/*
   *  Fast Userspace Mutexes (which I call "Futexes!").
   *  (C) Rusty Russell, IBM 2002
   *
   *  Generalized futexes, futex requeueing, misc fixes by Ingo Molnar
   *  (C) Copyright 2003 Red Hat Inc, All Rights Reserved
   *
   *  Removed page pinning, fix privately mapped COW pages and other cleanups
   *  (C) Copyright 2003, 2004 Jamie Lokier
   *

   *  Robust futex support started by Ingo Molnar
   *  (C) Copyright 2006 Red Hat Inc, All Rights Reserved
   *  Thanks to Thomas Gleixner for suggestions, analysis and fixes.
   *

   *  PI-futex support started by Ingo Molnar and Thomas Gleixner
   *  Copyright (C) 2006 Red Hat, Inc., Ingo Molnar <mingo@redhat.com>
   *  Copyright (C) 2006 Timesys Corp., Thomas Gleixner <tglx@timesys.com>
   *

   *  PRIVATE futexes by Eric Dumazet
   *  Copyright (C) 2007 Eric Dumazet <dada1@cosmosbay.com>
   *

   *  Requeue-PI support by Darren Hart <dvhltc@us.ibm.com>
   *  Copyright (C) IBM Corporation, 2009
   *  Thanks to Thomas Gleixner for conceptual design and careful reviews.
   *

   *  Thanks to Ben LaHaise for yelling "hashed waitqueues" loudly
   *  enough at me, Linus for the original (flawed) idea, Matthew
   *  Kirkwood for proof-of-concept implementation.
   *
   *  "The futexes are also cursed."
   *  "But they come in a choice of three flavours!"
   *
   *  This program is free software; you can redistribute it and/or modify
   *  it under the terms of the GNU General Public License as published by
   *  the Free Software Foundation; either version 2 of the License, or
   *  (at your option) any later version.
   *
   *  This program is distributed in the hope that it will be useful,
   *  but WITHOUT ANY WARRANTY; without even the implied warranty of
   *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   *  GNU General Public License for more details.
   *
   *  You should have received a copy of the GNU General Public License
   *  along with this program; if not, write to the Free Software
   *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   */
  #include <linux/slab.h>
  #include <linux/poll.h>
  #include <linux/fs.h>
  #include <linux/file.h>
  #include <linux/jhash.h>
  #include <linux/init.h>
  #include <linux/futex.h>
  #include <linux/mount.h>
  #include <linux/pagemap.h>
  #include <linux/syscalls.h>

  #include <linux/signal.h>

  #include <linux/module.h>

  #include <linux/magic.h>

  #include <linux/pid.h>
  #include <linux/nsproxy.h>

  #include <asm/futex.h>

  #include "rtmutex_common.h"

  int __read_mostly futex_cmpxchg_enabled;

  #define FUTEX_HASHBITS (CONFIG_BASE_SMALL ? 4 : 8)
  
  /*

   * Priority Inheritance state:
   */
  struct futex_pi_state {
  	/*
  	 * list of 'owned' pi_state instances - these have to be
  	 * cleaned up in do_exit() if the task exits prematurely:
  	 */
  	struct list_head list;
  
  	/*
  	 * The PI object:
  	 */
  	struct rt_mutex pi_mutex;
  
  	struct task_struct *owner;
  	atomic_t refcount;
  
  	union futex_key key;
  };

  /**
   * struct futex_q - The hashed futex queue entry, one per waiting task
   * @task:		the task waiting on the futex
   * @lock_ptr:		the hash bucket lock
   * @key:		the key the futex is hashed on
   * @pi_state:		optional priority inheritance state
   * @rt_waiter:		rt_waiter storage for use with requeue_pi
   * @requeue_pi_key:	the requeue_pi target futex key
   * @bitset:		bitset for the optional bitmasked wakeup
   *
   * We use this hashed waitqueue, instead of a normal wait_queue_t, so

   * we can wake only the relevant ones (hashed queues may be shared).
   *
   * A futex_q has a woken state, just like tasks have TASK_RUNNING.

   * It is considered woken when plist_node_empty(&q->list) || q->lock_ptr == 0.

   * The order of wakup is always to make the first condition true, then

   * the second.
   *
   * PI futexes are typically woken before they are removed from the hash list via
   * the rt_mutex code. See unqueue_me_pi().

   */
  struct futex_q {

  	struct plist_node list;

  	struct task_struct *task;

  	spinlock_t *lock_ptr;

  	union futex_key key;

  	struct futex_pi_state *pi_state;

  	struct rt_mutex_waiter *rt_waiter;

  	union futex_key *requeue_pi_key;

  	u32 bitset;

  };
  
  /*

   * Hash buckets are shared by all the futex_keys that hash to the same
   * location.  Each key may have multiple futex_q structures, one for each task
   * waiting on a futex.

   */
  struct futex_hash_bucket {

  	spinlock_t lock;
  	struct plist_head chain;

  };
  
  static struct futex_hash_bucket futex_queues[1<<FUTEX_HASHBITS];

  /*
   * We hash on the keys returned from get_futex_key (see below).
   */
  static struct futex_hash_bucket *hash_futex(union futex_key *key)
  {
  	u32 hash = jhash2((u32*)&key->both.word,
  			  (sizeof(key->both.word)+sizeof(key->both.ptr))/4,
  			  key->both.offset);
  	return &futex_queues[hash & ((1 << FUTEX_HASHBITS)-1)];
  }
  
  /*
   * Return 1 if two futex_keys are equal, 0 otherwise.
   */
  static inline int match_futex(union futex_key *key1, union futex_key *key2)
  {

  	return (key1 && key2
  		&& key1->both.word == key2->both.word

  		&& key1->both.ptr == key2->both.ptr
  		&& key1->both.offset == key2->both.offset);
  }

  /*
   * Take a reference to the resource addressed by a key.
   * Can be called while holding spinlocks.
   *
   */
  static void get_futex_key_refs(union futex_key *key)
  {
  	if (!key->both.ptr)
  		return;
  
  	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
  	case FUT_OFF_INODE:
  		atomic_inc(&key->shared.inode->i_count);
  		break;
  	case FUT_OFF_MMSHARED:
  		atomic_inc(&key->private.mm->mm_count);
  		break;
  	}
  }
  
  /*
   * Drop a reference to the resource addressed by a key.
   * The hash bucket spinlock must not be held.
   */
  static void drop_futex_key_refs(union futex_key *key)
  {

  	if (!key->both.ptr) {
  		/* If we're here then we tried to put a key we failed to get */
  		WARN_ON_ONCE(1);

  		return;

  	}

  
  	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
  	case FUT_OFF_INODE:
  		iput(key->shared.inode);
  		break;
  	case FUT_OFF_MMSHARED:
  		mmdrop(key->private.mm);
  		break;
  	}
  }

  /**

   * get_futex_key() - Get parameters which are the keys for a futex
   * @uaddr:	virtual address of the futex
   * @fshared:	0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
   * @key:	address where result is stored.

   *
   * Returns a negative error code or 0
   * The key words are stored in *key on success.

   *

   * For shared mappings, it's (page->index, vma->vm_file->f_path.dentry->d_inode,

   * offset_within_page).  For private mappings, it's (uaddr, current->mm).
   * We can usually work out the index without swapping in the page.
   *

   * lock_page() might sleep, the caller should not hold a spinlock.

