From: Davidlohr Bueso <dave@stgolabs.net>
To: pjw@kernel.org, palmer@dabbelt.com
Cc: aou@eecs.berkeley.edu, alex@ghiti.fr, tglx@kernel.org,
mingo@redhat.com, peterz@infradead.org, dvhart@infradead.org,
andrealmeid@igalia.com, dave@stgolabs.net,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] riscv/futex: Bound number of LL/SC retries in cmpxchg
Date: Tue, 5 May 2026 05:52:04 -0700 [thread overview]
Message-ID: <20260505125204.999119-1-dave@stgolabs.net> (raw)
futex_atomic_cmpxchg_inatomic() does an unbounded LR/SC retry loop while
(minimally) holding the hb lock + pf disabled. This can lead to pathological
cases from unpriviledged userspace pi operations.
Bound the retry loop to (arbitrarily) 128 iterations and bail: drop locks,
rechedule and retry the operation, similar to the arm64 variant, as of
03110a5cb216 ("arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP").
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
---
v2: patch now applies (and removed a whitespace change).
Compile tested only.
arch/riscv/include/asm/futex.h | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch/riscv/include/asm/futex.h b/arch/riscv/include/asm/futex.h
index 90c86b115e00..be69d4211248 100644
--- a/arch/riscv/include/asm/futex.h
+++ b/arch/riscv/include/asm/futex.h
@@ -13,6 +13,8 @@
#include <asm/asm.h>
#include <asm/asm-extable.h>
+#define FUTEX_MAX_LOOPS 128
+
/* We don't even really need the extable code, but for now keep it simple */
#ifndef CONFIG_MMU
#define __enable_user_access() do { } while (0)
@@ -79,6 +81,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
int ret = 0;
u32 val;
uintptr_t tmp;
+ unsigned int loops = FUTEX_MAX_LOOPS;
if (!access_ok(uaddr, sizeof(u32)))
return -EFAULT;
@@ -88,12 +91,17 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
"1: lr.w %[v],%[u] \n"
" bne %[v],%z[ov],3f \n"
"2: sc.w.aqrl %[t],%z[nv],%[u] \n"
- " bnez %[t],1b \n"
+ " beqz %[t],3f \n"
+ " addi %[lp],%[lp],-1 \n"
+ " bnez %[lp],1b \n"
+ " li %[r],%[eagain] \n"
"3: \n"
_ASM_EXTABLE_UACCESS_ERR(1b, 3b, %[r]) \
_ASM_EXTABLE_UACCESS_ERR(2b, 3b, %[r]) \
- : [r] "+r" (ret), [v] "=&r" (val), [u] "+m" (*uaddr), [t] "=&r" (tmp)
- : [ov] "Jr" ((long)(int)oldval), [nv] "Jr" (newval)
+ : [r] "+r" (ret), [v] "=&r" (val), [u] "+m" (*uaddr),
+ [t] "=&r" (tmp), [lp] "+r" (loops)
+ : [ov] "Jr" ((long)(int)oldval), [nv] "Jr" (newval),
+ [eagain] "i" (-EAGAIN)
: "memory");
__disable_user_access();
--
2.39.5
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
reply other threads:[~2026-05-05 12:52 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505125204.999119-1-dave@stgolabs.net \
--to=dave@stgolabs.net \
--cc=alex@ghiti.fr \
--cc=andrealmeid@igalia.com \
--cc=aou@eecs.berkeley.edu \
--cc=dvhart@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=mingo@redhat.com \
--cc=palmer@dabbelt.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=tglx@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox