add boot partition size

hc

2023-12-11 d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d

 kernel/kernel/futex.c
..
..
@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-or-later
1
2
 /*
2
3
  *  Fast Userspace Mutexes (which I call "Futexes!").
3
4
  *  (C) Rusty Russell, IBM 2002
..
..
@@ -29,49 +30,20 @@
29
30
  *
30
31
  *  "The futexes are also cursed."
31
32
  *  "But they come in a choice of three flavours!"
32
- *
33
- *  This program is free software; you can redistribute it and/or modify
34
- *  it under the terms of the GNU General Public License as published by
35
- *  the Free Software Foundation; either version 2 of the License, or
36
- *  (at your option) any later version.
37
- *
38
- *  This program is distributed in the hope that it will be useful,
39
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
40
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
41
- *  GNU General Public License for more details.
42
- *
43
- *  You should have received a copy of the GNU General Public License
44
- *  along with this program; if not, write to the Free Software
45
- *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
46
33
  */
47
34
 #include <linux/compat.h>
48
-#include <linux/slab.h>
49
-#include <linux/poll.h>
50
-#include <linux/fs.h>
51
-#include <linux/file.h>
52
35
 #include <linux/jhash.h>
53
-#include <linux/init.h>
54
-#include <linux/futex.h>
55
-#include <linux/mount.h>
56
36
 #include <linux/pagemap.h>
57
37
 #include <linux/syscalls.h>
58
-#include <linux/signal.h>
59
-#include <linux/export.h>
60
-#include <linux/magic.h>
61
-#include <linux/pid.h>
62
-#include <linux/nsproxy.h>
63
-#include <linux/ptrace.h>
64
-#include <linux/sched/rt.h>
65
-#include <linux/sched/wake_q.h>
66
-#include <linux/sched/mm.h>
67
-#include <linux/hugetlb.h>
68
38
 #include <linux/freezer.h>
69
-#include <linux/bootmem.h>
39
+#include <linux/memblock.h>
70
40
 #include <linux/fault-inject.h>
41
+#include <linux/time_namespace.h>
71
42
 
72
43
 #include <asm/futex.h>
73
44
 
74
45
 #include "locking/rtmutex_common.h"
46
+#include <trace/hooks/futex.h>
75
47
 
76
48
 /*
77
49
  * READ this before attempting to hack on futexes!
..
..
@@ -147,8 +119,7 @@
147
119
  *
148
120
  * Where (A) orders the waiters increment and the futex value read through
149
121
  * atomic operations (see hb_waiters_inc) and where (B) orders the write
150
- * to futex and the waiters read -- this is done by the barriers for both
151
- * shared and private futexes in get_futex_key_refs().
122
+ * to futex and the waiters read (see hb_waiters_pending()).
152
123
  *
153
124
  * This yields the following case (where X:=waiters, Y:=futex):
154
125
  *
..
..
@@ -212,7 +183,7 @@
212
183
 	struct rt_mutex pi_mutex;
213
184
 
214
185
 	struct task_struct *owner;
215
-	atomic_t refcount;
186
+	refcount_t refcount;
216
187
 
217
188
 	union futex_key key;
218
189
 } __randomize_layout;
..
..
@@ -321,12 +292,8 @@
321
292
 	if (IS_ERR(dir))
322
293
 		return PTR_ERR(dir);
323
294
 
324
-	if (!debugfs_create_bool("ignore-private", mode, dir,
325
-				 &fail_futex.ignore_private)) {
326
-		debugfs_remove_recursive(dir);
327
-		return -ENOMEM;
328
-	}
329
-
295
+	debugfs_create_bool("ignore-private", mode, dir,
296
+			    &fail_futex.ignore_private);
330
297
 	return 0;
331
298
 }
332
299
 
..
..
@@ -346,17 +313,6 @@
346
313
 #else
347
314
 static inline void compat_exit_robust_list(struct task_struct *curr) { }
348
315
 #endif
349
-
350
-static inline void futex_get_mm(union futex_key *key)
351
-{
352
-	mmgrab(key->private.mm);
353
-	/*
354
-	 * Ensure futex_get_mm() implies a full barrier such that
355
-	 * get_futex_key() implies a full barrier. This is relied upon
356
-	 * as smp_mb(); (B), see the ordering comment above.
357
-	 */
358
-	smp_mb__after_atomic();
359
-}
360
316
 
361
317
 /*
362
318
  * Reflects a new waiter being added to the waitqueue.
..
..
@@ -386,6 +342,10 @@
386
342
 static inline int hb_waiters_pending(struct futex_hash_bucket *hb)
387
343
 {
388
344
 #ifdef CONFIG_SMP
345
+	/*
346
+	 * Full barrier (B), see the ordering comment above.
347
+	 */
348
+	smp_mb();
389
349
 	return atomic_read(&hb->waiters);
390
350
 #else
391
351
 	return 1;
..
..
@@ -423,67 +383,38 @@
423
383
 		&& key1->both.offset == key2->both.offset);
424
384
 }
425
385
 
426
-/*
427
- * Take a reference to the resource addressed by a key.
428
- * Can be called while holding spinlocks.
386
+enum futex_access {
387
+	FUTEX_READ,
388
+	FUTEX_WRITE
389
+};
390
+
391
+/**
392
+ * futex_setup_timer - set up the sleeping hrtimer.
393
+ * @time:	ptr to the given timeout value
394
+ * @timeout:	the hrtimer_sleeper structure to be set up
395
+ * @flags:	futex flags
396
+ * @range_ns:	optional range in ns
429
397
  *
398
+ * Return: Initialized hrtimer_sleeper structure or NULL if no timeout
399
+ *	   value given
430
400
  */
431
-static void get_futex_key_refs(union futex_key *key)
401
+static inline struct hrtimer_sleeper *
402
+futex_setup_timer(ktime_t *time, struct hrtimer_sleeper *timeout,
403
+		  int flags, u64 range_ns)
432
404
 {
433
-	if (!key->both.ptr)
434
-		return;
405
+	if (!time)
406
+		return NULL;
435
407
 
408
+	hrtimer_init_sleeper_on_stack(timeout, (flags & FLAGS_CLOCKRT) ?
409
+				      CLOCK_REALTIME : CLOCK_MONOTONIC,
410
+				      HRTIMER_MODE_ABS);
436
411
 	/*
437
-	 * On MMU less systems futexes are always "private" as there is no per
438
-	 * process address space. We need the smp wmb nevertheless - yes,
439
-	 * arch/blackfin has MMU less SMP ...
412
+	 * If range_ns is 0, calling hrtimer_set_expires_range_ns() is
413
+	 * effectively the same as calling hrtimer_set_expires().
440
414
 	 */
441
-	if (!IS_ENABLED(CONFIG_MMU)) {
442
-		smp_mb(); /* explicit smp_mb(); (B) */
443
-		return;
444
-	}
415
+	hrtimer_set_expires_range_ns(&timeout->timer, *time, range_ns);
445
416
 
