From: Uladzislau Rezki <urezki@gmail.com>
To: Joel Fernandes <joel@joelfernandes.org>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>,
"Paul E . McKenney" <paulmck@kernel.org>,
RCU <rcu@vger.kernel.org>,
Neeraj upadhyay <Neeraj.Upadhyay@amd.com>,
Boqun Feng <boqun.feng@gmail.com>,
Hillf Danton <hdanton@sina.com>,
LKML <linux-kernel@vger.kernel.org>,
Oleksiy Avramchenko <oleksiy.avramchenko@sony.com>,
Frederic Weisbecker <frederic@kernel.org>
Subject: Re: [PATCH 1/2] rcu: Do not release a wait-head from a GP kthread
Date: Thu, 7 Mar 2024 13:31:41 +0100 [thread overview]
Message-ID: <ZemzrXfN7PUGiETd@pc636> (raw)
In-Reply-To: <648f31c5-e67c-4605-9ebd-7450e96a2dbe@joelfernandes.org>
On Thu, Mar 07, 2024 at 02:09:38AM -0500, Joel Fernandes wrote:
>
>
> On 3/7/2024 1:21 AM, Joel Fernandes wrote:
> >
> >
> > On 3/6/2024 5:31 PM, Joel Fernandes wrote:
> >>
> >>
> >> On 3/5/2024 2:57 PM, Uladzislau Rezki (Sony) wrote:
> >>> Fix a below race by not releasing a wait-head from the
> >>> GP-kthread as it can lead for reusing it whereas a worker
> >>> can still access it thus execute newly added callbacks too
> >>> early.
> >>>
> >>> CPU 0 CPU 1
> >>> ----- -----
> >>>
> >>> // wait_tail == HEAD1
> >>> rcu_sr_normal_gp_cleanup() {
> >>> // has passed SR_MAX_USERS_WAKE_FROM_GP
> >>> wait_tail->next = next;
> >>> // done_tail = HEAD1
> >>> smp_store_release(&rcu_state.srs_done_tail, wait_tail);
> >>> queue_work() {
> >>> test_and_set_bit(WORK_STRUCT_PENDING_BIT, work_data_bits(work)
> >>> __queue_work()
> >>> }
> >>> }
> >>>
> >>> set_work_pool_and_clear_pending()
> >>> rcu_sr_normal_gp_cleanup_work() {
> >>> // new GP, wait_tail == HEAD2
> >>> rcu_sr_normal_gp_cleanup() {
> >>> // executes all completion, but stop at HEAD1
> >>> wait_tail->next = HEAD1;
> >>> // done_tail = HEAD2
> >>> smp_store_release(&rcu_state.srs_done_tail, wait_tail);
> >>> queue_work() {
> >>> test_and_set_bit(WORK_STRUCT_PENDING_BIT, work_data_bits(work)
> >>> __queue_work()
> >>> }
> >>> }
> >>> // done = HEAD2
> >>> done = smp_load_acquire(&rcu_state.srs_done_tail);
> >>> // head = HEAD1
> >>> head = done->next;
> >>> done->next = NULL;
> >>> llist_for_each_safe() {
> >>> // completes all callbacks, release HEAD1
> >>> }
> >>> }
> >>> // Process second queue
> >>> set_work_pool_and_clear_pending()
> >>> rcu_sr_normal_gp_cleanup_work() {
> >>> // done = HEAD2
> >>> done = smp_load_acquire(&rcu_state.srs_done_tail);
> >>>
> >>> // new GP, wait_tail == HEAD3
> >>> rcu_sr_normal_gp_cleanup() {
> >>> // Finds HEAD2 with ->next == NULL at the end
> >>> rcu_sr_put_wait_head(HEAD2)
> >>> ...
> >>>
> >>> // A few more GPs later
> >>> rcu_sr_normal_gp_init() {
> >>> HEAD2 = rcu_sr_get_wait_head();
> >>> llist_add(HEAD2, &rcu_state.srs_next);
> >>> // head == rcu_state.srs_next
> >>> head = done->next;
> >>> done->next = NULL;
> >>> llist_for_each_safe() {
> >>> // EXECUTE CALLBACKS TOO EARLY!!!
