e2970f2fb6
We are pleased to announce "lightweight userspace priority inheritance" (PI) support for futexes. The following patchset and glibc patch implements it, ontop of the robust-futexes patchset which is included in 2.6.16-mm1. We are calling it lightweight for 3 reasons: - in the user-space fastpath a PI-enabled futex involves no kernel work (or any other PI complexity) at all. No registration, no extra kernel calls - just pure fast atomic ops in userspace. - in the slowpath (in the lock-contention case), the system call and scheduling pattern is in fact better than that of normal futexes, due to the 'integrated' nature of FUTEX_LOCK_PI. [more about that further down] - the in-kernel PI implementation is streamlined around the mutex abstraction, with strict rules that keep the implementation relatively simple: only a single owner may own a lock (i.e. no read-write lock support), only the owner may unlock a lock, no recursive locking, etc. Priority Inheritance - why, oh why??? ------------------------------------- Many of you heard the horror stories about the evil PI code circling Linux for years, which makes no real sense at all and is only used by buggy applications and which has horrible overhead. Some of you have dreaded this very moment, when someone actually submits working PI code ;-) So why would we like to see PI support for futexes? We'd like to see it done purely for technological reasons. We dont think it's a buggy concept, we think it's useful functionality to offer to applications, which functionality cannot be achieved in other ways. We also think it's the right thing to do, and we think we've got the right arguments and the right numbers to prove that. We also believe that we can address all the counter-arguments as well. For these reasons (and the reasons outlined below) we are submitting this patch-set for upstream kernel inclusion. What are the benefits of PI? The short reply: ---------------- User-space PI helps achieving/improving determinism for user-space applications. In the best-case, it can help achieve determinism and well-bound latencies. Even in the worst-case, PI will improve the statistical distribution of locking related application delays. The longer reply: ----------------- Firstly, sharing locks between multiple tasks is a common programming technique that often cannot be replaced with lockless algorithms. As we can see it in the kernel [which is a quite complex program in itself], lockless structures are rather the exception than the norm - the current ratio of lockless vs. locky code for shared data structures is somewhere between 1:10 and 1:100. Lockless is hard, and the complexity of lockless algorithms often endangers to ability to do robust reviews of said code. I.e. critical RT apps often choose lock structures to protect critical data structures, instead of lockless algorithms. Furthermore, there are cases (like shared hardware, or other resource limits) where lockless access is mathematically impossible. Media players (such as Jack) are an example of reasonable application design with multiple tasks (with multiple priority levels) sharing short-held locks: for example, a highprio audio playback thread is combined with medium-prio construct-audio-data threads and low-prio display-colory-stuff threads. Add video and decoding to the mix and we've got even more priority levels. So once we accept that synchronization objects (locks) are an unavoidable fact of life, and once we accept that multi-task userspace apps have a very fair expectation of being able to use locks, we've got to think about how to offer the option of a deterministic locking implementation to user-space. Most of the technical counter-arguments against doing priority inheritance only apply to kernel-space locks. But user-space locks are different, there we cannot disable interrupts or make the task non-preemptible in a critical section, so the 'use spinlocks' argument does not apply (user-space spinlocks have the same priority inversion problems as other user-space locking constructs). Fact is, pretty much the only technique that currently enables good determinism for userspace locks (such as futex-based pthread mutexes) is priority inheritance: Currently (without PI), if a high-prio and a low-prio task shares a lock [this is a quite common scenario for most non-trivial RT applications], even if all