Date: Fri, 17 Jun 2022 19:37:38 GMT
Message-Id: <202206171937.25HJbcGn013614@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dmitry Chagin
Subject: git: 14f6f3bdcfe8 - stable/13 - linux(4): Handle special case for regular futex in handle_futex_death().
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: dchagin
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 14f6f3bdcfe8f44b04bad5043d3941fc19b2f004

The branch stable/13 has been updated by dchagin:

URL:
https://cgit.FreeBSD.org/src/commit/?id=14f6f3bdcfe8f44b04bad5043d3941fc19b2f004

commit 14f6f3bdcfe8f44b04bad5043d3941fc19b2f004
Author: Dmitry Chagin
AuthorDate: 2021-07-29 09:51:39 +0000
Commit: Dmitry Chagin
CommitDate: 2022-06-17 19:33:21 +0000

    linux(4): Handle special case for regular futex in handle_futex_death().

    Handle some races in handle_futex_death() which can prevent a wakeup of
    potential waiters which can cause these waiters to block forever.

    Differential Revision: https://reviews.freebsd.org/D31280
    MFC after: 2 weeks

    (cherry picked from commit b59cf25eac06c1feb2d35a5a3d8a089ae62fd0df)

--- sys/compat/linux/linux_futex.c | 54 +++++++++++++++++++++++++++++++++++------- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c index c81fe20212a2..8bc8879c92c6 100644 --- a/sys/compat/linux/linux_futex.c +++ b/sys/compat/linux/linux_futex.c @@ -108,7 +108,7 @@ LIN_SDT_PROBE_DEFINE1(futex, release_futexes, copyin_error, "int"); static int futex_atomic_op(struct thread *, int, uint32_t *); static int handle_futex_death(struct thread *td, struct linux_emuldata *, - uint32_t *, unsigned int); + uint32_t *, unsigned int, bool); static int fetch_robust_entry(struct linux_robust_list **, struct linux_robust_list **, unsigned int *); @@ -995,7 +995,7 @@ linux_get_robust_list(struct thread *td, struct linux_get_robust_list_args *args static int handle_futex_death(struct thread *td, struct linux_emuldata *em, uint32_t *uaddr, - unsigned int pi) + unsigned int pi, bool pending_op) { uint32_t uval, nval, mval; int error; 
@@ -1004,6 +1004,31 @@ retry: error = fueword32(uaddr, &uval); if (error != 0) return (EFAULT); + + /* + * Special case for regular (non PI) futexes. The unlock path in + * user space has two race scenarios: + * + * 1. The unlock path releases the user space futex value and + * before it can execute the futex() syscall to wake up + * waiters it is killed. + * + * 2. A woken up waiter is killed before it can acquire the + * futex in user space. + * + * In both cases the TID validation below prevents a wakeup of + * potential waiters which can cause these waiters to block + * forever. + * + * In both cases it is safe to attempt waking up a potential + * waiter without touching the user space futex value and trying + * to set the OWNER_DIED bit. + */ + if (pending_op && !pi && !uval) { + (void)futex_wake(td, uaddr, 1, true); + return (0); + } + if ((uval & FUTEX_TID_MASK) == em->em_tid) { mval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED; error = casueword32(uaddr, uval, &nval, mval); @@ -1049,6 +1074,9 @@ fetch_robust_entry(struct linux_robust_list **entry, return (0); } +#define LINUX_HANDLE_DEATH_PENDING true +#define LINUX_HANDLE_DEATH_LIST false + /* This walks the list of robust futexes releasing them. */ void release_futexes(struct thread *td, struct linux_emuldata *em) @@ -1056,6 +1084,7 @@ release_futexes(struct thread *td, struct linux_emuldata *em) struct linux_robust_list_head *head = NULL; struct linux_robust_list *entry, *next_entry, *pending; unsigned int limit = 2048, pi, next_pi, pip; + uint32_t *uaddr; l_long futex_offset; int rc, error; 
@@ -1080,11 +1109,16 @@ release_futexes(struct thread *td, struct linux_emuldata *em) while (entry != &head->list) { rc = fetch_robust_entry(&next_entry, PTRIN(&entry->next), &next_pi); - if (entry != pending) - if (handle_futex_death(td, em, - (uint32_t *)((caddr_t)entry + futex_offset), pi)) { + /* + * A pending lock might already be on the list, so + * don't process it twice. + */ + if (entry != pending) { + uaddr = (uint32_t *)((caddr_t)entry + futex_offset); + if (handle_futex_death(td, em, uaddr, pi, + LINUX_HANDLE_DEATH_LIST)) return; - } + } if (rc) return; @@ -1097,7 +1131,9 @@ release_futexes(struct thread *td, struct linux_emuldata *em) sched_relinquish(curthread); } - if (pending) - handle_futex_death(td, em, - (uint32_t *)((caddr_t)pending + futex_offset), pip); + if (pending) { + uaddr = (uint32_t *)((caddr_t)pending + futex_offset); + (void)handle_futex_death(td, em, uaddr, pip, + LINUX_HANDLE_DEATH_PENDING); + } }
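
Review bot: In the @@ -1004 hunk of handle_futex_death(), the new test `if (pending_op && !pi && !uval)` applies `!` to `pi` (unsigned int) and `uval` (uint32_t), neither of which is a boolean; spelling it `pending_op && pi == 0 && uval == 0` would state the "non-PI futex whose value has already been released" condition directly. In the same block the last argument of `futex_wake(td, uaddr, 1, true)` is a bare `true` whose meaning cannot be read at the call site, so a short comment naming what that flag selects would help the next reader.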
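
Review bot: In the @@ -1049 hunk, LINUX_HANDLE_DEATH_PENDING and LINUX_HANDLE_DEATH_LIST are defined below handle_futex_death(), the function whose `pending_op` argument they are meant for, and the prototype changed in the @@ -108 hunk gains only an unnamed `bool`. Moving the two defines above the prototype, with a one-line comment saying they are the values for `pending_op`, would keep the flag and its meaning in one place; as written, a reader of the function has to search forward to learn that `true` means "the list_op_pending entry".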
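
Review bot: In the @@ -1080 hunk of release_futexes(), the loop still leaves through `return` when handle_futex_death() fails on a list entry or when `rc` is set, and both exits come before the `if (pending)` block in the @@ -1097 hunk, so the new pending-op wakeup never runs on those paths. If skipping the pending entry after a faulting list entry is intended, a comment at the `return` should say so; otherwise the loop could `break` so that the pending entry is still handled and its waiter still gets a wakeup attempt.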