Darren Hart wrote:

Darren Hart wrote:

quoted

futex_requeue() can acquire the lock on behalf of a waiter during the 
requeue
loop in the event of a lock steal or owner died. 
futex_wait_requeue_pi() cleans
up the pi_state owner, using the lock_ptr to protect against 
concurrent access
to the pi_state.  The pi_state is found on the requeue target futex 
hash bucket
so the lock_ptr needs to be updated accordingly.  The problem 
manifested by
triggering the WARN_ON in lookup_pi_state() about the pid != 
pi_state->owner
pid.
The astute reviewer will note that still exists a race between the time
futex_requeue() releases hb2->lock() and the time when 
futex_wait_requeue_pi()
acquires it.  During this time the pi_state and the futex uaddr are 
not in sync
with the rt_mutex ownership.  This patch closes the window to the 
point where
my tests now pass, but we still need to address it.

Note: Please apply to mainline and rt

quoted

static inline
-void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key)
+void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+               struct futex_hash_bucket *hb)
{
    drop_futex_key_refs(&q->key);
    get_futex_key_refs(key);
    q->key = *key;
+    q->lock_ptr = &hb->lock;

Hrm... turns out changing this breaks the 
handle_early_requeue_pi_wakeup() logic.  I'll have to respin this patch 
to account for that as well.  Please hold off on this patch.

In fact, this doesn't affect the handle_early_requeue_pi_wakeup() code 
in the slightest.  It only needs to hold a hb->lock (either one is 
adequate) to ensure the requeue routine has completed.  By changing the 
q->lock_ptr of the waiter to hb2->lock we ensure the pi_state is 
protected from concurrent access by futex_wait_requeue_pi() and new 
contending threads.

Ingo, please apply to tip/urgent.

Thanks,

-- 
Darren Hart
IBM Linux Technology Center
Real-Time Linux Team