From: Ingo Molnar <mingo@elte.hu>
To: Christian Borntraeger <borntrae@de.ibm.com>
Cc: linux-kernel@vger.kernel.org,
Rusty Russell <rusty@rustcorp.com.au>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@timesys.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Andrew Morton <akpm@osdl.org>
Subject: Re: [PATCH] bug in futex unqueue_me
Date: Sun, 30 Jul 2006 08:38:21 +0200 [thread overview]
Message-ID: <20060730063821.GA8748@elte.hu> (raw)
In-Reply-To: <200607271841.56342.borntrae@de.ibm.com>
* Christian Borntraeger <borntrae@de.ibm.com> wrote:
> From: Christian Borntraeger <borntrae@de.ibm.com>
>
> This patch adds a barrier() in futex unqueue_me to avoid aliasing of
> two pointers.
>
> On my s390x system I saw the following oops:
> So the code becomes more or less:
> if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
> instead of
> if (lock_ptr != 0) spin_lock(lock_ptr)
>
> Which caused the oops from above.
interesting, how is this possible? We do a spin_lock(lock_ptr), and
taking a spinlock is an implicit barrier(). So gcc must not delay
evaluating lock_ptr to inside the critical section. And as far as i can
see the s390 spinlock implementation goes through an 'asm volatile'
piece of code, which is a barrier already. So how could this have
happened? I have nothing against adding a barrier(), but we should first
investigate why the spin_lock() didnt act as a barrier - there might be
other, similar bugs hiding. (we rely on spin_lock()s barrier-ness in a
fair number of places)
> As a general note, this code of unqueue_me seems a bit fishy. The
> retry logic of unqueue_me only works if we can guarantee, that the
> original value of q->lock_ptr is always a spinlock (Otherwise we
> overwrite kernel memory). We know that q->lock_ptr can change. I dont
> know what happens with the original spinlock, as I am not an expert
> with the futex code.
yes, it is always a pointer to a valid spinlock, or NULL.
futex_requeue() can change the spinlock from one to another, and
wake_futex() can change it to NULL. The futex unqueue_me() fastpath is
when a futex waiter was woken - in which case it's NULL. But it can
still be non-NULL if we timed out or a signal happened, in which case we
may race with a wakeup or a requeue. futex_requeue() changes the
spinlock pointer if it holds both the old and the new spinlock. So it's
race-free as far as i can see.
Ingo
next prev parent reply other threads:[~2006-07-30 6:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-27 16:41 [PATCH] bug in futex unqueue_me Christian Borntraeger
2006-07-30 6:38 ` Ingo Molnar [this message]
2006-07-30 23:53 ` Steven Rostedt
2006-07-31 8:04 ` Christian Borntraeger
2006-07-31 11:49 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060730063821.GA8748@elte.hu \
--to=mingo@elte.hu \
--cc=akpm@osdl.org \
--cc=borntrae@de.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@timesys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.