From: Darren Hart <dvhltc@us.ibm.com>
To: Mike Galbraith <efault@gmx.de>
Cc: Thomas Gleixner <tglx@linutronix.de>,
linux-rt-users <linux-rt-users@vger.kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Steven Rostedt <rostedt@goodmis.org>,
gowrishankar <gowrishankar.m@linux.vnet.ibm.com>
Subject: Re: 2.6.33.[56]-rt23: howto create repeatable explosion in wakeup_next_waiter()
Date: Fri, 09 Jul 2010 09:35:46 -0700 [thread overview]
Message-ID: <4C374FE2.2090309@us.ibm.com> (raw)
In-Reply-To: <1278683900.10161.8.camel@marge.simson.net>
On 07/09/2010 06:58 AM, Mike Galbraith wrote:
> On Fri, 2010-07-09 at 00:19 -0700, Darren Hart wrote:
>
>> Walking through it:
>>
>> First the dumps:
>> ------------[ cut here ]------------
>> WARNING: at kernel/rtmutex.c:583 wakeup_next_waiter+0x1ad/0x220()
>>
>>
>> WARN_ON(pendowner->pi_blocked_on != waiter);
>> The pi_blocked_on is not NULL, but it isn't the expected waiter either.
>> This means that the top waiter selected at the beginning of
>> wakeup_next_waiter() is now blocked on a lock with a different waiter
>> structure, possibly on a different lock.
>
> pendowner->pi_blocked_on changes while we're in wakeup_next_waiter().
> The below fi^Wmade it not do that any more. We hold the wait_lock for
> this lock, but if the wakee blocks on another, what's protecting us?
If pendowner is blocked on "lock" to begin with (he should be as his
waiter struct in in the rtmutex waiters list) then he can't block on
someone else until he either acquires this one or removes himself as a
waiter (due to a timeout for instance) - both of these operations
require holding lock->wait_lock, which is held by the caller of
wakeup_next_waiter().
Seems more likely that the below forces a missing memory barrier... not
sure yet though. Good data point.
--
Darren
>
> bandaid-by: /me
>
> diff --git a/kernel/rtmutex.c b/kernel/rtmutex.c
> index 23dd443..dd91ede 100644
> --- a/kernel/rtmutex.c
> +++ b/kernel/rtmutex.c
> @@ -525,6 +525,8 @@ static void wakeup_next_waiter(struct rt_mutex *lock, int savestate)
> pendowner = waiter->task;
> waiter->task = NULL;
>
> + raw_spin_lock(&pendowner->pi_lock);
> +
> /*
> * Do the wakeup before the ownership change to give any spinning
> * waiter grantees a headstart over the other threads that will
> @@ -577,8 +579,6 @@ static void wakeup_next_waiter(struct rt_mutex *lock, int savestate)
> else
> next = NULL;
>
> - raw_spin_lock(&pendowner->pi_lock);
> -
> WARN_ON(!pendowner->pi_blocked_on);
> WARN_ON(pendowner->pi_blocked_on != waiter);
> WARN_ON(pendowner->pi_blocked_on->lock != lock);
>
>
--
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team
next prev parent reply other threads:[~2010-07-09 16:35 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-07 4:46 2.6.33.[56]-rt23: howto create repeatable explosion in wakeup_next_waiter() Mike Galbraith
2010-07-07 8:03 ` Mike Galbraith
2010-07-07 11:57 ` Thomas Gleixner
2010-07-07 12:50 ` Mike Galbraith
2010-07-07 11:57 ` Thomas Gleixner
2010-07-07 14:03 ` Darren Hart
2010-07-07 14:17 ` Mike Galbraith
2010-07-08 12:05 ` Mike Galbraith
2010-07-08 14:12 ` Darren Hart
2010-07-09 2:11 ` Darren Hart
2010-07-09 4:32 ` Mike Galbraith
[not found] ` <4C36CD83.6070809@us.ibm.com>
2010-07-09 8:13 ` Mike Galbraith
2010-07-09 13:58 ` Mike Galbraith
2010-07-09 14:51 ` Mike Galbraith
2010-07-09 16:35 ` Darren Hart [this message]
2010-07-09 19:34 ` Mike Galbraith
2010-07-09 20:05 ` Darren Hart
2010-07-13 8:03 ` [PATCH][RT] futex: protect against pi_blocked_on corruption during requeue PI Darren Hart
2010-07-13 9:25 ` Thomas Gleixner
2010-07-13 10:28 ` Thomas Gleixner
2010-07-13 11:52 ` [PATCH][RT] futex: protect against pi_blocked_on corruption during requeue PI -V2 Thomas Gleixner
2010-07-13 15:57 ` Mike Galbraith
2010-07-13 18:59 ` Darren Hart
2010-07-18 8:32 ` Mike Galbraith
2010-07-13 9:58 ` [PATCH][RT] futex: protect against pi_blocked_on corruption during requeue PI Thomas Gleixner
2010-07-07 14:11 ` 2.6.33.[56]-rt23: howto create repeatable explosion in wakeup_next_waiter() gowrishankar
2010-07-07 14:31 ` Mike Galbraith
2010-07-07 15:05 ` Darren Hart
2010-07-07 17:45 ` Mike Galbraith
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C374FE2.2090309@us.ibm.com \
--to=dvhltc@us.ibm.com \
--cc=a.p.zijlstra@chello.nl \
--cc=efault@gmx.de \
--cc=gowrishankar.m@linux.vnet.ibm.com \
--cc=linux-rt-users@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.