex.h | 29 ++++++++++++++++-------------
- kernel/fork.c | 25 +++----------------------
- kernel/futex.c | 33 +++++++++++++++++++++++++++++----
- 4 files changed, 48 insertions(+), 41 deletions(-)
-
---- a/include/linux/compat.h
-+++ b/include/linux/compat.h
-@@ -445,8 +445,6 @@ struct compat_kexec_segment;
- struct compat_mq_attr;
- struct compat_msgbuf;
-
--extern void compat_exit_robust_list(struct task_struct *curr);
--
- #define BITS_PER_COMPAT_LONG (8*sizeof(compat_long_t))
-
- #define BITS_TO_COMPAT_LONGS(bits) DIV_ROUND_UP(bits, BITS_PER_COMPAT_LONG)
---- a/include/linux/futex.h
-+++ b/include/linux/futex.h
-@@ -2,7 +2,9 @@
- #ifndef _LINUX_FUTEX_H
- #define _LINUX_FUTEX_H
-
-+#include <linux/sched.h>
- #include <linux/ktime.h>
-+
- #include <uapi/linux/futex.h>
-
- struct inode;
-@@ -51,15 +53,24 @@ union futex_key {
- #define FUTEX_KEY_INIT (union futex_key) { .both = { .ptr = 0ULL } }
-
- #ifdef CONFIG_FUTEX
--extern void exit_robust_list(struct task_struct *curr);
-
--long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
-- u32 __user *uaddr2, u32 val2, u32 val3);
--#else
--static inline void exit_robust_list(struct task_struct *curr)
-+static inline void futex_init_task(struct task_struct *tsk)
- {
-+ tsk->robust_list = NULL;
-+#ifdef CONFIG_COMPAT
-+ tsk->compat_robust_list = NULL;
-+#endif
-+ INIT_LIST_HEAD(&tsk->pi_state_list);
-+ tsk->pi_state_cache = NULL;
- }
-
-+void futex_mm_release(struct task_struct *tsk);
-+
-+long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
-+ u32 __user *uaddr2, u32 val2, u32 val3);
-+#else
-+static inline void futex_init_task(struct task_struct *tsk) { }
-+static inline void futex_mm_release(struct task_struct *tsk) { }
- static inline long do_futex(u32 __user *uaddr, int op, u32 val,
- ktime_t *timeout, u32 __user *uaddr2,
- u32 val2, u32 val3)
-@@ -68,12 +79,4 @@ static inline long do_futex(u32 __user *
- }
- #endif
-
--#ifdef CONFIG_FUTEX_PI
--extern void exit_pi_state_list(struct task_struct *curr);
--#else
--static inline void exit_pi_state_list(struct task_struct *curr)
--{
--}
--#endif
--
- #endif
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1220,20 +1220,7 @@ static int wait_for_vfork_done(struct ta
- void mm_release(struct task_struct *tsk, struct mm_struct *mm)
- {
- /* Get rid of any futexes when releasing the mm */
--#ifdef CONFIG_FUTEX
-- if (unlikely(tsk->robust_list)) {
-- exit_robust_list(tsk);
-- tsk->robust_list = NULL;
-- }
--#ifdef CONFIG_COMPAT
-- if (unlikely(tsk->compat_robust_list)) {
-- compat_exit_robust_list(tsk);
-- tsk->compat_robust_list = NULL;
-- }
--#endif
-- if (unlikely(!list_empty(&tsk->pi_state_list)))
-- exit_pi_state_list(tsk);
--#endif
-+ futex_mm_release(tsk);
-
- uprobe_free_utask(tsk);
-
-@@ -1937,14 +1924,8 @@ static __latent_entropy struct task_stru
- #ifdef CONFIG_BLOCK
- p->plug = NULL;
- #endif
--#ifdef CONFIG_FUTEX
-- p->robust_list = NULL;
--#ifdef CONFIG_COMPAT
-- p->compat_robust_list = NULL;
--#endif
-- INIT_LIST_HEAD(&p->pi_state_list);
-- p->pi_state_cache = NULL;
--#endif
-+ futex_init_task(p);
-+
- /*
- * sigaltstack should be cleared when sharing the same VM
- */
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -341,6 +341,12 @@ static inline bool should_fail_futex(boo
- }
- #endif /* CONFIG_FAIL_FUTEX */
-
-+#ifdef CONFIG_COMPAT
-+static void compat_exit_robust_list(struct task_struct *curr);
-+#else
-+static inline void compat_exit_robust_list(struct task_struct *curr) { }
-+#endif
-+
- static inline void futex_get_mm(union futex_key *key)
- {
- mmgrab(key->private.mm);
-@@ -890,7 +896,7 @@ static void put_pi_state(struct futex_pi
- * Kernel cleans up PI-state, but userspace is likely hosed.
