linux-rt-users.vger.kernel.org archive mirror
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org,
	linux-rt-users <linux-rt-users@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Carsten Emde <C.Emde@osadl.org>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	John Kacur <jkacur@redhat.com>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	<stable-rt@vger.kernel.org>
Subject: [PATCH RT 20/27] arm/futex: disable preemption during futex_atomic_cmpxchg_inatomic()
Date: Fri, 13 Mar 2015 11:18:01 -0400
Message-ID: <20150313151758.366853155@goodmis.org>
In-Reply-To: 20150313151741.132137234@goodmis.org

[-- Attachment #1: 0020-arm-futex-disable-preemption-during-futex_atomic_cmp.patch --]
[-- Type: text/plain, Size: 1878 bytes --]

3.4.106-rt132-rc1 stable review patch.
If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

The ARM UP implementation of futex_atomic_cmpxchg_inatomic() assumes that
pagefault_disable() inherits a preempt disabled section. This assumption
is true for mainline but -RT reverts this and allows preemption in
pagefault disabled regions.
The code sequence of futex_atomic_cmpxchg_inatomic():

|   x = *futex;
|   if (x == oldval)
|           *futex = newval;

The problem occurs if the code is preempted after reading the futex value or
after comparing it with x. While preempted, the futex owner has to be
scheduled which then releases the lock (in userland because it has no waiter
yet). Once the code is back on the CPU, it overwrites the futex value
with the old PID and the waiter bit set.

The workaround is to explicitly disable code preemption to avoid the
described race window.

Debugged-by:  Thomas Gleixner <tglx@linutronix.de>
Cc: stable-rt@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
 arch/arm/include/asm/futex.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
index 7be54690aeec..3d1ae210c4b5 100644
--- a/arch/arm/include/asm/futex.h
+++ b/arch/arm/include/asm/futex.h
@@ -94,6 +94,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
 		return -EFAULT;
 
+	preempt_disable_rt();
+
 	__asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
 	"1:	" TUSER(ldr) "	%1, [%4]\n"
 	"	teq	%1, %2\n"
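Review bot: The new preempt_disable_rt() call in front of the asm block carries no comment, and nothing in the surrounding code says why preemption matters here. A short comment above it, stating that the load/compare/store sequence starting at the ldr is only safe when it cannot be preempted and that pagefault_disable() does not guarantee this on -RT, would keep a later cleanup from dropping the call. The placement after the access_ok() check is fine, since the early return -EFAULT then needs no matching enable.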
@@ -105,6 +107,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 	: "cc", "memory");
 
 	*uval = val;
+
+	preempt_enable_rt();
 	return ret;
 }
 
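Review bot: preempt_enable_rt() is placed after `*uval = val;`, which keeps the preempt-disabled region one statement longer than the race in the commit message requires. Per the signature in the hunk header, uval is a plain `u32 *` rather than a `__user` pointer, so that store is not part of the futex update and the enable could go directly after the asm statement. The `return ret;` shown here comes after the enable, so the pair stays balanced on this path.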
-- 
2.1.4
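
The interleaving described in the commit message, replayed deterministically in userspace C as an added example (it is not part of the patch or of the kernel source). `struct sim`, `owner_unlock()`, `up_cmpxchg()`, `stale_owner_after()` and the TID 1234 are constructed for illustration; the `preempt` flag models the owner being scheduled inside the window that the patch closes.

```c
#include <stdint.h>
#include <stdio.h>

#define FUTEX_WAITERS  0x80000000u /* futex ABI flag */
#define FUTEX_TID_MASK 0x3fffffffu /* futex ABI mask */
#define OWNER_TID      1234u       /* constructed sample TID */

struct sim { uint32_t futex; int owner_released; };

/* Owner's userland unlock: succeeds only while no waiter bit is set. */
static void owner_unlock(struct sim *s)
{
    if (s->futex == OWNER_TID) {
        s->futex = 0;
        s->owner_released = 1;
    }
}

/* The load/compare/store sequence quoted in the commit message.
 * preempt != 0 lets the owner run inside the window the patch closes. */
static uint32_t up_cmpxchg(struct sim *s, uint32_t oldval, uint32_t newval,
                           int preempt)
{
    uint32_t x = s->futex;          /* x = *futex;          */
    if (x == oldval) {              /* if (x == oldval)     */
        if (preempt)
            owner_unlock(s);        /* owner scheduled here */
        s->futex = newval;          /*     *futex = newval; */
    }
    return x;
}

/* Returns 1 if the word still names an owner that already released. */
int stale_owner_after(int preempt)
{
    struct sim s = { OWNER_TID, 0 };
    up_cmpxchg(&s, OWNER_TID, OWNER_TID | FUTEX_WAITERS, preempt);
    if (!preempt)
        owner_unlock(&s);           /* runs only after the sequence */
    return s.owner_released && (s.futex & FUTEX_TID_MASK) == OWNER_TID;
}

int main(void)
{
    printf("preemptible (RT, unpatched): stale=%d\n", stale_owner_after(1));
    printf("preemption disabled:         stale=%d\n", stale_owner_after(0));
    return 0;
}
```

With the sequence uninterrupted, the owner's userland unlock sees the waiter bit and does not clear the word, so the futex value and the owner's state stay consistent.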