   */

  static int

  get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)

  {

  	unsigned long address = (unsigned long)uaddr;

  	struct mm_struct *mm = current->mm;

  	struct page *page;
  	int err;
  
  	/*
  	 * The futex address must be "naturally" aligned.
  	 */

  	key->both.offset = address % PAGE_SIZE;

  	if (unlikely((address % sizeof(u32)) != 0))

  		return -EINVAL;

  	address -= key->both.offset;

  
  	/*

  	 * PROCESS_PRIVATE futexes are fast.
  	 * As the mm cannot disappear under us and the 'key' only needs
  	 * virtual address, we dont even have to find the underlying vma.
  	 * Note : We do have to check 'uaddr' is a valid user address,
  	 *        but access_ok() should be faster than find_vma()
  	 */
  	if (!fshared) {

  		if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))

  			return -EFAULT;
  		key->private.mm = mm;
  		key->private.address = address;

  		get_futex_key_refs(key);

  		return 0;
  	}

  again:

  	err = get_user_pages_fast(address, 1, 1, &page);

  	if (err < 0)
  		return err;

  	page = compound_head(page);

  	lock_page(page);
  	if (!page->mapping) {
  		unlock_page(page);
  		put_page(page);
  		goto again;
  	}

  
  	/*
  	 * Private mappings are handled in a simple way.
  	 *
  	 * NOTE: When userspace waits on a MAP_SHARED mapping, even if
  	 * it's a read-only handle, it's expected that futexes attach to

  	 * the object not the particular process.

  	 */

  	if (PageAnon(page)) {
  		key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */

  		key->private.mm = mm;

  		key->private.address = address;

  	} else {
  		key->both.offset |= FUT_OFF_INODE; /* inode-based key */
  		key->shared.inode = page->mapping->host;
  		key->shared.pgoff = page->index;

  	}

  	get_futex_key_refs(key);

  	unlock_page(page);
  	put_page(page);
  	return 0;

  }

  static inline

  void put_futex_key(int fshared, union futex_key *key)

  {

  	drop_futex_key_refs(key);

  }

  /**
   * fault_in_user_writeable() - Fault in user address and verify RW access

   * @uaddr:	pointer to faulting user space address
   *
   * Slow path to fixup the fault we just took in the atomic write
   * access to @uaddr.
   *
   * We have no generic implementation of a non destructive write to the
   * user address. We know that we faulted in the atomic pagefault
   * disabled section so we can as well avoid the #PF overhead by
   * calling get_user_pages() right away.
   */
  static int fault_in_user_writeable(u32 __user *uaddr)
  {

  	struct mm_struct *mm = current->mm;
  	int ret;
  
  	down_read(&mm->mmap_sem);
  	ret = get_user_pages(current, mm, (unsigned long)uaddr,
  			     1, 1, 0, NULL, NULL);
  	up_read(&mm->mmap_sem);

  	return ret < 0 ? ret : 0;
  }

  /**
   * futex_top_waiter() - Return the highest priority waiter on a futex

   * @hb:		the hash bucket the futex_q's reside in
   * @key:	the futex key (to distinguish it from other futex futex_q's)

   *
   * Must be called with the hb lock held.
   */
  static struct futex_q *futex_top_waiter(struct futex_hash_bucket *hb,
  					union futex_key *key)
  {
  	struct futex_q *this;
  
  	plist_for_each_entry(this, &hb->chain, list) {
  		if (match_futex(&this->key, key))
  			return this;
  	}
  	return NULL;
  }

  static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)
  {
  	u32 curval;
  
  	pagefault_disable();
  	curval = futex_atomic_cmpxchg_inatomic(uaddr, uval, newval);
  	pagefault_enable();
  
  	return curval;
  }
  
  static int get_futex_value_locked(u32 *dest, u32 __user *from)

  {
  	int ret;

  	pagefault_disable();

  	ret = __copy_from_user_inatomic(dest, from, sizeof(u32));

  	pagefault_enable();

  
  	return ret ? -EFAULT : 0;
  }

  
  /*
   * PI code:
   */
  static int refill_pi_state_cache(void)
  {
  	struct futex_pi_state *pi_state;
  
  	if (likely(current->pi_state_cache))
  		return 0;

  	pi_state = kzalloc(sizeof(*pi_state), GFP_KERNEL);

  
  	if (!pi_state)
  		return -ENOMEM;

  	INIT_LIST_HEAD(&pi_state->list);
  	/* pi_mutex gets initialized later */
  	pi_state->owner = NULL;
  	atomic_set(&pi_state->refcount, 1);

  	pi_state->key = FUTEX_KEY_INIT;

  
  	current->pi_state_cache = pi_state;
  
  	return 0;
  }
  
  static struct futex_pi_state * alloc_pi_state(void)
  {
  	struct futex_pi_state *pi_state = current->pi_state_cache;
  
  	WARN_ON(!pi_state);
  	current->pi_state_cache = NULL;
  
  	return pi_state;
  }
  
  static void free_pi_state(struct futex_pi_state *pi_state)
  {
  	if (!atomic_dec_and_test(&pi_state->refcount))
  		return;
  
  	/*
  	 * If pi_state->owner is NULL, the owner is most probably dying
  	 * and has cleaned up the pi_state already
  	 */
  	if (pi_state->owner) {

  		raw_spin_lock_irq(&pi_state->owner->pi_lock);

  		list_del_init(&pi_state->list);

  		raw_spin_unlock_irq(&pi_state->owner->pi_lock);

  
  		rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner);
  	}
  
  	if (current->pi_state_cache)
  		kfree(pi_state);
  	else {
  		/*
  		 * pi_state->list is already empty.
  		 * clear pi_state->owner.
  		 * refcount is at 0 - put it back to 1.
  		 */
  		pi_state->owner = NULL;
  		atomic_set(&pi_state->refcount, 1);
  		current->pi_state_cache = pi_state;
  	}
  }
  
  /*
   * Look up the task based on what TID userspace gave us.
   * We dont trust it.
   */
  static struct task_struct * futex_find_get_task(pid_t pid)
  {
  	struct task_struct *p;

  	rcu_read_lock();

  	p = find_task_by_vpid(pid);

  	if (p)
  		get_task_struct(p);

  	rcu_read_unlock();

  
  	return p;
  }
  
  /*
   * This task is holding PI mutexes at exit time => bad.
   * Kernel cleans up PI-state, but userspace is likely hosed.
   * (Robust-futex cleanup is separate and might save the day for userspace.)
   */
  void exit_pi_state_list(struct task_struct *curr)
  {

  	struct list_head *next, *head = &curr->pi_state_list;
  	struct futex_pi_state *pi_state;

  	struct futex_hash_bucket *hb;

  	union futex_key key = FUTEX_KEY_INIT;

  	if (!futex_cmpxchg_enabled)
  		return;

  	/*
  	 * We are a ZOMBIE and nobody can enqueue itself on
  	 * pi_state_list anymore, but we have to be careful

  	 * versus waiters unqueueing themselves:

  	 */

  	raw_spin_lock_irq(&curr->pi_lock);

  	while (!list_empty(head)) {
  
  		next = head->next;
  		pi_state = list_entry(next, struct futex_pi_state, list);
  		key = pi_state->key;

  		hb = hash_futex(&key);

  		raw_spin_unlock_irq(&curr->pi_lock);

  		spin_lock(&hb->lock);

  		raw_spin_lock_irq(&curr->pi_lock);

  		/*
  		 * We dropped the pi-lock, so re-check whether this
  		 * task still owns the PI-state:
  		 */

  		if (head->next != next) {
  			spin_unlock(&hb->lock);
  			continue;
  		}

  		WARN_ON(pi_state->owner != curr);

  		WARN_ON(list_empty(&pi_state->list));
  		list_del_init(&pi_state->list);

  		pi_state->owner = NULL;

  		raw_spin_unlock_irq(&curr->pi_lock);

  
  		rt_mutex_unlock(&pi_state->pi_mutex);
  
  		spin_unlock(&hb->lock);

  		raw_spin_lock_irq(&curr->pi_lock);

  	}

  	raw_spin_unlock_irq(&curr->pi_lock);

  }
  
  static int

  lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
  		union futex_key *key, struct futex_pi_state **ps)

  {
  	struct futex_pi_state *pi_state = NULL;
  	struct futex_q *this, *next;

  	struct plist_head *head;

  	struct task_struct *p;

  	pid_t pid = uval & FUTEX_TID_MASK;

  
  	head = &hb->chain;

  	plist_for_each_entry_safe(this, next, head, list) {

  		if (match_futex(&this->key, key)) {

  			/*
  			 * Another waiter already exists - bump up
  			 * the refcount and return its pi_state:
  			 */
  			pi_state = this->pi_state;

  			/*
  			 * Userspace might have messed up non PI and PI futexes
  			 */
  			if (unlikely(!pi_state))
  				return -EINVAL;

  			WARN_ON(!atomic_read(&pi_state->refcount));

  
  			/*
  			 * When pi_state->owner is NULL then the owner died
  			 * and another waiter is on the fly. pi_state->owner
  			 * is fixed up by the task which acquires
  			 * pi_state->rt_mutex.
  			 *
  			 * We do not check for pid == 0 which can happen when
  			 * the owner died and robust_list_exit() cleared the
  			 * TID.
  			 */
  			if (pid && pi_state->owner) {
  				/*
  				 * Bail out if user space manipulated the
  				 * futex value.
  				 */
  				if (pid != task_pid_vnr(pi_state->owner))
  					return -EINVAL;
  			}

  			atomic_inc(&pi_state->refcount);

  			*ps = pi_state;

  
  			return 0;
  		}
  	}
  
  	/*

  	 * We are the first waiter - try to look up the real owner and attach

  	 * the new pi_state to it, but bail out when TID = 0

  	 */

  	if (!pid)

  		return -ESRCH;

  	p = futex_find_get_task(pid);

  	if (!p)
  		return -ESRCH;

  
  	/*
  	 * We need to look at the task state flags to figure out,
  	 * whether the task is exiting. To protect against the do_exit
  	 * change of the task flags, we do this protected by
  	 * p->pi_lock:
  	 */

  	raw_spin_lock_irq(&p->pi_lock);

  	if (unlikely(p->flags & PF_EXITING)) {
  		/*
  		 * The task is on the way out. When PF_EXITPIDONE is
  		 * set, we know that the task has finished the
  		 * cleanup:
  		 */
  		int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;

  		raw_spin_unlock_irq(&p->pi_lock);

  		put_task_struct(p);
  		return ret;
  	}

  
  	pi_state = alloc_pi_state();
  
  	/*
  	 * Initialize the pi_mutex in locked state and make 'p'
  	 * the owner of it:
  	 */
  	rt_mutex_init_proxy_locked(&pi_state->pi_mutex, p);
  
  	/* Store the key for possible exit cleanups: */

  	pi_state->key = *key;

  	WARN_ON(!list_empty(&pi_state->list));

  	list_add(&pi_state->list, &p->pi_state_list);
  	pi_state->owner = p;

  	raw_spin_unlock_irq(&p->pi_lock);

  
  	put_task_struct(p);

  	*ps = pi_state;

  
  	return 0;
  }

  /**

   * futex_lock_pi_atomic() - Atomic work required to acquire a pi aware futex

   * @uaddr:		the pi futex user address
   * @hb:			the pi futex hash bucket
   * @key:		the futex key associated with uaddr and hb
   * @ps:			the pi_state pointer where we store the result of the
   *			lookup
   * @task:		the task to perform the atomic lock work for.  This will
   *			be "current" except in the case of requeue pi.
   * @set_waiters:	force setting the FUTEX_WAITERS bit (1) or not (0)

   *
   * Returns:
   *  0 - ready to wait
   *  1 - acquired the lock
   * <0 - error
   *
   * The hb->lock and futex_key refs shall be held by the caller.
   */
  static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
  				union futex_key *key,
  				struct futex_pi_state **ps,

  				struct task_struct *task, int set_waiters)

  {
  	int lock_taken, ret, ownerdied = 0;
  	u32 uval, newval, curval;
  
  retry:
  	ret = lock_taken = 0;
  
  	/*
  	 * To avoid races, we attempt to take the lock here again
  	 * (by doing a 0 -> TID atomic cmpxchg), while holding all
  	 * the locks. It will most likely not succeed.
  	 */
  	newval = task_pid_vnr(task);

  	if (set_waiters)
  		newval |= FUTEX_WAITERS;

  
  	curval = cmpxchg_futex_value_locked(uaddr, 0, newval);
  
  	if (unlikely(curval == -EFAULT))
  		return -EFAULT;
  
  	/*
  	 * Detect deadlocks.
  	 */
  	if ((unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(task))))
  		return -EDEADLK;
  
  	/*
  	 * Surprise - we got the lock. Just return to userspace:
  	 */
  	if (unlikely(!curval))
  		return 1;
  
  	uval = curval;
  
  	/*
  	 * Set the FUTEX_WAITERS flag, so the owner will know it has someone
  	 * to wake at the next unlock.
  	 */
  	newval = curval | FUTEX_WAITERS;
  
  	/*
  	 * There are two cases, where a futex might have no owner (the
  	 * owner TID is 0): OWNER_DIED. We take over the futex in this
  	 * case. We also do an unconditional take over, when the owner
  	 * of the futex died.
  	 *
  	 * This is safe as we are protected by the hash bucket lock !
  	 */
  	if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
  		/* Keep the OWNER_DIED bit */
  		newval = (curval & ~FUTEX_TID_MASK) | task_pid_vnr(task);
  		ownerdied = 0;
  		lock_taken = 1;
  	}
  
  	curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
  
  	if (unlikely(curval == -EFAULT))
  		return -EFAULT;
  	if (unlikely(curval != uval))
  		goto retry;
  
  	/*
  	 * We took the lock due to owner died take over.
  	 */
  	if (unlikely(lock_taken))
  		return 1;
  
  	/*
  	 * We dont have the lock. Look up the PI state (or create it if
  	 * we are the first waiter):
  	 */
  	ret = lookup_pi_state(uval, hb, key, ps);
  
  	if (unlikely(ret)) {
  		switch (ret) {
  		case -ESRCH:
  			/*
  			 * No owner found for this futex. Check if the
  			 * OWNER_DIED bit is set to figure out whether
  			 * this is a robust futex or not.
  			 */
  			if (get_futex_value_locked(&curval, uaddr))
  				return -EFAULT;
  
  			/*
  			 * We simply start over in case of a robust
  			 * futex. The code above will take the futex
  			 * and return happy.
  			 */
  			if (curval & FUTEX_OWNER_DIED) {
  				ownerdied = 1;
  				goto retry;
  			}
  		default:
  			break;
  		}
  	}
  
  	return ret;
  }

  /*

   * The hash bucket lock must be held when this is called.
   * Afterwards, the futex_q must not be accessed.
   */
  static void wake_futex(struct futex_q *q)
  {

  	struct task_struct *p = q->task;

  	/*

  	 * We set q->lock_ptr = NULL _before_ we wake up the task. If
  	 * a non futex wake up happens on another CPU then the task
  	 * might exit and p would dereference a non existing task
  	 * struct. Prevent this by holding a reference on p across the
  	 * wake up.

  	 */

  	get_task_struct(p);
  
  	plist_del(&q->list, &q->list.plist);

  	/*

  	 * The waiting task can free the futex_q as soon as
  	 * q->lock_ptr = NULL is written, without taking any locks. A
  	 * memory barrier is required here to prevent the following
  	 * store to lock_ptr from getting ahead of the plist_del.

