commit 1de47f3cb705e8c19fdd432eb704f5a588ccec48

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull locking fixes from Thomas Gleixner:
"Two fixes for locking:

- Plug a hole the pi_stat->owner serialization which was changed
recently and failed to fixup two usage sites.

- Prevent reordering of the rwsem_has_spinner() check vs the
decrement of rwsem count in up_write() which causes a missed
wakeup"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
locking/rwsem-xadd: Fix missed wakeup due to reordering of load
futex: Fix pi_state->owner serialization

Linus Torvalds 8 years ago 1de47f3c 3d9d62b9

+49 -11

2 changed files

expand all

unified split

kernel

futex.c

locking

rwsem-xadd.c

+22 -11

kernel/futex.c

··· 821 821 /* 822 822 * Drops a reference to the pi_state object and frees or caches it 823 823 * when the last reference is gone. 824 - * 825 - * Must be called with the hb lock held. 826 824 */ 827 825 static void put_pi_state(struct futex_pi_state *pi_state) 828 826 { ··· 835 837 * and has cleaned up the pi_state already 836 838 */ 837 839 if (pi_state->owner) { 838 - raw_spin_lock_irq(&pi_state->owner->pi_lock); 839 - list_del_init(&pi_state->list); 840 - raw_spin_unlock_irq(&pi_state->owner->pi_lock); 840 + struct task_struct *owner; 841 841 842 - rt_mutex_proxy_unlock(&pi_state->pi_mutex, pi_state->owner); 842 + raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); 843 + owner = pi_state->owner; 844 + if (owner) { 845 + raw_spin_lock(&owner->pi_lock); 846 + list_del_init(&pi_state->list); 847 + raw_spin_unlock(&owner->pi_lock); 848 + } 849 + rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner); 850 + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); 843 851 } 844 852 845 - if (current->pi_state_cache) 853 + if (current->pi_state_cache) { 846 854 kfree(pi_state); 847 - else { 855 + } else { 848 856 /* 849 857 * pi_state->list is already empty. 850 858 * clear pi_state->owner. ··· 911 907 raw_spin_unlock_irq(&curr->pi_lock); 912 908 913 909 spin_lock(&hb->lock); 914 - 915 - raw_spin_lock_irq(&curr->pi_lock); 910 + raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); 911 + raw_spin_lock(&curr->pi_lock); 916 912 /* 917 913 * We dropped the pi-lock, so re-check whether this 918 914 * task still owns the PI-state: 919 915 */ 920 916 if (head->next != next) { 917 + raw_spin_unlock(&pi_state->pi_mutex.wait_lock); 921 918 spin_unlock(&hb->lock); 922 919 continue; 923 920 } ··· 927 922 WARN_ON(list_empty(&pi_state->list)); 928 923 list_del_init(&pi_state->list); 929 924 pi_state->owner = NULL; 930 - raw_spin_unlock_irq(&curr->pi_lock); 925 + raw_spin_unlock(&curr->pi_lock); 931 926 932 927 get_pi_state(pi_state); 928 + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); 933 929 spin_unlock(&hb->lock); 934 930 935 931 rt_mutex_futex_unlock(&pi_state->pi_mutex); ··· 1214 1208 1215 1209 WARN_ON(!list_empty(&pi_state->list)); 1216 1210 list_add(&pi_state->list, &p->pi_state_list); 1211 + /* 1212 + * Assignment without holding pi_state->pi_mutex.wait_lock is safe 1213 + * because there is no concurrency as the object is not published yet. 1214 + */ 1217 1215 pi_state->owner = p; 1218 1216 raw_spin_unlock_irq(&p->pi_lock); 1219 1217 ··· 2888 2878 raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); 2889 2879 spin_unlock(&hb->lock); 2890 2880 2881 + /* drops pi_state->pi_mutex.wait_lock */ 2891 2882 ret = wake_futex_pi(uaddr, uval, pi_state); 2892 2883 2893 2884 put_pi_state(pi_state);

+27

kernel/locking/rwsem-xadd.c

··· 613 613 DEFINE_WAKE_Q(wake_q); 614 614 615 615 /* 616 + * __rwsem_down_write_failed_common(sem) 617 + * rwsem_optimistic_spin(sem) 618 + * osq_unlock(sem->osq) 619 + * ... 620 + * atomic_long_add_return(&sem->count) 621 + * 622 + * - VS - 623 + * 624 + * __up_write() 625 + * if (atomic_long_sub_return_release(&sem->count) < 0) 626 + * rwsem_wake(sem) 627 + * osq_is_locked(&sem->osq) 628 + * 629 + * And __up_write() must observe !osq_is_locked() when it observes the 630 + * atomic_long_add_return() in order to not miss a wakeup. 631 + * 632 + * This boils down to: 633 + * 634 + * [S.rel] X = 1 [RmW] r0 = (Y += 0) 635 + * MB RMB 636 + * [RmW] Y += 1 [L] r1 = X 637 + * 638 + * exists (r0=1 /\ r1=0) 639 + */ 640 + smp_rmb(); 641 + 642 + /* 616 643 * If a spinner is present, it is not necessary to do the wakeup. 617 644 * Try to do wakeup only if the trylock succeeds to minimize 618 645 * spinlock contention which may introduce too much delay in the