Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755977AbbBJNS2 (ORCPT ); Tue, 10 Feb 2015 08:18:28 -0500 Received: from mail-qa0-f46.google.com ([209.85.216.46]:36310 "EHLO mail-qa0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752735AbbBJNS0 (ORCPT ); Tue, 10 Feb 2015 08:18:26 -0500 MIME-Version: 1.0 In-Reply-To: <54D9CFC7.5020007@linux.vnet.ibm.com> References: <1423234148-13886-1-git-send-email-raghavendra.kt@linux.vnet.ibm.com> <54D7D19B.1000103@goop.org> <54D87F1E.9060307@linux.vnet.ibm.com> <20150209120227.GT21418@twins.programming.kicks-ass.net> <54D9CFC7.5020007@linux.vnet.ibm.com> From: Denys Vlasenko Date: Tue, 10 Feb 2015 14:18:05 +0100 Message-ID: Subject: Re: [PATCH] x86 spinlock: Fix memory corruption on completing completions To: Raghavendra K T Cc: Linus Torvalds , Jeremy Fitzhardinge , Sasha Levin , Davidlohr Bueso , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Peter Anvin , Konrad Rzeszutek Wilk , Paolo Bonzini , Paul McKenney , Waiman Long , Dave Jones , Oleg Nesterov , "the arch/x86 maintainers" , Paul Gortmaker , Andi Kleen , Jason Wang , Linux Kernel Mailing List , KVM list , virtualization , xen-devel@lists.xenproject.org, Rik van Riel , Christian Borntraeger , Andrew Morton , Andrey Ryabinin Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2167 Lines: 62 On Tue, Feb 10, 2015 at 10:30 AM, Raghavendra K T wrote: > On 02/10/2015 06:23 AM, Linus Torvalds wrote: >> add_smp(&lock->tickets.head, TICKET_LOCK_INC); >> if (READ_ONCE(lock->tickets.tail) & TICKET_SLOWPATH_FLAG) .. >> >> into something like >> >> val = xadd((&lock->ticket.head_tail, TICKET_LOCK_INC << >> TICKET_SHIFT); >> if (unlikely(val & TICKET_SLOWPATH_FLAG)) ... >> >> would be the right thing to do. Somebody should just check that I got >> that shift right, and that the tail is in the high bytes (head really >> needs to be high to work, if it's in the low byte(s) the xadd would >> overflow from head into tail which would be wrong). > > Unfortunately xadd could result in head overflow as tail is high. xadd can overflow, but is this really a problem? # define HEAD_MASK (TICKET_SLOWPATH_FLAG-1) ... unlock_again: val = xadd((&lock->ticket.head_tail, TICKET_LOCK_INC); if (unlikely(!(val & HEAD_MASK))) { /* overflow. we inadvertently incremented the tail word. * tail's lsb is TICKET_SLOWPATH_FLAG. * Increment inverted this bit, fix it up. * (inc _may_ have messed up tail counter too, * will deal with it after kick.) */ val ^= TICKET_SLOWPATH_FLAG; } if (unlikely(val & TICKET_SLOWPATH_FLAG)) { ...kick the waiting task... val -= TICKET_SLOWPATH_FLAG; if (unlikely(!(val & HEAD_MASK))) { /* overflow. we inadvertently incremented tail word, *and* * TICKET_SLOWPATH_FLAG was set, increment overflowed * that bit too and incremented tail counter. * This means we (inadvertently) taking the lock again! * Oh well. Take it, and unlock it again... */ while (1) { if (READ_ONCE(lock->tickets.head) != TICKET_TAIL(val)) cpu_relax(); } goto unlock_again; } Granted, this looks ugly. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/