| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jul 2015 22:23:51 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
cc: Darren Hart <dvhart@...radead.org>,
Torvald Riegel <triegel@...hat.com>,
Carlos O'Donell <carlos@...hat.com>,
Ingo Molnar <mingo@...e.hu>, Jakub Jelinek <jakub@...hat.com>,
linux-man <linux-man@...r.kernel.org>,
lkml <linux-kernel@...r.kernel.org>,
Davidlohr Bueso <dave@...olabs.net>,
Arnd Bergmann <arnd@...db.de>,
Steven Rostedt <rostedt@...dmis.org>,
Peter Zijlstra <peterz@...radead.org>,
Linux API <linux-api@...r.kernel.org>,
Roland McGrath <roland@...k.frob.com>,
Anton Blanchard <anton@...ba.org>,
Eric Dumazet <edumazet@...gle.com>,
bill o gallmeister <bgallmeister@...il.com>,
Jan Kiszka <jan.kiszka@...mens.com>,
Daniel Wagner <wagi@...om.org>, Rich Felker <dalias@...c.org>,
Andy Lutomirski <luto@...capital.net>,
bert hubert <bert.hubert@...herlabs.nl>,
Rusty Russell <rusty@...tcorp.com.au>,
Heinrich Schuchardt <xypron.glpk@....de>
Subject: Re: Next round: revised futex(2) man page for review
On Mon, 27 Jul 2015, Michael Kerrisk (man-pages) wrote:
> FUTEX_CLOCK_REALTIME (since Linux 2.6.28)
> This option bit can be employed only with the
> FUTEX_WAIT_BITSET and FUTEX_WAIT_REQUEUE_PI operations.
>
> If this option is set, the kernel treats timeout as an
> absolute time based on CLOCK_REALTIME.
>
> .\" FIXME XXX I added CLOCK_MONOTONIC below. Okay?
> If this option is not set, the kernel treats timeout as
> relative time, measured against the CLOCK_MONOTONIC clock.
That's correct.
> The operation specified in futex_op is one of the following:
>
> FUTEX_WAIT (since Linux 2.6.0)
> This operation tests that the value at the futex word
> pointed to by the address uaddr still contains the
> expected value val, and if so, then sleeps awaiting
> FUTEX_WAKE on the futex word. The load of the value of
> the futex word is an atomic memory access (i.e., using
> atomic machine instructions of the respective architec‐
> ture). This load, the comparison with the expected value,
> and starting to sleep are performed atomically and totally
> ordered with respect to other futex operations on the same
> futex word. If the thread starts to sleep, it is consid‐
> ered a waiter on this futex word. If the futex value does
> not match val, then the call fails immediately with the
> error EAGAIN.
>
> The purpose of the comparison with the expected value is
> to prevent lost wake-ups: If another thread changed the
> value of the futex word after the calling thread decided
> to block based on the prior value, and if the other thread
> executed a FUTEX_WAKE operation (or similar wake-up) after
> the value change and before this FUTEX_WAIT operation,
> then the latter will observe the value change and will not
> start to sleep.
>
> If the timeout argument is non-NULL, its contents specify
> a relative timeout for the wait, measured according to the
> .\" FIXME XXX I added CLOCK_MONOTONIC below. Okay?
Yes.
> CLOCK_MONOTONIC clock. (This interval will be rounded up
> to the system clock granularity, and kernel scheduling
> delays mean that the blocking interval may overrun by a
> small amount.)
The given wait time will be rounded up to the system
clock granularity and is guaranteed not to expire
early.
There are a gazillion reasons why it can expire late, but the
guarantee is that it never expires prematurely.
> If timeout is NULL, the call blocks indef‐
> initely.
Right.
> The arguments uaddr2 and val3 are ignored.
>
>
> FUTEX_WAKE (since Linux 2.6.0)
> This operation wakes at most val of the waiters that are
> waiting (e.g., inside FUTEX_WAIT) on the futex word at the
> address uaddr. Most commonly, val is specified as either
> 1 (wake up a single waiter) or INT_MAX (wake up all wait‐
> ers). No guarantee is provided about which waiters are
> awoken (e.g., a waiter with a higher scheduling priority
> is not guaranteed to be awoken in preference to a waiter
> with a lower priority).
That's only correct up to Linux 2.6.21.
Since 2.6.22 we have a priority ordered wakeup. For SCHED_OTHER
threads this takes the nice level into account. Threads with the same
priority are woken in FIFO order.
> The arguments timeout, uaddr2, and val3 are ignored.
>
> FUTEX_FD (from Linux 2.6.0 up to and including Linux 2.6.25)
> This operation creates a file descriptor that is associ‐
> ated with the futex at uaddr. The caller must close the
> returned file descriptor after use. When another process
> or thread performs a FUTEX_WAKE on the futex word, the
> file descriptor indicates as being readable with
> select(2), poll(2), and epoll(7)
>
> The file descriptor can be used to obtain asynchronous
> notifications: if val is nonzero, then when another
> process or thread executes a FUTEX_WAKE, the caller will
> receive the signal number that was passed in val.
>
> The arguments timeout, uaddr2 and val3 are ignored.
