On 04/20/2016 12:27 AM, Davidlohr Bueso wrote:
> On Fri, 15 Apr 2016, Sebastian Andrzej Siewior wrote:
>
>> futex_unlock_pi() gets uval before taking the hb lock. Now imagine
>> someone in futex_lock_pi() took the lock. While futex_unlock_pi() waits
>> for the hb lock, the LOCK_PI sets FUTEX_WAITERS and drops the lock.
>> Now, futex_unlock_pi() figures out that there is waiter and invokes
>> wake_futex_pi() with the old uval which does not yet have FUTEX_WAITERS
>> set. This flaw lets cmpxchg_futex_value_locked() fail and return -EINVAL.
>
> Hmm but if we're calling futex_unlock_pi() in the first place, doesn't that
> indicate that the uval already has FUTEX_WAITERS and therefore failed the
> TID->0 transition in userland? That or the thread is bogusly unlocking a
> lock that it doesn't own.
I hacked a testing tool which always did the syscall for LOCK_PI /
UNLOCK_PI and this popped up.
>
> This is of course different than the requeue_pi case which can specify
> set_waiters but also gets the value via get_futex_value_locked().
>
> Is this a real issue or did you find it by code inspection?
real issue.
https://breakpoint.cc/mass-futex2-rl.c
> Thanks,
> Davidlohr
Sebastian
