From: Sasha Levin <sasha.levin@oracle.com>
To: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Tejun Heo <tj@kernel.org>, Thomas Gleixner <tglx@linutronix.de>,
stable@vger.kernel.org
Subject: Re: [PATCH 3.18] timers: Use proper base migration in add_timer_on()
Date: Mon, 16 May 2016 09:29:15 -0400
Message-ID: <5739CB2B.6070401@oracle.com>
In-Reply-To: <146338038104.19014.7494844489041339785.stgit@buzz>
On 05/16/2016 02:33 AM, Konstantin Khlebnikov wrote:
> From: Tejun Heo <tj@kernel.org>
>
> [ Upstream commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8 ]
>
> Regardless of the previous CPU a timer was on, add_timer_on()
> currently simply sets timer->flags to the new CPU. As the caller must
> be seeing the timer as idle, this is locally fine, but the timer
> leaving the old base while unlocked can lead to race conditions as
> follows.
>
> Let's say timer was on cpu 0.
>
> cpu 0                                   cpu 1
> -----------------------------------------------------------------------------
> del_timer(timer) succeeds
>                                         del_timer(timer)
>                                           lock_timer_base(timer) locks cpu_0_base
> add_timer_on(timer, 1)
>   spin_lock(&cpu_1_base->lock)
>   timer->flags set to cpu_1_base
>   operates on @timer                      operates on @timer
>
> This triggered with mod_delayed_work_on() which contains
> "if (del_timer()) add_timer_on()" sequence eventually leading to the
> following oops.
>
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0
> ...
> Workqueue: wqthrash wqthrash_workfunc [wqthrash]
> task: ffff8800172ca680 ti: ffff8800172d0000 task.ti: ffff8800172d0000
> RIP: 0010:[<ffffffff810ca6e9>] [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0
> ...
> Call Trace:
> [<ffffffff810cb0b4>] del_timer+0x44/0x60
> [<ffffffff8106e836>] try_to_grab_pending+0xb6/0x160
> [<ffffffff8106e913>] mod_delayed_work_on+0x33/0x80
> [<ffffffffa0000081>] wqthrash_workfunc+0x61/0x90 [wqthrash]
> [<ffffffff8106dba8>] process_one_work+0x1e8/0x650
> [<ffffffff8106e05e>] worker_thread+0x4e/0x450
> [<ffffffff810746af>] kthread+0xef/0x110
> [<ffffffff8185980f>] ret_from_fork+0x3f/0x70
>
> Fix it by updating add_timer_on() to perform proper migration as
> __mod_timer() does.
>
> Reported-and-tested-by: Jeff Layton <jlayton@poochiereds.net>
> Signed-off-by: Tejun Heo <tj@kernel.org>
> Cc: Chris Worley <chris.worley@primarydata.com>
> Cc: bfields@fieldses.org
> Cc: Michael Skralivetsky <michael.skralivetsky@primarydata.com>
> Cc: Trond Myklebust <trond.myklebust@primarydata.com>
> Cc: Shaohua Li <shli@fb.com>
> Cc: Jeff Layton <jlayton@poochiereds.net>
> Cc: kernel-team@fb.com
> Cc: stable@vger.kernel.org
> Link: http://lkml.kernel.org/r/20151029103113.2f893924@tlielax.poochiereds.net
> Link: http://lkml.kernel.org/r/20151104171533.GI5749@mtj.duckdns.org
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> ( backport for 3.18 )
Added to the queue, thanks!
Thanks,
Sasha
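The interleaving in the quoted table, replayed as an added single-threaded C model (this is not the kernel's code; locks are modelled as flags, and lock_timer_base() returns NULL where the kernel would spin): the pre-fix add_timer_on() moves the timer to cpu_1_base while cpu 1 still holds cpu_0_base for the same timer, whereas the migrating version is held back by the old base's lock.

```c
#include <stddef.h>

#define TIMER_MIGRATING 0xffu       /* sentinel: timer is between bases */
struct tvec_base { int locked; } bases[2];   /* cpu_0_base, cpu_1_base */
struct timer_list { unsigned flags; };       /* flags = cpu of current base */

static int try_lock(struct tvec_base *b) { if (b->locked) return 0; return b->locked = 1; }
static void unlock(struct tvec_base *b) { b->locked = 0; }

/* Lock the base named by timer->flags and re-check the timer did not move; NULL = kernel would spin. */
static struct tvec_base *lock_timer_base(struct timer_list *t)
{
    unsigned tf = t->flags;
    if (tf == TIMER_MIGRATING || !try_lock(&bases[tf]))
        return NULL;
    if (t->flags != tf) { unlock(&bases[tf]); return NULL; }
    return &bases[tf];
}

/* Before the fix: only the new base is locked; the old base never sees the move. */
int add_timer_on_before(struct timer_list *t, unsigned cpu)
{
    if (!try_lock(&bases[cpu])) return 0;
    t->flags = cpu;                          /* timer silently leaves its old base */
    unlock(&bases[cpu]);
    return 1;
}

/* After the fix: lock the old base, mark migrating, then move under the new lock (as __mod_timer). */
int add_timer_on_after(struct timer_list *t, unsigned cpu)
{
    struct tvec_base *base = lock_timer_base(t), *new_base = &bases[cpu];
    if (!base) return 0;                     /* old base busy: kernel would wait */
    if (base != new_base) {
        t->flags = TIMER_MIGRATING;
        unlock(base);
        if (!try_lock(new_base)) return 0;   /* kernel would wait here too */
        t->flags = cpu;
    }
    unlock(new_base);
    return 1;
}

/* Replay the table: cpu 1's del_timer() holds cpu_0_base, then cpu 0 calls add_timer_on(timer, 1).
 * Returns 1 if the move completed while cpu 1 still held the old base (both CPUs own @timer). */
int replay_race(int (*add_timer_on)(struct timer_list *, unsigned))
{
    struct timer_list timer = { .flags = 0 };                /* timer starts on cpu 0 */
    bases[0].locked = bases[1].locked = 0;                    /* fresh bases per replay */
    struct tvec_base *held_by_cpu1 = lock_timer_base(&timer); /* cpu 1: del_timer() */
    int moved = add_timer_on(&timer, 1);                      /* cpu 0: add_timer_on() */
    return moved && held_by_cpu1 && held_by_cpu1->locked && timer.flags == 1;
}
```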