From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753427AbcDSW1s (ORCPT ); Tue, 19 Apr 2016 18:27:48 -0400 Received: from mx2.suse.de ([195.135.220.15]:55136 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752407AbcDSW1r (ORCPT ); Tue, 19 Apr 2016 18:27:47 -0400 Date: Tue, 19 Apr 2016 15:27:37 -0700 From: Davidlohr Bueso To: Sebastian Andrzej Siewior Cc: Thomas Gleixner , linux-kernel@vger.kernel.org Subject: Re: [PATCH] kernel/futex: handle the case where we got a "late" waiter Message-ID: <20160419222737.GA27058@linux-uzut.site> References: <1460723739-5195-1-git-send-email-bigeasy@linutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <1460723739-5195-1-git-send-email-bigeasy@linutronix.de> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 15 Apr 2016, Sebastian Andrzej Siewior wrote: >futex_unlock_pi() gets uval before taking the hb lock. Now imagine >someone in futex_lock_pi() took the lock. While futex_unlock_pi() waits >for the hb lock, the LOCK_PI sets FUTEX_WAITERS and drops the lock. >Now, futex_unlock_pi() figures out that there is waiter and invokes >wake_futex_pi() with the old uval which does not yet have FUTEX_WAITERS >set. This flaw lets cmpxchg_futex_value_locked() fail and return -EINVAL. Hmm but if we're calling futex_unlock_pi() in the first place, doesn't that indicate that the uval already has FUTEX_WAITERS and therefore failed the TID->0 transition in userland? That or the thread is bogusly unlocking a lock that it doesn't own. This is of course different than the requeue_pi case which can specify set_waiters but also gets the value via get_futex_value_locked(). Is this a real issue or did you find it by code inspection? Thanks, Davidlohr