446
-	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
447
-	case FUT_OFF_INODE:
448
-		smp_mb();		/* explicit smp_mb(); (B) */
449
-		break;
450
-	case FUT_OFF_MMSHARED:
451
-		futex_get_mm(key); /* implies smp_mb(); (B) */
452
-		break;
453
-	default:
454
-		/*
455
-		 * Private futexes do not hold reference on an inode or
456
-		 * mm, therefore the only purpose of calling get_futex_key_refs
457
-		 * is because we need the barrier for the lockless waiter check.
458
-		 */
459
-		smp_mb(); /* explicit smp_mb(); (B) */
460
-	}
461
-}
462
-
463
-/*
464
- * Drop a reference to the resource addressed by a key.
465
- * The hash bucket spinlock must not be held. This is
466
- * a no-op for private futexes, see comment in the get
467
- * counterpart.
468
- */
469
-static void drop_futex_key_refs(union futex_key *key)
470
-{
471
-	if (!key->both.ptr) {
472
-		/* If we're here then we tried to put a key we failed to get */
473
-		WARN_ON_ONCE(1);
474
-		return;
475
-	}
476
-
477
-	if (!IS_ENABLED(CONFIG_MMU))
478
-		return;
479
-
480
-	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
481
-	case FUT_OFF_INODE:
482
-		break;
483
-	case FUT_OFF_MMSHARED:
484
-		mmdrop(key->private.mm);
485
-		break;
486
-	}
417
+	return timeout;
487
418
 }
488
419
 
489
420
 /*
..
..
@@ -529,20 +460,23 @@
529
460
 /**
530
461
  * get_futex_key() - Get parameters which are the keys for a futex
531
462
  * @uaddr:	virtual address of the futex
532
- * @fshared:	0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
463
+ * @fshared:	false for a PROCESS_PRIVATE futex, true for PROCESS_SHARED
533
464
  * @key:	address where result is stored.
534
- * @rw:		mapping needs to be read/write (values: VERIFY_READ,
535
- *              VERIFY_WRITE)
465
+ * @rw:		mapping needs to be read/write (values: FUTEX_READ,
466
+ *              FUTEX_WRITE)
536
467
  *
537
468
  * Return: a negative error code or 0
538
469
  *
539
470
  * The key words are stored in @key on success.
540
471
  *
541
472
  * For shared mappings (when @fshared), the key is:
473
+ *
542
474
  *   ( inode->i_sequence, page->index, offset_within_page )
475
+ *
543
476
  * [ also see get_inode_sequence_number() ]
544
477
  *
545
478
  * For private mappings (or when !@fshared), the key is:
479
+ *
546
480
  *   ( current->mm, address, 0 )
547
481
  *
548
482
  * This allows (cross process, where applicable) identification of the futex
..
..
@@ -550,8 +484,8 @@
550
484
  *
551
485
  * lock_page() might sleep, the caller should not hold a spinlock.
552
486
  */
553
-static int
554
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
487
+static int get_futex_key(u32 __user *uaddr, bool fshared, union futex_key *key,
488
+			 enum futex_access rw)
555
489
 {
556
490
 	unsigned long address = (unsigned long)uaddr;
557
491
 	struct mm_struct *mm = current->mm;
..
..
@@ -567,7 +501,7 @@
567
501
 		return -EINVAL;
568
502
 	address -= key->both.offset;
569
503
 
570
-	if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
504
+	if (unlikely(!access_ok(uaddr, sizeof(u32))))
571
505
 		return -EFAULT;
572
506
 
573
507
 	if (unlikely(should_fail_futex(fshared)))
..
..
@@ -583,21 +517,20 @@
583
517
 	if (!fshared) {
584
518
 		key->private.mm = mm;
585
519
 		key->private.address = address;
586
-		get_futex_key_refs(key);  /* implies smp_mb(); (B) */
587
520
 		return 0;
588
521
 	}
589
522
 
590
523
 again:
591
524
 	/* Ignore any VERIFY_READ mapping (futex common case) */
592
-	if (unlikely(should_fail_futex(fshared)))
525
+	if (unlikely(should_fail_futex(true)))
593
526
 		return -EFAULT;
594
527
 
595
-	err = get_user_pages_fast(address, 1, 1, &page);
528
+	err = get_user_pages_fast(address, 1, FOLL_WRITE, &page);
596
529
 	/*
597
530
 	 * If write access is not required (eg. FUTEX_WAIT), try
598
531
 	 * and get read-only access.
599
532
 	 */
600
-	if (err == -EFAULT && rw == VERIFY_READ) {
533
+	if (err == -EFAULT && rw == FUTEX_READ) {
601
534
 		err = get_user_pages_fast(address, 1, 0, &page);
602
535
 		ro = 1;
603
536
 	}
..
..
@@ -654,7 +587,7 @@
654
587
 		lock_page(page);
655
588
 		shmem_swizzled = PageSwapCache(page) || page->mapping;
656
589
 		unlock_page(page);
657
-		put_page(page);
590
+		put_user_page(page);
658
591
 
659
592
 		if (shmem_swizzled)
660
593
 			goto again;
..
..
@@ -677,7 +610,7 @@
677
610
 		 * A RO anonymous page will never change and thus doesn't make
678
611
 		 * sense for futex operations.
679
612
 		 */
680
-		if (unlikely(should_fail_futex(fshared)) || ro) {
613
+		if (unlikely(should_fail_futex(true)) || ro) {
681
614
 			err = -EFAULT;
682
615
 			goto out;
683
616
 		}
..
..
@@ -704,7 +637,7 @@
704
637
 
705
638
 		if (READ_ONCE(page->mapping) != mapping) {
706
639
 			rcu_read_unlock();
707
-			put_page(page);
640
+			put_user_page(page);
708
641
 
709
642
 			goto again;
710
643
 		}
..
..
@@ -712,7 +645,7 @@
712
645
 		inode = READ_ONCE(mapping->host);
713
646
 		if (!inode) {
714
647
 			rcu_read_unlock();
715
-			put_page(page);
648
+			put_user_page(page);
716
649
 