- * (Robust-futex cleanup is separate and might save the day for userspace.)
- */
--void exit_pi_state_list(struct task_struct *curr)
-+static void exit_pi_state_list(struct task_struct *curr)
- {
- struct list_head *next, *head = &curr->pi_state_list;
- struct futex_pi_state *pi_state;
-@@ -960,7 +966,8 @@ void exit_pi_state_list(struct task_stru
- }
- raw_spin_unlock_irq(&curr->pi_lock);
- }
--
-+#else
-+static inline void exit_pi_state_list(struct task_struct *curr) { }
- #endif
-
- /*
-@@ -3625,7 +3632,7 @@ static inline int fetch_robust_entry(str
- *
- * We silently return on any sign of list-walking problem.
- */
--void exit_robust_list(struct task_struct *curr)
-+static void exit_robust_list(struct task_struct *curr)
- {
- struct robust_list_head __user *head = curr->robust_list;
- struct robust_list __user *entry, *next_entry, *pending;
-@@ -3690,6 +3697,24 @@ void exit_robust_list(struct task_struct
- }
- }
-
-+void futex_mm_release(struct task_struct *tsk)
-+{
-+ if (unlikely(tsk->robust_list)) {
-+ exit_robust_list(tsk);
-+ tsk->robust_list = NULL;
-+ }
-+
-+#ifdef CONFIG_COMPAT
-+ if (unlikely(tsk->compat_robust_list)) {
-+ compat_exit_robust_list(tsk);
-+ tsk->compat_robust_list = NULL;
-+ }
-+#endif
-+
-+ if (unlikely(!list_empty(&tsk->pi_state_list)))
-+ exit_pi_state_list(tsk);
-+}
-+
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
- u32 __user *uaddr2, u32 val2, u32 val3)
- {
-@@ -3817,7 +3842,7 @@ static void __user *futex_uaddr(struct r
- *
- * We silently return on any sign of list-walking problem.
- */
--void compat_exit_robust_list(struct task_struct *curr)
-+static void compat_exit_robust_list(struct task_struct *curr)
- {
- struct compat_robust_list_head __user *head = curr->compat_robust_list;
- struct robust_list __user *entry, *next_entry, *pending;
+++ /dev/null
-Subject: futex: Prevent exit livelock
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:46 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 3ef240eaff36b8119ac9e2ea17cbf41179c930ba upstream
-
-Oleg provided the following test case:
-
-int main(void)
-{
- struct sched_param sp = {};
-
- sp.sched_priority = 2;
- assert(sched_setscheduler(0, SCHED_FIFO, &sp) == 0);
-
- int lock = vfork();
- if (!lock) {
- sp.sched_priority = 1;
- assert(sched_setscheduler(0, SCHED_FIFO, &sp) == 0);
- _exit(0);
- }
-
- syscall(__NR_futex, &lock, FUTEX_LOCK_PI, 0,0,0);
- return 0;
-}
-
-This creates an unkillable RT process spinning in futex_lock_pi() on a UP
-machine or if the process is affine to a single CPU. The reason is:
-
- parent child
-
- set FIFO prio 2
-
- vfork() -> set FIFO prio 1
- implies wait_for_child() sched_setscheduler(...)
- exit()
- do_exit()
- ....
- mm_release()
- tsk->futex_state = FUTEX_STATE_EXITING;
- exit_futex(); (NOOP in this case)
- complete() --> wakes parent
- sys_futex()
- loop infinite because
- tsk->futex_state == FUTEX_STATE_EXITING
-
-The same problem can happen just by regular preemption as well:
-
- task holds futex
- ...
- do_exit()
- tsk->futex_state = FUTEX_STATE_EXITING;
-
- --> preemption (unrelated wakeup of some other higher prio task, e.g. timer)
-
- switch_to(other_task)
-
- return to user
- sys_futex()
- loop infinite as above
-
-Just for the fun of it the futex exit cleanup could trigger the wakeup
-itself before the task sets its futex state to DEAD.
-
-To cure this, the handling of the exiting owner is changed so:
-
- - A refcount is held on the task
-
- - The task pointer is stored in a caller visible location
-
- - The caller drops all locks (hash bucket, mmap_sem) and blocks
- on task::futex_exit_mutex. When the mutex is acquired then
- the exiting task has completed the cleanup and the state
- is consistent and can be reevaluated.
-
-This is not a pretty solution, but there is no choice other than returning
-an error code to user space, which would break the state consistency
-guarantee and open another can of problems including regressions.
-
-For stable backports the preparatory commits ac31c7ff8624 .. ba31c1a48538
-are required as well, but for anything older than 5.3.y the backports are
-going to be provided when this hits mainline as the other dependencies for
-those kernels are definitely not stable material.
