From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
To: Davidlohr Bueso <dave@stgolabs.net>
Cc: Thomas Gleixner <tglx@linutronix.de>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kernel/futex: handle the case where we got a "late" waiter
Date: Wed, 20 Apr 2016 09:09:46 +0200	[thread overview]
Message-ID: <57172B3A.2000205@linutronix.de> (raw)
In-Reply-To: <20160419222737.GA27058@linux-uzut.site>

On 04/20/2016 12:27 AM, Davidlohr Bueso wrote:
> On Fri, 15 Apr 2016, Sebastian Andrzej Siewior wrote:
> 
>> futex_unlock_pi() gets uval before taking the hb lock. Now imagine
>> someone in futex_lock_pi() took the lock. While futex_unlock_pi() waits
>> for the hb lock, the LOCK_PI sets FUTEX_WAITERS and drops the lock.
>> Now, futex_unlock_pi() figures out that there is a waiter and invokes
>> wake_futex_pi() with the old uval which does not yet have FUTEX_WAITERS
>> set. This flaw lets cmpxchg_futex_value_locked() fail and return -EINVAL.
> 
> Hmm but if we're calling futex_unlock_pi() in the first place, doesn't that
> indicate that the uval already has FUTEX_WAITERS and therefore failed the
> TID->0 transition in userland? That or the thread is bogusly unlocking a
> lock that it doesn't own.

I hacked a testing tool which always did the syscall for LOCK_PI /
UNLOCK_PI and this popped up.

> 
> This is of course different than the requeue_pi case which can specify
> set_waiters but also gets the value via get_futex_value_locked().
> 
> Is this a real issue or did you find it by code inspection?

Real issue.
	https://breakpoint.cc/mass-futex2-rl.c

> Thanks,
> Davidlohr

Sebastian
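To make the interleaving in the quoted patch description concrete, here is an added user-space model of it (example code written for this page, not kernel code and not the tool linked above). The futex word, the TID values and all helper names are constructed assumptions; the kernel's cmpxchg_futex_value_locked() and the hb lock are reduced to a C11 atomic on a local variable, so only the ordering of the three steps is modelled.

```c
/* Constructed model of the futex_unlock_pi() / futex_lock_pi() race:
 * the unlocker snapshots the word before taking the hb lock, a waiter
 * sets FUTEX_WAITERS in between, and the stale snapshot makes the
 * hand-off cmpxchg fail. Not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define FUTEX_WAITERS  0x80000000u
#define FUTEX_TID_MASK 0x3fffffffu

typedef _Atomic uint32_t futex_word;   /* model of the user-space word */

/* Model of cmpxchg_futex_value_locked(): always stores the value that
 * was actually in the word into *curval; the caller compares it. */
static int cmpxchg_word(uint32_t *curval, futex_word *uaddr,
                        uint32_t expected, uint32_t newval)
{
    uint32_t seen = expected;
    atomic_compare_exchange_strong(uaddr, &seen, newval);
    *curval = seen;
    return 0;                           /* no -EFAULT in this model */
}

/* The "late" waiter in futex_lock_pi(): it won the hb lock first and
 * marks the word contended while the owner is still waiting for it. */
static void late_waiter_sets_waiters(futex_word *uaddr)
{
    atomic_fetch_or(uaddr, FUTEX_WAITERS);
}

/* wake_futex_pi() as the patch describes it: hand the lock to
 * new_owner using the uval snapshot taken before the hb lock. */
static int wake_futex_pi_model(futex_word *uaddr, uint32_t uval,
                               uint32_t new_owner)
{
    uint32_t curval;
    uint32_t newval = FUTEX_WAITERS | (new_owner & FUTEX_TID_MASK);
    cmpxchg_word(&curval, uaddr, uval, newval);
    return curval != uval ? -EINVAL : 0;  /* word changed under us */
}

/* Replay the interleaving: owner TID 1234 holds the lock, waiter 5678
 * arrives either before (late) or after the unlocker's snapshot. */
static int run_late_waiter_race(bool waiter_is_late)
{
    futex_word word = 1234;                  /* constructed owner TID */
    uint32_t uval = atomic_load(&word);      /* snapshot before hb lock */
    if (waiter_is_late)
        late_waiter_sets_waiters(&word);     /* LOCK_PI got there first */
    return wake_futex_pi_model(&word, uval, 5678);
}
```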

Thread overview: 5+ messages
2016-04-15 12:35 [PATCH] kernel/futex: handle the case where we got a "late" waiter Sebastian Andrzej Siewior
2016-04-19 22:27 ` Davidlohr Bueso
2016-04-20  7:09   ` Sebastian Andrzej Siewior [this message]
2016-04-20  7:36   ` Thomas Gleixner
2016-04-20 11:51 ` [tip:locking/urgent] futex: Handle unlock_pi race gracefully tip-bot for Sebastian Andrzej Siewior
