From: Andrea Arcangeli <andrea@suse.de>
To: Ingo Molnar <mingo@elte.hu>
Cc: Andrew Morton <akpm@osdl.org>,
linas@austin.ibm.com, linux-kernel@vger.kernel.org
Subject: Re: PATCH: Race in 2.6.0-test2 timer code
Date: Wed, 30 Jul 2003 13:16:39 +0200
Message-ID: <20030730111639.GI23835@dualathlon.random>
In-Reply-To: <Pine.LNX.4.44.0307301223450.13299-100000@localhost.localdomain>

On Wed, Jul 30, 2003 at 12:31:23PM +0200, Ingo Molnar wrote:
>
> On Wed, 30 Jul 2003, Andrea Arcangeli wrote:
>
> >
> >     cpu0                cpu1
> >     ------------        --------------------
> >
> >     do_setitimer
> >                         it_real_fn
> >     del_timer_sync      add_timer    -> crash
>
> would you mind to elaborate the precise race? I cannot see how the above
> sequence could crash on current 2.6:
>
> del_timer_sync() takes the base pointer in timer->base and locks it, then
> checks whether the timer has this base or not and repeats the sequence if
> not. add_timer() locks the current CPU's base, then installs the timer and
> sets timer->base. Where's the race?

not sure why you mention timer->base, you know the base lock means
nothing if it's in two different cpus (if it meant anything, it would
mean we'd still suffer the cacheline bouncing with timer ops running in
different cpus). To make it more clear I edit timer.c deleting all
spin_lock(&base->lock) so the base->lock won't make it look like it can
serialize anything. I delete the local_irqsave too since it doesn't
matter either for this example (also assume preemption turned off so I
don't need to add the preempt disable in place of the local irq save).

so for this example we have this:

int del_timer(struct timer_list *timer)
{
	tvec_base_t *base;

repeat:
	base = timer->base;
	if (!base)
		return 0;
	if (base != timer->base) {
		goto repeat;
	}
	list_del(&timer->entry);
	timer->base = NULL;

	return 1;
}

against this:

void add_timer(struct timer_list *timer)
{
	tvec_base_t *base = &get_cpu_var(tvec_bases);

	BUG_ON(timer_pending(timer) || !timer->function);

	internal_add_timer(base, timer);
	timer->base = base;
	put_cpu_var(tvec_bases);
}

in del_timer, list_del can be reordered after the timer->base = NULL,
the C compiler can do that. so list_del will run at the same time as
internal_add_timer(base, timer) that does the list_add_tail.

list_del and list_add_tail running at the same time will crash.

Andrea
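
Added example (not part of the original message and not kernel code): a single-threaded user-space replay of the interleaving described above, with the `timer->base = NULL` store of the lock-free del_timer placed ahead of its list_del. The struct layout, the two per-CPU list heads and the names `replay_race` and `on_list` are assumptions made for the illustration.

```c
#include <stddef.h>

/* Minimal user-space stand-ins for the kernel's list_head and timer (assumed). */
struct list_head { struct list_head *next, *prev; };
struct timer { struct list_head entry; struct list_head *base; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
}
static int on_list(struct list_head *h, struct list_head *e)
{
	for (struct list_head *p = h->next; p != h; p = p->next)
		if (p == e) return 1;
	return 0;
}

/*
 * Replays one interleaving in a single thread. Returns a bitmask:
 * bit 0: timer->base claims "pending on base1" but base1's list lacks the entry
 * bit 1: base0's list still links to the timer entry (stale pointer)
 */
int replay_race(void)
{
	struct list_head base0, base1;
	struct timer t;
	int bad = 0;

	list_init(&base0); list_init(&base1);
	list_add_tail(&t.entry, &base0); t.base = &base0;	/* timer armed on cpu0 */

	t.base = NULL;				/* cpu0: del_timer store, moved above list_del */
	list_add_tail(&t.entry, &base1);	/* cpu1: add_timer sees !pending, links entry */
	t.base = &base1;			/* cpu1: add_timer publishes its base */
	list_del(&t.entry);			/* cpu0: delayed list_del unlinks from base1 */

	if (t.base == &base1 && !on_list(&base1, &t.entry)) bad |= 1;
	if (on_list(&base0, &t.entry)) bad |= 2;
	return bad;
}
```

Both bits come back set: the timer looks pending but sits on no list it claims, and the old base still points at its entry, which is the kind of list corruption that a later list walk or list_del dereferences.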