717
650
 			goto again;
718
651
 		}
..
..
@@ -723,16 +656,9 @@
723
656
 		rcu_read_unlock();
724
657
 	}
725
658
 
726
-	get_futex_key_refs(key); /* implies smp_mb(); (B) */
727
-
728
659
 out:
729
-	put_page(page);
660
+	put_user_page(page);
730
661
 	return err;
731
-}
732
-
733
-static inline void put_futex_key(union futex_key *key)
734
-{
735
-	drop_futex_key_refs(key);
736
662
 }
737
663
 
738
664
 /**
..
..
@@ -752,10 +678,10 @@
752
678
 	struct mm_struct *mm = current->mm;
753
679
 	int ret;
754
680
 
755
-	down_read(&mm->mmap_sem);
756
-	ret = fixup_user_fault(current, mm, (unsigned long)uaddr,
681
+	mmap_read_lock(mm);
682
+	ret = fixup_user_fault(mm, (unsigned long)uaddr,
757
683
 			       FAULT_FLAG_WRITE, NULL);
758
-	up_read(&mm->mmap_sem);
684
+	mmap_read_unlock(mm);
759
685
 
760
686
 	return ret < 0 ? ret : 0;
761
687
 }
..
..
@@ -821,7 +747,7 @@
821
747
 	INIT_LIST_HEAD(&pi_state->list);
822
748
 	/* pi_mutex gets initialized later */
823
749
 	pi_state->owner = NULL;
824
-	atomic_set(&pi_state->refcount, 1);
750
+	refcount_set(&pi_state->refcount, 1);
825
751
 	pi_state->key = FUTEX_KEY_INIT;
826
752
 
827
753
 	current->pi_state_cache = pi_state;
..
..
@@ -864,7 +790,7 @@
864
790
 
865
791
 static void get_pi_state(struct futex_pi_state *pi_state)
866
792
 {
867
-	WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount));
793
+	WARN_ON_ONCE(!refcount_inc_not_zero(&pi_state->refcount));
868
794
 }
869
795
 
870
796
 /*
..
..
@@ -876,7 +802,7 @@
876
802
 	if (!pi_state)
877
803
 		return;
878
804
 
879
-	if (!atomic_dec_and_test(&pi_state->refcount))
805
+	if (!refcount_dec_and_test(&pi_state->refcount))
880
806
 		return;
881
807
 
882
808
 	/*
..
..
@@ -901,7 +827,7 @@
901
827
 		 * refcount is at 0 - put it back to 1.
902
828
 		 */
903
829
 		pi_state->owner = NULL;
904
-		atomic_set(&pi_state->refcount, 1);
830
+		refcount_set(&pi_state->refcount, 1);
905
831
 		current->pi_state_cache = pi_state;
906
832
 	}
907
833
 }
..
..
@@ -944,7 +870,7 @@
944
870
 		 * In that case; drop the locks to let put_pi_state() make
945
871
 		 * progress and retry the loop.
946
872
 		 */
947
-		if (!atomic_inc_not_zero(&pi_state->refcount)) {
873
+		if (!refcount_inc_not_zero(&pi_state->refcount)) {
948
874
 			raw_spin_unlock_irq(&curr->pi_lock);
949
875
 			cpu_relax();
950
876
 			raw_spin_lock_irq(&curr->pi_lock);
..
..
@@ -1009,7 +935,7 @@
1009
935
  * [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
1010
936
  *
1011
937
  * [1]	Indicates that the kernel can acquire the futex atomically. We
1012
- *	came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
938
+ *	came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
1013
939
  *
1014
940
  * [2]	Valid, if TID does not belong to a kernel thread. If no matching
1015
941
  *      thread is found then it indicates that the owner TID has died.
..
..
@@ -1102,7 +1028,7 @@
1102
1028
 	 * and futex_wait_requeue_pi() as it cannot go to 0 and consequently
1103
1029
 	 * free pi_state before we can take a reference ourselves.
1104
1030
 	 */
1105
-	WARN_ON(!atomic_read(&pi_state->refcount));
1031
+	WARN_ON(!refcount_read(&pi_state->refcount));
1106
1032
 
1107
1033
 	/*
1108
1034
 	 * Now that we have a pi_state, we can acquire wait_lock
..
..
@@ -1196,6 +1122,7 @@
1196
1122
 
1197
1123
 /**
1198
1124
  * wait_for_owner_exiting - Block until the owner has exited
1125
+ * @ret: owner's current futex lock status
1199
1126
  * @exiting:	Pointer to the exiting task
1200
1127
  *
1201
1128
  * Caller must hold a refcount on @exiting.
..
..
@@ -1398,7 +1325,7 @@
1398
1325
 static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
1399
1326
 {
1400
1327
 	int err;
1401
-	u32 uninitialized_var(curval);
1328
+	u32 curval;
1402
1329
 
1403
1330
 	if (unlikely(should_fail_futex(true)))
1404
1331
 		return -EFAULT;
..
..
@@ -1523,9 +1450,9 @@
1523
1450
 {
1524
1451
 	struct futex_hash_bucket *hb;
1525
1452
 
1526
-	if (WARN_ON_SMP(!q->lock_ptr || !spin_is_locked(q->lock_ptr))
1527
-	    || WARN_ON(plist_node_empty(&q->list)))
1453
+	if (WARN_ON_SMP(!q->lock_ptr) || WARN_ON(plist_node_empty(&q->list)))
1528
1454
 		return;
1455
+	lockdep_assert_held(q->lock_ptr);
1529
1456
 
1530
1457
 	hb = container_of(q->lock_ptr, struct futex_hash_bucket, lock);
1531
1458
 	plist_del(&q->list, &hb->chain);
..
..
@@ -1558,10 +1485,9 @@
1558
1485
 
1559
1486
 	/*
1560
1487
 	 * Queue the task for later wakeup for after we've released
1561
-	 * the hb->lock. wake_q_add() grabs reference to p.
1488
+	 * the hb->lock.
1562
1489
 	 */
1563
-	wake_q_add(wake_q, p);
1564
-	put_task_struct(p);
1490
+	wake_q_add_safe(wake_q, p);
1565
1491
 }
1566
1492
 
1567
1493
 /*
..
..
@@ -1569,10 +1495,11 @@
1569
1495
  */
1570
1496
 static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state)
1571
1497
 {
1572
-	u32 uninitialized_var(curval), newval;
1498
+	u32 curval, newval;
1573
1499
 	struct task_struct *new_owner;
1574
1500
 	bool postunlock = false;
1575
1501
 	DEFINE_WAKE_Q(wake_q);
1502
+	DEFINE_WAKE_Q(wake_sleeper_q);
1576
1503
 	int ret = 0;
1577
1504
 
