2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2009-2021 Dmitry Chagin <dchagin@FreeBSD.org>
5 * Copyright (c) 2008 Roman Divacky
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include "opt_compat.h"
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/imgact.h>
37 #include <sys/imgact_elf.h>
39 #include <sys/mutex.h>
42 #include <sys/sched.h>
43 #include <sys/umtxvar.h>
46 #include <machine/../linux32/linux.h>
47 #include <machine/../linux32/linux32_proto.h>
49 #include <machine/../linux/linux.h>
50 #include <machine/../linux/linux_proto.h>
52 #include <compat/linux/linux_emul.h>
53 #include <compat/linux/linux_futex.h>
54 #include <compat/linux/linux_misc.h>
55 #include <compat/linux/linux_timer.h>
56 #include <compat/linux/linux_util.h>
58 #define FUTEX_SHARED 0x8 /* shared futex */
59 #define FUTEX_UNOWNED 0
61 #define GET_SHARED(a) (a->flags & FUTEX_SHARED) ? AUTO_SHARE : THREAD_SHARE
63 static int futex_atomic_op(struct thread *, int, uint32_t *, int *);
64 static int handle_futex_death(struct thread *td, struct linux_emuldata *,
65 uint32_t *, unsigned int, bool);
66 static int fetch_robust_entry(struct linux_robust_list **,
67 struct linux_robust_list **, unsigned int *);
69 struct linux_futex_args {
82 static inline int futex_key_get(const void *, int, int, struct umtx_key *);
83 static void linux_umtx_abs_timeout_init(struct umtx_abs_timeout *,
84 struct linux_futex_args *);
85 static int linux_futex(struct thread *, struct linux_futex_args *);
86 static int linux_futex_wait(struct thread *, struct linux_futex_args *);
87 static int linux_futex_wake(struct thread *, struct linux_futex_args *);
88 static int linux_futex_requeue(struct thread *, struct linux_futex_args *);
89 static int linux_futex_wakeop(struct thread *, struct linux_futex_args *);
90 static int linux_futex_lock_pi(struct thread *, bool, struct linux_futex_args *);
91 static int linux_futex_unlock_pi(struct thread *, bool,
92 struct linux_futex_args *);
93 static int futex_wake_pi(struct thread *, uint32_t *, bool);
96 futex_key_get(const void *uaddr, int type, int share, struct umtx_key *key)
99 /* Check that futex address is a 32bit aligned. */
100 if (!__is_aligned(uaddr, sizeof(uint32_t)))
102 return (umtx_key_get(uaddr, type, share, key));
106 futex_wake(struct thread *td, uint32_t *uaddr, int val, bool shared)
108 struct linux_futex_args args;
110 bzero(&args, sizeof(args));
111 args.op = LINUX_FUTEX_WAKE;
113 args.flags = shared == true ? FUTEX_SHARED : 0;
115 args.val3 = FUTEX_BITSET_MATCH_ANY;
117 return (linux_futex_wake(td, &args));
121 futex_wake_pi(struct thread *td, uint32_t *uaddr, bool shared)
123 struct linux_futex_args args;
125 bzero(&args, sizeof(args));
126 args.op = LINUX_FUTEX_UNLOCK_PI;
128 args.flags = shared == true ? FUTEX_SHARED : 0;
130 return (linux_futex_unlock_pi(td, true, &args));
134 futex_atomic_op(struct thread *td, int encoded_op, uint32_t *uaddr,
137 int op = (encoded_op >> 28) & 7;
138 int cmp = (encoded_op >> 24) & 15;
139 int oparg = (encoded_op << 8) >> 20;
140 int cmparg = (encoded_op << 20) >> 20;
143 if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
148 ret = futex_xchgl(oparg, uaddr, &oldval);
151 ret = futex_addl(oparg, uaddr, &oldval);
154 ret = futex_orl(oparg, uaddr, &oldval);
