[PATCH] mutex: Always clear owner field upon mutex_unlock()

[PATCH] mutex: Always clear owner field upon mutex_unlock()

[Chris Wilson]

Currently if DEBUG_MUTEXES is enabled, the mutex->owner field is only
cleared iff debug_locks is active. This exposes a race to other users of
the field where the mutex->owner may be still set to a stale value,
potentially upsetting mutex_spin_on_owner() among others.

References: https://bugs.freedesktop.org/show_bug.cgi?id=87955
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
---
 kernel/locking/mutex-debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
index 5cf6731b98e9..3ef3736002d8 100644
--- a/kernel/locking/mutex-debug.c
+++ b/kernel/locking/mutex-debug.c
@@ -80,13 +80,13 @@ void debug_mutex_unlock(struct mutex *lock)
 			DEBUG_LOCKS_WARN_ON(lock->owner != current);
 
 		DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
-		mutex_clear_owner(lock);
 	}
 
 	/*
 	 * __mutex_slowpath_needs_to_unlock() is explicitly 0 for debug
 	 * mutexes so that we can do it here after we've verified state.
 	 */
+	mutex_clear_owner(lock);
 	atomic_set(&lock->count, 1);
 }
 
-- 
2.1.4

Re: [PATCH] mutex: Always clear owner field upon mutex_unlock()

[Peter Zijlstra]

On Tue, Jan 06, 2015 at 10:29:35AM +0000, Chris Wilson wrote:
> Currently if DEBUG_MUTEXES is enabled, the mutex->owner field is only
> cleared iff debug_locks is active. This exposes a race to other users of
> the field where the mutex->owner may be still set to a stale value,
> potentially upsetting mutex_spin_on_owner() among others.


Thanks

Re: [PATCH] mutex: Always clear owner field upon mutex_unlock()

[Davidlohr Bueso]

On Tue, 2015-01-06 at 10:29 +0000, Chris Wilson wrote:
> Currently if DEBUG_MUTEXES is enabled, the mutex->owner field is only
> cleared iff debug_locks is active. This exposes a race to other users of
> the field where the mutex->owner may be still set to a stale value,
> potentially upsetting mutex_spin_on_owner() among others.
> 
> References: https://bugs.freedesktop.org/show_bug.cgi?id=87955
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>

Acked-by: Davidlohr Bueso <dave@stgolabs.net>

[tip:locking/urgent] mutex: Always clear owner field upon mutex_unlock()

[tip-bot for Chris Wilson]

Commit-ID:  a63b03e2d2477586440741677ecac45bcf28d7b1
Gitweb:     http://git.kernel.org/tip/a63b03e2d2477586440741677ecac45bcf28d7b1
Author:     Chris Wilson <chris@chris-wilson.co.uk>
AuthorDate: Tue, 6 Jan 2015 10:29:35 +0000
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Fri, 9 Jan 2015 11:20:39 +0100

mutex: Always clear owner field upon mutex_unlock()

Currently if DEBUG_MUTEXES is enabled, the mutex->owner field is only
cleared iff debug_locks is active. This exposes a race to other users of
the field where the mutex->owner may be still set to a stale value,
potentially upsetting mutex_spin_on_owner() among others.

References: https://bugs.freedesktop.org/show_bug.cgi?id=87955
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/1420540175-30204-1-git-send-email-chris@chris-wilson.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 kernel/locking/mutex-debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
index 5cf6731..3ef3736 100644
--- a/kernel/locking/mutex-debug.c
+++ b/kernel/locking/mutex-debug.c
@@ -80,13 +80,13 @@ void debug_mutex_unlock(struct mutex *lock)
 			DEBUG_LOCKS_WARN_ON(lock->owner != current);
 
 		DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
-		mutex_clear_owner(lock);
 	}
 
 	/*
 	 * __mutex_slowpath_needs_to_unlock() is explicitly 0 for debug
 	 * mutexes so that we can do it here after we've verified state.
 	 */
+	mutex_clear_owner(lock);
 	atomic_set(&lock->count, 1);
 }