From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752672AbbCGRQW (ORCPT <rfc822;w@1wt.eu>);
	Sat, 7 Mar 2015 12:16:22 -0500
Received: from mx1.redhat.com ([209.132.183.28]:52860 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752592AbbCGRQU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sat, 7 Mar 2015 12:16:20 -0500
Date: Sat, 7 Mar 2015 18:13:47 +0100
From: Oleg Nesterov <oleg@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: linux-tip-commits@vger.kernel.org, dave@stgolabs.net, hpa@zytor.com,
        sasha.levin@oracle.com, tglx@linutronix.de,
        linux-kernel@vger.kernel.org, jason.low2@hp.com, walken@google.com,
        akpm@linux-foundation.org, mingo@kernel.org,
        paulmck@linux.vnet.ibm.com, davej@codemonkey.org.uk,
        ming.lei@canonical.com, peterz@infradead.org,
        torvalds@linux-foundation.org, tim.c.chen@linux.intel.com
Subject: Re: [tip:locking/core] locking/rwsem: Fix lock optimistic spinning
	when owner is not running
Message-ID: <20150307171347.GA30365@redhat.com>
References: <1425714331.2475.388.camel@j-VirtualBox> <tip-9198f6edfd9ced74fd90b238d5a354aeac89bdfa@git.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <tip-9198f6edfd9ced74fd90b238d5a354aeac89bdfa@git.kernel.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I think the patch is fine, but this reminds me...

On 03/07, tip-bot for Jason Low wrote:
>
>  bool rwsem_spin_on_owner(struct rw_semaphore *sem, struct task_struct *owner)
>  {
>  	long count;
>
>  	rcu_read_lock();
> -	while (owner_running(sem, owner)) {
> -		/* abort spinning when need_resched */
> -		if (need_resched()) {
> +	while (sem->owner == owner) {
> +		/*
> +		 * Ensure we emit the owner->on_cpu, dereference _after_
> +		 * checking sem->owner still matches owner, if that fails,
> +		 * owner might point to free()d memory, if it still matches,
> +		 * the rcu_read_lock() ensures the memory stays valid.
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Yes, this is another case when we wrongly assume this.

Peter, should I resend

	[PATCH 3/3] introduce task_rcu_dereference()
	http://marc.info/?l=linux-kernel&m=141443631413914

? or should we add another call_rcu() in finish_task_switch() (like -rt does)
to make this true?

Oleg.