157 ret = futex_andl(~oparg, uaddr, &oldval);
160 ret = futex_xorl(oparg, uaddr, &oldval);
171 case FUTEX_OP_CMP_EQ:
172 *res = (oldval == cmparg);
174 case FUTEX_OP_CMP_NE:
175 *res = (oldval != cmparg);
177 case FUTEX_OP_CMP_LT:
178 *res = (oldval < cmparg);
180 case FUTEX_OP_CMP_GE:
181 *res = (oldval >= cmparg);
183 case FUTEX_OP_CMP_LE:
184 *res = (oldval <= cmparg);
186 case FUTEX_OP_CMP_GT:
187 *res = (oldval > cmparg);
197 linux_futex(struct thread *td, struct linux_futex_args *args)
199 struct linux_pemuldata *pem;
202 if (args->op & LINUX_FUTEX_PRIVATE_FLAG) {
204 args->op &= ~LINUX_FUTEX_PRIVATE_FLAG;
206 args->flags = FUTEX_SHARED;
208 args->clockrt = args->op & LINUX_FUTEX_CLOCK_REALTIME;
209 args->op = args->op & ~LINUX_FUTEX_CLOCK_REALTIME;
212 args->op != LINUX_FUTEX_WAIT_BITSET &&
213 args->op != LINUX_FUTEX_WAIT_REQUEUE_PI &&
214 args->op != LINUX_FUTEX_LOCK_PI2)
218 case LINUX_FUTEX_WAIT:
219 args->val3 = FUTEX_BITSET_MATCH_ANY;
222 case LINUX_FUTEX_WAIT_BITSET:
223 LINUX_CTR3(sys_futex, "WAIT uaddr %p val 0x%x bitset 0x%x",
224 args->uaddr, args->val, args->val3);
226 return (linux_futex_wait(td, args));
228 case LINUX_FUTEX_WAKE:
229 args->val3 = FUTEX_BITSET_MATCH_ANY;
232 case LINUX_FUTEX_WAKE_BITSET:
233 LINUX_CTR3(sys_futex, "WAKE uaddr %p nrwake 0x%x bitset 0x%x",
234 args->uaddr, args->val, args->val3);
236 return (linux_futex_wake(td, args));
238 case LINUX_FUTEX_REQUEUE:
240 * Glibc does not use this operation since version 2.3.3,
241 * as it is racy and replaced by FUTEX_CMP_REQUEUE operation.
242 * Glibc versions prior to 2.3.3 fall back to FUTEX_WAKE when
243 * FUTEX_REQUEUE returned EINVAL.
245 pem = pem_find(td->td_proc);
246 if ((pem->flags & LINUX_XDEPR_REQUEUEOP) == 0) {
247 linux_msg(td, "unsupported FUTEX_REQUEUE");
248 pem->flags |= LINUX_XDEPR_REQUEUEOP;
252 * The above is true, however musl libc does make use of the
253 * futex requeue operation, allow operation for brands which
254 * set LINUX_BI_FUTEX_REQUEUE bit of Brandinfo flags.
257 Elf_Brandinfo *bi = p->p_elf_brandinfo;
258 if (bi == NULL || ((bi->flags & LINUX_BI_FUTEX_REQUEUE)) == 0)
260 args->val3_compare = false;
263 case LINUX_FUTEX_CMP_REQUEUE:
264 LINUX_CTR5(sys_futex, "CMP_REQUEUE uaddr %p "
265 "nrwake 0x%x uval 0x%x uaddr2 %p nrequeue 0x%x",
266 args->uaddr, args->val, args->val3, args->uaddr2,
269 return (linux_futex_requeue(td, args));
271 case LINUX_FUTEX_WAKE_OP:
272 LINUX_CTR5(sys_futex, "WAKE_OP "
273 "uaddr %p nrwake 0x%x uaddr2 %p op 0x%x nrwake2 0x%x",
274 args->uaddr, args->val, args->uaddr2, args->val3,
277 return (linux_futex_wakeop(td, args));
279 case LINUX_FUTEX_LOCK_PI:
280 args->clockrt = true;
283 case LINUX_FUTEX_LOCK_PI2:
284 LINUX_CTR2(sys_futex, "LOCKPI uaddr %p val 0x%x",
285 args->uaddr, args->val);
287 return (linux_futex_lock_pi(td, false, args));
289 case LINUX_FUTEX_UNLOCK_PI:
290 LINUX_CTR1(sys_futex, "UNLOCKPI uaddr %p",
293 return (linux_futex_unlock_pi(td, false, args));
295 case LINUX_FUTEX_TRYLOCK_PI:
296 LINUX_CTR1(sys_futex, "TRYLOCKPI uaddr %p",
299 return (linux_futex_lock_pi(td, true, args));
302 * Current implementation of FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI
303 * can't be used anymore to implement conditional variables.
