On Tue, 26 Mar 2013 13:33:07 -0400 Sasha Levin <sasha.le...@oracle.com> wrote:
> [ 96.347341] ================================================ > [ 96.348085] [ BUG: lock held when returning to user space! ] > [ 96.348834] 3.9.0-rc4-next-20130326-sasha-00011-gbcb2313 #318 Tainted: G > W > [ 96.360300] ------------------------------------------------ > [ 96.361084] trinity-child9/7583 is leaving the kernel with locks still > held! > [ 96.362019] 1 lock held by trinity-child9/7583: > [ 96.362610] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff8192eafb>] > SYSC_semtimedop+0x1fb/0xec0 > > It seems that we can leave semtimedop without releasing the rcu read lock. Sasha, this patch untangles the RCU locking with find_alloc_undo, and should fix the above issue. As a side benefit, this makes the code a little cleaner. Next up: implement locking in a way that does not trigger any lockdep warnings... ---8<--- Subject: ipc,sem: untangle RCU locking with find_alloc_undo The ipc semaphore code has a nasty RCU locking tangle, with both find_alloc_undo and semtimedop taking the rcu_read_lock(). The code can be cleaned up somewhat by only taking the rcu_read_lock once. The only caller of find_alloc_undo is in semtimedop. This should solve the trinity issue reported by Sasha Levin. Reported-by: Sasha Levin <sasha.le...@oracle.com> Signed-off-by: Rik van Riel <r...@redhat.com> --- ipc/sem.c | 31 +++++++++---------------------- 1 files changed, 9 insertions(+), 22 deletions(-) diff --git a/ipc/sem.c b/ipc/sem.c index f46441a..2ec2945 100644 --- a/ipc/sem.c +++ b/ipc/sem.c @@ -1646,22 +1646,23 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, alter = 1; } + INIT_LIST_HEAD(&tasks); + if (undos) { + /* On success, find_alloc_undo takes the rcu_read_lock */ un = find_alloc_undo(ns, semid); if (IS_ERR(un)) { error = PTR_ERR(un); goto out_free; } - } else + } else { un = NULL; + rcu_read_lock(); + } - INIT_LIST_HEAD(&tasks); - - rcu_read_lock(); sma = sem_obtain_object_check(ns, semid); if (IS_ERR(sma)) { - if (un) - rcu_read_unlock(); + rcu_read_unlock(); error = PTR_ERR(sma); goto out_free; } @@ -1693,22 +1694,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, */ error = -EIDRM; locknum = sem_lock(sma, sops, nsops); - if (un) { - if (un->semid == -1) { - rcu_read_unlock(); - goto out_unlock_free; - } else { - /* - * rcu lock can be released, "un" cannot disappear: - * - sem_lock is acquired, thus IPC_RMID is - * impossible. - * - exit_sem is impossible, it always operates on - * current (or a dead task). - */ - - rcu_read_unlock(); - } - } + if (un && un->semid == -1) + goto out_unlock_free; error = try_atomic_semop (sma, sops, nsops, un, task_tgid_vnr(current)); if (error <= 0) { -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/