1578
1505
 	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
..
..
@@ -1622,14 +1549,15 @@
1622
1549
 		 * not fail.
1623
1550
 		 */
1624
1551
 		pi_state_update_owner(pi_state, new_owner);
1625
-		postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q);
1552
+		postunlock = __rt_mutex_futex_unlock(&pi_state->pi_mutex, &wake_q,
1553
+						     &wake_sleeper_q);
1626
1554
 	}
1627
1555
 
1628
1556
 out_unlock:
1629
1557
 	raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1630
1558
 
1631
1559
 	if (postunlock)
1632
-		rt_mutex_postunlock(&wake_q);
1560
+		rt_mutex_postunlock(&wake_q, &wake_sleeper_q);
1633
1561
 
1634
1562
 	return ret;
1635
1563
 }
..
..
@@ -1668,23 +1596,25 @@
1668
1596
 	struct futex_q *this, *next;
1669
1597
 	union futex_key key = FUTEX_KEY_INIT;
1670
1598
 	int ret;
1599
+	int target_nr;
1671
1600
 	DEFINE_WAKE_Q(wake_q);
1672
1601
 
1673
1602
 	if (!bitset)
1674
1603
 		return -EINVAL;
1675
1604
 
1676
-	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_READ);
1605
+	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_READ);
1677
1606
 	if (unlikely(ret != 0))
1678
-		goto out;
1607
+		return ret;
1679
1608
 
1680
1609
 	hb = hash_futex(&key);
1681
1610
 
1682
1611
 	/* Make sure we really have tasks to wakeup */
1683
1612
 	if (!hb_waiters_pending(hb))
1684
-		goto out_put_key;
1613
+		return ret;
1685
1614
 
1686
1615
 	spin_lock(&hb->lock);
1687
1616
 
1617
+	trace_android_vh_futex_wake_traverse_plist(&hb->chain, &target_nr, key, bitset);
1688
1618
 	plist_for_each_entry_safe(this, next, &hb->chain, list) {
1689
1619
 		if (match_futex (&this->key, &key)) {
1690
1620
 			if (this->pi_state || this->rt_waiter) {
..
..
@@ -1696,6 +1626,7 @@
1696
1626
 			if (!(this->bitset & bitset))
1697
1627
 				continue;
1698
1628
 
1629
+			trace_android_vh_futex_wake_this(ret, nr_wake, target_nr, this->task);
1699
1630
 			mark_wake_futex(&wake_q, this);
1700
1631
 			if (++ret >= nr_wake)
1701
1632
 				break;
..
..
@@ -1704,9 +1635,7 @@
1704
1635
 
1705
1636
 	spin_unlock(&hb->lock);
1706
1637
 	wake_up_q(&wake_q);
1707
-out_put_key:
1708
-	put_futex_key(&key);
1709
-out:
1638
+	trace_android_vh_futex_wake_up_q_finish(nr_wake, target_nr);
1710
1639
 	return ret;
1711
1640
 }
1712
1641
 
..
..
@@ -1732,10 +1661,9 @@
1732
1661
 		oparg = 1 << oparg;
1733
1662
 	}
1734
1663
 
1735
-	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1736
-		return -EFAULT;
1737
-
1664
+	pagefault_disable();
1738
1665
 	ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
1666
+	pagefault_enable();
1739
1667
 	if (ret)
1740
1668
 		return ret;
1741
1669
 
..
..
@@ -1772,12 +1700,12 @@
1772
1700
 	DEFINE_WAKE_Q(wake_q);
1773
1701
 
1774
1702
 retry:
1775
-	ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
1703
+	ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
1776
1704
 	if (unlikely(ret != 0))
1777
-		goto out;
1778
-	ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
1705
+		return ret;
1706
+	ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
1779
1707
 	if (unlikely(ret != 0))
1780
-		goto out_put_key1;
1708
+		return ret;
1781
1709
 
1782
1710
 	hb1 = hash_futex(&key1);
1783
1711
 	hb2 = hash_futex(&key2);
..
..
@@ -1795,13 +1723,13 @@
1795
1723
 			 * an MMU, but we might get them from range checking
1796
1724
 			 */
1797
1725
 			ret = op_ret;
1798
-			goto out_put_keys;
1726
+			return ret;
1799
1727
 		}
1800
1728
 
1801
1729
 		if (op_ret == -EFAULT) {
1802
1730
 			ret = fault_in_user_writeable(uaddr2);
1803
1731
 			if (ret)
1804
-				goto out_put_keys;
1732
+				return ret;
1805
1733
 		}
1806
1734
 
1807
1735
 		if (!(flags & FLAGS_SHARED)) {
..
..
@@ -1809,8 +1737,6 @@
1809
1737
 			goto retry_private;
1810
1738
 		}
1811
1739
 
1812
-		put_futex_key(&key2);
1813
-		put_futex_key(&key1);
1814
1740
 		cond_resched();
1815
1741
 		goto retry;
1816
1742
 	}
..
..
@@ -1846,11 +1772,6 @@
1846
1772
 out_unlock:
1847
1773
 	double_unlock_hb(hb1, hb2);
1848
1774
 	wake_up_q(&wake_q);
1849
-out_put_keys:
1850
-	put_futex_key(&key2);
1851
-out_put_key1:
1852
-	put_futex_key(&key1);
1853
-out:
1854
1775
 	return ret;
1855
1776
 }
1856
1777
 
..
..
@@ -1877,7 +1798,6 @@
1877
1798
 		plist_add(&q->list, &hb2->chain);
1878
1799
 		q->lock_ptr = &hb2->lock;
1879
1800
 	}
1880
-	get_futex_key_refs(key2);
1881
1801
 	q->key = *key2;
1882
1802
 }
1883
1803
 
..
..
@@ -1899,7 +1819,6 @@
1899
1819
 void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
1900
1820
 			   struct futex_hash_bucket *hb)
1901
1821
 {
1902
-	get_futex_key_refs(key);
1903
1822
 	q->key = *key;
1904
1823
 
1905
1824
 	__unqueue_futex(q);
..
..
@@ -2010,7 +1929,7 @@
2010
1929
 			 u32 *cmpval, int requeue_pi)
2011
1930
 {
2012
1931
 	union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
2013
-	int drop_count = 0, task_count = 0, ret;
1932
+	int task_count = 0, ret;
2014
1933
 	struct futex_pi_state *pi_state = NULL;
2015
1934
 	struct futex_hash_bucket *hb1, *hb2;
2016
1935
 	struct futex_q *this, *next;
..
..
@@ -2057,22 +1976,20 @@
2057
1976
 	}
2058
1977
 