304 * A detailed explanation can be found here:
306 * https://sourceware.org/bugzilla/show_bug.cgi?id=13165
307 * and here http://austingroupbugs.net/view.php?id=609
310 * https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ed19993b5b0d05d62cc883571519a67dae481a14
311 * glibc does not use them.
313 case LINUX_FUTEX_WAIT_REQUEUE_PI:
314 /* not yet implemented */
315 pem = pem_find(td->td_proc);
316 if ((pem->flags & LINUX_XUNSUP_FUTEXPIOP) == 0) {
317 linux_msg(td, "unsupported FUTEX_WAIT_REQUEUE_PI");
318 pem->flags |= LINUX_XUNSUP_FUTEXPIOP;
322 case LINUX_FUTEX_CMP_REQUEUE_PI:
323 /* not yet implemented */
324 pem = pem_find(td->td_proc);
325 if ((pem->flags & LINUX_XUNSUP_FUTEXPIOP) == 0) {
326 linux_msg(td, "unsupported FUTEX_CMP_REQUEUE_PI");
327 pem->flags |= LINUX_XUNSUP_FUTEXPIOP;
332 linux_msg(td, "unsupported futex op %d", args->op);
339 * - 0 futex word value means unlocked.
340 * - TID futex word value means locked.
341 * Userspace uses atomic ops to lock/unlock these futexes without entering the
342 * kernel. If the lock-acquire fastpath fails, (transition from 0 to TID fails),
343 * then FUTEX_LOCK_PI is called.
344 * The kernel atomically set FUTEX_WAITERS bit in the futex word value, if no
345 * other waiters exists looks up the thread that owns the futex (it has put its
346 * own TID into the futex value) and made this thread the owner of the internal
347 * pi-aware lock object (mutex). Then the kernel tries to lock the internal lock
348 * object, on which it blocks. Once it returns, it has the mutex acquired, and it
349 * sets the futex value to its own TID and returns (futex value contains
350 * FUTEX_WAITERS|TID).
351 * The unlock fastpath would fail (because the FUTEX_WAITERS bit is set) and
352 * FUTEX_UNLOCK_PI will be called.
353 * If a futex is found to be held at exit time, the kernel sets the OWNER_DIED
354 * bit of the futex word and wakes up the next futex waiter (if any), WAITERS
355 * bit is preserved (if any).
356 * If OWNER_DIED bit is set the kernel sanity checks the futex word value against
357 * the internal futex state and if correct, acquire futex.
