Re: [tip:locking/core] locking/rwsem: Fix lock optimistic spinning when owner is not running

[Linus Torvalds]

On Sat, Mar 7, 2015 at 9:13 AM, Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>> +             /*
>> +              * Ensure we emit the owner->on_cpu, dereference _after_
>> +              * checking sem->owner still matches owner, if that fails,
>> +              * owner might point to free()d memory, if it still matches,
>> +              * the rcu_read_lock() ensures the memory stays valid.
>                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Yes, this is another case when we wrongly assume this.
>
> Peter, should I resend
>
>         [PATCH 3/3] introduce task_rcu_dereference()
>         http://marc.info/?l=linux-kernel&m=141443631413914
>
> ? or should we add another call_rcu() in finish_task_switch() (like -rt does)
> to make this true?

I think we should just make 'task_struct_cachep' have SLAB_DESTROY_BY_RCU.

It has almost no overhead - since it only affects the final page
freeing, not the actual slab alloc/free paths - and it means that you
can do the "access for reading under rcu lock" without worrying.

Of course, with SLAB_DESTROY_BY_RCU, a task may be re-allocated (to
*another* task) even under RCU, so the results from unlocked RCU read
accesses aren't "guaranteed" in that sense, but it's fine for
optimistic spinning where the code also ends up re-checking that the
task pointer itself matches. Getting the occasional race with "oops,
task went away" is fine, as long as we don't keep looping over a dead
task.

                           Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/