>
> .\" FIXME(Torvald) We never define "upped". Maybe just remove the
> .\" following sentence?
> To prevent race conditions, the caller should test if the
> futex has been upped after FUTEX_FD returns.
Yes, just remove it.
> Because it was inherently racy, FUTEX_FD has been removed
> from Linux 2.6.26 onward.
>
> FUTEX_REQUEUE (since Linux 2.6.0)
> .\" FIXME(Torvald) Is there some indication that FUTEX_REQUEUE is broken
> .\" in general, or is this comment implicitly speaking about the
> .\" condvar (?) use case? If the latter we might want to weaken the
> .\" advice below a little.
> .\" [Anyone else have input on this?]
The condvar use case exposes the flaw nicely, but that's pretty much
true for everything which wants a sane requeue operation.
> Avoid using this operation. It is broken for its intended
> purpose. Use FUTEX_CMP_REQUEUE instead.
>
> This operation performs the same task as
> FUTEX_CMP_REQUEUE, except that no check is made using the
> value in val3. (The argument val3 is ignored.)
>
> FUTEX_CMP_REQUEUE (since Linux 2.6.7)
> This operation first checks whether the location uaddr
> still contains the value val3. If not, the operation
> fails with the error EAGAIN. Otherwise, the operation
> wakes up a maximum of val waiters that are waiting on the
> futex at uaddr. If there are more than val waiters, then
> the remaining waiters are removed from the wait queue of
> the source futex at uaddr and added to the wait queue of
> the target futex at uaddr2. The val2 argument specifies
> an upper limit on the number of waiters that are requeued
> to the futex at uaddr2.
>
> .\" FIXME(Torvald) Is the following correct? Or is just the decision
> .\" which threads to wake or requeue part of the atomic operation?
>
> The load from uaddr is an atomic memory access (i.e.,
> using atomic machine instructions of the respective archi‐
> tecture). This load, the comparison with val3, and the
> requeueing of any waiters are performed atomically and
> totally ordered with respect to other operations on the
> same futex word.
It's atomic as the other atomic operations on the futex word. It's
always performed with the proper lock(s) held in the kernel. That
means any concurrent operation will serialize on that lock(s). User
space has to make sure, that depending on the observed value no
concurrent operations happen, but that's something the kernel cannot
control.
> This operation was added as a replacement for the earlier
> FUTEX_REQUEUE. The difference is that the check of the
> value at uaddr can be used to ensure that requeueing hap‐
> pens only under certain conditions. Both operations can
> be used to avoid a "thundering herd" effect when
> FUTEX_WAKE is used and all of the waiters that are woken
> need to acquire another futex.
>
> .\" FIXME Please review the following new paragraph to see if it is
> .\" accurate.
> Typical values to specify for val are 0 or or 1. (Speci‐
> fying INT_MAX is not useful, because it would make the
> FUTEX_CMP_REQUEUE operation equivalent to FUTEX_WAKE.)
> The limit value specified via val2 is typically either 1
> or INT_MAX. (Specifying the argument as 0 is not useful,
> because it would make the FUTEX_CMP_REQUEUE operation
> equivalent to FUTEX_WAIT.)
It's correct.
> .\" FIXME Here, it would be helpful to have an example of how
> .\" FUTEX_CMP_REQUEUE might be used, at the same time illustrating
> .\" why FUTEX_WAKE is unsuitable for the same use case.
Waiters:
lock(A)
while (!check_value(V)) {
unlock(A);
block_on(B);
lock(A);
};
unlock(A);
Note: B is a wait queue implemented with futexes.
If the waker would use FUTEX_WAKE and wake all waiters waiting on B
then those would all try to acquire lock A. That's called thundering
herd and pointless because all except one would immediately block on
lock A again.
Requeueing prevents that because it only wakes one waiter and moves
the other waiters to lock A. When that waiter unlocks A then the next
waiter can proceed ...
> FUTEX_WAKE_OP (since Linux 2.6.14)
> .\" FIXME I added a lengthy piece of text on FUTEX_WAKE_OP text,
> .\" and I'd be happy if someone checked it.
> .\"
> .\" FIXME(Torvald) The glibc condvar implementation is currently being
> .\" revised (e.g., to not use an internal lock anymore).
> .\" It is probably more future-proof to remove this paragraph.
> .\" [Torvald, do you have an update here?]
> .\"
> This operation was added to support some user-space use
> cases where more than one futex must be handled at the
> same time. The most notable example is the implementation
> of pthread_cond_signal(3), which requires operations on
> two futexes, the one used to implement the mutex and the
> one used in the implementation of the wait queue associ‐
> ated with the condition variable. FUTEX_WAKE_OP allows
> such cases to be implemented without leading to high rates
> of contention and context switching.