360 linux_futex_lock_pi(struct thread *td, bool try, struct linux_futex_args *args)
362 struct umtx_abs_timeout timo;
363 struct linux_emuldata *em;
364 struct umtx_pi *pi, *new_pi;
368 uint32_t owner, old_owner;
372 error = futex_key_get(args->uaddr, TYPE_PI_FUTEX, GET_SHARED(args),
376 if (args->ts != NULL)
377 linux_umtx_abs_timeout_init(&timo, args);
379 umtxq_lock(&uq->uq_key);
380 pi = umtx_pi_lookup(&uq->uq_key);
382 new_pi = umtx_pi_alloc(M_NOWAIT);
383 if (new_pi == NULL) {
384 umtxq_unlock(&uq->uq_key);
385 new_pi = umtx_pi_alloc(M_WAITOK);
386 umtxq_lock(&uq->uq_key);
387 pi = umtx_pi_lookup(&uq->uq_key);
389 umtx_pi_free(new_pi);
393 if (new_pi != NULL) {
394 new_pi->pi_key = uq->uq_key;
395 umtx_pi_insert(new_pi);
400 umtxq_unlock(&uq->uq_key);
402 /* Try uncontested case first. */
403 rv = casueword32(args->uaddr, FUTEX_UNOWNED, &owner, em->em_tid);
404 /* The acquire succeeded. */
415 * Nobody owns it, but the acquire failed. This can happen
418 if (owner == FUTEX_UNOWNED) {
419 error = thread_check_susp(td, true);
426 * Avoid overwriting a possible error from sleep due
427 * to the pending signal with suspension check result.
430 error = thread_check_susp(td, true);
435 /* The futex word at *uaddr is already locked by the caller. */
436 if ((owner & FUTEX_TID_MASK) == em->em_tid) {
442 * Futex owner died, handle_futex_death() set the OWNER_DIED bit
443 * and clear tid. Try to acquire it.
445 if ((owner & FUTEX_TID_MASK) == FUTEX_UNOWNED) {
447 owner = owner & (FUTEX_WAITERS | FUTEX_OWNER_DIED);
449 rv = casueword32(args->uaddr, old_owner, &owner, owner);
456 error = thread_check_susp(td, true);
462 * If this failed the lock could
468 umtxq_lock(&uq->uq_key);
469 umtxq_busy(&uq->uq_key);
470 error = umtx_pi_claim(pi, td);
471 umtxq_unbusy(&uq->uq_key);
472 umtxq_unlock(&uq->uq_key);
475 * Since we're going to return an
476 * error, restore the futex to its
477 * previous, unowned state to avoid
478 * compounding the problem.
480 (void)casuword32(args->uaddr, owner, old_owner);
486 * Inconsistent state: OWNER_DIED is set and tid is not 0.
487 * Linux does some checks of futex state, we return EINVAL,
488 * as the user space can take care of this.
490 if ((owner & FUTEX_OWNER_DIED) != FUTEX_UNOWNED) {
501 * If we caught a signal, we have retried and now
507 umtxq_lock(&uq->uq_key);
508 umtxq_busy(&uq->uq_key);
509 umtxq_unlock(&uq->uq_key);
512 * Set the contested bit so that a release in user space knows
513 * to use the system call for unlock. If this fails either some
514 * one else has acquired the lock or it has been released.
516 rv = casueword32(args->uaddr, owner, &owner,
517 owner | FUTEX_WAITERS);
519 umtxq_unbusy_unlocked(&uq->uq_key);
524 umtxq_unbusy_unlocked(&uq->uq_key);
525 error = thread_check_susp(td, true);
530 * The lock changed and we need to retry or we
531 * lost a race to the thread unlocking the umtx.
537 * Substitute Linux thread id by native thread id to
538 * avoid refactoring code of umtxq_sleep_pi().
540 td1 = linux_tdfind(td, owner & FUTEX_TID_MASK, -1);
543 PROC_UNLOCK(td1->td_proc);
545 umtxq_unbusy_unlocked(&uq->uq_key);
550 umtxq_lock(&uq->uq_key);
552 /* We set the contested bit, sleep. */
553 error = umtxq_sleep_pi(uq, pi, owner, "futexp",
554 args->ts == NULL ? NULL : &timo,
555 (args->flags & FUTEX_SHARED) != 0);
559 error = thread_check_susp(td, false);
564 umtxq_lock(&uq->uq_key);
566 umtxq_unlock(&uq->uq_key);
567 umtx_key_release(&uq->uq_key);
572 linux_futex_unlock_pi(struct thread *td, bool rb, struct linux_futex_args *args)
574 struct linux_emuldata *em;
576 uint32_t old, owner, new_owner;
582 * Make sure we own this mtx.