-
-Fixes: 778e9a9c3e71 ("pi-futex: fix exit races and locking problems")
-Reported-by: Oleg Nesterov <oleg@redhat.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Stable Team <stable@vger.kernel.org>
-Link: https://lkml.kernel.org/r/20191106224557.041676471@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 91 insertions(+), 15 deletions(-)
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1176,6 +1176,36 @@ out_error:
- return ret;
- }
-
-+/**
-+ * wait_for_owner_exiting - Block until the owner has exited
-+ * @exiting: Pointer to the exiting task
-+ *
-+ * Caller must hold a refcount on @exiting.
-+ */
-+static void wait_for_owner_exiting(int ret, struct task_struct *exiting)
-+{
-+ if (ret != -EBUSY) {
-+ WARN_ON_ONCE(exiting);
-+ return;
-+ }
-+
-+ if (WARN_ON_ONCE(ret == -EBUSY && !exiting))
-+ return;
-+
-+ mutex_lock(&exiting->futex_exit_mutex);
-+ /*
-+ * No point in doing state checking here. If the waiter got here
-+ * while the task was in exec()->exec_futex_release() then it can
-+ * have any FUTEX_STATE_* value when the waiter has acquired the
-+ * mutex. OK, if running, EXITING or DEAD if it reached exit()
-+ * already. Highly unlikely and not a problem. Just one more round
-+ * through the futex maze.
-+ */
-+ mutex_unlock(&exiting->futex_exit_mutex);
-+
-+ put_task_struct(exiting);
-+}
-+
- static int handle_exit_race(u32 __user *uaddr, u32 uval,
- struct task_struct *tsk)
- {
-@@ -1237,7 +1267,8 @@ static int handle_exit_race(u32 __user *
- * it after doing proper sanity checks.
- */
- static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
-- struct futex_pi_state **ps)
-+ struct futex_pi_state **ps,
-+ struct task_struct **exiting)
- {
- pid_t pid = uval & FUTEX_TID_MASK;
- struct futex_pi_state *pi_state;
-@@ -1276,7 +1307,19 @@ static int attach_to_pi_owner(u32 __user
- int ret = handle_exit_race(uaddr, uval, p);
-
- raw_spin_unlock_irq(&p->pi_lock);
-- put_task_struct(p);
-+ /*
-+ * If the owner task is between FUTEX_STATE_EXITING and
-+ * FUTEX_STATE_DEAD then store the task pointer and keep
-+ * the reference on the task struct. The calling code will
-+ * drop all locks, wait for the task to reach
-+ * FUTEX_STATE_DEAD and then drop the refcount. This is
-+ * required to prevent a live lock when the current task
-+ * preempted the exiting task between the two states.
-+ */
-+ if (ret == -EBUSY)
-+ *exiting = p;
-+ else
-+ put_task_struct(p);
- return ret;
- }
-
-@@ -1315,7 +1358,8 @@ static int attach_to_pi_owner(u32 __user
-
- static int lookup_pi_state(u32 __user *uaddr, u32 uval,
- struct futex_hash_bucket *hb,
-- union futex_key *key, struct futex_pi_state **ps)
-+ union futex_key *key, struct futex_pi_state **ps,
-+ struct task_struct **exiting)
- {
- struct futex_q *top_waiter = futex_top_waiter(hb, key);
-
-@@ -1330,7 +1374,7 @@ static int lookup_pi_state(u32 __user *u
- * We are the first waiter - try to look up the owner based on
- * @uval and attach to it.
- */
-- return attach_to_pi_owner(uaddr, uval, key, ps);
-+ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
- }
-
- static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
-@@ -1358,6 +1402,8 @@ static int lock_pi_update_atomic(u32 __u
- * lookup
- * @task: the task to perform the atomic lock work for. This will
- * be "current" except in the case of requeue pi.
-+ * @exiting: Pointer to store the task pointer of the owner task
-+ * which is in the middle of exiting
- * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0)
- *
- * Return:
-@@ -1366,11 +1412,17 @@ static int lock_pi_update_atomic(u32 __u
- * - <0 - error
- *
- * The hb->lock and futex_key refs shall be held by the caller.
-+ *
-+ * @exiting is only set when the return value is -EBUSY. If so, this holds
-+ * a refcount on the exiting task on return and the caller needs to drop it
-+ * after waiting for the exit to complete.
- */
- static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
- union futex_key *key,
- struct futex_pi_state **ps,
-- struct task_struct *task, int set_waiters)
-+ struct task_struct *task,
-+ struct task_struct **exiting,
-+ int set_waiters)
- {
- u32 uval, newval, vpid = task_pid_vnr(task);
- struct futex_q *top_waiter;
-@@ -1440,7 +1492,7 @@ static int futex_lock_pi_atomic(u32 __us
- * attach to the owner. If that fails, no harm done, we only
- * set the FUTEX_WAITERS bit in the user space variable.
