From: zhong jiang <zhongjiang@huawei.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Borislav Petkov <bp@alien8.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mel Gorman <mgorman@suse.de>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Nadav Amit <nadav.amit@gmail.com>, Rik van Riel <riel@redhat.com>,
Dave Hansen <dave.hansen@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH] x86/mm: Don't reenter flush_tlb_func_common()
Date: Tue, 20 Jun 2017 10:56:34 +0800 [thread overview]
Message-ID: <59488EE2.1080403@huawei.com> (raw)
In-Reply-To: <CALCETrX0jitvM8LZye9BMqHsGEM0vVQvimtmgRpUyL4GATT1PQ@mail.gmail.com>
On 2017/6/19 23:05, Andy Lutomirski wrote:
> On Mon, Jun 19, 2017 at 6:33 AM, zhong jiang <zhongjiang@huawei.com> wrote:
>> On 2017/6/19 12:48, Andy Lutomirski wrote:
>>> It was historically possible to have two concurrent TLB flushes
>>> targeting the same CPU: one initiated locally and one initiated
>>> remotely. This can now cause an OOPS in leave_mm() at
>>> arch/x86/mm/tlb.c:47:
>>>
>>> if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
>>> BUG();
>>>
>>> with this call trace:
>>> flush_tlb_func_local arch/x86/mm/tlb.c:239 [inline]
>>> flush_tlb_mm_range+0x26d/0x370 arch/x86/mm/tlb.c:317
>>>
>>> Without reentrancy, this OOPS is impossible: leave_mm() is only
>>> called if we're not in TLBSTATE_OK, but then we're unexpectedly
>>> in TLBSTATE_OK in leave_mm().
>>>
>>> This can be caused by flush_tlb_func_remote() happening between
>>> the two checks and calling leave_mm(), resulting in two consecutive
>>> leave_mm() calls on the same CPU with no intervening switch_mm()
>>> calls.
>>>
>>> We never saw this OOPS before because the old leave_mm()
>>> implementation didn't put us back in TLBSTATE_OK, so the assertion
>>> didn't fire.
>> HI, Andy
>>
>> Today, I see same OOPS in linux 3.4 stable. It prove that it indeed has fired.
>> but It is rarely to appear. I review the code. I found the a issue.
>> when current->mm is NULL, leave_mm will be called. but it maybe in
>> TLBSTATE_OK, eg: unuse_mm call after task->mm = NULL , but before enter_lazy_tlb.
>>
>> therefore, it will fire. is it right?
> Is there a code path that does this?
eg:
cpu1 cpu2
flush_tlb_page unuse_mm
current->mm = NULL
current->mm == NULL
leave_mm (cpu_tlbstate.state is TLBSATATE_OK)
enter_lazy_tlb
I am not sure the above race whether exist or not. Do you point out the problem if it is not existence? please
Thanks
zhongjiang
>
> Also, the IPI handler on 3.4 looks like this:
>
> if (f->flush_mm == percpu_read(cpu_tlbstate.active_mm)) {
> if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
> if (f->flush_va == TLB_FLUSH_ALL)
> local_flush_tlb();
> else
> __flush_tlb_one(f->flush_va);
> } else
> leave_mm(cpu);
> }
>
> but leave_mm() checks the same condition (cpu_tlbstate.state, not
> current->mm). How is the BUG triggering?
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
>
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: zhong jiang <zhongjiang@huawei.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Borislav Petkov <bp@alien8.de>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mel Gorman <mgorman@suse.de>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Nadav Amit <nadav.amit@gmail.com>, Rik van Riel <riel@redhat.com>,
Dave Hansen <dave.hansen@intel.com>,
"Arjan van de Ven" <arjan@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH] x86/mm: Don't reenter flush_tlb_func_common()
Date: Tue, 20 Jun 2017 10:56:34 +0800 [thread overview]
Message-ID: <59488EE2.1080403@huawei.com> (raw)
In-Reply-To: <CALCETrX0jitvM8LZye9BMqHsGEM0vVQvimtmgRpUyL4GATT1PQ@mail.gmail.com>
On 2017/6/19 23:05, Andy Lutomirski wrote:
> On Mon, Jun 19, 2017 at 6:33 AM, zhong jiang <zhongjiang@huawei.com> wrote:
>> On 2017/6/19 12:48, Andy Lutomirski wrote:
>>> It was historically possible to have two concurrent TLB flushes
>>> targeting the same CPU: one initiated locally and one initiated
>>> remotely. This can now cause an OOPS in leave_mm() at
>>> arch/x86/mm/tlb.c:47:
>>>
>>> if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
>>> BUG();
>>>
>>> with this call trace:
>>> flush_tlb_func_local arch/x86/mm/tlb.c:239 [inline]
>>> flush_tlb_mm_range+0x26d/0x370 arch/x86/mm/tlb.c:317
>>>
>>> Without reentrancy, this OOPS is impossible: leave_mm() is only
>>> called if we're not in TLBSTATE_OK, but then we're unexpectedly
>>> in TLBSTATE_OK in leave_mm().
>>>
>>> This can be caused by flush_tlb_func_remote() happening between
>>> the two checks and calling leave_mm(), resulting in two consecutive
>>> leave_mm() calls on the same CPU with no intervening switch_mm()
>>> calls.
>>>
>>> We never saw this OOPS before because the old leave_mm()
>>> implementation didn't put us back in TLBSTATE_OK, so the assertion
>>> didn't fire.
>> HI, Andy
>>
>> Today, I see same OOPS in linux 3.4 stable. It prove that it indeed has fired.
>> but It is rarely to appear. I review the code. I found the a issue.
>> when current->mm is NULL, leave_mm will be called. but it maybe in
>> TLBSTATE_OK, eg: unuse_mm call after task->mm = NULL , but before enter_lazy_tlb.
>>
>> therefore, it will fire. is it right?
> Is there a code path that does this?
eg:
cpu1 cpu2
flush_tlb_page unuse_mm
current->mm = NULL
current->mm == NULL
leave_mm (cpu_tlbstate.state is TLBSATATE_OK)
enter_lazy_tlb
I am not sure the above race whether exist or not. Do you point out the problem if it is not existence? please
Thanks
zhongjiang
>
> Also, the IPI handler on 3.4 looks like this:
>
> if (f->flush_mm == percpu_read(cpu_tlbstate.active_mm)) {
> if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
> if (f->flush_va == TLB_FLUSH_ALL)
> local_flush_tlb();
> else
> __flush_tlb_one(f->flush_va);
> } else
> leave_mm(cpu);
> }
>
> but leave_mm() checks the same condition (cpu_tlbstate.state, not
> current->mm). How is the BUG triggering?
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
>
>
next prev parent reply other threads:[~2017-06-20 3:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 4:48 [PATCH] x86/mm: Don't reenter flush_tlb_func_common() Andy Lutomirski
2017-06-19 4:48 ` Andy Lutomirski
2017-06-19 13:33 ` zhong jiang
2017-06-19 13:33 ` zhong jiang
2017-06-19 15:05 ` Andy Lutomirski
2017-06-19 15:05 ` Andy Lutomirski
2017-06-20 2:56 ` zhong jiang [this message]
2017-06-20 2:56 ` zhong jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59488EE2.1080403@huawei.com \
--to=zhongjiang@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mgorman@suse.de \
--cc=nadav.amit@gmail.com \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.