futex_requeue() can acquire the lock on behalf of a waiter during the requeue
loop in the event of a lock steal or owner died. futex_wait_requeue_pi() cleans
up the pi_state owner, using the lock_ptr to protect against concurrent access
to the pi_state. The pi_state is found on the requeue target futex hash bucket
so the lock_ptr needs to be updated accordingly. The problem manifested by
triggering the WARN_ON in lookup_pi_state() about the pid != pi_state->owner
pid.
The astute reviewer will note that still exists a race between the time
futex_requeue() releases hb2->lock() and the time when futex_wait_requeue_pi()
acquires it. During this time the pi_state and the futex uaddr are not in sync
with the rt_mutex ownership. This patch closes the window to the point where
my tests now pass, but we still need to address it.
Note: Please apply to mainline and rt
Signed-off-by: Darren Hart <dvhltc@xxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Steven Rostedt <rostedt@xxxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxx>
CC: Dinakar Guniguntala <dino@xxxxxxxxxx>
CC: John Stultz <johnstul@xxxxxxxxxx>
CC: John Kacur <jkacur@xxxxxxxxxx>
Index: 2.6.31-rc4-rt1/kernel/futex.c
===================================================================
--- 2.6.31-rc4-rt1.orig/kernel/futex.c 2009-08-05 10:00:56.000000000 -0700
+++ 2.6.31-rc4-rt1/kernel/futex.c 2009-08-05 10:29:56.000000000 -0700
@@ -1059,19 +1059,24 @@ void requeue_futex(struct futex_q *q, st
* requeue_pi_wake_futex() - Wake a task that acquired the lock during requeue
* q: the futex_q
* key: the key of the requeue target futex
+ * hb: the hash_bucket of the requeue target futex
*
* During futex_requeue, with requeue_pi=1, it is possible to acquire the
* target futex if it is uncontended or via a lock steal. Set the futex_q key
* to the requeue target futex so the waiter can detect the wakeup on the right
* futex, but remove it from the hb and NULL the rt_waiter so it can detect
- * atomic lock acquisition. Must be called with the q->lock_ptr held.
+ * atomic lock acquisition. Set the q->lock_ptr to the requeue target hb->lock
+ * to protect access to the pi_state to fixup the owner later. Must be called
+ * with the q->lock_ptr held.
*/
static inline
-void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key)
+void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+ struct futex_hash_bucket *hb)
{
drop_futex_key_refs(&q->key);
get_futex_key_refs(key);
q->key = *key;
+ q->lock_ptr = &hb->lock;
WARN_ON(plist_node_empty(&q->list));
plist_del(&q->list, &q->list.plist);
@@ -1137,7 +1142,7 @@ static int futex_proxy_trylock_atomic(u3
ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
set_waiters);
if (ret == 1)
- requeue_pi_wake_futex(top_waiter, key2);
+ requeue_pi_wake_futex(top_waiter, key2, hb2);
return ret;
}
@@ -1323,7 +1328,7 @@ retry_private:
this->task, 1);
if (ret == 1) {
/* We got the lock. */
- requeue_pi_wake_futex(this, &key2);
+ requeue_pi_wake_futex(this, &key2, hb2);
continue;
} else if (ret) {
/* -EDEADLK */
--
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team
--
To unsubscribe from this list: send the line "unsubscribe linux-rt-users" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