584 error = fueword32(args->uaddr, &owner);
587 if (!rb && (owner & FUTEX_TID_MASK) != em->em_tid)
590 error = futex_key_get(args->uaddr, TYPE_PI_FUTEX, GET_SHARED(args), &key);
595 error = umtx_pi_drop(td, &key, rb, &count);
596 if (error != 0 || rb) {
599 umtx_key_release(&key);
605 * When unlocking the futex, it must be marked as unowned if
606 * there is zero or one thread only waiting for it.
607 * Otherwise, it must be marked as contested.
610 new_owner = FUTEX_WAITERS;
612 new_owner = FUTEX_UNOWNED;
615 error = casueword32(args->uaddr, owner, &old, new_owner);
617 error = thread_check_susp(td, false);
621 umtxq_unbusy_unlocked(&key);
622 umtx_key_release(&key);
625 if (error == 0 && old != owner)
631 linux_futex_wakeop(struct thread *td, struct linux_futex_args *args)
633 struct umtx_key key, key2;
634 int nrwake, op_ret, ret;
637 if (args->uaddr == args->uaddr2)
640 error = futex_key_get(args->uaddr, TYPE_FUTEX, GET_SHARED(args), &key);
643 error = futex_key_get(args->uaddr2, TYPE_FUTEX, GET_SHARED(args), &key2);
645 umtx_key_release(&key);
651 error = futex_atomic_op(td, args->val3, args->uaddr2, &op_ret);
656 ret = umtxq_signal_mask(&key, args->val, args->val3);
658 nrwake = (int)(unsigned long)args->ts;
660 count = umtxq_count(&key2);
662 ret += umtxq_signal_mask(&key2, nrwake, args->val3);
664 ret += umtxq_signal_mask(&key, nrwake, args->val3);
667 td->td_retval[0] = ret;
670 umtx_key_release(&key2);
671 umtx_key_release(&key);
676 linux_futex_requeue(struct thread *td, struct linux_futex_args *args)
678 int nrwake, nrrequeue;
679 struct umtx_key key, key2;
684 * Linux allows this, we would not, it is an incorrect
685 * usage of declared ABI, so return EINVAL.
687 if (args->uaddr == args->uaddr2)
690 nrrequeue = (int)(unsigned long)args->ts;
693 * Sanity check to prevent signed integer overflow,
694 * see Linux CVE-2018-6927
696 if (nrwake < 0 || nrrequeue < 0)
699 error = futex_key_get(args->uaddr, TYPE_FUTEX, GET_SHARED(args), &key);
702 error = futex_key_get(args->uaddr2, TYPE_FUTEX, GET_SHARED(args), &key2);
704 umtx_key_release(&key);
710 error = fueword32(args->uaddr, &uval);
713 else if (args->val3_compare == true && uval != args->val3)
719 td->td_retval[0] = umtxq_requeue(&key, nrwake, &key2, nrrequeue);
723 umtx_key_release(&key2);
724 umtx_key_release(&key);
729 linux_futex_wake(struct thread *td, struct linux_futex_args *args)
737 error = futex_key_get(args->uaddr, TYPE_FUTEX, GET_SHARED(args), &key);
741 td->td_retval[0] = umtxq_signal_mask(&key, args->val, args->val3);
743 umtx_key_release(&key);
748 linux_futex_wait(struct thread *td, struct linux_futex_args *args)
750 struct umtx_abs_timeout timo;
759 error = futex_key_get(args->uaddr, TYPE_FUTEX, GET_SHARED(args),
763 if (args->ts != NULL)
764 linux_umtx_abs_timeout_init(&timo, args);
765 umtxq_lock(&uq->uq_key);
766 umtxq_busy(&uq->uq_key);
767 uq->uq_bitset = args->val3;
769 umtxq_unlock(&uq->uq_key);
770 error = fueword32(args->uaddr, &uval);
773 else if (uval != args->val)
775 umtxq_lock(&uq->uq_key);
776 umtxq_unbusy(&uq->uq_key);
778 error = umtxq_sleep(uq, "futex",
779 args->ts == NULL ? NULL : &timo);
780 if ((uq->uq_flags & UQF_UMTXQ) == 0)
784 } else if ((uq->uq_flags & UQF_UMTXQ) != 0) {
787 umtxq_unlock(&uq->uq_key);
788 umtx_key_release(&uq->uq_key);
793 linux_umtx_abs_timeout_init(struct umtx_abs_timeout *timo,
794 struct linux_futex_args *args)
796 int clockid, absolute;
799 * The FUTEX_CLOCK_REALTIME option bit can be employed only with the
800 * FUTEX_WAIT_BITSET, FUTEX_WAIT_REQUEUE_PI, FUTEX_LOCK_PI2.