>
> The FUTEX_WAIT_OP operation is equivalent to executing the
> following code atomically and totally ordered with respect
> to other futex operations on any of the two supplied futex
> words:
>
> int oldval = *(int *) uaddr2;
> *(int *) uaddr2 = oldval op oparg;
> futex(uaddr, FUTEX_WAKE, val, 0, 0, 0);
> if (oldval cmp cmparg)
> futex(uaddr2, FUTEX_WAKE, val2, 0, 0, 0);
>
> In other words, FUTEX_WAIT_OP does the following:
>
> * saves the original value of the futex word at uaddr2
> and performs an operation to modify the value of the
> futex at uaddr2; this is an atomic read-modify-write
> memory access (i.e., using atomic machine instructions
> of the respective architecture)
>
> * wakes up a maximum of val waiters on the futex for the
> futex word at uaddr; and
>
> * dependent on the results of a test of the original
> value of the futex word at uaddr2, wakes up a maximum
> of val2 waiters on the futex for the futex word at
> uaddr2.
>
> The operation and comparison that are to be performed are
> encoded in the bits of the argument val3. Pictorially,
> the encoding is:
>
> +---+---+-----------+-----------+
> |op |cmp| oparg | cmparg |
> +---+---+-----------+-----------+
> 4 4 12 12 <== # of bits
>
> Expressed in code, the encoding is:
>
> #define FUTEX_OP(op, oparg, cmp, cmparg) \
> (((op & 0xf) << 28) | \
> ((cmp & 0xf) << 24) | \
> ((oparg & 0xfff) << 12) | \
> (cmparg & 0xfff))
>
> In the above, op and cmp are each one of the codes listed
> below. The oparg and cmparg components are literal
> numeric values, except as noted below.
>
> The op component has one of the following values:
>
> FUTEX_OP_SET 0 /* uaddr2 = oparg; */
> FUTEX_OP_ADD 1 /* uaddr2 += oparg; */
> FUTEX_OP_OR 2 /* uaddr2 |= oparg; */
> FUTEX_OP_ANDN 3 /* uaddr2 &= ~oparg; */
> FUTEX_OP_XOR 4 /* uaddr2 ^= oparg; */
>
> In addition, bit-wise ORing the following value into op
> causes (1 << oparg) to be used as the operand:
>
> FUTEX_OP_ARG_SHIFT 8 /* Use (1 << oparg) as operand */
>
> The cmp field is one of the following:
>
> FUTEX_OP_CMP_EQ 0 /* if (oldval == cmparg) wake */
> FUTEX_OP_CMP_NE 1 /* if (oldval != cmparg) wake */
> FUTEX_OP_CMP_LT 2 /* if (oldval < cmparg) wake */
> FUTEX_OP_CMP_LE 3 /* if (oldval <= cmparg) wake */
> FUTEX_OP_CMP_GT 4 /* if (oldval > cmparg) wake */
> FUTEX_OP_CMP_GE 5 /* if (oldval >= cmparg) wake */
>
> The return value of FUTEX_WAKE_OP is the sum of the number
> of waiters woken on the futex uaddr plus the number of
> waiters woken on the futex uaddr2.
>
> FUTEX_WAIT_BITSET (since Linux 2.6.25)
> This operation is like FUTEX_WAIT except that val3 is used
> to provide a 32-bit bitset to the kernel. This bitset is
> stored in the kernel-internal state of the waiter. See
> the description of FUTEX_WAKE_BITSET for further details.
>
> The FUTEX_WAIT_BITSET operation also interprets the time‐
> out argument differently from FUTEX_WAIT. See the discus‐
> sion of FUTEX_CLOCK_REALTIME, above.
>
> The uaddr2 argument is ignored.
>
> FUTEX_WAKE_BITSET (since Linux 2.6.25)
> This operation is the same as FUTEX_WAKE except that the
> val3 argument is used to provide a 32-bit bitset to the
> kernel. This bitset is used to select which waiters
> should be woken up. The selection is done by a bit-wise
> AND of the "wake" bitset (i.e., the value in val3) and the
> bitset which is stored in the kernel-internal state of the
> waiter (the "wait" bitset that is set using
> FUTEX_WAIT_BITSET). All of the waiters for which the
> result of the AND is nonzero are woken up; the remaining
> waiters are left sleeping.
>
> .\" FIXME XXX Is this next paragraph that I added okay?
> The effect of FUTEX_WAIT_BITSET and FUTEX_WAKE_BITSET is
> to allow selective wake-ups among multiple waiters that
> are blocked on the same futex. Note, however, that using
> this bitset multiplexing feature on a futex is less effi‐
> cient than simply using multiple futexes, because employ‐
s/is less efficient/can be less efficient/
It really depends on the usecase.
> ing bitset multiplexing requires the kernel to check all
> waiters on a futex, including those that are not inter‐
> ested in being woken up (i.e., they do not have the rele‐
> vant bit set in their "wait" bitset).
>
> The uaddr2 and timeout arguments are ignored.
>
> The FUTEX_WAIT and FUTEX_WAKE operations correspond to
> FUTEX_WAIT_BITSET and FUTEX_WAKE_BITSET operations where
> the bitsets are all ones.
>
> Priority-inheritance futexes
> Linux supports priority-inheritance (PI) futexes in order to han‐
> dle priority-inversion problems that can be encountered with nor‐
> mal futex locks. Priority inversion is the problem that occurs
> when a high-priority task is blocked waiting to acquire a lock
> held by a low-priority task, while tasks at an intermediate pri‐
> ority continuously preempt the low-priority task from the CPU.
