From: Alexey Izbyshev
To: linux-kernel@vger.kernel.org
Cc: Thomas Gleixner, Ingo Molnar, Peter Zijlstra, Darren Hart, Davidlohr Bueso, André Almeida, Yi Wang, Yang Tao
Subject: [PATCH] futex: Resend potentially swallowed owner death notification
Date: Sat, 12 Nov 2022 00:54:39 +0300
Message-Id: <20221111215439.248185-1-izbyshev@ispras.ru>

Commit ca16d5bee598 ("futex: Prevent robust futex exit race") addressed
two cases when tasks waiting on a robust non-PI futex remained blocked
despite the futex not being owned anymore:

* if the owner died after writing zero to the futex word, but before
  waking up a waiter

* if a task waiting on the futex was woken up, but died before updating
  the futex word (effectively swallowing the notification without acting
  on it)

In the second case, the task could be woken up either by the previous
owner (after the futex word was reset to zero) or by the kernel (after
the OWNER_DIED bit was set and the TID part of the futex word was reset
to zero) if the previous owner died without resetting the futex.

Because the referenced commit wakes up a potential waiter only if the
whole futex word is zero, the latter subcase remained unaddressed.

Fix this by looking only at the TID part of the futex when deciding
whether a wake up is needed.

Fixes: ca16d5bee598 ("futex: Prevent robust futex exit race")
Signed-off-by: Alexey Izbyshev Acked-by: Peter Zijlstra (Intel) --- kernel/futex/core.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/kernel/futex/core.c b/kernel/futex/core.c index b22ef1efe751..514e4582b863 100644 --- a/kernel/futex/core.c +++ b/kernel/futex/core.c @@ -638,6 +638,7 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, bool pi, bool pending_op) { u32 uval, nval, mval; + pid_t owner; int err; /* Futex address must be 32bit aligned */ @@ -659,6 +660,10 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, * 2. A woken up waiter is killed before it can acquire the * futex in user space. * + * In the second case, the wake up notification could be generated + * by the unlock path in user space after setting the futex value + * to zero or by the kernel after setting the OWNER_DIED bit below. + * * In both cases the TID validation below prevents a wakeup of * potential waiters which can cause these waiters to block * forever. 
@@ -667,24 +672,27 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, * * 1) task->robust_list->list_op_pending != NULL * @pending_op == true - * 2) User space futex value == 0 + * 2) The owner part of user space futex value == 0 * 3) Regular futex: @pi == false * * If these conditions are met, it is safe to attempt waking up a * potential waiter without touching the user space futex value and - * trying to set the OWNER_DIED bit. The user space futex value is - * uncontended and the rest of the user space mutex state is - * consistent, so a woken waiter will just take over the - * uncontended futex. Setting the OWNER_DIED bit would create - * inconsistent state and malfunction of the user space owner died - * handling. + * trying to set the OWNER_DIED bit. If the futex value is zero, + * the rest of the user space mutex state is consistent, so a woken + * waiter will just take over the uncontended futex. Setting the + * OWNER_DIED bit would create inconsistent state and malfunction + * of the user space owner died handling. Otherwise, the OWNER_DIED + * bit is already set, and the woken waiter is expected to deal with + * this. */ - if (pending_op && !pi && !uval) { + owner = uval & FUTEX_TID_MASK; + + if (pending_op && !pi && !owner) { futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY); return 0; } - if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr)) + if (owner != task_pid_vnr(curr)) return 0; /*
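Review bot: In the comment hunk at @@ -659,6 +660,10 @@, the unchanged sentence "In both cases the TID validation below prevents a wakeup" becomes ambiguous once the new paragraph sits directly above it, because "both cases" can now be read as the two wake-up sources just described rather than the numbered cases 1 and 2. Consider rewording the context sentence to "In both cases 1 and 2" or moving the added paragraph under item 2 as a sub-point, so the comment still says which cases the TID validation affects.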
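Review bot: The rewritten comment in the @@ -667,24 +672,27 @@ hunk states "Otherwise, the OWNER_DIED bit is already set", but the new test `pending_op && !pi && !owner` only checks that the TID part is zero and nothing in the visible code verifies which of the remaining bits is set when `uval` is non-zero. Either say in the comment why a zero TID part with a non-zero word implies OWNER_DIED, or word it as "the remaining bits are left for the woken waiter to handle" so the comment does not promise more than the condition checks. A selftest or reproducer reference for the swallowed-notification subcase in the commit message would also help confirm the behaviour change.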
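The difference described in the commit message, as an added user-space model that is not part of the patch or of the kernel source: it reproduces only the two checks visible in the last hunk, before and after the change. The enum and function names are hypothetical; the bit values are those of the Linux UAPI header <linux/futex.h>.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Futex word layout, values as in the Linux UAPI header <linux/futex.h>. */
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* Outcomes of the two checks shown in the patch (hypothetical names). */
enum action { WAKE_ONLY, NOT_OWNER, OWNER_PATH };

/* Before the patch: the early wake requires the whole word to be zero. */
enum action decide_before(uint32_t uval, uint32_t tid, bool pi, bool pending_op)
{
    if (pending_op && !pi && !uval)
        return WAKE_ONLY;
    if ((uval & FUTEX_TID_MASK) != tid)
        return NOT_OWNER;            /* returns without waking anyone */
    return OWNER_PATH;               /* rest of the function, not modelled */
}

/* After the patch: only the TID part of the word has to be zero. */
enum action decide_after(uint32_t uval, uint32_t tid, bool pi, bool pending_op)
{
    uint32_t owner = uval & FUTEX_TID_MASK;

    if (pending_op && !pi && !owner)
        return WAKE_ONLY;
    if (owner != tid)
        return NOT_OWNER;
    return OWNER_PATH;
}

int main(void)
{
    /* Constructed futex words seen by an exiting task with TID 1234. */
    const uint32_t words[] = { 0, FUTEX_OWNER_DIED, 4321, 1234 };
    const char *names[] = { "wake", "not-owner", "owner-path" };

    for (size_t i = 0; i < sizeof(words) / sizeof(words[0]); i++)
        printf("0x%08x before=%s after=%s\n", (unsigned)words[i],
               names[decide_before(words[i], 1234, false, true)],
               names[decide_after(words[i], 1234, false, true)]);
    return 0;
}
```

The second constructed word (OWNER_DIED set, TID part zero) is the subcase from the commit message: the old check returns without a wake-up, the new one re-sends it.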