801 * For FUTEX_WAIT, timeout is interpreted as a relative value, for other
802 * futex operations timeout is interpreted as an absolute value.
803 * If FUTEX_CLOCK_REALTIME option bit is set, the Linux kernel measures
804 * the timeout against the CLOCK_REALTIME clock, otherwise the kernel
805 * measures the timeout against the CLOCK_MONOTONIC clock.
807 clockid = args->clockrt ? CLOCK_REALTIME : CLOCK_MONOTONIC;
808 absolute = args->op == LINUX_FUTEX_WAIT ? false : true;
809 umtx_abs_timeout_init(timo, clockid, absolute, args->ts);
813 linux_sys_futex(struct thread *td, struct linux_sys_futex_args *args)
815 struct linux_futex_args fargs = {
816 .uaddr = args->uaddr,
820 .uaddr2 = args->uaddr2,
822 .val3_compare = true,
826 switch (args->op & LINUX_FUTEX_CMD_MASK) {
827 case LINUX_FUTEX_WAIT:
828 case LINUX_FUTEX_WAIT_BITSET:
829 case LINUX_FUTEX_LOCK_PI:
830 case LINUX_FUTEX_LOCK_PI2:
831 if (args->timeout != NULL) {
832 error = linux_get_timespec(&fargs.kts, args->timeout);
835 fargs.ts = &fargs.kts;
839 fargs.ts = PTRIN(args->timeout);
841 return (linux_futex(td, &fargs));
844 #if defined(__i386__) || (defined(__amd64__) && defined(COMPAT_LINUX32))
846 linux_sys_futex_time64(struct thread *td,
847 struct linux_sys_futex_time64_args *args)
849 struct linux_futex_args fargs = {
850 .uaddr = args->uaddr,
854 .uaddr2 = args->uaddr2,
856 .val3_compare = true,
860 switch (args->op & LINUX_FUTEX_CMD_MASK) {
861 case LINUX_FUTEX_WAIT:
862 case LINUX_FUTEX_WAIT_BITSET:
863 case LINUX_FUTEX_LOCK_PI:
864 case LINUX_FUTEX_LOCK_PI2:
865 if (args->timeout != NULL) {
866 error = linux_get_timespec64(&fargs.kts, args->timeout);
869 fargs.ts = &fargs.kts;
873 fargs.ts = PTRIN(args->timeout);
875 return (linux_futex(td, &fargs));
880 linux_set_robust_list(struct thread *td, struct linux_set_robust_list_args *args)
882 struct linux_emuldata *em;
884 if (args->len != sizeof(struct linux_robust_list_head))
888 em->robust_futexes = args->head;
894 linux_get_robust_list(struct thread *td, struct linux_get_robust_list_args *args)
896 struct linux_emuldata *em;
897 struct linux_robust_list_head *head;
904 KASSERT(em != NULL, ("get_robust_list: emuldata notfound.\n"));
905 head = em->robust_futexes;
907 td2 = linux_tdfind(td, args->pid, -1);
910 if (SV_PROC_ABI(td2->td_proc) != SV_ABI_LINUX) {
911 PROC_UNLOCK(td2->td_proc);
916 KASSERT(em != NULL, ("get_robust_list: emuldata notfound.\n"));
918 if (priv_check(td, PRIV_CRED_SETUID) ||
919 priv_check(td, PRIV_CRED_SETEUID) ||
920 p_candebug(td, td2->td_proc)) {
921 PROC_UNLOCK(td2->td_proc);
924 head = em->robust_futexes;
926 PROC_UNLOCK(td2->td_proc);
929 len = sizeof(struct linux_robust_list_head);
930 error = copyout(&len, args->len, sizeof(l_size_t));