> Consequently, the low-priority task makes no progress toward
> releasing the lock, and the high-priority task remains blocked.
>
> Priority inheritance is a mechanism for dealing with the prior‐
> ity-inversion problem. With this mechanism, when a high-priority
> task becomes blocked by a lock held by a low-priority task, the
> latter's priority is temporarily raised to that of the former, so
> that it is not preempted by any intermediate level tasks, and can
> thus make progress toward releasing the lock. To be effective,
> priority inheritance must be transitive, meaning that if a high-
> priority task blocks on a lock held by a lower-priority task that
> is itself blocked by lock held by another intermediate-priority
> task (and so on, for chains of arbitrary length), then both of
> those task (or more generally, all of the tasks in a lock chain)
> have their priorities raised to be the same as the high-priority
> task.
>
> .\" FIXME XXX The following is my attempt at a definition of PI futexes,
> .\" based on mail discussions with Darren Hart. Does it seem okay?
>
> From a user-space perspective, what makes a futex PI-aware is a
> policy agreement between user space and the kernel about the
> value of the futex word (described in a moment), coupled with the
> use of the PI futex operations described below (in particular,
> FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, and FUTEX_CMP_REQUEUE_PI).
>
> .\" FIXME XXX ===== Start of adapted Hart/Guniguntala text =====
> .\" The following text is drawn from the Hart/Guniguntala paper
> .\" (listed in SEE ALSO), but I have reworded some pieces
> .\" significantly. Please check it.
>
> The PI futex operations described below differ from the other
> futex operations in that they impose policy on the use of the
> value of the futex word:
>
> * If the lock is not acquired, the futex word's value shall be
> 0.
>
> * If the lock is acquired, the futex word's value shall be the
> thread ID (TID; see gettid(2)) of the owning thread.
>
> * If the lock is owned and there are threads contending for the
> lock, then the FUTEX_WAITERS bit shall be set in the futex
> word's value; in other words, this value is:
>
> FUTEX_WAITERS | TID
>
>
> Note that a PI futex word never just has the value FUTEX_WAITERS,
> which is a permissible state for non-PI futexes.
>
> With this policy in place, a user-space application can acquire a
> not-acquired lock or release a lock that no other threads try to
> acquire using atomic instructions executed in user space (e.g., a
> compare-and-swap operation such as cmpxchg on the x86 architec‐
> ture). Acquiring a lock simply consists of using compare-and-
> swap to atomically set the futex word's value to the caller's TID
> if its previous value was 0. Releasing a lock requires using
> compare-and-swap to set the futex word's value to 0 if the previ‐
> ous value was the expected TID.
>
> If a futex is already acquired (i.e., has a nonzero value), wait‐
> ers must employ the FUTEX_LOCK_PI operation to acquire the lock.
> If other threads are waiting for the lock, then the FUTEX_WAITERS
> bit is set in the futex value; in this case, the lock owner must
> employ the FUTEX_UNLOCK_PI operation to release the lock.
>
> In the cases where callers are forced into the kernel (i.e.,
> required to perform a futex() call), they then deal directly with
> a so-called RT-mutex, a kernel locking mechanism which implements
> the required priority-inheritance semantics. After the RT-mutex
> is acquired, the futex value is updated accordingly, before the
> calling thread returns to user space.
> .\" FIXME ===== End of adapted Hart/Guniguntala text =====
That's correct.
> .\" FIXME We need some explanation in the following paragraph of *why*
> .\" it is important to note that "the kernel will update the
> .\" futex word's value prior
> It is important to note to returning to user space" . Can someone
> explain? that the kernel will update the futex word's value
> prior to returning to user space. Unlike the other futex opera‐
> tions described above, the PI futex operations are designed for
> the implementation of very specific IPC mechanisms.
If there are multiple waiters on a pi futex then a wake pi operation
will wake the first waiter and hand over the lock to this waiter. This
includes handing over the rtmutex which represents the futex in the
kernel. The strict requirement is that the futex owner and the rtmutex
owner must be the same, except for the update period which is
serialized by the futex internal locking. That means the kernel must
update the user space value prior to returning to user space.
> .\"
> .\" FIXME XXX In discussing errors for FUTEX_CMP_REQUEUE_PI, Darren Hart
> .\" made the observation that "EINVAL is returned if the non-pi
> .\" to pi or op pairing semantics are violated."
> .\" Probably there needs to be a general statement about this
> .\" requirement, probably located at about this point in the page.
> .\" Darren (or someone else), care to take a shot at this?
Well, that's hard to describe because the kernel only has a limited
way of detecting such mismatches. It only can detect it when there are
non PI waiters on a futex and a PI function is called or vice versa.
> .\" FIXME Somewhere on this page (I guess under the discussion of PI
> .\" futexes) we need a discussion of the FUTEX_OWNER_DIED bit.
> .\" Can someone propose a text?
If a futex has a rtmutex associated in the kernel, i.e. when there are
blocked waiters, and the owner of the futex/rtmutex dies unexpectedly,
then the kernel cleans up the rtmutex (as it holds a reference to the
dying task) and hands it over to the next waiter. That requires that
the user space value is updated accordingly. The kernel sets the
FUTEX_OWNER_DIED in the user space value along with the TID of the new
owner. User space is responsible for cleaning this up, though there
are cases where the kernel does the cleanup.