- */
-- return attach_to_pi_owner(uaddr, newval, key, ps);
-+ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
- }
-
- /**
-@@ -1861,6 +1913,8 @@ void requeue_pi_wake_futex(struct futex_
- * @key1: the from futex key
- * @key2: the to futex key
- * @ps: address to store the pi_state pointer
-+ * @exiting: Pointer to store the task pointer of the owner task
-+ * which is in the middle of exiting
- * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0)
- *
- * Try and get the lock on behalf of the top waiter if we can do it atomically.
-@@ -1868,16 +1922,20 @@ void requeue_pi_wake_futex(struct futex_
- * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit.
- * hb1 and hb2 must be held by the caller.
- *
-+ * @exiting is only set when the return value is -EBUSY. If so, this holds
-+ * a refcount on the exiting task on return and the caller needs to drop it
-+ * after waiting for the exit to complete.
-+ *
- * Return:
- * - 0 - failed to acquire the lock atomically;
- * - >0 - acquired the lock, return value is vpid of the top_waiter
- * - <0 - error
- */
--static int futex_proxy_trylock_atomic(u32 __user *pifutex,
-- struct futex_hash_bucket *hb1,
-- struct futex_hash_bucket *hb2,
-- union futex_key *key1, union futex_key *key2,
-- struct futex_pi_state **ps, int set_waiters)
-+static int
-+futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
-+ struct futex_hash_bucket *hb2, union futex_key *key1,
-+ union futex_key *key2, struct futex_pi_state **ps,
-+ struct task_struct **exiting, int set_waiters)
- {
- struct futex_q *top_waiter = NULL;
- u32 curval;
-@@ -1914,7 +1972,7 @@ static int futex_proxy_trylock_atomic(u3
- */
- vpid = task_pid_vnr(top_waiter->task);
- ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
-- set_waiters);
-+ exiting, set_waiters);
- if (ret == 1) {
- requeue_pi_wake_futex(top_waiter, key2, hb2);
- return vpid;
-@@ -2043,6 +2101,8 @@ retry_private:
- }
-
- if (requeue_pi && (task_count - nr_wake < nr_requeue)) {
-+ struct task_struct *exiting = NULL;
-+
- /*
- * Attempt to acquire uaddr2 and wake the top waiter. If we
- * intend to requeue waiters, force setting the FUTEX_WAITERS
-@@ -2050,7 +2110,8 @@ retry_private:
- * faults rather in the requeue loop below.
- */
- ret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1,
-- &key2, &pi_state, nr_requeue);
-+ &key2, &pi_state,
-+ &exiting, nr_requeue);
-
- /*
- * At this point the top_waiter has either taken uaddr2 or is
-@@ -2077,7 +2138,8 @@ retry_private:
- * If that call succeeds then we have pi_state and an
- * initial refcount on it.
- */
-- ret = lookup_pi_state(uaddr2, ret, hb2, &key2, &pi_state);
-+ ret = lookup_pi_state(uaddr2, ret, hb2, &key2,
-+ &pi_state, &exiting);
- }
-
- switch (ret) {
-@@ -2107,6 +2169,12 @@ retry_private:
- hb_waiters_dec(hb2);
- put_futex_key(&key2);
- put_futex_key(&key1);
-+ /*
-+ * Handle the case where the owner is in the middle of
-+ * exiting. Wait for the exit to complete otherwise
-+ * this task might loop forever, aka. live lock.
-+ */
-+ wait_for_owner_exiting(ret, exiting);
- cond_resched();
- goto retry;
- default:
-@@ -2834,6 +2902,7 @@ static int futex_lock_pi(u32 __user *uad
- {
- struct hrtimer_sleeper timeout, *to = NULL;
- struct futex_pi_state *pi_state = NULL;
-+ struct task_struct *exiting = NULL;
- struct rt_mutex_waiter rt_waiter;
- struct futex_hash_bucket *hb;
- struct futex_q q = futex_q_init;
-@@ -2861,7 +2930,8 @@ retry:
- retry_private:
- hb = queue_lock(&q);
-
-- ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);
-+ ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current,
-+ &exiting, 0);
- if (unlikely(ret)) {
- /*
- * Atomic work succeeded and we got the lock,
-@@ -2884,6 +2954,12 @@ retry_private:
- */
- queue_unlock(hb);
- put_futex_key(&q.key);
-+ /*
-+ * Handle the case where the owner is in the middle of
-+ * exiting. Wait for the exit to complete otherwise
-+ * this task might loop forever, aka. live lock.
