From: Anna-Maria Behnsen <anna-maria@linutronix.de>
To: Frederic Weisbecker <frederic@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] timers/migration: Fix ignored event due to missing CPU update
Date: Thu, 04 Apr 2024 18:52:52 +0200 [thread overview]
Message-ID: <878r1tvzmj.fsf@somnus> (raw)
In-Reply-To: <Zg2Ct6M2RJAYHgCB@localhost.localdomain>
Frederic Weisbecker <frederic@kernel.org> writes:
> Le Tue, Apr 02, 2024 at 11:52:23AM +0200, Anna-Maria Behnsen a écrit :
>> Frederic Weisbecker <frederic@kernel.org> writes:
>>
>> > When a group event is updated with its expiry unchanged but a different
>> > CPU, that target change may go unnoticed and the event may be propagated
>> > up with a stale CPU value. The following depicts a scenario that has
>> > been actually observed:
>>
>> urgh...
>>
>> >
>> > Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
>> > ---
>> > kernel/time/timer_migration.c | 5 ++++-
>> > 1 file changed, 4 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/kernel/time/timer_migration.c b/kernel/time/timer_migration.c
>> > index c63a0afdcebe..90786bb9a607 100644
>> > --- a/kernel/time/timer_migration.c
>> > +++ b/kernel/time/timer_migration.c
>> > @@ -762,8 +762,11 @@ bool tmigr_update_events(struct tmigr_group *group, struct tmigr_group *child,
>> > * queue when the expiry time changed only or when it could be ignored.
>> > */
>> > if (timerqueue_node_queued(&evt->nextevt)) {
>> > - if ((evt->nextevt.expires == nextexp) && !evt->ignore)
>> > + if ((evt->nextevt.expires == nextexp) && !evt->ignore) {
>> > + if (evt->cpu != first_childevt->cpu)
>> > + evt->cpu = first_childevt->cpu;
>>
>> Why not just unconditionally overwriting the evt->cpu value here?
>
> Right! See below:
>
> ---
> From d038dad7345398a2f6671a3cda98a48805f9eba3 Mon Sep 17 00:00:00 2001
> From: Frederic Weisbecker <frederic@kernel.org>
> Date: Mon, 1 Apr 2024 23:48:59 +0200
> Subject: [PATCH v2] timers/migration: Fix ignored event due to missing CPU update
>
> When a group event is updated with its expiry unchanged but a different
> CPU, that target change may go unnoticed and the event may be propagated
> up with a stale CPU value. The following depicts a scenario that has
> been actually observed:
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = TGRP1:0 (T0)
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T0
> / \
> 0 (T0) 1 (T1)
> idle idle
>
> 0) The hierarchy has 3 levels. The left part (GRP1:0) is all idle,
> including CPU 0 and CPU 1 which have a timer each: T0 and T1. They have
> the same expiry value.
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = KTIME_MAX
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T0
> / \
> 0 (T0) 1 (T1)
> idle idle
>
> 1) The migrator in GRP1:1 handles remotely T0. The event is dequeued
> from the top and T0 executed.
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = KTIME_MAX
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T1
> / \
> 0 1 (T1)
> idle idle
>
> 2) The migrator in GRP1:1 fetches the next timer for CPU 0 and finds
> none. But it updates the events from its groups, starting with GRP0:0
> which now has T1 as its next event. So far so good.
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = KTIME_MAX
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T1
> / \
> 0 1 (T1)
> idle idle
>
> 3) The migrator in GRP1:1 proceeds upward and updates the events in
> GRP1:0. The child event TGRP0:0 is found queued with the same expiry
> as before. And therefore it is left unchanged. However the target CPU
> is not the same but that fact is ignored so TGRP0:0 still points to
> CPU 0 when it should point to CPU 1.
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = TGRP1:0 (T0)
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T1
> / \
> 0 1 (T1)
> idle idle
>
> 4) The propagation has reached the top level and TGRP1:0, having TGRP0:0
> as its first event, also wrongly points to CPU 0. TGRP1:0 is added to
> the top level group.
>
> [GRP2:0]
> migrator = GRP1:1
> active = GRP1:1
> nextevt = KTIME_MAX
> / \
> [GRP1:0] [GRP1:1]
> migrator = NONE [...]
> active = NONE
> nextevt = TGRP0:0 (T0)
> / \
> [GRP0:0] [...]
> migrator = NONE
> active = NONE
> nextevt = T1
> / \
> 0 1 (T1)
> idle idle
>
> 5) The migrator in GRP1:1 dequeues the next event in top level pointing
> to CPU 0. But since it actually doesn't see any real event in CPU 0, it
> early returns.
>
> 6) T1 is left unhandled until either CPU 0 or CPU 1 wake up.
>
> Some other bad scenario may involve trees with just two levels.
>
> Fix this with unconditionally updating the CPU of the child event before
> considering to early return while updating a queued event with an
> unchanged expiry value.
>
> Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model")
> Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Thanks,
Anna-Maria
next prev parent reply other threads:[~2024-04-04 16:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-01 21:48 [PATCH] timers/migration: Fix ignored event due to missing CPU update Frederic Weisbecker
2024-04-01 22:18 ` Frederic Weisbecker
2024-04-02 9:52 ` Anna-Maria Behnsen
2024-04-03 16:24 ` [PATCH v2] " Frederic Weisbecker
2024-04-04 16:52 ` Anna-Maria Behnsen [this message]
2024-04-05 9:11 ` [tip: timers/urgent] " tip-bot2 for Frederic Weisbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878r1tvzmj.fsf@somnus \
--to=anna-maria@linutronix.de \
--cc=frederic@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.