The FUTEX_OWNER_DIED bit can also be set on uncontended futexes, where
the kernel has no state associated. This happens via the robust futex
mechanism. In that case the futex value will be set to
FUTEX_OWNER_DIED. The robust futex mechanism is also available for non
PI futexes.
> PI futexes are operated on by specifying one of the following
> values in futex_op:
>
> FUTEX_LOCK_PI (since Linux 2.6.18)
> .\" FIXME I did some significant rewording of tglx's text to create
> .\" the text below.
> .\" Please check the following paragraph, in case I injected
> .\" errors.
> This operation is used after after an attempt to acquire
> the lock via an atomic user-space instruction failed
> because the futex word has a nonzero value—specifically,
> because it contained the namespace-specific TID of the
> lock owner.
> .\" FIXME In the preceding line, what does "namespace-specific" mean?
> .\" (I kept those words from tglx.)
> .\" That is, what kind of namespace are we talking about?
> .\" (I suppose we are talking PID namespaces here, but I want to
> .\" be sure.)
Yes.
> The operation checks the value of the futex word at the
> address uaddr. If the value is 0, then the kernel tries
> to atomically set the futex value to the caller's TID.
> .\" FIXME What would be the cause(s) of failure referred to
> .\" in the following sentence?
> If
> that fails, or the futex word's value is nonzero, the ker‐
'If that fails' does not make sense. If the user space access fails we
return -EFAULT and let user space deal with the mess.
The operation here is similar to the FUTEX_WAIT logic. When the user
space atomic acquire does not succeed because the futex value was non
zero, then the waiter goes into the kernel, takes the kernel internal
lock and retries the acquisition under the lock. If the acquisition
does not succeed either, then it sets the FUTEX_WAITERS bit, to signal
the lock owner that it needs to go into the kernel. Here is the pseudo
code:
lock(kernel_lock);
retry:
/*
* Owner might have unlocked in userspace before we
* were able to set the waiter bit.
*/
if (atomic_acquire(futex) == SUCCESS) {
unlock(kernel_lock());
return 0;
}
/*
* Owner might have unlocked after the above atomic_acquire()
* attempt.
*/
if (atomic_set_waiters_bit(futex) != SUCCESS)
goto retry;
queue_waiter();
unlock(kernel_lock);
block();
> nel atomically sets the FUTEX_WAITERS bit, which signals
> the futex owner that it cannot unlock the futex in user
> space atomically by setting the futex value to 0. After
> that, the kernel tries to find the thread which is associ‐
> ated with the owner TID, creates or reuses kernel state on
> behalf of the owner and attaches the waiter to it.
> .\" FIXME Could I get a bit more detail on the previous lines?
> .\" What is "creates or reuses kernel state" about?
> .\" (I think this needs to be clearer in the page)
If this is the first waiter then there is no kernel state for this
futex, so it is created. That means the rtmutex is locked and the
futex owner established as the owner of the rtmutex. If there is a
waiter, then the state is reused, i.e. the new waiter is enqueued into
the rtmutex waiter list.
> .\" FIXME In the next line, what type of "priority" are we talking about?
> .\" Realtime priorities for SCHED_FIFO and SCHED_RR?
> .\" Or something else?
>
> The
> enqueueing of the waiter is in descending priority order
> if more than one waiter exists.
That also covers sched deadline.
> .\" FIXME In the next sentence, what type of "priority" are we talking about?
> .\" Realtime priorities for SCHED_FIFO and SCHED_RR?
> .\" Or something else?
> .\" FIXME What does "bandwidth" refer to in the next sentence?
>
> The owner inherits either
> the priority or the bandwidth of the waiter.
If the highest priority waiter is SCHED_DEADLINE, then the owner
inherits cpu bandwidth from the waiter as there is no priority
associated to SCHED_DEADLINE tasks.
If the highest priority waiter is SCHED_FIFO/RR, then the owner
inherits the waiter priority.
> .\" FIXME In the preceding sentence, what determines whether the
> .\" owner inherits the priority versus the bandwidth?
>
> .\" FIXME Could I get some help translating the next sentence into
> .\" something that user-space developers (and I) can understand?
> .\" In particular, what are "nested locks" in this context?
>
> This inheri‐
> tance follows the lock chain in the case of nested locking
> and performs deadlock detection.
T1 blocks on lock A held by T2
T2 blocks on lock B held by T3
So we have a lock chain A, B. The inheritance mechanism follows the
lock chain and propagates the highest waiter priority up to the end of
the chain.
> .\" FIXME tglx said "The timeout argument is handled as described in
> .\" FUTEX_WAIT." However, it appears to me that this is not right.
> .\" Is the following formulation correct?
> The timeout argument provides a timeout for the lock
> attempt. It is interpreted as an absolute time, measured
> against the CLOCK_REALTIME clock. If timeout is NULL, the
> operation will block indefinitely.
Indeed.
> The uaddr2, val, and val3 arguments are ignored.
