// SPDX-License-Identifier: GPL-2.0-or-later

#include <linux/plist.h>
#include <linux/sched/task.h>
#include <linux/sched/signal.h>
#include <linux/freezer.h>

#include "futex.h"
#include <trace/hooks/futex.h>

/*
 * READ this before attempting to hack on futexes!
 *
 * Basic futex operation and ordering guarantees
 * =============================================
 *
 * The waiter reads the futex value in user space and calls
 * futex_wait(). This function computes the hash bucket and acquires
 * the hash bucket lock. After that it reads the futex user space value
 * again and verifies that the data has not changed. If it has not changed
 * it enqueues itself into the hash bucket, releases the hash bucket lock
 * and schedules.
 *
 * The waker side modifies the user space value of the futex and calls
 * futex_wake(). This function computes the hash bucket and acquires the
 * hash bucket lock. Then it looks for waiters on that futex in the hash
 * bucket and wakes them.
 *
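 * As an illustration only (a userspace sketch, not code from this file), a
 * minimal pairing of the two sides might look roughly like this, where
 * futex_word and WANT are hypothetical names:
 *
 *	waiter:
 *		val = atomic_load(&futex_word);
 *		while (val != WANT) {
 *			syscall(SYS_futex, &futex_word, FUTEX_WAIT, val,
 *				NULL, NULL, 0);
 *			val = atomic_load(&futex_word);
 *		}
 *
 *	waker:
 *		atomic_store(&futex_word, WANT);
 *		syscall(SYS_futex, &futex_word, FUTEX_WAKE, 1, NULL, NULL, 0);
 *
 * The waiter must re-read the value after every return, since FUTEX_WAIT can
 * return early on a signal, a spurious wakeup, or -EAGAIN when the value has
 * already changed.
 *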
 * In futex wake-up scenarios where no tasks are blocked on a futex, taking
 * the hb spinlock can be avoided and the waker can simply return. For this
 * optimization to work, ordering guarantees must ensure that a waiter being
 * added to the list is visible to a waker concurrently checking the list,
 * avoiding scenarios like the following:
 *
 * CPU 0                               CPU 1
 * val = *futex;
 * sys_futex(WAIT, futex, val);
 *   futex_wait(futex, val);
 *   uval = *futex;
 *                                     *futex = newval;
 *                                     sys_futex(WAKE, futex);
 *                                       futex_wake(futex);
 *                                         if (queue_empty())
 *                                           return;
 *   if (uval == val)
 *     lock(hash_bucket(futex));
 *     queue();
 *     unlock(hash_bucket(futex));
 *     schedule();
 *
 * This would cause the waiter on CPU 0 to wait forever because it
 * missed the transition of the user space value from val to newval
 * and the waker did not find the waiter in the hash bucket queue.
 *
 * The correct serialization ensures that a waiter either observes
 * the changed user space value before blocking or is woken by a
 * concurrent waker:
 *
 * CPU 0                               CPU 1
 * val = *futex;
 * sys_futex(WAIT, futex, val);
 *   futex_wait(futex, val);
 *
 *   waiters++; (a)
 *   smp_mb(); (A) <-- paired with -.
 *                                   |
 *   lock(hash_bucket(futex));       |
 *                                   |
 *   uval = *futex;                  |
 *                                   |       *futex = newval;
 *                                   |       sys_futex(WAKE, futex);
 *                                   |         futex_wake(futex);
 *                                   |
 *                                   `-------> smp_mb(); (B)
 *   if (uval == val)
 *     queue();
 *     unlock(hash_bucket(futex));
 *     schedule();                       if (waiters)
 *                                         lock(hash_bucket(futex));
 *   else                                  wake_waiters(futex);
 *     waiters--; (b)                      unlock(hash_bucket(futex));
 *
 * Where (A) orders the waiters increment and the futex value read through
 * atomic operations (see futex_hb_waiters_inc) and where (B) orders the write
 * to futex and the waiters read (see futex_hb_waiters_pending()).
 *
 * This yields the following case (where X:=waiters, Y:=futex):
 *
 *   X = Y = 0
 *
 *   w[X]=1          w[Y]=1
 *   MB              MB
 *   r[Y]=y          r[X]=x
 *
 * Which guarantees that x==0 && y==0 is impossible; which translates back into
 * the guarantee that we cannot both miss the futex variable change and the
 * enqueue.
 *
 * Note that a new waiter is accounted for in (a) even though the wait call
 * may later return an error, in which case the increment is undone in (b).
 * Refer to the comment in futex_q_lock().
 *
 * Similarly, to account for waiters being requeued to another address, the
 * waiter count of the destination bucket is always incremented before its
 * lock is acquired and decremented again after the lock is released - the
 * code that actually moves the futex(es) between hash buckets (requeue_futex)
 * does the additional required waiter count housekeeping. This is done in
 * double_lock_hb() and double_unlock_hb(), respectively.
 */

bool __futex_wake_mark(struct futex_q *q)
{
	if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
		return false;

	__futex_unqueue(q);
	/*
	 * The waiting task can free the futex_q as soon as q->lock_ptr = NULL
	 * is written, without taking any locks. This is possible in the event
	 * of a spurious wakeup, for example. A memory barrier is required here
	 * to prevent the following store to lock_ptr from getting ahead of the
	 * plist_del in __futex_unqueue().
	 */
	smp_store_release(&q->lock_ptr, NULL);

	return true;
}

/*
 * The hash bucket lock must be held when this is called.
 * Afterwards, the futex_q must not be accessed. Callers
 * must ensure to later call wake_up_q() for the actual
 * wakeups to occur.
 */
void futex_wake_mark(struct wake_q_head *wake_q, struct futex_q *q)
{
	struct task_struct *p = q->task;

	get_task_struct(p);

	if (!__futex_wake_mark(q)) {
		put_task_struct(p);
		return;
	}

	/*
	 * Queue the task for later wakeup, after we've released
	 * the hb->lock.
	 */
	wake_q_add_safe(wake_q, p);
}

/*
 * Wake up waiters matching bitset queued on this futex (uaddr).
 */
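/*
 * Illustrative only (a userspace sketch, not an API defined in this file):
 * a waiter can restrict which wakeups it responds to by passing a bitset,
 * and a waker can target that subset, e.g.:
 *
 *	syscall(SYS_futex, &word, FUTEX_WAIT_BITSET, val, NULL, NULL, 0x1);
 *	syscall(SYS_futex, &word, FUTEX_WAKE_BITSET, 1, NULL, NULL, 0x1);
 *
 * Plain FUTEX_WAIT/FUTEX_WAKE behave as if the bitset were
 * FUTEX_BITSET_MATCH_ANY.
 */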
int futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
{
	struct futex_hash_bucket *hb;
	struct futex_q *this, *next;
	union futex_key key = FUTEX_KEY_INIT;
	DEFINE_WAKE_Q(wake_q);
	int ret;
	int target_nr;

	if (!bitset)
		return -EINVAL;

	ret = get_futex_key(uaddr, flags, &key, FUTEX_READ);
	if (unlikely(ret != 0))
		return ret;

	if ((flags & FLAGS_STRICT) && !nr_wake)
		return 0;

	hb = futex_hash(&key);

	/* Make sure we really have tasks to wakeup */
	if (!futex_hb_waiters_pending(hb))
		return ret;

	spin_lock(&hb->lock);

	trace_android_vh_futex_wake_traverse_plist(&hb->chain, &target_nr, key, bitset);
	plist_for_each_entry_safe(this, next, &hb->chain, list) {
		if (futex_match (&this->key, &key)) {
			if (this->pi_state || this->rt_waiter) {
				ret = -EINVAL;
				break;
			}

			/* Check if one of the bits is set in both bitsets */
			if (!(this->bitset & bitset))
				continue;

			trace_android_vh_futex_wake_this(ret, nr_wake, target_nr, this->task);
			this->wake(&wake_q, this);
			if (++ret >= nr_wake)
				break;
		}
	}

	spin_unlock(&hb->lock);
	wake_up_q(&wake_q);
	trace_android_vh_futex_wake_up_q_finish(nr_wake, target_nr);
	return ret;
}

static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
{
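	/*
	 * Decoding sketch of the FUTEX_WAKE_OP operation word, matching the
	 * masks and shifts used below (the FUTEX_OP() macro in the uapi
	 * header builds this layout):
	 *
	 *   bit  31    : FUTEX_OP_OPARG_SHIFT - treat oparg as a shift count
	 *   bits 28-30 : op     (SET, ADD, OR, ANDN, XOR)
	 *   bits 24-27 : cmp    (EQ, NE, LT, LE, GT, GE)
	 *   bits 12-23 : oparg  (12-bit signed)
	 *   bits  0-11 : cmparg (12-bit signed)
	 *
	 * For example, FUTEX_OP(FUTEX_OP_ADD, 1, FUTEX_OP_CMP_GT, 0) encodes
	 * "*uaddr += 1; report a wake condition if the old value was > 0".
	 */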
	unsigned int op = (encoded_op & 0x70000000) >> 28;
	unsigned int cmp = (encoded_op & 0x0f000000) >> 24;
	int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 11);
	int cmparg = sign_extend32(encoded_op & 0x00000fff, 11);
	int oldval, ret;

	if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
		if (oparg < 0 || oparg > 31) {
			char comm[sizeof(current->comm)];
			/*
			 * kill this print and return -EINVAL when userspace
			 * is sane again
			 */
			pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d; fix this program\n",
					    get_task_comm(comm, current), oparg);
			oparg &= 31;
		}
		oparg = 1 << oparg;
	}

	pagefault_disable();
	ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
	pagefault_enable();
	if (ret)
		return ret;

	switch (cmp) {
	case FUTEX_OP_CMP_EQ:
		return oldval == cmparg;
	case FUTEX_OP_CMP_NE:
		return oldval != cmparg;
	case FUTEX_OP_CMP_LT:
		return oldval < cmparg;
	case FUTEX_OP_CMP_GE:
		return oldval >= cmparg;
	case FUTEX_OP_CMP_LE:
		return oldval <= cmparg;
	case FUTEX_OP_CMP_GT:
		return oldval > cmparg;
	default:
		return -ENOSYS;
	}
}

/*
 * Wake up all waiters hashed on the physical page that is mapped
 * to this virtual address:
 */
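/*
 * Illustrative userspace invocation (a sketch, not part of this file): wake
 * one waiter on uaddr1, atomically set *uaddr2 to 0 and, if its old value
 * was greater than 0, also wake up to INT_MAX waiters on uaddr2:
 *
 *	syscall(SYS_futex, uaddr1, FUTEX_WAKE_OP, 1, INT_MAX, uaddr2,
 *		FUTEX_OP(FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 0));
 *
 * Note that nr_wake2 (here INT_MAX) is passed through the timeout argument
 * slot of the futex() syscall.
 */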
int futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
		  int nr_wake, int nr_wake2, int op)
{
	union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
	struct futex_hash_bucket *hb1, *hb2;
	struct futex_q *this, *next;
	int ret, op_ret;
	DEFINE_WAKE_Q(wake_q);

retry:
	ret = get_futex_key(uaddr1, flags, &key1, FUTEX_READ);
	if (unlikely(ret != 0))
		return ret;
	ret = get_futex_key(uaddr2, flags, &key2, FUTEX_WRITE);
	if (unlikely(ret != 0))
		return ret;

	hb1 = futex_hash(&key1);
	hb2 = futex_hash(&key2);

retry_private:
	double_lock_hb(hb1, hb2);
	op_ret = futex_atomic_op_inuser(op, uaddr2);
	if (unlikely(op_ret < 0)) {
		double_unlock_hb(hb1, hb2);

		if (!IS_ENABLED(CONFIG_MMU) ||
		    unlikely(op_ret != -EFAULT && op_ret != -EAGAIN)) {
			/*
			 * we don't get EFAULT from MMU faults if we don't have
			 * an MMU, but we might get them from range checking
			 */
			ret = op_ret;
			return ret;
		}

		if (op_ret == -EFAULT) {
			ret = fault_in_user_writeable(uaddr2);
			if (ret)
				return ret;
		}

		cond_resched();
		if (!(flags & FLAGS_SHARED))
			goto retry_private;
		goto retry;
	}

	plist_for_each_entry_safe(this, next, &hb1->chain, list) {
		if (futex_match (&this->key, &key1)) {
			if (this->pi_state || this->rt_waiter) {
				ret = -EINVAL;
				goto out_unlock;
			}
			this->wake(&wake_q, this);
			if (++ret >= nr_wake)
				break;
		}
	}

	if (op_ret > 0) {
		op_ret = 0;
		plist_for_each_entry_safe(this, next, &hb2->chain, list) {
			if (futex_match (&this->key, &key2)) {
				if (this->pi_state || this->rt_waiter) {
					ret = -EINVAL;
					goto out_unlock;
				}
				this->wake(&wake_q, this);
				if (++op_ret >= nr_wake2)
					break;
			}
		}
		ret += op_ret;
	}

out_unlock:
	double_unlock_hb(hb1, hb2);
	wake_up_q(&wake_q);
	return ret;
}

static long futex_wait_restart(struct restart_block *restart);

/**
 * futex_wait_queue() - futex_queue() and wait for wakeup, timeout, or signal
 * @hb:		the futex hash bucket, must be locked by the caller
 * @q:		the futex_q to queue up on
 * @timeout:	the prepared hrtimer_sleeper, or null for no timeout
 */
void futex_wait_queue(struct futex_hash_bucket *hb, struct futex_q *q,
		      struct hrtimer_sleeper *timeout)
{
	/*
	 * The task state is guaranteed to be set before another task can
	 * wake it. set_current_state() is implemented using smp_store_mb() and
	 * futex_queue() calls spin_unlock() upon completion, both serializing
	 * access to the hash list and forcing another memory barrier.
	 */
	set_current_state(TASK_INTERRUPTIBLE|TASK_FREEZABLE);
	futex_queue(q, hb, current);

	/* Arm the timer */
	if (timeout)
		hrtimer_sleeper_start_expires(timeout, HRTIMER_MODE_ABS);

	/*
	 * If we have been removed from the hash list, then another task
	 * has tried to wake us, and we can skip the call to schedule().
	 */
	if (likely(!plist_node_empty(&q->list))) {
		/*
		 * If the timer has already expired, current will already be
		 * flagged for rescheduling. Only call schedule if there
		 * is no timeout, or if it has yet to expire.
		 */
		if (!timeout || timeout->task) {
			trace_android_vh_futex_sleep_start(current);
			schedule();
		}
	}
	__set_current_state(TASK_RUNNING);
}

/**
 * futex_unqueue_multiple - Remove various futexes from their hash bucket
 * @v:	   The list of futexes to unqueue
 * @count: Number of futexes in the list
 *
 * Helper to unqueue a list of futexes. This can't fail.
 *
 * Return:
 *  - >=0 - Index of the last futex that was awoken;
 *  - -1  - No futex was awoken
 */
int futex_unqueue_multiple(struct futex_vector *v, int count)
{
	int ret = -1, i;

	for (i = 0; i < count; i++) {
		if (!futex_unqueue(&v[i].q))
			ret = i;
	}

	return ret;
}

/**
 * futex_wait_multiple_setup - Prepare to wait and enqueue multiple futexes
 * @vs:		The futex list to wait on
 * @count:	The size of the list
 * @woken:	Index of the last woken futex, if any. Used to notify the
 *		caller that it can return this index to userspace (return parameter)
 *
 * Prepare multiple futexes in a single step and enqueue them. This may fail if
 * the futex list is invalid or if any futex was already awoken. On success the
 * task is ready for an interruptible sleep.
 *
 * Return:
 *  - 1  - One of the futexes was woken by another thread
 *  - 0  - Success
 *  - <0 - -EFAULT, -EWOULDBLOCK or -EINVAL
 */
int futex_wait_multiple_setup(struct futex_vector *vs, int count, int *woken)
{
	struct futex_hash_bucket *hb;
	bool retry = false;
	int ret, i;
	u32 uval;

	/*
	 * Enqueuing multiple futexes is tricky, because we need to enqueue
	 * each futex on the list before dealing with the next one to avoid
	 * deadlocking on the hash bucket. But, before enqueuing, we need to
	 * make sure that current->state is TASK_INTERRUPTIBLE, so we don't
	 * lose any wake events, which cannot be done before the get_futex_key
	 * of the next key, because it calls get_user_pages, which can sleep.
	 * Thus, we fetch the list of futex keys in two steps: first resolve
	 * and pin all the keys, and only then read each futex word and queue
	 * the corresponding futex.
	 *
	 * Private futexes don't need to recalculate the hash on retry, so
	 * skip get_futex_key() when retrying.
	 */
retry:
	for (i = 0; i < count; i++) {
		if (!(vs[i].w.flags & FLAGS_SHARED) && retry)
			continue;

		ret = get_futex_key(u64_to_user_ptr(vs[i].w.uaddr),
				    vs[i].w.flags,
				    &vs[i].q.key, FUTEX_READ);

		if (unlikely(ret))
			return ret;
	}

	set_current_state(TASK_INTERRUPTIBLE|TASK_FREEZABLE);

	for (i = 0; i < count; i++) {
		u32 __user *uaddr = (u32 __user *)(unsigned long)vs[i].w.uaddr;
		struct futex_q *q = &vs[i].q;
		u32 val = vs[i].w.val;

		hb = futex_q_lock(q);
		ret = futex_get_value_locked(&uval, uaddr);

		if (!ret && uval == val) {
			/*
			 * The bucket lock can't be held while dealing with the
			 * next futex. Queue each futex at this moment so hb can
			 * be unlocked.
			 */
			futex_queue(q, hb, current);
			continue;
		}

		futex_q_unlock(hb);
		__set_current_state(TASK_RUNNING);

		/*
		 * Even if something went wrong, if we find out that a futex
		 * was woken, we don't return an error and we return this
		 * index to userspace.
		 */
		*woken = futex_unqueue_multiple(vs, i);
		if (*woken >= 0)
			return 1;

		if (ret) {
			/*
			 * If we need to handle a page fault, we need to do so
			 * without any lock and any enqueued futex (otherwise
			 * we could lose some wakeup). So we do it here, after
			 * undoing all the work done so far. On success, we
			 * retry all the work.
			 */
			if (get_user(uval, uaddr))
				return -EFAULT;

			retry = true;
			goto retry;
		}

		if (uval != val)
			return -EWOULDBLOCK;
	}

	return 0;
}

/**
 * futex_sleep_multiple - Check sleeping conditions and sleep
 * @vs:    List of futexes to wait for
 * @count: Length of vs
 * @to:    Timeout
 *
 * Sleep if and only if the timeout hasn't expired and no futex on the list has
 * been woken up.
 */
static void futex_sleep_multiple(struct futex_vector *vs, unsigned int count,
				 struct hrtimer_sleeper *to)
{
	if (to && !to->task)
		return;

	for (; count; count--, vs++) {
		if (!READ_ONCE(vs->q.lock_ptr))
			return;
	}

	schedule();
}

/**
 * futex_wait_multiple - Prepare to wait on and enqueue several futexes
 * @vs:		The list of futexes to wait on
 * @count:	The number of objects
 * @to:		Timeout before giving up and returning to userspace
 *
 * Entry point for the FUTEX_WAIT_MULTIPLE futex operation, this function
 * sleeps on a group of futexes and returns on the first futex that was
 * woken, or after the timeout has elapsed.
 *
 * Return:
 *  - >=0 - Index (hint) of the futex that was awoken
 *  - <0  - On error
 */
int futex_wait_multiple(struct futex_vector *vs, unsigned int count,
			struct hrtimer_sleeper *to)
{
	int ret, hint = 0;

	if (to)
		hrtimer_sleeper_start_expires(to, HRTIMER_MODE_ABS);

	while (1) {
		ret = futex_wait_multiple_setup(vs, count, &hint);
		if (ret) {
			if (ret > 0) {
				/* A futex was woken during setup */
				ret = hint;
			}
			return ret;
		}

		futex_sleep_multiple(vs, count, to);

		__set_current_state(TASK_RUNNING);

		ret = futex_unqueue_multiple(vs, count);
		if (ret >= 0)
			return ret;

		if (to && !to->task)
			return -ETIMEDOUT;
		else if (signal_pending(current))
			return -ERESTARTSYS;
		/*
		 * The final case is a spurious wakeup, for which we just
		 * retry.
		 */
	}
}

/**
 * futex_wait_setup() - Prepare to wait on a futex
 * @uaddr:	the futex userspace address
 * @val:	the expected value
 * @flags:	futex flags (FLAGS_SHARED, etc.)
 * @q:		the associated futex_q
 * @hb:		storage for hash_bucket pointer to be returned to caller
 *
 * Set up the futex_q and locate the hash_bucket. Get the futex value and
 * compare it with the expected value. Handle atomic faults internally.
 * Return with the hb lock held on success, and unlocked on failure.
 *
 * Return:
 *  - 0  - uaddr contains val and hb has been locked;
 *  - <0 - -EFAULT or -EWOULDBLOCK (uaddr does not contain val) and hb is unlocked
 */
int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
		     struct futex_q *q, struct futex_hash_bucket **hb)
{
	u32 uval;
	int ret;

	/*
	 * Access the page AFTER the hash-bucket is locked.
	 * Order is important:
	 *
	 *   Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
	 *   Userspace waker:  if (cond(var)) { var = new; futex_wake(&var); }
	 *
	 * The basic logical guarantee of a futex is that it blocks ONLY
	 * if cond(var) is known to be true at the time of blocking, for
	 * any cond. If we locked the hash-bucket after testing *uaddr, that
	 * would open a race condition where we could block indefinitely with
	 * cond(var) false, which would violate the guarantee.
	 *
	 * On the other hand, we insert q and release the hash-bucket only
	 * after testing *uaddr. This guarantees that futex_wait() will NOT
	 * absorb a wakeup if *uaddr does not match the desired values
	 * while the syscall executes.
	 */
retry:
	ret = get_futex_key(uaddr, flags, &q->key, FUTEX_READ);
	if (unlikely(ret != 0))
		return ret;

retry_private:
	*hb = futex_q_lock(q);

	ret = futex_get_value_locked(&uval, uaddr);

	if (ret) {
		futex_q_unlock(*hb);

		ret = get_user(uval, uaddr);
		if (ret)
			return ret;

		if (!(flags & FLAGS_SHARED))
			goto retry_private;

		goto retry;
	}

	if (uval != val) {
		futex_q_unlock(*hb);
		ret = -EWOULDBLOCK;
	}

	return ret;
}

int __futex_wait(u32 __user *uaddr, unsigned int flags, u32 val,
		 struct hrtimer_sleeper *to, u32 bitset)
{
	struct futex_q q = futex_q_init;
	struct futex_hash_bucket *hb;
	int ret;

	if (!bitset)
		return -EINVAL;

	q.bitset = bitset;

retry:
	/*
	 * Prepare to wait on uaddr. On success, it holds hb->lock and q
	 * is initialized.
	 */
	ret = futex_wait_setup(uaddr, val, flags, &q, &hb);
	if (ret)
		return ret;

	/* futex_queue and wait for wakeup, timeout, or a signal. */
	futex_wait_queue(hb, &q, to);

	/* If we were woken (and unqueued), we succeeded, whatever. */
	if (!futex_unqueue(&q))
		return 0;

	if (to && !to->task)
		return -ETIMEDOUT;

	/*
	 * We expect signal_pending(current), but we might be the
	 * victim of a spurious wakeup as well.
	 */
	if (!signal_pending(current))
		goto retry;

	return -ERESTARTSYS;
}

int futex_wait(u32 __user *uaddr, unsigned int flags, u32 val, ktime_t *abs_time, u32 bitset)
{
	struct hrtimer_sleeper timeout, *to;
	struct restart_block *restart;
	int ret;

	trace_android_vh_futex_wait_start(flags, bitset);
	to = futex_setup_timer(abs_time, &timeout, flags,
			       current->timer_slack_ns);

	ret = __futex_wait(uaddr, flags, val, to, bitset);

	/* No timeout, nothing to clean up. */
	if (!to) {
		trace_android_vh_futex_wait_end(flags, bitset);
		return ret;
	}

	hrtimer_cancel(&to->timer);
	destroy_hrtimer_on_stack(&to->timer);

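	/*
	 * If a signal interrupted the wait, stash the original parameters in
	 * a restart block so a restarted syscall resumes waiting with the
	 * same absolute deadline.
	 */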
	if (ret == -ERESTARTSYS) {
		restart = &current->restart_block;
		restart->futex.uaddr = uaddr;
		restart->futex.val = val;
		restart->futex.time = *abs_time;
		restart->futex.bitset = bitset;
		restart->futex.flags = flags | FLAGS_HAS_TIMEOUT;

		trace_android_vh_futex_wait_end(flags, bitset);
		return set_restart_fn(restart, futex_wait_restart);
	}

	trace_android_vh_futex_wait_end(flags, bitset);
	return ret;
}

static long futex_wait_restart(struct restart_block *restart)
{
	u32 __user *uaddr = restart->futex.uaddr;
	ktime_t t, *tp = NULL;

	if (restart->futex.flags & FLAGS_HAS_TIMEOUT) {
		t = restart->futex.time;
		tp = &t;
	}
	restart->fn = do_no_restart_syscall;

	return (long)futex_wait(uaddr, restart->futex.flags,
				restart->futex.val, tp, restart->futex.bitset);
}