From: Peter Zijlstra <peterz@infradead.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: mingo@kernel.org, juri.lelli@arm.com, rostedt@goodmis.org,
xlpang@redhat.com, bigeasy@linutronix.de,
linux-kernel@vger.kernel.org, mathieu.desnoyers@efficios.com,
jdesfossez@efficios.com, bristot@redhat.com
Subject: Re: [RFC][PATCH 4/4] futex: Rewrite FUTEX_UNLOCK_PI
Date: Mon, 10 Oct 2016 16:06:06 +0200
Message-ID: <20161010140606.GR3568@worktop.programming.kicks-ass.net>
In-Reply-To: <alpine.DEB.2.20.1610091309360.5222@nanos>

On Sun, Oct 09, 2016 at 01:17:50PM +0200, Thomas Gleixner wrote:
> On Fri, 7 Oct 2016, Peter Zijlstra wrote:
> > top_waiter = futex_top_waiter(hb, &key);
> > if (top_waiter) {
> > - ret = wake_futex_pi(uaddr, uval, top_waiter, hb);
> > + struct futex_pi_state *pi_state = top_waiter->pi_state;
> > +
> > + ret = -EINVAL;
> > + if (!pi_state)
> > + goto out_unlock;
> > +
> > + /*
> > + * If current does not own the pi_state then the futex is
> > + * inconsistent and user space fiddled with the futex value.
> > + */
> > + if (pi_state->owner != current)
> > + goto out_unlock;
> > +
> > + /*
> > + * Grab a reference on the pi_state and drop hb->lock.
> > + *
> > + * The reference ensures pi_state lives, dropping the hb->lock
> > + * is tricky.. wake_futex_pi() will take rt_mutex::wait_lock to
> > + * close the races against futex_lock_pi(), but in case of
> > + * _any_ fail we'll abort and retry the whole deal.
> > + */
> > + WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount));
> > + spin_unlock(&hb->lock);
> > +
> > + ret = wake_futex_pi(uaddr, uval, pi_state);
> > +
> > + put_pi_state(pi_state);
>
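Review bot: the result of atomic_inc_not_zero() on the WARN_ON_ONCE() line is only warned about, never acted on. If the count had already reached zero, the code still drops hb->lock, calls wake_futex_pi() and then put_pi_state() on a pi_state it holds no reference to. Suggest bailing out while hb->lock is still held, for example `if (WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount))) goto out_unlock;` (ret is already -EINVAL there). The comment above it should also state what keeps the final put_pi_state() safe after spin_unlock(&hb->lock), since that call now runs without the hash bucket lock.
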
> put_pi_state() requires hb->lock protection AFAICT.
>
> 	CPU0				CPU1
>
> 	wake_futex_pi()			attach_to_pi_state()
> 	  put_pi_state()
> 	    refcount--;
> 	    if (!refcount)
> 	      free_state();
> 					  WARN_ON(!pi_state->refcount);
>
> we might not see the warning, but in any case the following access to
> pi_state on cpu1 is borked.

Not sure this can happen, we do all attach_to_pi_state() with hb->lock
held, and the only way to get there is through futex_q->pi_state. And as
long as that link is stable, pi_state is too.

That is, the only way for wake_futex_pi() to drop the last reference is
if there are no futex_q's referencing it anymore, but that also means
attach_to_pi_state() cannot happen (!top_waiter).
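
Added example, not part of the original message and not kernel code: a single-threaded user-space C model of the lifetime argument made in the reply above, with the other CPU's steps scripted in a fixed order rather than raced. The structs and the functions `get_not_zero`, `put`, `attach` and `run` are hypothetical stand-ins, and a flag replaces the actual free.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed single-threaded model; every name here is a hypothetical stand-in. */
struct pi_state { atomic_int refcount; bool freed; };
struct bucket { struct pi_state *top_waiter_state; }; /* NULL: no waiter queued */

/* Take a reference unless the count already reached zero. */
static bool get_not_zero(struct pi_state *s) {
    int old = atomic_load(&s->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&s->refcount, &old, old + 1))
            return true;
    return false;
}

/* Drop a reference; the last drop "frees" (a flag stands in for kfree()). */
static void put(struct pi_state *s) {
    if (atomic_fetch_sub(&s->refcount, 1) == 1)
        s->freed = true;
}

/* Attach: reachable only through a queued waiter (bucket lock assumed held). */
static bool attach(struct bucket *hb) {
    return hb->top_waiter_state && get_not_zero(hb->top_waiter_state);
}

/* One unlock pass: returns true if the state was freed, *attached if attach got a ref. */
static bool run(bool waiter_leaves, bool *attached) {
    struct pi_state s = { 1, false };  /* one reference: the queued waiter */
    struct bucket hb = { &s };
    get_not_zero(&s);                  /* unlock path pins it under the lock */
    /* lock dropped here; the steps below model the other CPU */
    if (waiter_leaves) {
        hb.top_waiter_state = NULL;    /* unqueue under the lock ... */
        put(&s);                       /* ... then drop the waiter's reference */
    }
    *attached = attach(&hb);           /* concurrent attach attempt */
    put(&s);                           /* the put made without the lock */
    return s.freed;
}

int main(void) {
    bool a, f = run(false, &a);
    printf("waiter queued: attached=%d freed=%d\n", a, f);
    f = run(true, &a);
    printf("waiter gone:   attached=%d freed=%d\n", a, f);
}
```

In this model the unlocked put is the final one only after the waiter link has been removed, at which point attach has no path to the object.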