-+ */
-+ wait_for_owner_exiting(ret, exiting);
- cond_resched();
- goto retry;
- default:
+++ /dev/null
-Subject: futex: Provide distinct return value when owner is exiting
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:45 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-`
-commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream
-
-attach_to_pi_owner() returns -EAGAIN for various cases:
-
- - Owner task is exiting
- - Futex value has changed
-
-The caller drops the held locks (hash bucket, mmap_sem) and retries the
-operation. In case of the owner task exiting this can result in a live
-lock.
-
-As a preparatory step for seperating those cases, provide a distinct return
-value (EBUSY) for the owner exiting case.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.935606117@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1182,11 +1182,11 @@ static int handle_exit_race(u32 __user *
- u32 uval2;
-
- /*
-- * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
-- * for it to finish.
-+ * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the
-+ * caller that the alleged owner is busy.
- */
- if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
-- return -EAGAIN;
-+ return -EBUSY;
-
- /*
- * Reread the user space value to handle the following situation:
-@@ -2095,12 +2095,13 @@ retry_private:
- if (!ret)
- goto retry;
- goto out;
-+ case -EBUSY:
- case -EAGAIN:
- /*
- * Two reasons for this:
-- * - Owner is exiting and we just wait for the
-+ * - EBUSY: Owner is exiting and we just wait for the
- * exit to complete.
-- * - The user space value changed.
-+ * - EAGAIN: The user space value changed.
- */
- double_unlock_hb(hb1, hb2);
- hb_waiters_dec(hb2);
-@@ -2873,12 +2874,13 @@ retry_private:
- goto out_unlock_put_key;
- case -EFAULT:
- goto uaddr_faulted;
-+ case -EBUSY:
- case -EAGAIN:
- /*
- * Two reasons for this:
-- * - Task is exiting and we just wait for the
-+ * - EBUSY: Task is exiting and we just wait for the
- * exit to complete.
-- * - The user space value changed.
-+ * - EAGAIN: The user space value changed.
- */
- queue_unlock(hb);
- put_futex_key(&q.key);
+++ /dev/null
-Subject: futex: Provide state handling for exec() as well
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:43 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit af8cbda2cfcaa5515d61ec500498d46e9a8247e2 upstream
-
-exec() attempts to handle potentially held futexes gracefully by running
-the futex exit handling code like exit() does.
-
-The current implementation has no protection against concurrent incoming
-waiters. The reason is that the futex state cannot be set to
-FUTEX_STATE_DEAD after the cleanup because the task struct is still active
-and just about to execute the new binary.
-
-While its arguably buggy when a task holds a futex over exec(), for
-consistency sake the state handling can at least cover the actual futex
-exit cleanup section. This provides state consistency protection accross
-the cleanup. As the futex state of the task becomes FUTEX_STATE_OK after the
-cleanup has been finished, this cannot prevent subsequent attempts to
-attach to the task in case that the cleanup was not successfull in mopping
-up all leftovers.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.753355618@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 38 ++++++++++++++++++++++++++++++++++----
- 1 file changed, 34 insertions(+), 4 deletions(-)
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3698,7 +3698,7 @@ static void exit_robust_list(struct task
- }
- }
-
--void futex_exec_release(struct task_struct *tsk)
-+static void futex_cleanup(struct task_struct *tsk)
- {
- if (unlikely(tsk->robust_list)) {
- exit_robust_list(tsk);
-@@ -3738,7 +3738,7 @@ void futex_exit_recursive(struct task_st
- tsk->futex_state = FUTEX_STATE_DEAD;
- }
-
--void futex_exit_release(struct task_struct *tsk)
-+static void futex_cleanup_begin(struct task_struct *tsk)
- {
- /*
- * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock.
-@@ -3754,10 +3754,40 @@ void futex_exit_release(struct task_stru
- raw_spin_lock_irq(&tsk->pi_lock);
- tsk->futex_state = FUTEX_STATE_EXITING;
- raw_spin_unlock_irq(&tsk->pi_lock);
-+}
-
-- futex_exec_release(tsk);
-+static void futex_cleanup_end(struct task_struct *tsk, int state)
-+{
-+ /*
-+ * Lockless store. The only side effect is that an observer might
-+ * take another loop until it becomes visible.
-+ */
-+ tsk->futex_state = state;
-+}
-
-- tsk->futex_state = FUTEX_STATE_DEAD;
-+void futex_exec_release(struct task_struct *tsk)
-+{
-+ /*
-+ * The state handling is done for consistency, but in the case of
-+ * exec() there is no way to prevent futher damage as the PID stays
-+ * the same. But for the unlikely and arguably buggy case that a
-+ * futex is held on exec(), this provides at least as much state
-+ * consistency protection which is possible.
-+ */
-+ futex_cleanup_begin(tsk);
-+ futex_cleanup(tsk);
-+ /*
-+ * Reset the state to FUTEX_STATE_OK. The task is alive and about
-+ * exec a new binary.
