linux/kernel
Alexey Kuznetsov 778e9a9c3e pi-futex: fix exit races and locking problems
1. New entries can be added to tsk->pi_state_list after task completed
   exit_pi_state_list(). The result is memory leakage and deadlocks.

2. handle_mm_fault() is called under spinlock. The result is obvious.

3. results in self-inflicted deadlock inside glibc.
   Sometimes futex_lock_pi returns -ESRCH, when it is not expected
   and glibc enters to for(;;) sleep() to simulate deadlock. This problem
   is quite obvious and I think the patch is right. Though it looks like
   each "if" in futex_lock_pi() got some stupid special case "else if". :-)

4. sometimes futex_lock_pi() returns -EDEADLK,
   when nobody has the lock. The reason is also obvious (see comment
   in the patch), but correct fix is far beyond my comprehension.
   I guess someone already saw this, the chunk:

                        if (rt_mutex_trylock(&q.pi_state->pi_mutex))
                                ret = 0;

   is obviously from the same opera. But it does not work, because the
   rtmutex is really taken at this point: wake_futex_pi() of previous
   owner reassigned it to us. My fix works. But it looks very stupid.
   I would think about removal of shift of ownership in wake_futex_pi()
   and making all the work in context of process taking lock.

From: Thomas Gleixner <tglx@linutronix.de>

Fix 1) Avoid the tasklist lock variant of the exit race fix by adding
    an additional state transition to the exit code.

    This fixes also the issue, when a task with recursive segfaults
    is not able to release the futexes.

Fix 2) Cleanup the lookup_pi_state() failure path and solve the -ESRCH
    problem finally.

Fix 3) Solve the fixup_pi_state_owner() problem which needs to do the fixup
    in the lock protected section by using the in_atomic userspace access
    functions.

    This removes also the ugly lock drop / unqueue inside of fixup_pi_state()

Fix 4) Fix a stale lock in the error path of futex_wake_pi()

Added some error checks for verification.

The -EDEADLK problem is solved by the rtmutex fixups.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-06-08 17:23:34 -07:00
..
irq Fix crash with irqpoll due to the IRQF_IRQPOLL flag testing 2007-05-24 08:37:14 -07:00
power power: Fix sizeof(PAGE_SIZE) typo 2007-05-23 20:14:14 -07:00
time timer stats: speedups 2007-06-01 08:18:30 -07:00
.gitignore
acct.c
audit.c
audit.h [PATCH] audit signal recipients 2007-05-11 05:38:25 -04:00
auditfilter.c audit_match_signal() and friends are used only if CONFIG_AUDITSYSCALL is set 2007-05-15 18:56:37 -07:00
auditsc.c [PATCH] Abnormal End of Processes 2007-05-11 05:38:26 -04:00
capability.c
compat.c signal/timer/event: timerfd compat code 2007-05-11 08:29:36 -07:00
configs.c use simple_read_from_buffer in kernel/ 2007-05-09 12:30:49 -07:00
cpu.c microcode: use suspend-related CPU hotplug notifications 2007-05-09 12:30:56 -07:00
cpuset.c use simple_read_from_buffer in kernel/ 2007-05-09 12:30:49 -07:00
delayacct.c
die_notifier.c
dma.c
exec_domain.c
exit.c pi-futex: fix exit races and locking problems 2007-06-08 17:23:34 -07:00
extable.c
fork.c freezer: fix vfork problem 2007-05-23 20:14:11 -07:00
futex_compat.c fix compat futex code for private futexes 2007-06-01 08:18:28 -07:00
futex.c pi-futex: fix exit races and locking problems 2007-06-08 17:23:34 -07:00
hrtimer.c Add suspend-related notifications for CPU hotplug 2007-05-09 12:30:56 -07:00
itimer.c
kallsyms.c fix possible null ptr deref in kallsyms_lookup 2007-05-30 10:51:38 -07:00
Kconfig.hz
Kconfig.preempt Fix trivial typos in Kconfig* files 2007-05-09 07:12:20 +02:00
kexec.c
kfifo.c
kmod.c wait_for_helper: remove unneeded do_sigaction() 2007-05-09 12:30:53 -07:00
kprobes.c Kprobes: The ON/OFF knob thru debugfs 2007-05-08 11:15:19 -07:00
ksysfs.c
kthread.c freezer: fix kthread_create vs freezer theoretical race 2007-05-23 20:14:11 -07:00
latency.c
lockdep_internals.h
lockdep_proc.c
lockdep.c
Makefile
module.c Fix minor typoes in kernel/module.c 2007-05-09 07:26:28 +02:00
mutex-debug.c
mutex-debug.h
mutex.c wrap access to thread_info 2007-05-09 12:30:56 -07:00
mutex.h
nsproxy.c
panic.c
params.c
pid.c statically initialize struct pid for swapper 2007-05-11 08:29:35 -07:00
posix-cpu-timers.c
posix-timers.c
printk.c
profile.c Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
ptrace.c [PATCH] auditing ptrace 2007-05-11 05:38:25 -04:00
rcupdate.c Add suspend-related notifications for CPU hotplug 2007-05-09 12:30:56 -07:00
rcutorture.c rcutorture: Remove redundant assignment to cur_ops in for loop 2007-05-08 11:15:17 -07:00
relay.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial 2007-05-09 12:54:17 -07:00
resource.c
rtmutex_common.h futex_requeue_pi optimization 2007-05-09 12:30:55 -07:00
rtmutex-debug.c
rtmutex-debug.h
rtmutex-tester.c
rtmutex.c rt-mutex: fix chain walk early wakeup bug 2007-06-08 17:23:34 -07:00
rtmutex.h
rwsem.c
sched.c Prevent going idle with softirq pending 2007-05-23 20:14:15 -07:00
seccomp.c
signal.c Restrict clearing TIF_SIGPENDING 2007-06-07 08:52:15 -07:00
softirq.c Add suspend-related notifications for CPU hotplug 2007-05-09 12:30:56 -07:00
softlockup.c Add suspend-related notifications for CPU hotplug 2007-05-09 12:30:56 -07:00
spinlock.c
srcu.c
stacktrace.c
stop_machine.c stop_machine() now uses hard_irq_disable 2007-05-11 08:29:34 -07:00
sys_ni.c compat signalfd and timerfd are cond syscalls 2007-05-12 10:55:40 -07:00
sys.c attach_pid() with struct pid parameter 2007-05-11 08:29:35 -07:00
sysctl.c make sysctl/kernel/core_pattern and fs/exec.c agree on maximum core filename size 2007-05-17 05:23:05 -07:00
taskstats.c
time.c
timer.c NOHZ: prevent multiplication overflow - stop timer for huge timeouts 2007-05-29 18:11:10 -07:00
tsacct.c
uid16.c
user.c
utsname_sysctl.c
utsname.c
wait.c Fix occurrences of "the the " 2007-05-09 08:57:56 +02:00
workqueue.c simplify cleanup_workqueue_thread() 2007-05-23 20:14:13 -07:00