2059
1978
 retry:
2060
-	ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
1979
+	ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
2061
1980
 	if (unlikely(ret != 0))
2062
-		goto out;
1981
+		return ret;
2063
1982
 	ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
2064
-			    requeue_pi ? VERIFY_WRITE : VERIFY_READ);
1983
+			    requeue_pi ? FUTEX_WRITE : FUTEX_READ);
2065
1984
 	if (unlikely(ret != 0))
2066
-		goto out_put_key1;
1985
+		return ret;
2067
1986
 
2068
1987
 	/*
2069
1988
 	 * The check above which compares uaddrs is not sufficient for
2070
1989
 	 * shared futexes. We need to compare the keys:
2071
1990
 	 */
2072
-	if (requeue_pi && match_futex(&key1, &key2)) {
2073
-		ret = -EINVAL;
2074
-		goto out_put_keys;
2075
-	}
1991
+	if (requeue_pi && match_futex(&key1, &key2))
1992
+		return -EINVAL;
2076
1993
 
2077
1994
 	hb1 = hash_futex(&key1);
2078
1995
 	hb2 = hash_futex(&key2);
..
..
@@ -2092,13 +2009,11 @@
2092
2009
 
2093
2010
 			ret = get_user(curval, uaddr1);
2094
2011
 			if (ret)
2095
-				goto out_put_keys;
2012
+				return ret;
2096
2013
 
2097
2014
 			if (!(flags & FLAGS_SHARED))
2098
2015
 				goto retry_private;
2099
2016
 
2100
-			put_futex_key(&key2);
2101
-			put_futex_key(&key1);
2102
2017
 			goto retry;
2103
2018
 		}
2104
2019
 		if (curval != *cmpval) {
..
..
@@ -2131,7 +2046,6 @@
2131
2046
 		 */
2132
2047
 		if (ret > 0) {
2133
2048
 			WARN_ON(pi_state);
2134
-			drop_count++;
2135
2049
 			task_count++;
2136
2050
 			/*
2137
2051
 			 * If we acquired the lock, then the user space value
..
..
@@ -2158,12 +2072,10 @@
2158
2072
 		case -EFAULT:
2159
2073
 			double_unlock_hb(hb1, hb2);
2160
2074
 			hb_waiters_dec(hb2);
2161
-			put_futex_key(&key2);
2162
-			put_futex_key(&key1);
2163
2075
 			ret = fault_in_user_writeable(uaddr2);
2164
2076
 			if (!ret)
2165
2077
 				goto retry;
2166
-			goto out;
2078
+			return ret;
2167
2079
 		case -EBUSY:
2168
2080
 		case -EAGAIN:
2169
2081
 			/*
..
..
@@ -2174,8 +2086,6 @@
2174
2086
 			 */
2175
2087
 			double_unlock_hb(hb1, hb2);
2176
2088
 			hb_waiters_dec(hb2);
2177
-			put_futex_key(&key2);
2178
-			put_futex_key(&key1);
2179
2089
 			/*
2180
2090
 			 * Handle the case where the owner is in the middle of
2181
2091
 			 * exiting. Wait for the exit to complete otherwise
..
..
@@ -2251,7 +2161,6 @@
2251
2161
 				 * doing so.
2252
2162
 				 */
2253
2163
 				requeue_pi_wake_futex(this, &key2, hb2);
2254
-				drop_count++;
2255
2164
 				continue;
2256
2165
 			} else if (ret) {
2257
2166
 				/*
..
..
@@ -2272,7 +2181,6 @@
2272
2181
 			}
2273
2182
 		}
2274
2183
 		requeue_futex(this, hb1, hb2, &key2);
2275
-		drop_count++;
2276
2184
 	}
2277
2185
 
2278
2186
 	/*
..
..
@@ -2286,21 +2194,6 @@
2286
2194
 	double_unlock_hb(hb1, hb2);
2287
2195
 	wake_up_q(&wake_q);
2288
2196
 	hb_waiters_dec(hb2);
2289
-
2290
-	/*
2291
-	 * drop_futex_key_refs() must be called outside the spinlocks. During
2292
-	 * the requeue we moved futex_q's from the hash bucket at key1 to the
2293
-	 * one at key2 and updated their key pointer.  We no longer need to
2294
-	 * hold the references to key1.
2295
-	 */
2296
-	while (--drop_count >= 0)
2297
-		drop_futex_key_refs(&key1);
2298
-
2299
-out_put_keys:
2300
-	put_futex_key(&key2);
2301
-out_put_key1:
2302
-	put_futex_key(&key1);
2303
-out:
2304
2197
 	return ret ? ret : task_count;
2305
2198
 }
2306
2199
 
..
..
@@ -2320,11 +2213,11 @@
2320
2213
 	 * decrement the counter at queue_unlock() when some error has
2321
2214
 	 * occurred and we don't end up adding the task to the list.
2322
2215
 	 */
2323
-	hb_waiters_inc(hb);
2216
+	hb_waiters_inc(hb); /* implies smp_mb(); (A) */
2324
2217
 
2325
2218
 	q->lock_ptr = &hb->lock;
2326
2219
 
2327
-	spin_lock(&hb->lock); /* implies smp_mb(); (A) */
2220
+	spin_lock(&hb->lock);
2328
2221
 	return hb;
2329
2222
 }
2330
2223
 
..
..
@@ -2339,6 +2232,7 @@
2339
2232
 static inline void __queue_me(struct futex_q *q, struct futex_hash_bucket *hb)
2340
2233
 {
2341
2234
 	int prio;
2235
+	bool already_on_hb = false;
2342
2236
 
2343
2237
 	/*
2344
2238
 	 * The priority used to register this element is
..
..
@@ -2351,7 +2245,9 @@
2351
2245
 	prio = min(current->normal_prio, MAX_RT_PRIO);
2352
2246
 
2353
2247
 	plist_node_init(&q->list, prio);
2354
-	plist_add(&q->list, &hb->chain);
2248
+	trace_android_vh_alter_futex_plist_add(&q->list, &hb->chain, &already_on_hb);
2249
+	if (!already_on_hb)
2250
+		plist_add(&q->list, &hb->chain);
2355
2251
 	q->task = current;
2356
2252
 }
2357
2253
 
..
..
@@ -2425,7 +2321,6 @@
2425
2321
 		ret = 1;
2426
2322
 	}
2427
2323
 
2428
-	drop_futex_key_refs(&q->key);
2429
2324
 	return ret;
2430
2325
 }
2431
2326
 
