1. Patchew
  2. linux
  3. View series

[PATCH] locking/mutex: add MUTEX_WARN_ON() into fast path

Yunhui Cui posted 1 patch 1 year ago 
kernel/locking/mutex.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH] locking/mutex: add MUTEX_WARN_ON() into fast path
Posted by Yunhui Cui 1 year ago 
Scenario: In platform_device_register, the driver misuses struct
device as platform_data, making kmemdup duplicate a device. Accessing
the duplicate may cause list corruption due to its mutex magic or list
holding old content.
It recurs randomly as the first mutex - getting process skips the slow
path and mutex check. Adding MUTEX_WARN_ON(lock->magic!= lock) in
__mutex_trylock_fast() makes it always happen.

Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
---
 kernel/locking/mutex.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
index b36f23de48f1..19b636f60a24 100644
--- a/kernel/locking/mutex.c
+++ b/kernel/locking/mutex.c
@@ -143,6 +143,8 @@ static __always_inline bool __mutex_trylock_fast(struct mutex *lock)
 	unsigned long curr = (unsigned long)current;
 	unsigned long zero = 0UL;
 
+	MUTEX_WARN_ON(lock->magic != lock);
+
 	if (atomic_long_try_cmpxchg_acquire(&lock->owner, &zero, curr))
 		return true;
 
-- 
2.39.2
Re: [PATCH] locking/mutex: add MUTEX_WARN_ON() into fast path
Posted by yunhui cui 11 months, 3 weeks ago 
Hi All,

Gentle ping. Any comments on this patch?

On Sun, Jan 26, 2025 at 11:32 AM Yunhui Cui <cuiyunhui@bytedance.com> wrote:
>
> Scenario: In platform_device_register, the driver misuses struct
> device as platform_data, making kmemdup duplicate a device. Accessing
> the duplicate may cause list corruption due to its mutex magic or list
> holding old content.
> It recurs randomly as the first mutex - getting process skips the slow
> path and mutex check. Adding MUTEX_WARN_ON(lock->magic!= lock) in
> __mutex_trylock_fast() makes it always happen.
>
> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
> ---
>  kernel/locking/mutex.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
> index b36f23de48f1..19b636f60a24 100644
> --- a/kernel/locking/mutex.c
> +++ b/kernel/locking/mutex.c
> @@ -143,6 +143,8 @@ static __always_inline bool __mutex_trylock_fast(struct mutex *lock)
>         unsigned long curr = (unsigned long)current;
>         unsigned long zero = 0UL;
>
> +       MUTEX_WARN_ON(lock->magic != lock);
> +
>         if (atomic_long_try_cmpxchg_acquire(&lock->owner, &zero, curr))
>                 return true;
>
> --
> 2.39.2
>

Thanks,
Yunhui
Re: [PATCH] locking/mutex: add MUTEX_WARN_ON() into fast path
Posted by Waiman Long 11 months, 3 weeks ago 
On 2/20/25 7:49 AM, yunhui cui wrote:
> Hi All,
>
> Gentle ping. Any comments on this patch?
>
> On Sun, Jan 26, 2025 at 11:32 AM Yunhui Cui <cuiyunhui@bytedance.com> wrote:
>> Scenario: In platform_device_register, the driver misuses struct
>> device as platform_data, making kmemdup duplicate a device. Accessing
>> the duplicate may cause list corruption due to its mutex magic or list
>> holding old content.
>> It recurs randomly as the first mutex - getting process skips the slow
>> path and mutex check. Adding MUTEX_WARN_ON(lock->magic!= lock) in
>> __mutex_trylock_fast() makes it always happen.
>>
>> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
>> ---
>>   kernel/locking/mutex.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
>> index b36f23de48f1..19b636f60a24 100644
>> --- a/kernel/locking/mutex.c
>> +++ b/kernel/locking/mutex.c
>> @@ -143,6 +143,8 @@ static __always_inline bool __mutex_trylock_fast(struct mutex *lock)
>>          unsigned long curr = (unsigned long)current;
>>          unsigned long zero = 0UL;
>>
>> +       MUTEX_WARN_ON(lock->magic != lock);
>> +
>>          if (atomic_long_try_cmpxchg_acquire(&lock->owner, &zero, curr))
>>                  return true;
>>
>> --
>> 2.39.2
>>
LGTM

Acked-by: Waiman Long <longman@redhat.com>
[tip: locking/core] locking/mutex: Add MUTEX_WARN_ON() into fast path
Posted by tip-bot2 for Yunhui Cui 11 months, 3 weeks ago 
The following commit has been merged into the locking/core branch of tip:

Commit-ID:     337369f8ce9e20226402cf139c4f0d3ada7d1705
Gitweb:        https://git.kernel.org/tip/337369f8ce9e20226402cf139c4f0d3ada7d1705
Author:        Yunhui Cui <cuiyunhui@bytedance.com>
AuthorDate:    Sun, 26 Jan 2025 11:32:43 +08:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Fri, 21 Feb 2025 20:19:12 +01:00

locking/mutex: Add MUTEX_WARN_ON() into fast path

Scenario: In platform_device_register, the driver misuses struct
device as platform_data, making kmemdup duplicate a device. Accessing
the duplicate may cause list corruption due to its mutex magic or list
holding old content.
It recurs randomly as the first mutex - getting process skips the slow
path and mutex check. Adding MUTEX_WARN_ON(lock->magic!= lock) in
__mutex_trylock_fast() makes it always happen.

Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250126033243.53069-1-cuiyunhui@bytedance.com
---
 kernel/locking/mutex.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
index b36f23d..19b636f 100644
--- a/kernel/locking/mutex.c
+++ b/kernel/locking/mutex.c
@@ -143,6 +143,8 @@ static __always_inline bool __mutex_trylock_fast(struct mutex *lock)
 	unsigned long curr = (unsigned long)current;
 	unsigned long zero = 0UL;
 
+	MUTEX_WARN_ON(lock->magic != lock);
+
 	if (atomic_long_try_cmpxchg_acquire(&lock->owner, &zero, curr))
 		return true;

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.