  	 */

  	smp_wmb();

  	q->lock_ptr = NULL;

  
  	wake_up_state(p, TASK_NORMAL);
  	put_task_struct(p);

  }

  static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
  {
  	struct task_struct *new_owner;
  	struct futex_pi_state *pi_state = this->pi_state;
  	u32 curval, newval;
  
  	if (!pi_state)
  		return -EINVAL;

  	/*
  	 * If current does not own the pi_state then the futex is
  	 * inconsistent and user space fiddled with the futex value.
  	 */
  	if (pi_state->owner != current)
  		return -EINVAL;

  	raw_spin_lock(&pi_state->pi_mutex.wait_lock);

  	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
  
  	/*
  	 * This happens when we have stolen the lock and the original
  	 * pending owner did not enqueue itself back on the rt_mutex.
  	 * Thats not a tragedy. We know that way, that a lock waiter
  	 * is on the fly. We make the futex_q waiter the pending owner.
  	 */
  	if (!new_owner)
  		new_owner = this->task;
  
  	/*
  	 * We pass it to the next owner. (The WAITERS bit is always
  	 * kept enabled while there is PI state around. We must also
  	 * preserve the owner died bit.)
  	 */

  	if (!(uval & FUTEX_OWNER_DIED)) {

  		int ret = 0;

  		newval = FUTEX_WAITERS | task_pid_vnr(new_owner);

  		curval = cmpxchg_futex_value_locked(uaddr, uval, newval);

  		if (curval == -EFAULT)

  			ret = -EFAULT;

  		else if (curval != uval)

  			ret = -EINVAL;
  		if (ret) {

  			raw_spin_unlock(&pi_state->pi_mutex.wait_lock);

  			return ret;
  		}

  	}

  	raw_spin_lock_irq(&pi_state->owner->pi_lock);

  	WARN_ON(list_empty(&pi_state->list));
  	list_del_init(&pi_state->list);

  	raw_spin_unlock_irq(&pi_state->owner->pi_lock);

  	raw_spin_lock_irq(&new_owner->pi_lock);

  	WARN_ON(!list_empty(&pi_state->list));

  	list_add(&pi_state->list, &new_owner->pi_state_list);
  	pi_state->owner = new_owner;

  	raw_spin_unlock_irq(&new_owner->pi_lock);

  	raw_spin_unlock(&pi_state->pi_mutex.wait_lock);

  	rt_mutex_unlock(&pi_state->pi_mutex);
  
  	return 0;
  }
  
  static int unlock_futex_pi(u32 __user *uaddr, u32 uval)
  {
  	u32 oldval;
  
  	/*
  	 * There is no waiter, so we unlock the futex. The owner died
  	 * bit has not to be preserved here. We are the owner:
  	 */

  	oldval = cmpxchg_futex_value_locked(uaddr, uval, 0);

  
  	if (oldval == -EFAULT)
  		return oldval;
  	if (oldval != uval)
  		return -EAGAIN;
  
  	return 0;
  }

  /*

   * Express the locking dependencies for lockdep:
   */
  static inline void
  double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
  {
  	if (hb1 <= hb2) {
  		spin_lock(&hb1->lock);
  		if (hb1 < hb2)
  			spin_lock_nested(&hb2->lock, SINGLE_DEPTH_NESTING);
  	} else { /* hb1 > hb2 */
  		spin_lock(&hb2->lock);
  		spin_lock_nested(&hb1->lock, SINGLE_DEPTH_NESTING);
  	}
  }

  static inline void
  double_unlock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
  {

  	spin_unlock(&hb1->lock);

  	if (hb1 != hb2)
  		spin_unlock(&hb2->lock);

  }

  /*

   * Wake up waiters matching bitset queued on this futex (uaddr).

   */

  static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)

  {

  	struct futex_hash_bucket *hb;

  	struct futex_q *this, *next;

  	struct plist_head *head;

  	union futex_key key = FUTEX_KEY_INIT;

  	int ret;

  	if (!bitset)
  		return -EINVAL;

  	ret = get_futex_key(uaddr, fshared, &key);

  	if (unlikely(ret != 0))
  		goto out;

  	hb = hash_futex(&key);
  	spin_lock(&hb->lock);
  	head = &hb->chain;

  	plist_for_each_entry_safe(this, next, head, list) {

  		if (match_futex (&this->key, &key)) {

  			if (this->pi_state || this->rt_waiter) {

  				ret = -EINVAL;
  				break;
  			}

  
  			/* Check if one of the bits is set in both bitsets */
  			if (!(this->bitset & bitset))
  				continue;

  			wake_futex(this);
  			if (++ret >= nr_wake)
  				break;
  		}
  	}

  	spin_unlock(&hb->lock);

  	put_futex_key(fshared, &key);

  out:

  	return ret;
  }
  
  /*

   * Wake up all waiters hashed on the physical page that is mapped
   * to this virtual address:
   */

  static int

  futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,

  	      int nr_wake, int nr_wake2, int op)

  {

  	union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;

  	struct futex_hash_bucket *hb1, *hb2;

  	struct plist_head *head;

  	struct futex_q *this, *next;

  	int ret, op_ret;

  retry:

  	ret = get_futex_key(uaddr1, fshared, &key1);

  	if (unlikely(ret != 0))
  		goto out;

  	ret = get_futex_key(uaddr2, fshared, &key2);

  	if (unlikely(ret != 0))

  		goto out_put_key1;

  	hb1 = hash_futex(&key1);
  	hb2 = hash_futex(&key2);

  retry_private:

  	double_lock_hb(hb1, hb2);

  	op_ret = futex_atomic_op_inuser(op, uaddr2);

  	if (unlikely(op_ret < 0)) {

  		double_unlock_hb(hb1, hb2);

  #ifndef CONFIG_MMU

  		/*
  		 * we don't get EFAULT from MMU faults if we don't have an MMU,
  		 * but we might get them from range checking
  		 */

  		ret = op_ret;

  		goto out_put_keys;

  #endif

  		if (unlikely(op_ret != -EFAULT)) {
  			ret = op_ret;

  			goto out_put_keys;

  		}

  		ret = fault_in_user_writeable(uaddr2);

  		if (ret)

  			goto out_put_keys;

  		if (!fshared)
  			goto retry_private;

  		put_futex_key(fshared, &key2);
  		put_futex_key(fshared, &key1);

  		goto retry;

  	}

  	head = &hb1->chain;

  	plist_for_each_entry_safe(this, next, head, list) {

  		if (match_futex (&this->key, &key1)) {
  			wake_futex(this);
  			if (++ret >= nr_wake)
  				break;
  		}
  	}
  
  	if (op_ret > 0) {

  		head = &hb2->chain;

  
  		op_ret = 0;

  		plist_for_each_entry_safe(this, next, head, list) {

  			if (match_futex (&this->key, &key2)) {
  				wake_futex(this);
  				if (++op_ret >= nr_wake2)
  					break;
  			}
  		}
  		ret += op_ret;
  	}

  	double_unlock_hb(hb1, hb2);

  out_put_keys:

  	put_futex_key(fshared, &key2);

  out_put_key1:

  	put_futex_key(fshared, &key1);

  out:

  	return ret;
  }

  /**
   * requeue_futex() - Requeue a futex_q from one hb to another
   * @q:		the futex_q to requeue
   * @hb1:	the source hash_bucket
   * @hb2:	the target hash_bucket
   * @key2:	the new key for the requeued futex_q
   */
  static inline
  void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,
  		   struct futex_hash_bucket *hb2, union futex_key *key2)
  {
  
  	/*
  	 * If key1 and key2 hash to the same bucket, no need to
  	 * requeue.
  	 */
  	if (likely(&hb1->chain != &hb2->chain)) {
  		plist_del(&q->list, &hb1->chain);
  		plist_add(&q->list, &hb2->chain);
  		q->lock_ptr = &hb2->lock;
  #ifdef CONFIG_DEBUG_PI_LIST

  		q->list.plist.spinlock = &hb2->lock;

  #endif
  	}
  	get_futex_key_refs(key2);
  	q->key = *key2;
  }

  /**
   * requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue

   * @q:		the futex_q
   * @key:	the key of the requeue target futex
   * @hb:		the hash_bucket of the requeue target futex

   *
   * During futex_requeue, with requeue_pi=1, it is possible to acquire the
   * target futex if it is uncontended or via a lock steal.  Set the futex_q key
   * to the requeue target futex so the waiter can detect the wakeup on the right
   * futex, but remove it from the hb and NULL the rt_waiter so it can detect

   * atomic lock acquisition.  Set the q->lock_ptr to the requeue target hb->lock
   * to protect access to the pi_state to fixup the owner later.  Must be called
   * with both q->lock_ptr and hb->lock held.