..
..
@@ -2449,9 +2344,9 @@
2449
2344
 static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
2450
2345
 				  struct task_struct *argowner)
2451
2346
 {
2452
-	u32 uval, uninitialized_var(curval), newval, newtid;
2453
2347
 	struct futex_pi_state *pi_state = q->pi_state;
2454
2348
 	struct task_struct *oldowner, *newowner;
2349
+	u32 uval, curval, newval, newtid;
2455
2350
 	int err = 0;
2456
2351
 
2457
2352
 	oldowner = pi_state->owner;
..
..
@@ -2706,7 +2601,7 @@
2706
2601
 
2707
2602
 	/* Arm the timer */
2708
2603
 	if (timeout)
2709
-		hrtimer_start_expires(&timeout->timer, HRTIMER_MODE_ABS);
2604
+		hrtimer_sleeper_start_expires(timeout, HRTIMER_MODE_ABS);
2710
2605
 
2711
2606
 	/*
2712
2607
 	 * If we have been removed from the hash list, then another task
..
..
@@ -2718,8 +2613,10 @@
2718
2613
 		 * flagged for rescheduling. Only call schedule if there
2719
2614
 		 * is no timeout, or if it has yet to expire.
2720
2615
 		 */
2721
-		if (!timeout || timeout->task)
2616
+		if (!timeout || timeout->task) {
2617
+			trace_android_vh_futex_sleep_start(current);
2722
2618
 			freezable_schedule();
2619
+		}
2723
2620
 	}
2724
2621
 	__set_current_state(TASK_RUNNING);
2725
2622
 }
..
..
@@ -2766,7 +2663,7 @@
2766
2663
 	 * while the syscall executes.
2767
2664
 	 */
2768
2665
 retry:
2769
-	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, VERIFY_READ);
2666
+	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, FUTEX_READ);
2770
2667
 	if (unlikely(ret != 0))
2771
2668
 		return ret;
2772
2669
 
..
..
@@ -2780,12 +2677,11 @@
2780
2677
 
2781
2678
 		ret = get_user(uval, uaddr);
2782
2679
 		if (ret)
2783
-			goto out;
2680
+			return ret;
2784
2681
 
2785
2682
 		if (!(flags & FLAGS_SHARED))
2786
2683
 			goto retry_private;
2787
2684
 
2788
-		put_futex_key(&q->key);
2789
2685
 		goto retry;
2790
2686
 	}
2791
2687
 
..
..
@@ -2794,16 +2690,13 @@
2794
2690
 		ret = -EWOULDBLOCK;
2795
2691
 	}
2796
2692
 
2797
-out:
2798
-	if (ret)
2799
-		put_futex_key(&q->key);
2800
2693
 	return ret;
2801
2694
 }
2802
2695
 
2803
2696
 static int futex_wait(u32 __user *uaddr, unsigned int flags, u32 val,
2804
2697
 		      ktime_t *abs_time, u32 bitset)
2805
2698
 {
2806
-	struct hrtimer_sleeper timeout, *to = NULL;
2699
+	struct hrtimer_sleeper timeout, *to;
2807
2700
 	struct restart_block *restart;
2808
2701
 	struct futex_hash_bucket *hb;
2809
2702
 	struct futex_q q = futex_q_init;
..
..
@@ -2812,18 +2705,10 @@
2812
2705
 	if (!bitset)
2813
2706
 		return -EINVAL;
2814
2707
 	q.bitset = bitset;
2708
+	trace_android_vh_futex_wait_start(flags, bitset);
2815
2709
 
2816
-	if (abs_time) {
2817
-		to = &timeout;
2818
-
2819
-		hrtimer_init_on_stack(&to->timer, (flags & FLAGS_CLOCKRT) ?
2820
-				      CLOCK_REALTIME : CLOCK_MONOTONIC,
2821
-				      HRTIMER_MODE_ABS);
2822
-		hrtimer_init_sleeper(to, current);
2823
-		hrtimer_set_expires_range_ns(&to->timer, *abs_time,
2824
-					     current->timer_slack_ns);
2825
-	}
2826
-
2710
+	to = futex_setup_timer(abs_time, &timeout, flags,
2711
+			       current->timer_slack_ns);
2827
2712
 retry:
2828
2713
 	/*
2829
2714
 	 * Prepare to wait on uaddr. On success, holds hb lock and increments
..
..
@@ -2870,6 +2755,7 @@
2870
2755
 		hrtimer_cancel(&to->timer);
2871
2756
 		destroy_hrtimer_on_stack(&to->timer);
2872
2757
 	}
2758
+	trace_android_vh_futex_wait_end(flags, bitset);
2873
2759
 	return ret;
2874
2760
 }
2875
2761
 
..
..
@@ -2902,7 +2788,7 @@
2902
2788
 static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
2903
2789
 			 ktime_t *time, int trylock)
2904
2790
 {
2905
-	struct hrtimer_sleeper timeout, *to = NULL;
2791
+	struct hrtimer_sleeper timeout, *to;
2906
2792
 	struct task_struct *exiting = NULL;
2907
2793
 	struct rt_mutex_waiter rt_waiter;
2908
2794
 	struct futex_hash_bucket *hb;
..
..
@@ -2915,16 +2801,10 @@
2915
2801
 	if (refill_pi_state_cache())
2916
2802
 		return -ENOMEM;
2917
2803
 
2918
-	if (time) {
2919
-		to = &timeout;
2920
-		hrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,
2921
-				      HRTIMER_MODE_ABS);
2922
-		hrtimer_init_sleeper(to, current);
2923
-		hrtimer_set_expires(&to->timer, *time);
2924
-	}
2804
+	to = futex_setup_timer(time, &timeout, FLAGS_CLOCKRT, 0);
2925
2805
 
2926
2806
 retry:
2927
-	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE);
2807
+	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
2928
2808
 	if (unlikely(ret != 0))
2929
2809
 		goto out;
2930
2810
 
..
..
@@ -2954,7 +2834,6 @@
2954
2834
 			 * - EAGAIN: The user space value changed.
2955
2835
 			 */
2956
2836
 			queue_unlock(hb);
2957
-			put_futex_key(&q.key);
2958
2837
 			/*
2959
2838
 			 * Handle the case where the owner is in the middle of
2960
2839
 			 * exiting. Wait for the exit to complete otherwise
..
..
@@ -2982,7 +2861,7 @@
2982
2861
 		goto no_block;
2983
2862
 	}
2984
2863
 