>
> FUTEX_TRYLOCK_PI (since Linux 2.6.18)
> .\" FIXME I think it would be helpful here to say a few more words about
> .\" the difference(s) between FUTEX_LOCK_PI and FUTEX_TRYLOCK_PI.
> .\" Can someone propose something?
> This operation tries to acquire the futex at uaddr. It
> deals with the situation where the TID value at uaddr is
> 0, but the FUTEX_WAITERS bit is set. User space cannot
> handle this condition in a race-free manner
> .\" FIXME How does the situation in the previous sentence come about?
> .\" Probably it would be helpful to say something about that in
> .\" the man page.
> .\" FIXME And *how* does FUTEX_TRYLOCK_PI deal with this situation?
That should be expressed differently:
This operation tries to acquire the futex at uaddr. It's
invoked when the user space atomic acquire did not
succeed because the user space value was not 0.
The trylock in kernel might succeed because the user space
value contains stale state (FUTEX_WAITERS and or
FUTEX_OWNER_DIED). This can happen when the owner of the
futex died.
> The uaddr2, val, timeout, and val3 arguments are ignored.
>
> FUTEX_UNLOCK_PI (since Linux 2.6.18)
> This operation wakes the top priority waiter that is wait‐
> ing in FUTEX_LOCK_PI on the futex address provided by the
> uaddr argument.
>
> This is called when the user space value at uaddr cannot
> be changed atomically from a TID (of the owner) to 0.
>
> The uaddr2, val, timeout, and val3 arguments are ignored.
>
> FUTEX_CMP_REQUEUE_PI (since Linux 2.6.31)
> This operation is a PI-aware variant of FUTEX_CMP_REQUEUE.
> It requeues waiters that are blocked via
> FUTEX_WAIT_REQUEUE_PI on uaddr from a non-PI source futex
> (uaddr) to a PI target futex (uaddr2).
>
> As with FUTEX_CMP_REQUEUE, this operation wakes up a maxi‐
> mum of val waiters that are waiting on the futex at uaddr.
> However, for FUTEX_CMP_REQUEUE_PI, val is required to be 1
> (since the main point is to avoid a thundering herd). The
> remaining waiters are removed from the wait queue of the
> source futex at uaddr and added to the wait queue of the
> target futex at uaddr2.
>
> The val2 and val3 arguments serve the same purposes as for
> FUTEX_CMP_REQUEUE.
> .\" FIXME The page at http://locklessinc.com/articles/futex_cheat_sheet/
> .\" notes that "priority-inheritance Futex to priority-inheritance
> .\" Futex requeues are currently unsupported". Do we need to say
> .\" something in the man page about that?
>
And they never will be supported because they make no sense at all.
>
> FUTEX_WAIT_REQUEUE_PI (since Linux 2.6.31)
>
> .\" FIXME I find the next sentence (from tglx) pretty hard to grok.
> .\" Could someone explain it a bit more?
>
> Wait operation to wait on a non-PI futex at uaddr and
> potentially be requeued onto a PI futex at uaddr2. The
> wait operation on uaddr is the same as FUTEX_WAIT.
let me copy the pseudo code from cmp_requeue
lock(A)
while (!check_value(V)) {
unlock(A);
block_on(B);
lock(A);
};
unlock(A);
So in this case B is the non-PI futex (the wait queue) and A is a PI
futex. So wait operation on B is the same as in FUTEX_WAIT.
>
> .\" FIXME I'm not quite clear on the meaning of the following sentence.
> .\" Is this trying to say that while blocked in a
> .\" FUTEX_WAIT_REQUEUE_PI, it could happen that another
> .\" task does a FUTEX_WAKE on uaddr that simply causes
> .\" a normal wake, with the result that the FUTEX_WAIT_REQUEUE_PI
> .\" does not complete? What happens then to the FUTEX_WAIT_REQUEUE_PI
> .\" opertion? Does it remain blocked, or does it unblock
> .\" In which case, what does user space see?
It unblocks and returns -EWOULDBLOCK.
> The
> waiter can be removed from the wait on uaddr via
> FUTEX_WAKE without requeueing on uaddr2.
> .\" FIXME Please check the following. tglx said "The timeout argument
> .\" is handled as described in FUTEX_WAIT.", but the truth is
> .\" as below, AFAICS
>
> If timeout is not NULL, it specifies a timeout for the
> wait operation; this timeout is interpreted as outlined
> above in the description of the FUTEX_CLOCK_REALTIME
> option. If timeout is NULL, the operation can block
> indefinitely.
>
> The val3 argument is ignored.
Correct
> .\" FIXME Re the preceding sentence... Actually 'val3' is internally set to
> .\" FUTEX_BITSET_MATCH_ANY before calling futex_wait_requeue_pi().
> .\" I'm not sure we need to say anything about this though.
> .\" Comments?
That's a kernel internal and can be removed
>
> The FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI were
> added to support a fairly specific use case: support for
> priority-inheritance-aware POSIX threads condition vari‐
> ables. The idea is that these operations should always be
> paired, in order to ensure that user space and the kernel
> remain in sync. Thus, in the FUTEX_WAIT_REQUEUE_PI opera‐
> tion, the user-space application pre-specifies the target
> of the requeue that takes place in the
> FUTEX_CMP_REQUEUE_PI operation.
