Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp627023rdb; Thu, 30 Nov 2023 13:53:57 -0800 (PST) X-Google-Smtp-Source: AGHT+IFhkVfxt+Kqjv+T/E3lPe6QR0R89ZO7aHVacKA297KZQtHlPffTJCSmZA0Y1rZHCIZGR97C X-Received: by 2002:a17:903:22d2:b0:1cc:3908:2ca7 with SMTP id y18-20020a17090322d200b001cc39082ca7mr24239314plg.33.1701381237249; Thu, 30 Nov 2023 13:53:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701381237; cv=none; d=google.com; s=arc-20160816; b=LFJlEZD+eo9Kj5Ihz1h7NPvW4k4ZSavTR0Jewotuy8V25ahfDLKjhTUAOCWRPadRXe LVQe52lYlPVnw3upq93I07U0vWb9xvj4MFXpNUdp1xBZQEob//qGSLfbxnpeiQrc87S8 k1xiHFxCTfQXpf6frPiqJluKGRUsosWKnth3i2UB9xUQ9E96FNBSVLh06j5dp+/h7rZC ztXADykBj74V/XsWWrOH0SJtiXQnqSSmodN73naI8UlFM1Ya9lL4vZ8LAg79CvIVeTBt pvmWy8VhskomUCxA6r1aMJ+P9T8ql2GmXjN+K7QjZDDx0SODjjv+vikvvytIbNr8gaZS 1IQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=1pG2lRKOWfMEjs9VpsMcZUPdW+pUgM81zvIo8oiA6l4=; fh=ktEEX4CYtN5SpOu3Kvv4Qvrx0D4GS1WUx/+mnkEnvRY=; b=JZtpbRdrlLsdbt15UkHnQRvNQ/agUycsPeCajKGZVmqdN81JSyNfqWr3dtSUXbB/I7 6NyNl8IZdAHxvatOiUcK6Y5J5yEDr0Ql0Jk5Lm96R3r9BLIZ95pP059Jt8BqT0AGeS83 MVL2rgUf3dU7PphQIw/HvlLvhhB6nexzS5RmGh77Mx57rZ3LeMB1+J4d1Ve+w56l+NRb I+RA3vmF7TJ021b/rKYaXzcHpfxOC2MW+bgTyuxIOCLYcTPS5GNjGyd0AdMn06UUUUPd G5jLqhO+XcAPRr40EpG4zvnD06gvAvfktJMy+F906ZaZ0GYxmsrk/Z7AgOMVs0bphilN 3x5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=b91mrb68; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id n7-20020a170903110700b001cfc35d12f4si2062554plh.140.2023.11.30.13.53.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Nov 2023 13:53:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=b91mrb68; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id D3BDD85A0434; Thu, 30 Nov 2023 13:53:45 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377035AbjK3Vx3 (ORCPT + 99 others); Thu, 30 Nov 2023 16:53:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60548 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377025AbjK3Vx3 (ORCPT ); Thu, 30 Nov 2023 16:53:29 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BAA610FD for ; Thu, 30 Nov 2023 13:53:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1701381214; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1pG2lRKOWfMEjs9VpsMcZUPdW+pUgM81zvIo8oiA6l4=; b=b91mrb68zoVXgqPVGl1CzpK0nmD88am36WQuhBy1uxTYzJJ/AUn5Ko/UP8Q2AeV/sDQrxQ be8SOJwCShdcqPK7Gzv/mSoazNIl23vQRlINSHRi577Yh72FhLaUS7I7yWsf+VJWeYTdPv WZHDxwZO3IVDGwtDwuB4vd8u4DhusnE= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-622-23t9BpumOcWX-WjgRFx-gw-1; Thu, 30 Nov 2023 16:53:30 -0500 X-MC-Unique: 23t9BpumOcWX-WjgRFx-gw-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5029B1C06E18; Thu, 30 Nov 2023 21:53:30 +0000 (UTC) Received: from [10.22.9.192] (unknown [10.22.9.192]) by smtp.corp.redhat.com (Postfix) with ESMTP id E4C2F40C6EB9; Thu, 30 Nov 2023 21:53:29 +0000 (UTC) Message-ID: <2f17a9a6-5781-43ef-a09b-f39310843fe6@redhat.com> Date: Thu, 30 Nov 2023 16:53:29 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] locking: Document that mutex_unlock() is non-atomic Content-Language: en-US To: Jann Horn , Peter Zijlstra , Ingo Molnar , Will Deacon Cc: Jonathan Corbet , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org References: <20231130204817.2031407-1-jannh@google.com> From: Waiman Long In-Reply-To: <20231130204817.2031407-1-jannh@google.