2985
-	rt_mutex_init_waiter(&rt_waiter);
2864
+	rt_mutex_init_waiter(&rt_waiter, false);
2986
2865
 
2987
2866
 	/*
2988
2867
 	 * On PREEMPT_RT_FULL, when hb->lock becomes an rt_mutex, we must not
..
..
@@ -3014,7 +2893,7 @@
3014
2893
 	}
3015
2894
 
3016
2895
 	if (unlikely(to))
3017
-		hrtimer_start_expires(&to->timer, HRTIMER_MODE_ABS);
2896
+		hrtimer_sleeper_start_expires(to, HRTIMER_MODE_ABS);
3018
2897
 
3019
2898
 	ret = rt_mutex_wait_proxy_lock(&q.pi_state->pi_mutex, to, &rt_waiter);
3020
2899
 
..
..
@@ -3047,14 +2926,11 @@
3047
2926
 
3048
2927
 	/* Unqueue and drop the lock */
3049
2928
 	unqueue_me_pi(&q);
3050
-
3051
-	goto out_put_key;
2929
+	goto out;
3052
2930
 
3053
2931
 out_unlock_put_key:
3054
2932
 	queue_unlock(hb);
3055
2933
 
3056
-out_put_key:
3057
-	put_futex_key(&q.key);
3058
2934
 out:
3059
2935
 	if (to) {
3060
2936
 		hrtimer_cancel(&to->timer);
..
..
@@ -3067,12 +2943,11 @@
3067
2943
 
3068
2944
 	ret = fault_in_user_writeable(uaddr);
3069
2945
 	if (ret)
3070
-		goto out_put_key;
2946
+		goto out;
3071
2947
 
3072
2948
 	if (!(flags & FLAGS_SHARED))
3073
2949
 		goto retry_private;
3074
2950
 
3075
-	put_futex_key(&q.key);
3076
2951
 	goto retry;
3077
2952
 }
3078
2953
 
..
..
@@ -3083,7 +2958,7 @@
3083
2958
  */
3084
2959
 static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
3085
2960
 {
3086
-	u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
2961
+	u32 curval, uval, vpid = task_pid_vnr(current);
3087
2962
 	union futex_key key = FUTEX_KEY_INIT;
3088
2963
 	struct futex_hash_bucket *hb;
3089
2964
 	struct futex_q *top_waiter;
..
..
@@ -3101,7 +2976,7 @@
3101
2976
 	if ((uval & FUTEX_TID_MASK) != vpid)
3102
2977
 		return -EPERM;
3103
2978
 
3104
-	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
2979
+	ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_WRITE);
3105
2980
 	if (ret)
3106
2981
 		return ret;
3107
2982
 
..
..
@@ -3201,16 +3076,13 @@
3201
3076
 out_unlock:
3202
3077
 	spin_unlock(&hb->lock);
3203
3078
 out_putkey:
3204
-	put_futex_key(&key);
3205
3079
 	return ret;
3206
3080
 
3207
3081
 pi_retry:
3208
-	put_futex_key(&key);
3209
3082
 	cond_resched();
3210
3083
 	goto retry;
3211
3084
 
3212
3085
 pi_faulted:
3213
-	put_futex_key(&key);
3214
3086
 
3215
3087
 	ret = fault_in_user_writeable(uaddr);
3216
3088
 	if (!ret)
..
..
@@ -3312,7 +3184,7 @@
3312
3184
 				 u32 val, ktime_t *abs_time, u32 bitset,
3313
3185
 				 u32 __user *uaddr2)
3314
3186
 {
3315
-	struct hrtimer_sleeper timeout, *to = NULL;
3187
+	struct hrtimer_sleeper timeout, *to;
3316
3188
 	struct rt_mutex_waiter rt_waiter;
3317
3189
 	struct futex_hash_bucket *hb;
3318
3190
 	union futex_key key2 = FUTEX_KEY_INIT;
..
..
@@ -3328,23 +3200,16 @@
3328
3200
 	if (!bitset)
3329
3201
 		return -EINVAL;
3330
3202
 
3331
-	if (abs_time) {
3332
-		to = &timeout;
3333
-		hrtimer_init_on_stack(&to->timer, (flags & FLAGS_CLOCKRT) ?
3334
-				      CLOCK_REALTIME : CLOCK_MONOTONIC,
3335
-				      HRTIMER_MODE_ABS);
3336
-		hrtimer_init_sleeper(to, current);
3337
-		hrtimer_set_expires_range_ns(&to->timer, *abs_time,
3338
-					     current->timer_slack_ns);
3339
-	}
3203
+	to = futex_setup_timer(abs_time, &timeout, flags,
3204
+			       current->timer_slack_ns);
3340
3205
 
3341
3206
 	/*
3342
3207
 	 * The waiter is allocated on our stack, manipulated by the requeue
3343
3208
 	 * code while we sleep on uaddr.
3344
3209
 	 */
3345
-	rt_mutex_init_waiter(&rt_waiter);
3210
+	rt_mutex_init_waiter(&rt_waiter, false);
3346
3211
 
3347
-	ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
3212
+	ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
3348
3213
 	if (unlikely(ret != 0))
3349
3214
 		goto out;
3350
3215
 
..
..
@@ -3358,7 +3223,7 @@
3358
3223
 	 */
3359
3224
 	ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
3360
3225
 	if (ret)
3361
-		goto out_key2;
3226
+		goto out;
3362
3227
 
3363
3228
 	/*
3364
3229
 	 * The check above which compares uaddrs is not sufficient for
..
..
@@ -3367,7 +3232,7 @@
3367
3232
 	if (match_futex(&q.key, &key2)) {
3368
3233
 		queue_unlock(hb);
3369
3234
 		ret = -EINVAL;
3370
-		goto out_put_keys;
3235
+		goto out;
3371
3236
 	}
3372
3237
 
3373
3238
 	/* Queue the futex_q, drop the hb lock, wait for wakeup. */
..
..
@@ -3377,7 +3242,7 @@
3377
3242
 	ret = handle_early_requeue_pi_wakeup(hb, &q, &key2, to);
3378
3243
 	spin_unlock(&hb->lock);
3379
3244
 	if (ret)
3380
-		goto out_put_keys;
3245
+		goto out;
3381
3246
 
3382
3247
 	/*
3383
3248
 	 * In order for us to be here, we know our q.key == key2, and since
..
..
@@ -3452,11 +3317,6 @@
3452
3317
 		 */
3453
3318
 		ret = -EWOULDBLOCK;
3454
3319
 	}
3455
-
3456
-out_put_keys:
3457
-	put_futex_key(&q.key);
3458
-out_key2:
3459
-	put_futex_key(&key2);
3460
3320
 