   */
  static inline

  void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
  			   struct futex_hash_bucket *hb)

  {

  	get_futex_key_refs(key);
  	q->key = *key;
  
  	WARN_ON(plist_node_empty(&q->list));
  	plist_del(&q->list, &q->list.plist);
  
  	WARN_ON(!q->rt_waiter);
  	q->rt_waiter = NULL;

  	q->lock_ptr = &hb->lock;
  #ifdef CONFIG_DEBUG_PI_LIST

  	q->list.plist.spinlock = &hb->lock;

  #endif

  	wake_up_state(q->task, TASK_NORMAL);

  }
  
  /**
   * futex_proxy_trylock_atomic() - Attempt an atomic lock for the top waiter

   * @pifutex:		the user address of the to futex
   * @hb1:		the from futex hash bucket, must be locked by the caller
   * @hb2:		the to futex hash bucket, must be locked by the caller
   * @key1:		the from futex key
   * @key2:		the to futex key
   * @ps:			address to store the pi_state pointer
   * @set_waiters:	force setting the FUTEX_WAITERS bit (1) or not (0)

   *
   * Try and get the lock on behalf of the top waiter if we can do it atomically.

   * Wake the top waiter if we succeed.  If the caller specified set_waiters,
   * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit.
   * hb1 and hb2 must be held by the caller.

   *
   * Returns:
   *  0 - failed to acquire the lock atomicly
   *  1 - acquired the lock
   * <0 - error
   */
  static int futex_proxy_trylock_atomic(u32 __user *pifutex,
  				 struct futex_hash_bucket *hb1,
  				 struct futex_hash_bucket *hb2,
  				 union futex_key *key1, union futex_key *key2,

  				 struct futex_pi_state **ps, int set_waiters)

  {

  	struct futex_q *top_waiter = NULL;

  	u32 curval;
  	int ret;
  
  	if (get_futex_value_locked(&curval, pifutex))
  		return -EFAULT;

  	/*
  	 * Find the top_waiter and determine if there are additional waiters.
  	 * If the caller intends to requeue more than 1 waiter to pifutex,
  	 * force futex_lock_pi_atomic() to set the FUTEX_WAITERS bit now,
  	 * as we have means to handle the possible fault.  If not, don't set
  	 * the bit unecessarily as it will force the subsequent unlock to enter
  	 * the kernel.
  	 */

  	top_waiter = futex_top_waiter(hb1, key1);
  
  	/* There are no waiters, nothing for us to do. */
  	if (!top_waiter)
  		return 0;

  	/* Ensure we requeue to the expected futex. */
  	if (!match_futex(top_waiter->requeue_pi_key, key2))
  		return -EINVAL;

  	/*

  	 * Try to take the lock for top_waiter.  Set the FUTEX_WAITERS bit in
  	 * the contended case or if set_waiters is 1.  The pi_state is returned
  	 * in ps in contended cases.

  	 */

  	ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
  				   set_waiters);

  	if (ret == 1)

  		requeue_pi_wake_futex(top_waiter, key2, hb2);

  
  	return ret;
  }
  
  /**
   * futex_requeue() - Requeue waiters from uaddr1 to uaddr2
   * uaddr1:	source futex user address
   * uaddr2:	target futex user address
   * nr_wake:	number of waiters to wake (must be 1 for requeue_pi)
   * nr_requeue:	number of waiters to requeue (0-INT_MAX)
   * requeue_pi:	if we are attempting to requeue from a non-pi futex to a
   * 		pi futex (pi to pi requeue is not supported)
   *
   * Requeue waiters on uaddr1 to uaddr2. In the requeue_pi case, try to acquire
   * uaddr2 atomically on behalf of the top waiter.
   *
   * Returns:
   * >=0 - on success, the number of tasks requeued or woken
   *  <0 - on error

   */

  static int futex_requeue(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,

  			 int nr_wake, int nr_requeue, u32 *cmpval,
  			 int requeue_pi)

  {

  	union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;

  	int drop_count = 0, task_count = 0, ret;
  	struct futex_pi_state *pi_state = NULL;

  	struct futex_hash_bucket *hb1, *hb2;

  	struct plist_head *head1;

  	struct futex_q *this, *next;

  	u32 curval2;
  
  	if (requeue_pi) {
  		/*
  		 * requeue_pi requires a pi_state, try to allocate it now
  		 * without any locks in case it fails.
  		 */
  		if (refill_pi_state_cache())
  			return -ENOMEM;
  		/*
  		 * requeue_pi must wake as many tasks as it can, up to nr_wake
  		 * + nr_requeue, since it acquires the rt_mutex prior to
  		 * returning to userspace, so as to not leave the rt_mutex with
  		 * waiters and no owner.  However, second and third wake-ups
  		 * cannot be predicted as they involve race conditions with the
  		 * first wake and a fault while looking up the pi_state.  Both
  		 * pthread_cond_signal() and pthread_cond_broadcast() should
  		 * use nr_wake=1.
  		 */
  		if (nr_wake != 1)
  			return -EINVAL;
  	}

  retry:

  	if (pi_state != NULL) {
  		/*
  		 * We will have to lookup the pi_state again, so free this one
  		 * to keep the accounting correct.
  		 */
  		free_pi_state(pi_state);
  		pi_state = NULL;
  	}

  	ret = get_futex_key(uaddr1, fshared, &key1);

  	if (unlikely(ret != 0))
  		goto out;

  	ret = get_futex_key(uaddr2, fshared, &key2);

  	if (unlikely(ret != 0))

  		goto out_put_key1;

  	hb1 = hash_futex(&key1);
  	hb2 = hash_futex(&key2);

  retry_private:

  	double_lock_hb(hb1, hb2);

  	if (likely(cmpval != NULL)) {
  		u32 curval;

  		ret = get_futex_value_locked(&curval, uaddr1);

  
  		if (unlikely(ret)) {

  			double_unlock_hb(hb1, hb2);

  			ret = get_user(curval, uaddr1);

  			if (ret)
  				goto out_put_keys;

  			if (!fshared)
  				goto retry_private;

  			put_futex_key(fshared, &key2);
  			put_futex_key(fshared, &key1);
  			goto retry;

  		}

  		if (curval != *cmpval) {

  			ret = -EAGAIN;
  			goto out_unlock;
  		}
  	}

  	if (requeue_pi && (task_count - nr_wake < nr_requeue)) {

  		/*
  		 * Attempt to acquire uaddr2 and wake the top waiter. If we
  		 * intend to requeue waiters, force setting the FUTEX_WAITERS
  		 * bit.  We force this here where we are able to easily handle
  		 * faults rather in the requeue loop below.
  		 */

  		ret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1,

  						 &key2, &pi_state, nr_requeue);

  
  		/*
  		 * At this point the top_waiter has either taken uaddr2 or is
  		 * waiting on it.  If the former, then the pi_state will not
  		 * exist yet, look it up one more time to ensure we have a
  		 * reference to it.
  		 */
  		if (ret == 1) {
  			WARN_ON(pi_state);

  			drop_count++;

  			task_count++;
  			ret = get_futex_value_locked(&curval2, uaddr2);
  			if (!ret)
  				ret = lookup_pi_state(curval2, hb2, &key2,
  						      &pi_state);
  		}
  
  		switch (ret) {
  		case 0:
  			break;
  		case -EFAULT:
  			double_unlock_hb(hb1, hb2);
  			put_futex_key(fshared, &key2);
  			put_futex_key(fshared, &key1);

  			ret = fault_in_user_writeable(uaddr2);

  			if (!ret)
  				goto retry;
  			goto out;
  		case -EAGAIN:
  			/* The owner was exiting, try again. */
  			double_unlock_hb(hb1, hb2);
  			put_futex_key(fshared, &key2);
  			put_futex_key(fshared, &key1);
  			cond_resched();
  			goto retry;
  		default:
  			goto out_unlock;
  		}
  	}

  	head1 = &hb1->chain;

  	plist_for_each_entry_safe(this, next, head1, list) {

  		if (task_count - nr_wake >= nr_requeue)
  			break;
  
  		if (!match_futex(&this->key, &key1))

  			continue;