>
> RETURN VALUE
> In the event of an error (and assuming that futex() was invoked
> via syscall(2)), all operations return -1 and set errno to indi‐
> cate the cause of the error. The return value on success depends
> on the operation, as described in the following list:
>
> FUTEX_WAIT
> Returns 0 if the caller was woken up. Note that a wake-up
> can also be caused by common futex usage patterns in unre‐
> lated code that happened to have previously used the futex
> word's memory location (e.g., typical futex-based imple‐
> mentations of Pthreads mutexes can cause this under some
> conditions). Therefore, callers should always conserva‐
> tively assume that a return value of 0 can mean a spurious
> wake-up, and use the futex word's value (i.e., the user
> space synchronization scheme)
> to decide whether to continue to block or not.
>
> FUTEX_WAKE
> Returns the number of waiters that were woken up.
>
> FUTEX_FD
> Returns the new file descriptor associated with the futex.
>
> FUTEX_REQUEUE
> Returns the number of waiters that were woken up.
>
> FUTEX_CMP_REQUEUE
> Returns the total number of waiters that were woken up or
> requeued to the futex for the futex word at uaddr2. If
> this value is greater than val, then difference is the
> number of waiters requeued to the futex for the futex word
> at uaddr2.
>
> FUTEX_WAKE_OP
> Returns the total number of waiters that were woken up.
> This is the sum of the woken waiters on the two futexes
> for the futex words at uaddr and uaddr2.
>
> FUTEX_WAIT_BITSET
> Returns 0 if the caller was woken up. See FUTEX_WAIT for
> how to interpret this correctly in practice.
>
> FUTEX_WAKE_BITSET
> Returns the number of waiters that were woken up.
>
> FUTEX_LOCK_PI
> Returns 0 if the futex was successfully locked.
>
> FUTEX_TRYLOCK_PI
> Returns 0 if the futex was successfully locked.
>
> FUTEX_UNLOCK_PI
> Returns 0 if the futex was successfully unlocked.
>
> FUTEX_CMP_REQUEUE_PI
> Returns the total number of waiters that were woken up or
> requeued to the futex for the futex word at uaddr2. If
> this value is greater than val, then difference is the
> number of waiters requeued to the futex for the futex word
> at uaddr2.
>
> FUTEX_WAIT_REQUEUE_PI
> Returns 0 if the caller was successfully requeued to the
> futex for the futex word at uaddr2.
>
> ERRORS
> EACCES No read access to the memory of a futex word.
>
> EAGAIN (FUTEX_WAIT, FUTEX_WAIT_BITSET, FUTEX_WAIT_REQUEUE_PI) The
> value pointed to by uaddr was not equal to the expected
> value val at the time of the call.
>
> Note: on Linux, the symbolic names EAGAIN and EWOULDBLOCK
> (both of which appear in different parts of the kernel
> futex code) have the same value.
>
> EAGAIN (FUTEX_CMP_REQUEUE, FUTEX_CMP_REQUEUE_PI) The value
> pointed to by uaddr is not equal to the expected value
> val3. (This probably indicates a race; use the safe
> FUTEX_WAKE now.)
> .\" FIXME: Is the preceding sentence "(This probably...") correct?
> .\" [I would prefer to remove this sentence. --triegel@...hat.com]
This part should be removed:
"(This probably indicates a race; use the safe FUTEX_WAKE now.)
>
> EAGAIN (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_CMP_REQUEUE_PI)
> The futex owner thread ID of uaddr (for
> FUTEX_CMP_REQUEUE_PI: uaddr2) is about to exit, but has
> not yet handled the internal state cleanup. Try again.
>
> .\" FIXME XXX Should there be an EAGAIN case for FUTEX_TRYLOCK_PI?
> .\" It seems so, looking at the handling of the rt_mutex_trylock()
> .\" call in futex_lock_pi()
> .\" (Davidlohr also thinks so.)
Yes. It's the same internal logic so it can return EAGAIN
>
> EDEADLK
> (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_CMP_REQUEUE_PI)
> The futex word at uaddr is already locked by the caller.
>
> EDEADLK
>
> .\" FIXME I reworded tglx's text somewhat; is the following okay?
>
> (FUTEX_CMP_REQUEUE_PI) While requeueing a waiter to the PI
> futex for the futex word at uaddr2, the kernel detected a
> deadlock.
Yes
>
> .\" FIXME XXX I see that kernel/locking/rtmutex.c uses EDEADLK in some
> .\" places, and EDEADLOCK in others. On almost all architectures
> .\" these constants are synonymous. Is there a reason that both
> .\" names are used?
No. We should probably fix that.
> EFAULT A required pointer argument (i.e., uaddr, uaddr2, or time‐
> out) did not point to a valid user-space address.
>
> EINTR A FUTEX_WAIT or FUTEX_WAIT_BITSET operation was inter‐
> rupted by a signal (see signal(7)). In kernels before
> Linux 2.6.22, this error could also be returned for on a
> spurious wakeup; since Linux 2.6.22, this no longer hap‐
> pens.