-+ */
-+ futex_cleanup_end(tsk, FUTEX_STATE_OK);
-+}
-+
-+void futex_exit_release(struct task_struct *tsk)
-+{
-+ futex_cleanup_begin(tsk);
-+ futex_cleanup(tsk);
-+ futex_cleanup_end(tsk, FUTEX_STATE_DEAD);
- }
-
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+++ /dev/null
-Subject: futex: Replace PF_EXITPIDONE with a state
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:37 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 3d4775df0a89240f671861c6ab6e8d59af8e9e41 upstream
-
-The futex exit handling relies on PF_ flags. That's suboptimal as it
-requires a smp_mb() and an ugly lock/unlock of the exiting tasks pi_lock in
-the middle of do_exit() to enforce the observability of PF_EXITING in the
-futex code.
-
-Add a futex_state member to task_struct and convert the PF_EXITPIDONE logic
-over to the new state. The PF_EXITING dependency will be cleaned up in a
-later step.
-
-This prepares for handling various futex exit issues later.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.149449274@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/futex.h | 33 +++++++++++++++++++++++++++++++++
- include/linux/sched.h | 2 +-
- kernel/exit.c | 18 ++----------------
- kernel/futex.c | 25 +++++++++++++------------
- 4 files changed, 49 insertions(+), 29 deletions(-)
-
---- a/include/linux/futex.h
-+++ b/include/linux/futex.h
-@@ -53,6 +53,10 @@ union futex_key {
- #define FUTEX_KEY_INIT (union futex_key) { .both = { .ptr = 0ULL } }
-
- #ifdef CONFIG_FUTEX
-+enum {
-+ FUTEX_STATE_OK,
-+ FUTEX_STATE_DEAD,
-+};
-
- static inline void futex_init_task(struct task_struct *tsk)
- {
-@@ -62,6 +66,34 @@ static inline void futex_init_task(struc
- #endif
- INIT_LIST_HEAD(&tsk->pi_state_list);
- tsk->pi_state_cache = NULL;
-+ tsk->futex_state = FUTEX_STATE_OK;
-+}
-+
-+/**
-+ * futex_exit_done - Sets the tasks futex state to FUTEX_STATE_DEAD
-+ * @tsk: task to set the state on
-+ *
-+ * Set the futex exit state of the task lockless. The futex waiter code
-+ * observes that state when a task is exiting and loops until the task has
-+ * actually finished the futex cleanup. The worst case for this is that the
-+ * waiter runs through the wait loop until the state becomes visible.
-+ *
-+ * This has two callers:
-+ *
-+ * - futex_mm_release() after the futex exit cleanup has been done
-+ *
-+ * - do_exit() from the recursive fault handling path.
-+ *
-+ * In case of a recursive fault this is best effort. Either the futex exit
-+ * code has run already or not. If the OWNER_DIED bit has been set on the
-+ * futex then the waiter can take it over. If not, the problem is pushed
-+ * back to user space. If the futex exit code did not run yet, then an
-+ * already queued waiter might block forever, but there is nothing which
-+ * can be done about that.
-+ */
-+static inline void futex_exit_done(struct task_struct *tsk)
-+{
-+ tsk->futex_state = FUTEX_STATE_DEAD;
- }
-
- void futex_mm_release(struct task_struct *tsk);
-@@ -71,6 +103,7 @@ long do_futex(u32 __user *uaddr, int op,
- #else
- static inline void futex_init_task(struct task_struct *tsk) { }
- static inline void futex_mm_release(struct task_struct *tsk) { }
-+static inline void futex_exit_done(struct task_struct *tsk) { }
- static inline long do_futex(u32 __user *uaddr, int op, u32 val,
- ktime_t *timeout, u32 __user *uaddr2,
- u32 val2, u32 val3)
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -996,6 +996,7 @@ struct task_struct {
- #endif
- struct list_head pi_state_list;
- struct futex_pi_state *pi_state_cache;
-+ unsigned int futex_state;
- #endif
- #ifdef CONFIG_PERF_EVENTS
- struct perf_event_context *perf_event_ctxp[perf_nr_task_contexts];
-@@ -1377,7 +1378,6 @@ extern struct pid *cad_pid;
- */
- #define PF_IDLE 0x00000002 /* I am an IDLE thread */
- #define PF_EXITING 0x00000004 /* Getting shut down */
--#define PF_EXITPIDONE 0x00000008 /* PI exit done on shut down */
- #define PF_VCPU 0x00000010 /* I'm a virtual CPU */
- #define PF_WQ_WORKER 0x00000020 /* I'm a workqueue worker */
- #define PF_FORKNOEXEC 0x00000040 /* Forked but didn't exec */
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -818,16 +818,7 @@ void __noreturn do_exit(long code)
- */
- if (unlikely(tsk->flags & PF_EXITING)) {
- pr_alert("Fixing recursive fault but reboot is needed!\n");
-- /*
-- * We can do this unlocked here. The futex code uses
-- * this flag just to verify whether the pi state
-- * cleanup has been done or not. In the worst case it
-- * loops once more. We pretend that the cleanup was
-- * done as there is no way to return. Either the
-- * OWNER_DIED bit is set by now or we push the blocked
-- * task into the wait for ever nirwana as well.