  		/*
  		 * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
  		 * be paired with each other and no other futex ops.
  		 */
  		if ((requeue_pi && !this->rt_waiter) ||
  		    (!requeue_pi && this->rt_waiter)) {
  			ret = -EINVAL;
  			break;
  		}

  
  		/*
  		 * Wake nr_wake waiters.  For requeue_pi, if we acquired the
  		 * lock, we already woke the top_waiter.  If not, it will be
  		 * woken by futex_unlock_pi().
  		 */
  		if (++task_count <= nr_wake && !requeue_pi) {

  			wake_futex(this);

  			continue;
  		}

  		/* Ensure we requeue to the expected futex for requeue_pi. */
  		if (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) {
  			ret = -EINVAL;
  			break;
  		}

  		/*
  		 * Requeue nr_requeue waiters and possibly one more in the case
  		 * of requeue_pi if we couldn't acquire the lock atomically.
  		 */
  		if (requeue_pi) {
  			/* Prepare the waiter to take the rt_mutex. */
  			atomic_inc(&pi_state->refcount);
  			this->pi_state = pi_state;
  			ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
  							this->rt_waiter,
  							this->task, 1);
  			if (ret == 1) {
  				/* We got the lock. */

  				requeue_pi_wake_futex(this, &key2, hb2);

  				drop_count++;

  				continue;
  			} else if (ret) {
  				/* -EDEADLK */
  				this->pi_state = NULL;
  				free_pi_state(pi_state);
  				goto out_unlock;
  			}

  		}

  		requeue_futex(this, hb1, hb2, &key2);
  		drop_count++;

  	}
  
  out_unlock:

  	double_unlock_hb(hb1, hb2);

  	/*
  	 * drop_futex_key_refs() must be called outside the spinlocks. During
  	 * the requeue we moved futex_q's from the hash bucket at key1 to the
  	 * one at key2 and updated their key pointer.  We no longer need to
  	 * hold the references to key1.
  	 */

  	while (--drop_count >= 0)

  		drop_futex_key_refs(&key1);

  out_put_keys:

  	put_futex_key(fshared, &key2);

  out_put_key1:

  	put_futex_key(fshared, &key1);

  out:

  	if (pi_state != NULL)
  		free_pi_state(pi_state);
  	return ret ? ret : task_count;

  }
  
  /* The key must be already stored in q->key. */

  static inline struct futex_hash_bucket *queue_lock(struct futex_q *q)

  {

  	struct futex_hash_bucket *hb;

  	get_futex_key_refs(&q->key);

  	hb = hash_futex(&q->key);
  	q->lock_ptr = &hb->lock;

  	spin_lock(&hb->lock);
  	return hb;

  }

  static inline void
  queue_unlock(struct futex_q *q, struct futex_hash_bucket *hb)
  {
  	spin_unlock(&hb->lock);
  	drop_futex_key_refs(&q->key);
  }
  
  /**
   * queue_me() - Enqueue the futex_q on the futex_hash_bucket
   * @q:	The futex_q to enqueue
   * @hb:	The destination hash bucket
   *
   * The hb->lock must be held by the caller, and is released here. A call to
   * queue_me() is typically paired with exactly one call to unqueue_me().  The
   * exceptions involve the PI related operations, which may use unqueue_me_pi()
   * or nothing if the unqueue is done as part of the wake process and the unqueue
   * state is implicit in the state of woken task (see futex_wait_requeue_pi() for
   * an example).
   */

  static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)

  {

  	int prio;
  
  	/*
  	 * The priority used to register this element is
  	 * - either the real thread-priority for the real-time threads
  	 * (i.e. threads with a priority lower than MAX_RT_PRIO)
  	 * - or MAX_RT_PRIO for non-RT threads.
  	 * Thus, all RT-threads are woken first in priority order, and
  	 * the others are woken last, in FIFO order.
  	 */
  	prio = min(current->normal_prio, MAX_RT_PRIO);
  
  	plist_node_init(&q->list, prio);
  #ifdef CONFIG_DEBUG_PI_LIST

  	q->list.plist.spinlock = &hb->lock;

  #endif
  	plist_add(&q->list, &hb->chain);

  	q->task = current;

  	spin_unlock(&hb->lock);

  }

  /**
   * unqueue_me() - Remove the futex_q from its futex_hash_bucket
   * @q:	The futex_q to unqueue
   *
   * The q->lock_ptr must not be held by the caller. A call to unqueue_me() must
   * be paired with exactly one earlier call to queue_me().
   *
   * Returns:
   *   1 - if the futex_q was still queued (and we removed unqueued it)
   *   0 - if the futex_q was already removed by the waking thread

   */

  static int unqueue_me(struct futex_q *q)
  {

  	spinlock_t *lock_ptr;

  	int ret = 0;

  
  	/* In the common case we don't take the spinlock, which is nice. */

  retry:

  	lock_ptr = q->lock_ptr;

  	barrier();

  	if (lock_ptr != NULL) {

  		spin_lock(lock_ptr);
  		/*
  		 * q->lock_ptr can change between reading it and
  		 * spin_lock(), causing us to take the wrong lock.  This
  		 * corrects the race condition.
  		 *
  		 * Reasoning goes like this: if we have the wrong lock,
  		 * q->lock_ptr must have changed (maybe several times)
  		 * between reading it and the spin_lock().  It can
  		 * change again after the spin_lock() but only if it was
  		 * already changed before the spin_lock().  It cannot,
  		 * however, change back to the original value.  Therefore
  		 * we can detect whether we acquired the correct lock.
  		 */
  		if (unlikely(lock_ptr != q->lock_ptr)) {
  			spin_unlock(lock_ptr);
  			goto retry;
  		}

  		WARN_ON(plist_node_empty(&q->list));
  		plist_del(&q->list, &q->list.plist);

  
  		BUG_ON(q->pi_state);

  		spin_unlock(lock_ptr);
  		ret = 1;
  	}

  	drop_futex_key_refs(&q->key);

  	return ret;
  }

  /*
   * PI futexes can not be requeued and must remove themself from the

   * hash bucket. The hash bucket lock (i.e. lock_ptr) is held on entry
   * and dropped here.

   */

  static void unqueue_me_pi(struct futex_q *q)

  {

  	WARN_ON(plist_node_empty(&q->list));
  	plist_del(&q->list, &q->list.plist);

  
  	BUG_ON(!q->pi_state);
  	free_pi_state(q->pi_state);
  	q->pi_state = NULL;

  	spin_unlock(q->lock_ptr);

  	drop_futex_key_refs(&q->key);

  }

  /*

   * Fixup the pi_state owner with the new owner.

   *

   * Must be called with hash bucket lock held and mm->sem held for non
   * private futexes.

   */

  static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,

  				struct task_struct *newowner, int fshared)

  {

  	u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;

  	struct futex_pi_state *pi_state = q->pi_state;

  	struct task_struct *oldowner = pi_state->owner;

  	u32 uval, curval, newval;

  	int ret;

  
  	/* Owner died? */

  	if (!pi_state->owner)
  		newtid |= FUTEX_OWNER_DIED;
  
  	/*
  	 * We are here either because we stole the rtmutex from the
  	 * pending owner or we are the pending owner which failed to
  	 * get the rtmutex. We have to replace the pending owner TID
  	 * in the user space variable. This must be atomic as we have
  	 * to preserve the owner died bit here.
  	 *

  	 * Note: We write the user space value _before_ changing the pi_state
  	 * because we can fault here. Imagine swapped out pages or a fork
  	 * that marked all the anonymous memory readonly for cow.