critical sections are coded carefully to be deterministic (i.e. all critical sections are short in duration and only execute a limited number of instructions), the kernel cannot guarantee any deterministic execution of the high-prio task: any medium-priority task could preempt the low-prio task while it holds the shared lock and executes the critical section, and could delay it indefinitely. Implementation: --------------- As mentioned before, the userspace fastpath of PI-enabled pthread mutexes involves no kernel work at all - they behave quite similarly to normal futex-based locks: a 0 value means unlocked, and a value==TID means locked. (This is the same method as used by list-based robust futexes.) Userspace uses atomic ops to lock/unlock these mutexes without entering the kernel. To handle the slowpath, we have added two new futex ops: FUTEX_LOCK_PI FUTEX_UNLOCK_PI If the lock-acquire fastpath fails, [i.e. an atomic transition from 0 to TID fails], then FUTEX_LOCK_PI is called. The kernel does all the remaining work: if there is no futex-queue attached to the futex address yet then the code looks up the task that owns the futex [it has put its own TID into the futex value], and attaches a 'PI state' structure to the futex-queue. The pi_state includes an rt-mutex, which is a PI-aware, kernel-based synchronization object. The 'other' task is made the owner of the rt-mutex, and the FUTEX_WAITERS bit is atomically set in the futex value. Then this task tries to lock the rt-mutex, on which it blocks. Once it returns, it has the mutex acquired, and it sets the futex value to its own TID and returns. Userspace has no other work to perform - it now owns the lock, and futex value contains FUTEX_WAITERS|TID. If the unlock side fastpath succeeds, [i.e. userspace manages to do a TID -> 0 atomic transition of the futex value], then no kernel work is triggered. If the unlock fastpath fails (because the FUTEX_WAITERS bit is set), then FUTEX_UNLOCK_PI is called, and the kernel unlocks the futex on the behalf of userspace - and it also unlocks the attached pi_state->rt_mutex and thus wakes up any potential waiters. Note that under this approach, contrary to other PI-futex approaches, there is no prior 'registration' of a PI-futex. [which is not quite possible anyway, due to existing ABI properties of pthread mutexes.] Also, under this scheme, 'robustness' and 'PI' are two orthogonal properties of futexes, and all four combinations are possible: futex, robust-futex, PI-futex, robust+PI-futex. glibc support: -------------- Ulrich Drepper and Jakub Jelinek have written glibc support for PI-futexes (and robust futexes), enabling robust and PI (PTHREAD_PRIO_INHERIT) POSIX mutexes. (PTHREAD_PRIO_PROTECT support will be added later on too, no additional kernel changes are needed for that). [NOTE: The glibc patch is obviously inofficial and unsupported without matching upstream kernel functionality.] the patch-queue and the glibc patch can also be downloaded from: http://redhat.com/~mingo/PI-futex-patches/ Many thanks go to the people who helped us create this kernel feature: Steven Rostedt, Esben Nielsen, Benedikt Spranger, Daniel Walker, John Cooper, Arjan van de Ven, Oleg Nesterov and others. Credits for related prior projects goes to Dirk Grambow, Inaky Perez-Gonzalez, Bill Huey and many others. Clean up the futex code, before adding more features to it: - use u32 as the futex field type - that's the ABI - use __user and pointers to u32 instead of unsigned long - code style / comment style cleanups - rename hash-bucket name from 'bh' to 'hb'. I checked the pre and post futex.o object files to make sure this patch has no code effects. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Cc: Ulrich Drepper <drepper@redhat.com> Cc: Jakub Jelinek <jakub@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
144 lines
3.2 KiB
C
144 lines
3.2 KiB
C
/*
|
|
* linux/kernel/futex_compat.c
|
|
*
|
|
* Futex compatibililty routines.
|
|
*
|
|
* Copyright 2006, Red Hat, Inc., Ingo Molnar
|
|
*/
|
|
|
|
#include <linux/linkage.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/futex.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
/*
|
|
* Walk curr->robust_list (very carefully, it's a userspace list!)
|
|
* and mark any locks found there dead, and notify any waiters.
|
|
*
|
|
* We silently return on any sign of list-walking problem.
