From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, borntraeger@de.ibm.com,
rafael.j.wysocki@intel.com, peterz@infradead.org,
oleg@redhat.com, bp@suse.de, jkosina@suse.cz
Subject: Re: [PATCH v2] CPU hotplug: active_writer not woken up in some cases - deadlock
Date: Tue, 9 Dec 2014 10:14:47 +0100 [thread overview]
Message-ID: <20141209091447.GD4362@osiris> (raw)
In-Reply-To: <20141209085930.6b831850@thinkpad-w530>
On Tue, Dec 09, 2014 at 08:59:30AM +0100, David Hildenbrand wrote:
> > The compiler is within its rights to optimize the active_writer local
> > variable out of existence, thus re-introducing the possible race with
> > the writer that can pass a NULL pointer to wake_up_process(). So you
> > really need the ACCESS_ONCE() on the read from cpu_hotplug.active_writer.
> > Please see http://lwn.net/Articles/508991/ for more information why
> > this is absolutely required.
>
> You're absolutely right, saw your reply on the other patch just after I sent
> this version ...
>
> So if you agree with the change below, I'll send an updated version!
>
> >
> > > + if (unlikely(active_writer))
> > > + wake_up_process(active_writer);
> > > cpuhp_lock_release();
> > > return;
> > > }
> > > @@ -161,15 +167,17 @@ void cpu_hotplug_begin(void)
> > > cpuhp_lock_acquire();
> > > for (;;) {
> > > mutex_lock(&cpu_hotplug.lock);
> > > + __set_current_state(TASK_UNINTERRUPTIBLE);
> >
> > You lost me on this one. How does this help?
> >
> > Thanx, Paul
>
> Imagine e.g. the following (simplified) scenario:
>
> CPU1 CPU2
> ----------------------------------------------------------------------------
> !mutex_trylock(&cpu_hotplug.lock) |
> | cpu_hotplug.puts_pending == 0
> cpu_hotplug.puts_pending++; |
> | cpu_hotplug.refcount != 0
> wake_up_process(active_writer)
> | __set_current_state(TASK_UNINTERRUPTIBLE);
> | schedule();
> | /* will never be woken up */
>
> Therefore we have to move the condition check inside the
> __set_current_state(TASK_UNINTERRUPTIBLE) -> schedule();
> section to not miss any wake ups when the condition is satisfied.
>
> So wake_up_process() will either see TASK_RUNNING and do nothing or see
> TASK_UNINTERRUPTIBLE and set it to TASK_RUNNING, so schedule() will in
> fact be woken up again.
Or the third alternative would be that 'active_writer' which was running
on CPU2 already terminated and wake_up_process() has a non-NULL pointer to
task_struct which is already dead.
Or is there anything that prevents this use-after-free race?
next prev parent reply other threads:[~2014-12-09 9:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-08 20:21 [PATCH v2] CPU hotplug: active_writer not woken up in some cases - deadlock David Hildenbrand
2014-12-08 21:22 ` Paul E. McKenney
2014-12-09 7:59 ` David Hildenbrand
2014-12-09 9:14 ` Heiko Carstens [this message]
2014-12-09 10:11 ` David Hildenbrand
2014-12-09 10:21 ` Heiko Carstens
2014-12-09 11:04 ` David Hildenbrand
2014-12-09 11:35 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141209091447.GD4362@osiris \
--to=heiko.carstens@de.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@suse.de \
--cc=dahi@linux.vnet.ibm.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=rafael.j.wysocki@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.