-- */
-- tsk->flags |= PF_EXITPIDONE;
-+ futex_exit_done(tsk);
- set_current_state(TASK_UNINTERRUPTIBLE);
- schedule();
- }
-@@ -918,12 +909,7 @@ void __noreturn do_exit(long code)
- * Make sure we are holding no locks:
- */
- debug_check_no_locks_held();
-- /*
-- * We can do this unlocked here. The futex code uses this flag
-- * just to verify whether the pi state cleanup has been done
-- * or not. In the worst case it loops once more.
-- */
-- tsk->flags |= PF_EXITPIDONE;
-+ futex_exit_done(tsk);
-
- if (tsk->io_context)
- exit_io_context(tsk);
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1182,9 +1182,10 @@ static int handle_exit_race(u32 __user *
- u32 uval2;
-
- /*
-- * If PF_EXITPIDONE is not yet set, then try again.
-+ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
-+ * for it to finish.
- */
-- if (tsk && !(tsk->flags & PF_EXITPIDONE))
-+ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
- return -EAGAIN;
-
- /*
-@@ -1203,8 +1204,9 @@ static int handle_exit_race(u32 __user *
- * *uaddr = 0xC0000000; tsk = get_task(PID);
- * } if (!tsk->flags & PF_EXITING) {
- * ... attach();
-- * tsk->flags |= PF_EXITPIDONE; } else {
-- * if (!(tsk->flags & PF_EXITPIDONE))
-+ * tsk->futex_state = } else {
-+ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
-+ * FUTEX_STATE_DEAD)
- * return -EAGAIN;
- * return -ESRCH; <--- FAIL
- * }
-@@ -1260,17 +1262,16 @@ static int attach_to_pi_owner(u32 __user
- }
-
- /*
-- * We need to look at the task state flags to figure out,
-- * whether the task is exiting. To protect against the do_exit
-- * change of the task flags, we do this protected by
-- * p->pi_lock:
-+ * We need to look at the task state to figure out, whether the
-+ * task is exiting. To protect against the change of the task state
-+ * in futex_exit_release(), we do this protected by p->pi_lock:
- */
- raw_spin_lock_irq(&p->pi_lock);
-- if (unlikely(p->flags & PF_EXITING)) {
-+ if (unlikely(p->futex_state != FUTEX_STATE_OK)) {
- /*
-- * The task is on the way out. When PF_EXITPIDONE is
-- * set, we know that the task has finished the
-- * cleanup:
-+ * The task is on the way out. When the futex state is
-+ * FUTEX_STATE_DEAD, we know that the task has finished
-+ * the cleanup:
- */
- int ret = handle_exit_race(uaddr, uval, p);
-
+++ /dev/null
-Subject: futex: Sanitize exit state handling
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:42 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 4a8e991b91aca9e20705d434677ac013974e0e30 upstream
-
-Instead of having a smp_mb() and an empty lock/unlock of task::pi_lock move
-the state setting into to the lock section.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.645603214@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3740,16 +3740,19 @@ void futex_exit_recursive(struct task_st
-
- void futex_exit_release(struct task_struct *tsk)
- {
-- tsk->futex_state = FUTEX_STATE_EXITING;
-- /*
-- * Ensure that all new tsk->pi_lock acquisitions must observe
-- * FUTEX_STATE_EXITING. Serializes against attach_to_pi_owner().
-- */
-- smp_mb();
- /*
-- * Ensure that we must observe the pi_state in exit_pi_state_list().
-+ * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock.
-+ *
-+ * This ensures that all subsequent checks of tsk->futex_state in
-+ * attach_to_pi_owner() must observe FUTEX_STATE_EXITING with
-+ * tsk->pi_lock held.
-+ *
-+ * It guarantees also that a pi_state which was queued right before
-+ * the state change under tsk->pi_lock by a concurrent waiter must
-+ * be observed in exit_pi_state_list().
- */
- raw_spin_lock_irq(&tsk->pi_lock);
-+ tsk->futex_state = FUTEX_STATE_EXITING;
- raw_spin_unlock_irq(&tsk->pi_lock);
-
- futex_exec_release(tsk);
+++ /dev/null
-Subject: futex: Set task::futex_state to DEAD right after handling futex exit
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:40 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit f24f22435dcc11389acc87e5586239c1819d217c upstream
-
-Setting task::futex_state in do_exit() is rather arbitrarily placed for no
-reason. Move it into the futex code.