>
> EINVAL The operation in futex_op is one of those that employs a
> timeout, but the supplied timeout argument was invalid
> (tv_sec was less than zero, or tv_nsec was not less than
> 1,000,000,000).
>
> EINVAL The operation specified in futex_op employs one or both of
> the pointers uaddr and uaddr2, but one of these does not
> point to a valid object—that is, the address is not four-
> byte-aligned.
>
> EINVAL (FUTEX_WAIT_BITSET, FUTEX_WAKE_BITSET) The bitset supplied
> in val3 is zero.
>
> EINVAL (FUTEX_CMP_REQUEUE_PI) uaddr equals uaddr2 (i.e., an
> attempt was made to requeue to the same futex).
>
> EINVAL (FUTEX_FD) The signal number supplied in val is invalid.
>
> EINVAL (FUTEX_WAKE, FUTEX_WAKE_OP, FUTEX_WAKE_BITSET,
> FUTEX_REQUEUE, FUTEX_CMP_REQUEUE) The kernel detected an
> inconsistency between the user-space state at uaddr and
> the kernel state—that is, it detected a waiter which waits
> in FUTEX_LOCK_PI on uaddr.
>
> EINVAL (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_UNLOCK_PI) The
> kernel detected an inconsistency between the user-space
> state at uaddr and the kernel state. This indicates
> either state corruption or that the kernel found a waiter
> on uaddr which is waiting via FUTEX_WAIT or
> FUTEX_WAIT_BITSET.
> .\" FIXME Above, tglx did not mention the "state corruption" case for
> .\" FUTEX_UNLOCK_PI, but I have added it, since I'm estimating
> .\" that it also applied for FUTEX_UNLOCK_PI.
> .\" So, does that case also apply for FUTEX_UNLOCK_PI?
Yes
>
> EINVAL (FUTEX_CMP_REQUEUE_PI) The kernel detected an inconsis‐
> tency between the user-space state at uaddr2 and the ker‐
> nel state; that is, the kernel detected a waiter which
> waits via FUTEX_WAIT on uaddr2.
> .\" FIXME In the preceding sentence, tglx did not mention FUTEX_WAIT_BITSET,
> .\" but should that not also be included here?
Yes
>
> EINVAL (FUTEX_CMP_REQUEUE_PI) The kernel detected an inconsis‐
> tency between the user-space state at uaddr and the kernel
> state; that is, the kernel detected a waiter which waits
> via FUTEX_WAIT or FUTEX_WAIT_BITESET on uaddr.
>
> EINVAL (FUTEX_CMP_REQUEUE_PI) The kernel detected an inconsis‐
> tency between the user-space state at uaddr and the kernel
> state; that is, the kernel detected a waiter which waits
> on uaddr via FUTEX_LOCK_PI (instead of
> FUTEX_WAIT_REQUEUE_PI).
>
> .\" FIXME XXX The following is a reworded version of Darren Hart's text.
> .\" Please check that I did not introduce any errors.
> EINVAL (FUTEX_CMP_REQUEUE_PI) An attempt was made to requeue a
> waiter to a futex other than that specified by the match‐
> ing FUTEX_WAIT_REQUEUE_PI call for that waiter.
Correct. That handles the case:
wait_requeue_pi(A, B);
requeue_pi(A, C);
> EINVAL (FUTEX_CMP_REQUEUE_PI) The val argument is not 1.
>
> EINVAL Invalid argument.
>
> ENOMEM (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_CMP_REQUEUE_PI)
> The kernel could not allocate memory to hold state infor‐
> mation.
>
> ENFILE (FUTEX_FD) The system limit on the total number of open
> files has been reached.
>
> ENOSYS Invalid operation specified in futex_op.
>
> ENOSYS The FUTEX_CLOCK_REALTIME option was specified in futex_op,
> but the accompanying operation was neither FUTEX_WAIT_BIT‐
> SET nor FUTEX_WAIT_REQUEUE_PI.
>
> ENOSYS (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_UNLOCK_PI,
> FUTEX_CMP_REQUEUE_PI, FUTEX_WAIT_REQUEUE_PI) A run-time
> check determined that the operation is not available. The
> PI futex operations are not implemented on all architec‐
> tures and are not supported on some CPU variants.
>
> EPERM (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_CMP_REQUEUE_PI)
> The caller is not allowed to attach itself to the futex at
> uaddr (for FUTEX_CMP_REQUEUE_PI: the futex at uaddr2).
> (This may be caused by a state corruption in user space.)
>
> EPERM (FUTEX_UNLOCK_PI) The caller does not own the lock repre‐
> sented by the futex word.
>
> ESRCH (FUTEX_LOCK_PI, FUTEX_TRYLOCK_PI, FUTEX_CMP_REQUEUE_PI)
>
> .\" FIXME I reworded the following sentence a bit differently from
> .\" tglx's formulation. Is it okay?
>
> The thread ID in the futex word at uaddr does not exist.
Right.
> ESRCH (FUTEX_CMP_REQUEUE_PI)
>
> .\" FIXME I reworded the following sentence a bit differently from
> .\" tglx's formulation. Is it okay?
>
> The thread ID in the futex word at
> uaddr2 does not exist.
Right
Thanks,
tglx
Powered by blists - more mailing lists