934 return (copyout(&head, args->head, sizeof(l_uintptr_t)));
938 handle_futex_death(struct thread *td, struct linux_emuldata *em, uint32_t *uaddr,
939 unsigned int pi, bool pending_op)
941 uint32_t uval, nval, mval;
945 error = fueword32(uaddr, &uval);
950 * Special case for regular (non PI) futexes. The unlock path in
951 * user space has two race scenarios:
953 * 1. The unlock path releases the user space futex value and
954 * before it can execute the futex() syscall to wake up
955 * waiters it is killed.
957 * 2. A woken up waiter is killed before it can acquire the
958 * futex in user space.
960 * In both cases the TID validation below prevents a wakeup of
961 * potential waiters which can cause these waiters to block
964 * In both cases it is safe to attempt waking up a potential
965 * waiter without touching the user space futex value and trying
966 * to set the OWNER_DIED bit.
968 if (pending_op && !pi && !uval) {
969 (void)futex_wake(td, uaddr, 1, true);
973 if ((uval & FUTEX_TID_MASK) == em->em_tid) {
974 mval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
975 error = casueword32(uaddr, uval, &nval, mval);
979 error = thread_check_susp(td, false);
985 if (!pi && (uval & FUTEX_WAITERS)) {
986 error = futex_wake(td, uaddr, 1, true);
989 } else if (pi && (uval & FUTEX_WAITERS)) {
990 error = futex_wake_pi(td, uaddr, true);
1000 fetch_robust_entry(struct linux_robust_list **entry,
1001 struct linux_robust_list **head, unsigned int *pi)
1006 error = copyin((const void *)head, &uentry, sizeof(uentry));
1010 *entry = (void *)(uentry & ~1UL);
1016 #define LINUX_HANDLE_DEATH_PENDING true
1017 #define LINUX_HANDLE_DEATH_LIST false
1019 /* This walks the list of robust futexes releasing them. */
1021 release_futexes(struct thread *td, struct linux_emuldata *em)
1023 struct linux_robust_list_head *head;
1024 struct linux_robust_list *entry, *next_entry, *pending;
1025 unsigned int limit = 2048, pi, next_pi, pip;
1027 l_long futex_offset;
1030 head = em->robust_futexes;
1034 if (fetch_robust_entry(&entry, PTRIN(&head->list.next), &pi))
1037 error = copyin(&head->futex_offset, &futex_offset,
1038 sizeof(futex_offset));
1042 if (fetch_robust_entry(&pending, PTRIN(&head->pending_list), &pip))
1045 while (entry != &head->list) {
1046 error = fetch_robust_entry(&next_entry, PTRIN(&entry->next),
1050 * A pending lock might already be on the list, so
1051 * don't process it twice.
1053 if (entry != pending) {
1054 uaddr = (uint32_t *)((caddr_t)entry + futex_offset);
1055 if (handle_futex_death(td, em, uaddr, pi,
1056 LINUX_HANDLE_DEATH_LIST))
1068 sched_relinquish(curthread);
1072 uaddr = (uint32_t *)((caddr_t)pending + futex_offset);
1073 (void)handle_futex_death(td, em, uaddr, pip,
1074 LINUX_HANDLE_DEATH_PENDING);