|
|
*/
|
|
void compat_exit_robust_list(struct task_struct *curr)
|
|
{
|
|
struct compat_robust_list_head __user *head = curr->compat_robust_list;
|
|
struct robust_list __user *entry, *pending;
|
|
compat_uptr_t uentry, upending;
|
|
unsigned int limit = ROBUST_LIST_LIMIT;
|
|
compat_long_t futex_offset;
|
|
|
|
/*
|
|
* Fetch the list head (which was registered earlier, via
|
|
* sys_set_robust_list()):
|
|
*/
|
|
if (get_user(uentry, &head->list.next))
|
|
return;
|
|
entry = compat_ptr(uentry);
|
|
/*
|
|
* Fetch the relative futex offset:
|
|
*/
|
|
if (get_user(futex_offset, &head->futex_offset))
|
|
return;
|
|
/*
|
|
* Fetch any possibly pending lock-add first, and handle it
|
|
* if it exists:
|
|
*/
|
|
if (get_user(upending, &head->list_op_pending))
|
|
return;
|
|
pending = compat_ptr(upending);
|
|
if (upending)
|
|
handle_futex_death((void *)pending + futex_offset, curr);
|
|
|
|
while (compat_ptr(uentry) != &head->list) {
|
|
/*
|
|
* A pending lock might already be on the list, so
|
|
* dont process it twice:
|
|
*/
|
|
if (entry != pending)
|
|
if (handle_futex_death((void *)entry + futex_offset,
|
|
curr))
|
|
return;
|
|
|
|
/*
|
|
* Fetch the next entry in the list:
|
|
*/
|
|
if (get_user(uentry, (compat_uptr_t *)&entry->next))
|
|
return;
|
|
entry = compat_ptr(uentry);
|
|
/*
|
|
* Avoid excessively long or circular lists:
|
|
*/
|
|
if (!--limit)
|
|
break;
|
|
|
|
cond_resched();
|
|
}
|
|
}
|
|
|
|
asmlinkage long
|
|
compat_sys_set_robust_list(struct compat_robust_list_head __user *head,
|
|
compat_size_t len)
|
|
{
|
|
if (unlikely(len != sizeof(*head)))
|
|
return -EINVAL;
|
|
|
|
current->compat_robust_list = head;
|
|
|
|
return 0;
|
|
}
|
|
|
|
asmlinkage long
|
|
compat_sys_get_robust_list(int pid, compat_uptr_t *head_ptr,
|
|
compat_size_t __user *len_ptr)
|
|
{
|
|
struct compat_robust_list_head *head;
|
|
unsigned long ret;
|
|
|
|
if (!pid)
|
|
head = current->compat_robust_list;
|
|
else {
|
|
struct task_struct *p;
|
|
|
|
ret = -ESRCH;
|
|
read_lock(&tasklist_lock);
|
|
p = find_task_by_pid(pid);
|
|
if (!p)
|
|
goto err_unlock;
|
|
ret = -EPERM;
|
|
if ((current->euid != p->euid) && (current->euid != p->uid) &&
|
|
!capable(CAP_SYS_PTRACE))
|
|
goto err_unlock;
|
|
head = p->compat_robust_list;
|
|
read_unlock(&tasklist_lock);
|
|
}
|
|
|
|
if (put_user(sizeof(*head), len_ptr))
|
|
return -EFAULT;
|
|
return put_user(ptr_to_compat(head), head_ptr);
|
|
|
|
err_unlock:
|
|
read_unlock(&tasklist_lock);
|
|
|
|
return ret;
|
|
}
|
|
|
|
asmlinkage long compat_sys_futex(u32 __user *uaddr, int op, u32 val,
|
|
struct compat_timespec __user *utime, u32 __user *uaddr2,
|
|
u32 val3)
|
|
{
|
|
struct timespec t;
|
|
unsigned long timeout = MAX_SCHEDULE_TIMEOUT;
|
|
int val2 = 0;
|
|
|
|
if (utime && (op == FUTEX_WAIT)) {
|
|
if (get_compat_timespec(&t, utime))
|
|
return -EFAULT;
|
|
if (!timespec_valid(&t))
|
|
return -EINVAL;
|
|
timeout = timespec_to_jiffies(&t) + 1;
|
|
}
|
|
if (op >= FUTEX_REQUEUE)
|
|
val2 = (int) (unsigned long) utime;
|
|
|
|
return do_futex(uaddr, op, val, timeout, uaddr2, val2, val3);
|
|
}
|