From: Jamie Lokier <jamie@shareable.org>
To: Hugh Dickins <hugh@veritas.com>
Cc: Klaus Dittrich <kladit@t-online.de>,
linux mailing-list <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@zip.com.au>, "Hu, Boris" <boris.hu@intel.com>,
Ulrich Drepper <drepper@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: 2.6.0-test6 oops futex"
Date: Wed, 1 Oct 2003 02:01:25 +0100 [thread overview]
Message-ID: <20031001010125.GB32209@mail.shareable.org> (raw)
In-Reply-To: <Pine.LNX.4.44.0309302141220.4388-100000@localhost.localdomain>
Hugh Dickins wrote:
> I can't quite make the flaw I do see, fit the facts Klaus sees.
>
> Consider unqueue_me on one cpu racing against this->key = key2 in
> futex_requeue on another. unqueue_me finds the right bh to lock
> from q->key, but futex_requeue is shifting q->key beneath it.
> Although futex_requeue holds both the relevant spinlocks, during
> reassignment of key an irrelevant hashqueue may get calculated
> and locked instead.
>
> Whether or not this is relevant to Klaus' oops, it does need to be
> fixed, doesn't it? And your new key_refs version even more exposed?
> I'm giving up on it, but expect you or Rusty will be ingenious enough
> to rescue the split locks somehow.
Superb analysis!
It does indeed explain Klaus' oops. unqueue_me() and futex_poll()
hash using &q->key outside any spinlocks, so if there's a concurrent
futex_requeue() the hash can be corrupt. Result: wrong lock taken;
list manipulation races in test6, not in test5. (Provided Klaus has
SMP or pre-empt).
Solutions are to call hash_futex() inside the lock, or store the
hash result inside futex_q, and read it inside the lock.
You're right, the key_refs version is more exposed, but because of the
change to futux_requeue logic rather than anything to do with key_refs.
> (Oh, while you're there, be nice to fix nr_requeue 0.)
Logically, zero num in FUTEX_QUEUE shouldn't wake anything either, but
it's understood that at least one is always woken. It's a bit of a
wart I agree, but I'll go along with Ulrich's view.
Thanks,
-- Jamie
next prev parent reply other threads:[~2003-10-01 1:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-29 9:23 2.6.0-test6 oops futex" Klaus Dittrich
2003-09-30 8:48 ` Jamie Lokier
2003-09-30 20:53 ` Hugh Dickins
2003-09-30 21:48 ` Ulrich Drepper
2003-09-30 23:44 ` Rusty Russell
2003-10-01 6:35 ` Jamie Lokier
2003-10-01 1:01 ` Jamie Lokier [this message]
2003-10-01 2:41 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031001010125.GB32209@mail.shareable.org \
--to=jamie@shareable.org \
--cc=akpm@zip.com.au \
--cc=boris.hu@intel.com \
--cc=drepper@redhat.com \
--cc=hugh@veritas.com \
--cc=kladit@t-online.de \
--cc=linux-kernel@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox