Hi,

On 10/09/2015 10:24 AM, Felix Hübner wrote:
Hi all,

I have just reported a concurrency issue in the implementation of
sem_lock, see https://bugzilla.kernel.org/show_bug.cgi?id=105651

[...]
# P0 does spin_lock(&sem->lock); in line 336.

                spin_lock(&sem->lock);
[...]
# P2 performs the rest of semtimedop, increments complex_count and ends up
in line 1961 and starts to sleep.

                return -1;
        }
That is the problem: semtimedop() increments complex_count - thus sem_wait_array() returns without a spin_unlock_wait() loop - but P0 already owns spin_lock(&sem->lock).

How do we want to fix it?
- revert my patch (simplify code, but slower for one corner case)
- add the missing sem_wait_array (more complex, but also better for complex semops).

What do you think?

(patch untested)

--
    Manfred
From 0ce84d118e2ee7ebc98ad4a8cfd23f04ad45115c Mon Sep 17 00:00:00 2001
From: Manfred Spraul <[email protected]>
Date: Sat, 10 Oct 2015 08:37:22 +0200
Subject: [PATCH] ipc/sem.c: Alternative for fixing Concurrency bug

Two ideas for fixing the bug found by Felix:
- Revert my initial patch.
	Problem: Significant slowdown for applications that use large sem
	arrays and complex operations: every semop() does a loop
	with spin_lock() on all semaphores.

- Add another sem_wait_array() that catches operations that are in
  the middle of sem_lock().

What do you think? Is it worth optimizing for complex ops?

Reported-by: [email protected]
Signed-off-by: Manfred Spraul <[email protected]>
---
 ipc/sem.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipc/sem.c b/ipc/sem.c
index b471e5a..9a55cfb 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1936,9 +1936,16 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
 			list_add_tail(&queue.list, &curr->pending_const);
 		}
 	} else {
-		if (!sma->complex_count)
+		if (!sma->complex_count) {
 			merge_queues(sma);
 
+			/*
+			 * squeeze out any simple operations that are in the middle
+			 * of sem_lock()
+			 */
+			sem_wait_array(sma);
+		}
+
 		if (alter)
 			list_add_tail(&queue.list, &sma->pending_alter);
 		else
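Review bot: the sem_wait_array() call added at the end of the `if (!sma->complex_count)` block only does its job if it runs before complex_count is incremented, because, as the reply above states, sem_wait_array() returns without its spin_unlock_wait() loop once complex_count is non-zero; the increment is outside this hunk's context, so the comment should record that ordering requirement rather than just "squeeze out any simple operations", e.g. "must run before complex_count++: sem_wait_array() is a no-op once complex_count != 0, and a simple op may still own sem->lock from the middle of sem_lock()". It would also help to say in the comment why the wait already done for the complex path is not enough here (the interleaving Felix reported), so that this second, apparently redundant call is not removed by a later cleanup; the commit message still describes the patch as untested and as one of two alternatives, so marking it RFC would be appropriate.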
-- 
2.4.3

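The locking rule the thread argues about, as an added example that is not part of the e-mail or of ipc/sem.c: a deterministic, single-threaded model of the two paths described above (a simple op holding its per-semaphore lock in the middle of sem_lock(), and a complex op that raises complex_count, after which sem_wait_array() skips its loop). The names model_sem_wait_array, model_queue_complex_op, later_complex_op_ignores_held_lock and NSEMS, and the replayed interleaving, are this example's own assumptions; the model encodes only the rule stated in the reply (sem_wait_array() returns early once complex_count is non-zero) and the hunk's extra call at the 0 -> 1 transition, not the kernel's actual sem_lock() code.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example: a single-threaded model of the ipc/sem.c locking scheme as
 * the thread describes it, NOT the kernel code. Locks are flags and
 * "spinning" is reported as a result code, so the interleaving can be
 * replayed deterministically. Names are modelled on the kernel's; the
 * helper names (model_*) and NSEMS are this example's own.
 */
#define NSEMS 4

struct sem {
	bool locked;                /* models sem->lock being held */
};

struct sem_array {
	int complex_count;          /* complex ops queued on the array */
	struct sem sems[NSEMS];
};

enum wait_result {
	WAIT_DONE,                  /* every sem->lock was observed free */
	WAIT_SKIPPED,               /* complex_count != 0: loop not executed */
	WAIT_BLOCKED_ON_SEM         /* a simple op still holds a sem->lock */
};

/*
 * Model of sem_wait_array(): skip the loop when complex_count is non-zero
 * (the shortcut the reply blames), otherwise "spin" on each held lock.
 * In the model, spinning is reported instead of blocking.
 */
static enum wait_result model_sem_wait_array(const struct sem_array *sma,
					     int *blocked_on)
{
	if (sma->complex_count)
		return WAIT_SKIPPED;

	for (int i = 0; i < NSEMS; i++) {
		if (sma->sems[i].locked) {
			if (blocked_on)
				*blocked_on = i;
			return WAIT_BLOCKED_ON_SEM;  /* spin_unlock_wait() would spin here */
		}
	}
	return WAIT_DONE;
}

/*
 * Model of the code the hunk patches: a complex op queues itself and raises
 * complex_count. With with_fix == true, the extra sem_wait_array() call is
 * made at the 0 -> 1 transition, before the increment; the op does not
 * proceed (and complex_count is not raised) while a simple op holds a lock.
 */
static enum wait_result model_queue_complex_op(struct sem_array *sma,
					       bool with_fix, int *blocked_on)
{
	enum wait_result r = WAIT_DONE;

	if (with_fix && sma->complex_count == 0) {
		r = model_sem_wait_array(sma, blocked_on);
		if (r == WAIT_BLOCKED_ON_SEM)
			return r;
	}
	sma->complex_count++;
	return r;
}

/*
 * Replay of the shape of the reported interleaving (constructed for this
 * example): a simple op (P0) holds the sem->lock of semaphore 0, in the
 * middle of sem_lock(), when a complex op (P2) reaches the queueing code with
 * complex_count == 0. Returns true if a further complex op can then enter
 * the array without ever waiting for P0's lock, i.e. the bug reproduces.
 */
static bool later_complex_op_ignores_held_lock(bool with_fix)
{
	struct sem_array sma = { .complex_count = 0 };
	int blocked = -1;

	sma.sems[0].locked = true;	/* P0 owns spin_lock(&sem->lock) */

	if (model_queue_complex_op(&sma, with_fix, &blocked) == WAIT_BLOCKED_ON_SEM)
		return false;		/* P2 waits for P0; complex_count stays 0 */

	/* P2 queued and raised complex_count; next complex op takes the shortcut. */
	return model_sem_wait_array(&sma, &blocked) == WAIT_SKIPPED;
}

int main(void)
{
	printf("without extra wait: bug reproduces = %d\n",
	       later_complex_op_ignores_held_lock(false));
	printf("with extra wait:    bug reproduces = %d\n",
	       later_complex_op_ignores_held_lock(true));
	return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. Without the extra wait the later complex op takes the shortcut while P0 still owns its lock; with the hunk's extra call, P2 is held at the 0 -> 1 transition until P0 releases the lock, so the shortcut is never taken over an unobserved lock.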