mirror of
https://github.com/torvalds/linux
synced 2024-09-06 09:51:23 +00:00
a51749ab34
I have seen several cases of attempts to use mutex_unlock() to release an object such that the object can then be freed by another task. This is not safe because mutex_unlock(), in the MUTEX_FLAG_WAITERS && !MUTEX_FLAG_HANDOFF case, accesses the mutex structure after having marked it as unlocked; so mutex_unlock() requires its caller to ensure that the mutex stays alive until mutex_unlock() returns. If MUTEX_FLAG_WAITERS is set and there are real waiters, those waiters have to keep the mutex alive, but we could have a spurious MUTEX_FLAG_WAITERS left if an interruptible/killable waiter bailed between the points where __mutex_unlock_slowpath() did the cmpxchg reading the flags and where it acquired the wait_lock. ( With spinlocks, that kind of code pattern is allowed and, from what I remember, used in several places in the kernel. ) Document this, such a semantic difference between mutexes and spinlocks is fairly unintuitive. [ mingo: Made the changelog a bit more assertive, refined the comments. ] Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Ingo Molnar <mingo@kernel.org> Link: https://lore.kernel.org/r/20231130204817.2031407-1-jannh@google.com |
||
|---|---|---|
| .. | ||
| irqflag-debug.c | ||
| lock_events.c | ||
| lock_events.h | ||
| lock_events_list.h | ||
| lockdep.c | ||
| lockdep_internals.h | ||
| lockdep_proc.c | ||
| lockdep_states.h | ||
| locktorture.c | ||
| Makefile | ||
| mcs_spinlock.h | ||
| mutex-debug.c | ||
| mutex.c | ||
| mutex.h | ||
| osq_lock.c | ||
| percpu-rwsem.c | ||
| qrwlock.c | ||
| qspinlock.c | ||
| qspinlock_paravirt.h | ||
| qspinlock_stat.h | ||
| rtmutex.c | ||
| rtmutex_api.c | ||
| rtmutex_common.h | ||
| rwbase_rt.c | ||
| rwsem.c | ||
| semaphore.c | ||
| spinlock.c | ||
| spinlock_debug.c | ||
| spinlock_rt.c | ||
| test-ww_mutex.c | ||
| ww_mutex.h | ||
| ww_rt_mutex.c | ||