  	 *
  	 * Modifying pi_state _before_ the user space value would
  	 * leave the pi_state in an inconsistent state when we fault
  	 * here, because we need to drop the hash bucket lock to
  	 * handle the fault. This might be observed in the PID check
  	 * in lookup_pi_state.
  	 */
  retry:
  	if (get_futex_value_locked(&uval, uaddr))
  		goto handle_fault;
  
  	while (1) {
  		newval = (uval & FUTEX_OWNER_DIED) | newtid;
  
  		curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
  
  		if (curval == -EFAULT)
  			goto handle_fault;
  		if (curval == uval)
  			break;
  		uval = curval;
  	}
  
  	/*
  	 * We fixed up user space. Now we need to fix the pi_state
  	 * itself.
  	 */

  	if (pi_state->owner != NULL) {

  		raw_spin_lock_irq(&pi_state->owner->pi_lock);

  		WARN_ON(list_empty(&pi_state->list));
  		list_del_init(&pi_state->list);

  		raw_spin_unlock_irq(&pi_state->owner->pi_lock);

  	}

  	pi_state->owner = newowner;

  	raw_spin_lock_irq(&newowner->pi_lock);

  	WARN_ON(!list_empty(&pi_state->list));

  	list_add(&pi_state->list, &newowner->pi_state_list);

  	raw_spin_unlock_irq(&newowner->pi_lock);

  	return 0;

  	/*

  	 * To handle the page fault we need to drop the hash bucket
  	 * lock here. That gives the other task (either the pending
  	 * owner itself or the task which stole the rtmutex) the
  	 * chance to try the fixup of the pi_state. So once we are
  	 * back from handling the fault we need to check the pi_state
  	 * after reacquiring the hash bucket lock and before trying to
  	 * do another fixup. When the fixup has been done already we
  	 * simply return.

  	 */

  handle_fault:
  	spin_unlock(q->lock_ptr);

  	ret = fault_in_user_writeable(uaddr);

  	spin_lock(q->lock_ptr);

  	/*
  	 * Check if someone else fixed it for us:
  	 */
  	if (pi_state->owner != oldowner)
  		return 0;
  
  	if (ret)
  		return ret;
  
  	goto retry;

  }

  /*
   * In case we must use restart_block to restart a futex_wait,

   * we encode in the 'flags' shared capability

   */

  #define FLAGS_SHARED		0x01
  #define FLAGS_CLOCKRT		0x02

  #define FLAGS_HAS_TIMEOUT	0x04

  static long futex_wait_restart(struct restart_block *restart);

  /**

   * fixup_owner() - Post lock pi_state and corner case management
   * @uaddr:	user address of the futex
   * @fshared:	whether the futex is shared (1) or not (0)
   * @q:		futex_q (contains pi_state and access to the rt_mutex)
   * @locked:	if the attempt to take the rt_mutex succeeded (1) or not (0)
   *
   * After attempting to lock an rt_mutex, this function is called to cleanup
   * the pi_state owner as well as handle race conditions that may allow us to
   * acquire the lock. Must be called with the hb lock held.
   *
   * Returns:
   *  1 - success, lock taken
   *  0 - success, lock not taken
   * <0 - on error (-EFAULT)
   */
  static int fixup_owner(u32 __user *uaddr, int fshared, struct futex_q *q,
  		       int locked)
  {
  	struct task_struct *owner;
  	int ret = 0;
  
  	if (locked) {
  		/*
  		 * Got the lock. We might not be the anticipated owner if we
  		 * did a lock-steal - fix up the PI-state in that case:
  		 */
  		if (q->pi_state->owner != current)
  			ret = fixup_pi_state_owner(uaddr, q, current, fshared);
  		goto out;
  	}
  
  	/*
  	 * Catch the rare case, where the lock was released when we were on the
  	 * way back before we locked the hash bucket.
  	 */
  	if (q->pi_state->owner == current) {
  		/*
  		 * Try to get the rt_mutex now. This might fail as some other
  		 * task acquired the rt_mutex after we removed ourself from the
  		 * rt_mutex waiters list.
  		 */
  		if (rt_mutex_trylock(&q->pi_state->pi_mutex)) {
  			locked = 1;
  			goto out;
  		}
  
  		/*
  		 * pi_state is incorrect, some other task did a lock steal and
  		 * we returned due to timeout or signal without taking the
  		 * rt_mutex. Too late. We can access the rt_mutex_owner without
  		 * locking, as the other task is now blocked on the hash bucket
  		 * lock. Fix the state up.
  		 */
  		owner = rt_mutex_owner(&q->pi_state->pi_mutex);
  		ret = fixup_pi_state_owner(uaddr, q, owner, fshared);
  		goto out;
  	}
  
  	/*
  	 * Paranoia check. If we did not take the lock, then we should not be
  	 * the owner, nor the pending owner, of the rt_mutex.
  	 */
  	if (rt_mutex_owner(&q->pi_state->pi_mutex) == current)
  		printk(KERN_ERR "fixup_owner: ret = %d pi-mutex: %p "
  				"pi-state %p
  ", ret,
  				q->pi_state->pi_mutex.owner,
  				q->pi_state->owner);
  
  out:
  	return ret ? ret : locked;
  }
  
  /**

   * futex_wait_queue_me() - queue_me() and wait for wakeup, timeout, or signal
   * @hb:		the futex hash bucket, must be locked by the caller
   * @q:		the futex_q to queue up on
   * @timeout:	the prepared hrtimer_sleeper, or null for no timeout

   */
  static void futex_wait_queue_me(struct futex_hash_bucket *hb, struct futex_q *q,

  				struct hrtimer_sleeper *timeout)

  {

  	/*
  	 * The task state is guaranteed to be set before another task can
  	 * wake it. set_current_state() is implemented using set_mb() and
  	 * queue_me() calls spin_unlock() upon completion, both serializing
  	 * access to the hash list and forcing another memory barrier.
  	 */

  	set_current_state(TASK_INTERRUPTIBLE);

  	queue_me(q, hb);

  
  	/* Arm the timer */
  	if (timeout) {
  		hrtimer_start_expires(&timeout->timer, HRTIMER_MODE_ABS);
  		if (!hrtimer_active(&timeout->timer))
  			timeout->task = NULL;
  	}
  
  	/*

  	 * If we have been removed from the hash list, then another task
  	 * has tried to wake us, and we can skip the call to schedule().

  	 */
  	if (likely(!plist_node_empty(&q->list))) {
  		/*
  		 * If the timer has already expired, current will already be
  		 * flagged for rescheduling. Only call schedule if there
  		 * is no timeout, or if it has yet to expire.
  		 */
  		if (!timeout || timeout->task)
  			schedule();
  	}
  	__set_current_state(TASK_RUNNING);
  }

  /**
   * futex_wait_setup() - Prepare to wait on a futex
   * @uaddr:	the futex userspace address
   * @val:	the expected value
   * @fshared:	whether the futex is shared (1) or not (0)
   * @q:		the associated futex_q
   * @hb:		storage for hash_bucket pointer to be returned to caller
   *
   * Setup the futex_q and locate the hash_bucket.  Get the futex value and
   * compare it with the expected value.  Handle atomic faults internally.
   * Return with the hb lock held and a q.key reference on success, and unlocked
   * with no q.key reference on failure.
   *
   * Returns:
   *  0 - uaddr contains val and hb has been locked
   * <1 - -EFAULT or -EWOULDBLOCK (uaddr does not contain val) and hb is unlcoked
   */
  static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,
  			   struct futex_q *q, struct futex_hash_bucket **hb)

  {

  	u32 uval;
  	int ret;

  	/*

  	 * Access the page AFTER the hash-bucket is locked.