-
-Note, this is only done for the exit cleanup as the exec cleanup cannot set
-the state to FUTEX_STATE_DEAD because the task struct is still in active
-use.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.439511191@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/exit.c | 1 -
- kernel/futex.c | 1 +
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -909,7 +909,6 @@ void __noreturn do_exit(long code)
- * Make sure we are holding no locks:
- */
- debug_check_no_locks_held();
-- futex_exit_done(tsk);
-
- if (tsk->io_context)
- exit_io_context(tsk);
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3719,6 +3719,7 @@ void futex_exec_release(struct task_stru
- void futex_exit_release(struct task_struct *tsk)
- {
- futex_exec_release(tsk);
-+ futex_exit_done(tsk);
- }
-
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+++ /dev/null
-Subject: futex: Split futex_mm_release() for exit/exec
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed Nov 6 22:55:39 2019 +0100
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 150d71584b12809144b8145b817e83b81158ae5f upstream
-
-To allow separate handling of the futex exit state in the futex exit code
-for exit and exec, split futex_mm_release() into two functions and invoke
-them from the corresponding exit/exec_mm_release() callsites.
-
-Preparatory only, no functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Link: https://lkml.kernel.org/r/20191106224556.332094221@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/futex.h | 6 ++++--
- kernel/fork.c | 5 ++---
- kernel/futex.c | 7 ++++++-
- 3 files changed, 12 insertions(+), 6 deletions(-)
-
---- a/include/linux/futex.h
-+++ b/include/linux/futex.h
-@@ -96,14 +96,16 @@ static inline void futex_exit_done(struc
- tsk->futex_state = FUTEX_STATE_DEAD;
- }
-
--void futex_mm_release(struct task_struct *tsk);
-+void futex_exit_release(struct task_struct *tsk);
-+void futex_exec_release(struct task_struct *tsk);
-
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
- u32 __user *uaddr2, u32 val2, u32 val3);
- #else
- static inline void futex_init_task(struct task_struct *tsk) { }
--static inline void futex_mm_release(struct task_struct *tsk) { }
- static inline void futex_exit_done(struct task_struct *tsk) { }
-+static inline void futex_exit_release(struct task_struct *tsk) { }
-+static inline void futex_exec_release(struct task_struct *tsk) { }
- static inline long do_futex(u32 __user *uaddr, int op, u32 val,
- ktime_t *timeout, u32 __user *uaddr2,
- u32 val2, u32 val3)
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1219,9 +1219,6 @@ static int wait_for_vfork_done(struct ta
- */
- static void mm_release(struct task_struct *tsk, struct mm_struct *mm)
- {
-- /* Get rid of any futexes when releasing the mm */
-- futex_mm_release(tsk);
--
- uprobe_free_utask(tsk);
-
- /* Get rid of any cached register state */
-@@ -1256,11 +1253,13 @@ static void mm_release(struct task_struc
-
- void exit_mm_release(struct task_struct *tsk, struct mm_struct *mm)
- {
-+ futex_exit_release(tsk);
- mm_release(tsk, mm);
- }
-
- void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)
- {
-+ futex_exec_release(tsk);
- mm_release(tsk, mm);
- }
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -3698,7 +3698,7 @@ static void exit_robust_list(struct task
- }
- }
-
--void futex_mm_release(struct task_struct *tsk)
-+void futex_exec_release(struct task_struct *tsk)
- {
- if (unlikely(tsk->robust_list)) {
- exit_robust_list(tsk);
-@@ -3716,6 +3716,11 @@ void futex_mm_release(struct task_struct
- exit_pi_state_list(tsk);
- }
-
-+void futex_exit_release(struct task_struct *tsk)
-+{
-+ futex_exec_release(tsk);
-+}
-+
- long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
- u32 __user *uaddr2, u32 val2, u32 val3)
- {
+++ /dev/null
-futex_Move_futex_exit_handling_into_futex_code.patch
-futex_Replace_PF_EXITPIDONE_with_a_state.patch
-exitexec_Seperate_mm_release().patch
-futex_Split_futex_mm_release()_for_exitexec.patch
-futex_Set_taskfutex_state_to_DEAD_right_after_handling_futex_exit.patch
-futex_Mark_the_begin_of_futex_exit_explicitly.patch
-futex_Sanitize_exit_state_handling.patch
-futex_Provide_state_handling_for_exec()_as_well.patch
-futex_Add_mutex_around_futex_exit.patch
-futex_Provide_distinct_return_value_when_owner_is_exiting.patch
-futex_Prevent_exit_livelock.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