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Thu, 30 Nov 2023 13:53:46 -0800 (PST) On 11/30/23 15:48, Jann Horn wrote: > I have seen several cases of attempts to use mutex_unlock() to release an > object such that the object can then be freed by another task. > My understanding is that this is not safe because mutex_unlock(), in the > MUTEX_FLAG_WAITERS && !MUTEX_FLAG_HANDOFF case, accesses the mutex > structure after having marked it as unlocked; so mutex_unlock() requires > its caller to ensure that the mutex stays alive until mutex_unlock() > returns. > > If MUTEX_FLAG_WAITERS is set and there are real waiters, those waiters > have to keep the mutex alive, I think; but we could have a spurious > MUTEX_FLAG_WAITERS left if an interruptible/killable waiter bailed > between the points where __mutex_unlock_slowpath() did the cmpxchg > reading the flags and where it acquired the wait_lock. Could you clarify under what condition a concurrent task can decide to free the object holding the mutex? Is it !mutex_is_locked() or after a mutex_lock()/mutex_unlock sequence? mutex_is_locked() will return true if the mutex has waiter even if it  is currently free. Cheers, Longman > > (With spinlocks, that kind of code pattern is allowed and, from what I > remember, used in several places in the kernel.) > > If my understanding of this is correct, we should probably document this - > I think such a semantic difference between mutexes and spinlocks is fairly > unintuitive. > > Signed-off-by: Jann Horn > --- > I hope for some thorough review on this patch to make sure the comments > I'm adding are actually true, and to confirm that mutexes intentionally > do not support this usage pattern. > > Documentation/locking/mutex-design.rst | 6 ++++++ > kernel/locking/mutex.c | 5 +++++ > 2 files changed, 11 insertions(+) > > diff --git a/Documentation/locking/mutex-design.rst b/Documentation/locking/mutex-design.rst > index 78540cd7f54b..087716bfa7b2 100644 > --- a/Documentation/locking/mutex-design.rst > +++ b/Documentation/locking/mutex-design.rst > @@ -101,6 +101,12 @@ features that make lock debugging easier and faster: > - Detects multi-task circular deadlocks and prints out all affected > locks and tasks (and only those tasks). > > +Releasing a mutex is not an atomic operation: Once a mutex release operation > +has begun, another context may be able to acquire the mutex before the release > +operation has completed. The mutex user must ensure that the mutex is not > +destroyed while a release operation is still in progress - in other words, > +callers of 'mutex_unlock' must ensure that the mutex stays alive until > +'mutex_unlock' has returned. > > Interfaces > ---------- > diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c > index 2deeeca3e71b..4c6b83bab643 100644 > --- a/kernel/locking/mutex.c > +++ b/kernel/locking/mutex.c > @@ -532,6 +532,11 @@ static noinline void __sched __mutex_unlock_slowpath(struct mutex *lock, unsigne > * This function must not be used in interrupt context. Unlocking > * of a not locked mutex is not allowed. > * > + * The caller must ensure that the mutex stays alive until this function has > + * returned - mutex_unlock() can NOT directly be used to release an object such > + * that another concurrent task can free it. > + * Mutexes are different from spinlocks in this aspect. > + * > * This function is similar to (but not equivalent to) up(). > */ > void __sched mutex_unlock(struct mutex *lock) > > base-commit: 3b47bc037bd44f142ac09848e8d3ecccc726be99