From: Steven Rostedt <rostedt@goodmis.org>
To: Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org, mingo@elte.hu,
Roland McGrath <roland@redhat.com>
Subject: Re: [BUG] Race condition with it_real_fn in kernel/itimer.c
Date: Wed, 15 Jun 2005 17:01:29 -0400
Message-ID: <1118869289.5035.14.camel@localhost.localdomain>
In-Reply-To: <20050615132522.3b6a857c.akpm@osdl.org>
On Wed, 2005-06-15 at 13:25 -0700, Andrew Morton wrote:
>
> And that will fix it. (Labels start in column zero, and a comment is
> needed here).
I blame emacs for that bad label :-)
>
> However I wonder if it would be sufficient to remove the del_timer_sync()
> call altogether and just do mod_timer() in it_real_arm().
>
> If the handler happens to be running on another CPU and if the handler
> tries to run mod_timer() _after_ the do_setitimer() has run mod_timer(),
> the handler will use the desired value of it_real_incr anyway.
>
So do you prefer a patch like the following?
--- linux-2.6.12-rc6/kernel/itimer.c.orig 2005-06-15 16:33:13.000000000 -0400
+++ linux-2.6.12-rc6/kernel/itimer.c 2005-06-15 16:42:45.000000000 -0400
@@ -118,6 +118,8 @@
*/
static inline void it_real_arm(struct task_struct *p, unsigned long interval)
{
+ unsigned long expires;
+
p->signal->it_real_value = interval; /* XXX unnecessary field?? */
if (interval == 0)
return;
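Review bot: the expires local added at the top of it_real_arm() is used only once, as the second argument of the mod_timer() call in the next hunk. Passing jiffies + interval + 1 directly to mod_timer() would drop the declaration and the blank line added here.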
@@ -127,8 +129,8 @@
* the interval requested. This could happen if
* time requested % (usecs per jiffy) is more than the usecs left
* in the current jiffy */
- p->signal->real_timer.expires = jiffies + interval + 1;
- add_timer(&p->signal->real_timer);
+ expires = jiffies + interval + 1;
+ mod_timer(&p->signal->real_timer, expires);
}
void it_real_fn(unsigned long __data)
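Review bot: the comment block above the new mod_timer() call still explains only the +1 rounding; it should also say why mod_timer() replaces add_timer(), namely that the timer may still be pending when it_real_arm() is entered now that the caller no longer deletes it first. It would also help to state what serializes callers, because expires is computed before mod_timer() is called and two callers can reach mod_timer() in either order.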
@@ -156,8 +158,6 @@
spin_lock_irq(&tsk->sighand->siglock);
interval = tsk->signal->it_real_incr;
val = it_real_value(tsk->signal);
- if (val)
- del_timer_sync(&tsk->signal->real_timer);
tsk->signal->it_real_incr =
timeval_to_jiffies(&value->it_interval);
it_real_arm(tsk, timeval_to_jiffies(&value->it_value));
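Review bot: with the del_timer_sync() call removed after val = it_real_value(tsk->signal), nothing in this siglock-held section waits for an it_real_fn() instance that is already running on another CPU, so the it_real_incr store and the it_real_arm() call below can overlap with the handler's own re-arm. A comment at this spot should record that this is intentional and why a late mod_timer() from the handler is acceptable, or the synchronous delete should stay.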
Now the question is, what happens on the following scenario?
ksoftirqd:
calls it_real_func
process:
calls do_setitimer blocks on siglock;
ksoftirqd: unlocks siglock calls it_real_arm and after it assigns
expires it takes an interrupt before calling mod_timer.
process:
calls it_real_arm and does the changes to mod_timer first.
ksoftirqd: comes back from interrupt and then calls mod_timer with the
wrong value.
This may be a small chance in hell of happening, and the result may not
be too drastic, but this is still a race condition. So far I think that
my unconditional calling of del_timer_sync, although inefficient,
doesn't have any races.
-- Steve
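
The interleaving described in the message above, replayed as a small userspace model that tries every point at which the do_setitimer path can cut into the handler. This is an added example, not code from the thread or from the kernel; the constants, the struct and the function names are constructed, and splitting the handler into three steps follows the scenario in the message.

```c
#include <stdio.h>

/* Userspace model, not kernel code. All values below are constructed. */
#define JIFFIES   1000UL
#define OLD_INCR    10UL   /* it_real_incr before setitimer() */
#define NEW_INCR    50UL   /* it_interval requested by setitimer() */
#define NEW_VALUE  200UL   /* it_value requested by setitimer() */

struct model {
    unsigned long it_real_incr;   /* shared, updated by the setitimer path */
    unsigned long timer_expires;  /* what the last mod_timer() programmed */
};

/* do_setitimer path: one indivisible unit, since it holds siglock throughout. */
static void setitimer_path(struct model *m)
{
    m->it_real_incr = NEW_INCR;
    m->timer_expires = JIFFIES + NEW_VALUE + 1;  /* it_real_arm() -> mod_timer() */
}

/*
 * Handler path as three steps: 0 reads the increment, 1 computes expires,
 * 2 is the mod_timer() call. setitimer_path() runs just before step `slot`
 * (slot 3 means after the handler has finished).
 * Returns the expiry left programmed once both paths are done.
 */
unsigned long run_interleaving(int slot)
{
    struct model m = { OLD_INCR, 0 };
    unsigned long interval = 0, expires = 0;

    for (int step = 0; step <= 3; step++) {
        if (step == slot) setitimer_path(&m);
        if (step == 0) interval = m.it_real_incr;
        if (step == 1) expires = JIFFIES + interval + 1;
        if (step == 2) m.timer_expires = expires;
    }
    return m.timer_expires;
}

/* Stale: the timer ends up armed from the increment setitimer() replaced. */
int is_stale(int slot) { return run_interleaving(slot) == JIFFIES + OLD_INCR + 1; }

int main(void)
{
    for (int slot = 0; slot <= 3; slot++)
        printf("setitimer before step %d: expires=%lu%s\n", slot,
               run_interleaving(slot), is_stale(slot) ? "  <-- stale" : "");
    return 0;
}
```

Slot 2 is the ordering from the message (interrupted between assigning expires and calling mod_timer); slot 0 is the case from the quoted reply, where the handler re-arms using the new it_real_incr.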