  	 * Order is important:
  	 *
  	 *   Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);
  	 *   Userspace waker:  if (cond(var)) { var = new; futex_wake(&var); }
  	 *
  	 * The basic logical guarantee of a futex is that it blocks ONLY
  	 * if cond(var) is known to be true at the time of blocking, for
  	 * any cond.  If we queued after testing *uaddr, that would open
  	 * a race condition where we could block indefinitely with
  	 * cond(var) false, which would violate the guarantee.
  	 *
  	 * A consequence is that futex_wait() can return zero and absorb
  	 * a wakeup when *uaddr != val on entry to the syscall.  This is
  	 * rare, but normal.

  	 */

  retry:
  	q->key = FUTEX_KEY_INIT;

  	ret = get_futex_key(uaddr, fshared, &q->key);

  	if (unlikely(ret != 0))

  		return ret;

  
  retry_private:
  	*hb = queue_lock(q);

  	ret = get_futex_value_locked(&uval, uaddr);

  	if (ret) {
  		queue_unlock(q, *hb);

  		ret = get_user(uval, uaddr);

  		if (ret)

  			goto out;

  		if (!fshared)
  			goto retry_private;

  		put_futex_key(fshared, &q->key);

  		goto retry;

  	}

  	if (uval != val) {
  		queue_unlock(q, *hb);
  		ret = -EWOULDBLOCK;

  	}

  out:
  	if (ret)
  		put_futex_key(fshared, &q->key);
  	return ret;
  }
  
  static int futex_wait(u32 __user *uaddr, int fshared,
  		      u32 val, ktime_t *abs_time, u32 bitset, int clockrt)
  {
  	struct hrtimer_sleeper timeout, *to = NULL;

  	struct restart_block *restart;
  	struct futex_hash_bucket *hb;
  	struct futex_q q;
  	int ret;
  
  	if (!bitset)
  		return -EINVAL;
  
  	q.pi_state = NULL;
  	q.bitset = bitset;

  	q.rt_waiter = NULL;

  	q.requeue_pi_key = NULL;

  
  	if (abs_time) {
  		to = &timeout;
  
  		hrtimer_init_on_stack(&to->timer, clockrt ? CLOCK_REALTIME :
  				      CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
  		hrtimer_init_sleeper(to, current);
  		hrtimer_set_expires_range_ns(&to->timer, *abs_time,
  					     current->timer_slack_ns);
  	}

  retry:

  	/* Prepare to wait on uaddr. */
  	ret = futex_wait_setup(uaddr, val, fshared, &q, &hb);
  	if (ret)
  		goto out;

  	/* queue_me and wait for wakeup, timeout, or a signal. */

  	futex_wait_queue_me(hb, &q, to);

  
  	/* If we were woken (and unqueued), we succeeded, whatever. */

  	ret = 0;

  	if (!unqueue_me(&q))

  		goto out_put_key;
  	ret = -ETIMEDOUT;

  	if (to && !to->task)

  		goto out_put_key;

  	/*

  	 * We expect signal_pending(current), but we might be the
  	 * victim of a spurious wakeup as well.

  	 */

  	if (!signal_pending(current)) {
  		put_futex_key(fshared, &q.key);
  		goto retry;
  	}

  	ret = -ERESTARTSYS;

  	if (!abs_time)

  		goto out_put_key;

  	restart = &current_thread_info()->restart_block;
  	restart->fn = futex_wait_restart;
  	restart->futex.uaddr = (u32 *)uaddr;
  	restart->futex.val = val;
  	restart->futex.time = abs_time->tv64;
  	restart->futex.bitset = bitset;

  	restart->futex.flags = FLAGS_HAS_TIMEOUT;

  
  	if (fshared)
  		restart->futex.flags |= FLAGS_SHARED;
  	if (clockrt)
  		restart->futex.flags |= FLAGS_CLOCKRT;

  	ret = -ERESTART_RESTARTBLOCK;
  
  out_put_key:
  	put_futex_key(fshared, &q.key);

  out:

  	if (to) {
  		hrtimer_cancel(&to->timer);
  		destroy_hrtimer_on_stack(&to->timer);
  	}

  	return ret;
  }

  
  static long futex_wait_restart(struct restart_block *restart)
  {

  	u32 __user *uaddr = (u32 __user *)restart->futex.uaddr;

  	int fshared = 0;

  	ktime_t t, *tp = NULL;

  	if (restart->futex.flags & FLAGS_HAS_TIMEOUT) {
  		t.tv64 = restart->futex.time;
  		tp = &t;
  	}

  	restart->fn = do_no_restart_syscall;

  	if (restart->futex.flags & FLAGS_SHARED)

  		fshared = 1;

  	return (long)futex_wait(uaddr, fshared, restart->futex.val, tp,

  				restart->futex.bitset,
  				restart->futex.flags & FLAGS_CLOCKRT);

  }

  /*
   * Userspace tried a 0 -> TID atomic transition of the futex value
   * and failed. The kernel side here does the whole locking operation:
   * if there are waiters then it will block, it does PI, etc. (Due to
   * races the kernel might see a 0 value of the futex too.)
   */

  static int futex_lock_pi(u32 __user *uaddr, int fshared,

  			 int detect, ktime_t *time, int trylock)

  {

  	struct hrtimer_sleeper timeout, *to = NULL;

  	struct futex_hash_bucket *hb;

  	struct futex_q q;

  	int res, ret;

  
  	if (refill_pi_state_cache())
  		return -ENOMEM;

  	if (time) {

  		to = &timeout;

  		hrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,
  				      HRTIMER_MODE_ABS);

  		hrtimer_init_sleeper(to, current);

  		hrtimer_set_expires(&to->timer, *time);

  	}

  	q.pi_state = NULL;

  	q.rt_waiter = NULL;

  	q.requeue_pi_key = NULL;

  retry:

  	q.key = FUTEX_KEY_INIT;

  	ret = get_futex_key(uaddr, fshared, &q.key);

  	if (unlikely(ret != 0))

  		goto out;

  retry_private:

  	hb = queue_lock(&q);

  	ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);

  	if (unlikely(ret)) {

  		switch (ret) {

  		case 1:
  			/* We got the lock. */
  			ret = 0;
  			goto out_unlock_put_key;
  		case -EFAULT:
  			goto uaddr_faulted;

  		case -EAGAIN:
  			/*
  			 * Task is exiting and we just wait for the
  			 * exit to complete.
  			 */
  			queue_unlock(&q, hb);

  			put_futex_key(fshared, &q.key);

  			cond_resched();
  			goto retry;

  		default:

  			goto out_unlock_put_key;

  		}

  	}
  
  	/*
  	 * Only actually queue now that the atomic ops are done:
  	 */

  	queue_me(&q, hb);

  	WARN_ON(!q.pi_state);
  	/*
  	 * Block on the PI mutex:
  	 */
  	if (!trylock)
  		ret = rt_mutex_timed_lock(&q.pi_state->pi_mutex, to, 1);
  	else {
  		ret = rt_mutex_trylock(&q.pi_state->pi_mutex);
  		/* Fixup the trylock return value: */
  		ret = ret ? 0 : -EWOULDBLOCK;
  	}

  	spin_lock(q.lock_ptr);

  	/*
  	 * Fixup the pi_state owner and possibly acquire the lock if we
  	 * haven't already.
  	 */
  	res = fixup_owner(uaddr, fshared, &q, !ret);
  	/*
  	 * If fixup_owner() returned an error, proprogate that.  If it acquired
  	 * the lock, clear our -ETIMEDOUT or -EINTR.
  	 */
  	if (res)
  		ret = (res < 0) ? res : 0;

  	/*