From: Ingo Molnar <mingo@elte.hu>
To: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: linux-kernel@vger.kernel.org,
	Thomas Gleixner <tglx@linutronix.de>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [RFC][PATCH] muptiple bugs in PI futexes
Date: Wed, 23 May 2007 09:26:09 +0200
Message-ID: <20070523072609.GC6859@elte.hu>
In-Reply-To: <20070507144351.GA12302@ms2.inr.ac.ru>


* Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> wrote:

> Hello!
> 
> 1. New entries can be added to tsk->pi_state_list after task completed
>    exit_pi_state_list(). The result is memory leakage and deadlocks.
> 
> 2. handle_mm_fault() is called under spinlock. The result is obvious.
> 
> 3. State machine is broken. Kernel thinks it owns futex after
>    it released all the locks. Ergo, it corrupts futex. The result is that
>    two processes think they took a futex.
> 
> All the bugs are trivially reproduced when running glibc's tst-robustpi7
> test long enough.
> 
> The patch is not quite good (RFC!), because:
> 
> 1. There is one case, when I did not figure out how to handle
>    page fault correctly. I would do it releasing taken rtmutex
>    and hb->lock and retrying futex from the very beginning.
>    It is quite ugly. Probably, state machine can be fixed somehow.
> 
> 2. Before this patch I had one unexplained oops inside rtmutex
>    in plist_del. I did _not_ fix this, but it does not want to reproduce.
>    Probably, more strong locking did some race window too narrow.

thanks for the fixes - they look all good and we'll check it in -rt. 
We'll try to find a solution for the remaining problem too. Could your
#2 crash be explained via any of the bugs you fixed? (i.e. memory
corruption?) I'd exclude genuine rtmutex.c breakage for now because 
that's the basis of all locking in -rt - but maybe the futex interfacing 
upsets something ...

	Ingo
