Re: safety of *mutex_unlock() (Was: [BUG] signal: sighand unprotected when accessed by /proc)

From: Thomas Gleixner
Date: Tue Jun 10 2014 - 13:51:24 EST


On Tue, 10 Jun 2014, Oleg Nesterov wrote:

> On 06/10, Thomas Gleixner wrote:
> >
> > +static inline bool unlock_rt_mutex_safe(struct rt_mutex *lock)
> > + __releases(lock->wait_lock)
> > +{
> > + unsigned long owner, *p = (unsigned long *) &lock->owner;
> > +
> > + owner = (unsigned long) rt_mutex_owner(lock);
> > + clear_rt_mutex_waiters(lock);
> > + raw_spin_unlock(&lock->wait_lock);
> > + /*
> > + * If a new waiter comes in between the unlock and the cmpxchg
> > + * we have two situations:
> > + *
> > + * unlock(wait_lock);
> > + * lock(wait_lock);
> > + * cmpxchg(p, owner, 0) == owner
> > + * mark_rt_mutex_waiters(lock);
> > + * acquire(lock);
> > + * or:
> > + *
> > + * unlock(wait_lock);
> > + * lock(wait_lock);
> > + * mark_rt_mutex_waiters(lock);
> > + *
> > + * cmpxchg(p, owner, 0) != owner
> > + * enqueue_waiter();
> > + * unlock(wait_lock);
> > + * lock(wait_lock);
> > + * wake waiter();
> > + * unlock(wait_lock);
> > + * lock(wait_lock);
> > + * acquire(lock);
> > + */
> > + return rt_mutex_cmpxchg(p, owner, 0);
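Review bot: the final `return rt_mutex_cmpxchg(p, owner, 0);` passes an `unsigned long *` and an `unsigned long` where `rt_mutex_cmpxchg()` expects the `struct rt_mutex *` itself (as Oleg notes below), so this will not build as posted; the `p` indirection and the cast of `&lock->owner` serve no purpose and should go, leaving `owner` as the `struct task_struct *` returned by `rt_mutex_owner(lock)` and passing `lock` to the cmpxchg. Two smaller points on the same region: the order of `owner = ...`, `clear_rt_mutex_waiters(lock)`, `raw_spin_unlock(&lock->wait_lock)` is what makes the scheme work (the owner must be sampled before the waiters bit is cleared, and the bit must be cleared before `wait_lock` is dropped, otherwise a waiter that arrives after the unlock and sets the bit via `mark_rt_mutex_waiters()` could have its bit wiped out), so a one-line comment stating that ordering constraint would protect it from a future reshuffle; and the comment block documents the two interleavings but not the contract on the return value, namely that on a `false` return `wait_lock` has already been released and the caller must re-acquire it and take the slow path, which is worth spelling out next to the `__releases(lock->wait_lock)` annotation.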
>
> Wait, but this looks like a typo. rt_mutex_cmpxchg() needs "struct rt_mutex *",
> not "long *". It seems that you should simply kill "*p" above.

Uurgh. I had cmpxchg there first and then changed it. You're right, I
can kill the p magic. Bah, that's what you get sending out stuff just
before jumping into a car.



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/