From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754126AbcDTHiO (ORCPT <rfc822;w@1wt.eu>);
	Wed, 20 Apr 2016 03:38:14 -0400
Received: from www.linutronix.de ([62.245.132.108]:42852 "EHLO
	Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751445AbcDTHiN (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 20 Apr 2016 03:38:13 -0400
Date: Wed, 20 Apr 2016 09:36:42 +0200 (CEST)
From: Thomas Gleixner <tglx@linutronix.de>
To: Davidlohr Bueso <dave@stgolabs.net>
cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kernel/futex: handle the case where we got a "late"
 waiter
In-Reply-To: <20160419222737.GA27058@linux-uzut.site>
Message-ID: <alpine.DEB.2.11.1604200934190.3941@nanos>
References: <1460723739-5195-1-git-send-email-bigeasy@linutronix.de> <20160419222737.GA27058@linux-uzut.site>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 19 Apr 2016, Davidlohr Bueso wrote:
> On Fri, 15 Apr 2016, Sebastian Andrzej Siewior wrote:
> 
> > futex_unlock_pi() gets uval before taking the hb lock. Now imagine
> > someone in futex_lock_pi() took the lock. While futex_unlock_pi() waits
> > for the hb lock, the LOCK_PI sets FUTEX_WAITERS and drops the lock.
> > Now, futex_unlock_pi() figures out that there is waiter and invokes
> > wake_futex_pi() with the old uval which does not yet have FUTEX_WAITERS
> > set. This flaw lets cmpxchg_futex_value_locked() fail and return -EINVAL.
> 
> Hmm but if we're calling futex_unlock_pi() in the first place, doesn't that
> indicate that the uval already has FUTEX_WAITERS and therefore failed the
> TID->0 transition in userland? That or the thread is bogusly unlocking a
> lock that it doesn't own.

It can be called unconditionally w/o trying the TID->0 transition in user
space first and we should handle that case.
 
Thanks,

	tglx