3461
3321
 out:
3462
3322
 	if (to) {
..
..
@@ -3558,7 +3418,7 @@
3558
3418
 static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
3559
3419
 			      bool pi, bool pending_op)
3560
3420
 {
3561
-	u32 uval, uninitialized_var(nval), mval;
3421
+	u32 uval, nval, mval;
3562
3422
 	int err;
3563
3423
 
3564
3424
 	/* Futex address must be 32bit aligned */
..
..
@@ -3688,7 +3548,7 @@
3688
3548
 	struct robust_list_head __user *head = curr->robust_list;
3689
3549
 	struct robust_list __user *entry, *next_entry, *pending;
3690
3550
 	unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
3691
-	unsigned int uninitialized_var(next_pi);
3551
+	unsigned int next_pi;
3692
3552
 	unsigned long futex_offset;
3693
3553
 	int rc;
3694
3554
 
..
..
@@ -3881,15 +3741,16 @@
3881
3741
 			return -ENOSYS;
3882
3742
 	}
3883
3743
 
3744
+	trace_android_vh_do_futex(cmd, &flags, uaddr2);
3884
3745
 	switch (cmd) {
3885
3746
 	case FUTEX_WAIT:
3886
3747
 		val3 = FUTEX_BITSET_MATCH_ANY;
3887
-		/* fall through */
3748
+		fallthrough;
3888
3749
 	case FUTEX_WAIT_BITSET:
3889
3750
 		return futex_wait(uaddr, flags, val, timeout, val3);
3890
3751
 	case FUTEX_WAKE:
3891
3752
 		val3 = FUTEX_BITSET_MATCH_ANY;
3892
-		/* fall through */
3753
+		fallthrough;
3893
3754
 	case FUTEX_WAKE_BITSET:
3894
3755
 		return futex_wake(uaddr, flags, val, val3);
3895
3756
 	case FUTEX_REQUEUE:
..
..
@@ -3916,10 +3777,10 @@
3916
3777
 
3917
3778
 
3918
3779
 SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
3919
-		struct timespec __user *, utime, u32 __user *, uaddr2,
3780
+		struct __kernel_timespec __user *, utime, u32 __user *, uaddr2,
3920
3781
 		u32, val3)
3921
3782
 {
3922
-	struct timespec ts;
3783
+	struct timespec64 ts;
3923
3784
 	ktime_t t, *tp = NULL;
3924
3785
 	u32 val2 = 0;
3925
3786
 	int cmd = op & FUTEX_CMD_MASK;
..
..
@@ -3929,14 +3790,16 @@
3929
3790
 		      cmd == FUTEX_WAIT_REQUEUE_PI)) {
3930
3791
 		if (unlikely(should_fail_futex(!(op & FUTEX_PRIVATE_FLAG))))
3931
3792
 			return -EFAULT;
3932
-		if (copy_from_user(&ts, utime, sizeof(ts)) != 0)
3793
+		if (get_timespec64(&ts, utime))
3933
3794
 			return -EFAULT;
3934
-		if (!timespec_valid(&ts))
3795
+		if (!timespec64_valid(&ts))
3935
3796
 			return -EINVAL;
3936
3797
 
3937
-		t = timespec_to_ktime(ts);
3798
+		t = timespec64_to_ktime(ts);
3938
3799
 		if (cmd == FUTEX_WAIT)
3939
3800
 			t = ktime_add_safe(ktime_get(), t);
3801
+		else if (cmd != FUTEX_LOCK_PI && !(op & FUTEX_CLOCK_REALTIME))
3802
+			t = timens_ktime_to_host(CLOCK_MONOTONIC, t);
3940
3803
 		tp = &t;
3941
3804
 	}
3942
3805
 	/*
..
..
@@ -3987,7 +3850,7 @@
3987
3850
 	struct compat_robust_list_head __user *head = curr->compat_robust_list;
3988
3851
 	struct robust_list __user *entry, *next_entry, *pending;
3989
3852
 	unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
3990
-	unsigned int uninitialized_var(next_pi);
3853
+	unsigned int next_pi;
3991
3854
 	compat_uptr_t uentry, next_uentry, upending;
3992
3855
 	compat_long_t futex_offset;
3993
3856
 	int rc;
..
..
@@ -4106,12 +3969,14 @@
4106
3969
 
4107
3970
 	return ret;
4108
3971
 }
3972
+#endif /* CONFIG_COMPAT */
4109
3973
 
4110
-COMPAT_SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
3974
+#ifdef CONFIG_COMPAT_32BIT_TIME
3975
+SYSCALL_DEFINE6(futex_time32, u32 __user *, uaddr, int, op, u32, val,
4111
3976
 		struct old_timespec32 __user *, utime, u32 __user *, uaddr2,
4112
3977
 		u32, val3)
4113
3978
 {
4114
-	struct timespec ts;
3979
+	struct timespec64 ts;
4115
3980
 	ktime_t t, *tp = NULL;
4116
3981
 	int val2 = 0;
4117
3982
 	int cmd = op & FUTEX_CMD_MASK;
..
..
@@ -4119,14 +3984,16 @@
4119
3984
 	if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
4120
3985
 		      cmd == FUTEX_WAIT_BITSET ||
4121
3986
 		      cmd == FUTEX_WAIT_REQUEUE_PI)) {
4122
-		if (compat_get_timespec(&ts, utime))
3987
+		if (get_old_timespec32(&ts, utime))
4123
3988
 			return -EFAULT;
4124
-		if (!timespec_valid(&ts))
3989
+		if (!timespec64_valid(&ts))
4125
3990
 			return -EINVAL;
4126
3991
 
4127
-		t = timespec_to_ktime(ts);
3992
+		t = timespec64_to_ktime(ts);
4128
3993
 		if (cmd == FUTEX_WAIT)
4129
3994
 			t = ktime_add_safe(ktime_get(), t);
3995
+		else if (cmd != FUTEX_LOCK_PI && !(op & FUTEX_CLOCK_REALTIME))
3996
+			t = timens_ktime_to_host(CLOCK_MONOTONIC, t);
4130
3997
 		tp = &t;
4131
3998
 	}
4132
3999
 	if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
..
..
@@ -4135,7 +4002,7 @@
4135
4002
 
4136
4003
 	return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
4137
4004
 }
4138
-#endif /* CONFIG_COMPAT */
4005
+#endif /* CONFIG_COMPAT_32BIT_TIME */
4139
4006
 
4140
4007
 static void __init futex_detect_cmpxchg(void)
4141
4008
 {