> >>> }
> >>> }
> >>>
> >>> Reported-by: Frederic Weisbecker <frederic@kernel.org>
> >>> Fixes: 05a10b921000 ("rcu: Support direct wake-up of synchronize_rcu() users")
> >>> Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
> >>> ---
> >>> kernel/rcu/tree.c | 22 ++++++++--------------
> >>> 1 file changed, 8 insertions(+), 14 deletions(-)
> >>>
> >>> diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
> >>> index 31f3a61f9c38..475647620b12 100644
> >>> --- a/kernel/rcu/tree.c
> >>> +++ b/kernel/rcu/tree.c
> >>> @@ -1656,21 +1656,11 @@ static void rcu_sr_normal_gp_cleanup(void)
> >>> WARN_ON_ONCE(!rcu_sr_is_wait_head(wait_tail));
> >>>
> >>> /*
> >>> - * Process (a) and (d) cases. See an illustration. Apart of
> >>> - * that it handles the scenario when all clients are done,
> >>> - * wait-head is released if last. The worker is not kicked.
> >>> + * Process (a) and (d) cases. See an illustration.
> >>> */
> >>> llist_for_each_safe(rcu, next, wait_tail->next) {
> >>> - if (rcu_sr_is_wait_head(rcu)) {
> >>> - if (!rcu->next) {
> >>> - rcu_sr_put_wait_head(rcu);
> >>> - wait_tail->next = NULL;
> >>> - } else {
> >>> - wait_tail->next = rcu;
> >>> - }
> >>> -
> >>> + if (rcu_sr_is_wait_head(rcu))
> >>> break;
> >>> - }
> >>>
> >>> rcu_sr_normal_complete(rcu);
> >>> // It can be last, update a next on this step.
> >>> @@ -1684,8 +1674,12 @@ static void rcu_sr_normal_gp_cleanup(void)
> >>> smp_store_release(&rcu_state.srs_done_tail, wait_tail);
> >>> ASSERT_EXCLUSIVE_WRITER(rcu_state.srs_done_tail);
> >>>
> >>> - if (wait_tail->next)
> >>> - queue_work(system_highpri_wq, &rcu_state.srs_cleanup_work);
> >>> + /*
> >>> + * We schedule a work in order to perform a final processing
> >>> + * of outstanding users(if still left) and releasing wait-heads
> >>> + * added by rcu_sr_normal_gp_init() call.
> >>> + */
> >>> + queue_work(system_highpri_wq, &rcu_state.srs_cleanup_work);
> >>> }
> >
> > One question, why do you need to queue_work() if wait_tail->next == NULL?
> >
> > AFAICS, at this stage if wait_tail->next == NULL, you are in CASE f. so the last
> > remaining HEAD stays? (And llist_for_each_safe() in
> > rcu_sr_normal_gp_cleanup_work becomes a NOOP).
> >
>
> Never mind, sorry for spewing nonsense. You can never end up with CASE f here so
> you still need the queue_work(). I think it is worth looking into how to free
> the last HEAD, without queuing a work though (while not causing wreckage).
>
No problem at all :)
--
Uladzislau Rezki
next prev parent reply other threads:[~2024-03-07 12:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-05 19:57 [PATCH 1/2] rcu: Do not release a wait-head from a GP kthread Uladzislau Rezki (Sony)
2024-03-05 19:57 ` [PATCH 2/2] rcu: Allocate WQ with WQ_MEM_RECLAIM bit set Uladzislau Rezki (Sony)
2024-03-06 2:15 ` Z qiang
2024-03-06 11:56 ` Uladzislau Rezki
2024-03-06 17:57 ` Joel Fernandes
2024-03-07 12:16 ` Uladzislau Rezki
2024-03-06 22:31 ` [PATCH 1/2] rcu: Do not release a wait-head from a GP kthread Joel Fernandes
2024-03-06 22:44 ` Joel Fernandes
2024-03-07 12:25 ` Uladzislau Rezki
2024-03-07 6:21 ` Joel Fernandes
2024-03-07 7:09 ` Joel Fernandes
2024-03-07 12:31 ` Uladzislau Rezki [this message]
2024-03-07 12:28 ` Uladzislau Rezki
2024-03-07 12:57 ` Uladzislau Rezki
2024-03-07 13:13 ` Joel Fernandes
2024-03-07 0:04 ` Frederic Weisbecker
2024-03-07 12:17 ` Uladzislau Rezki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZemzrXfN7PUGiETd@pc636 \
--to=urezki@gmail.com \
--cc=Neeraj.Upadhyay@amd.com \
--cc=boqun.feng@gmail.com \
--cc=frederic@kernel.org \
--cc=hdanton@sina.com \
--cc=joel@joelfernandes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleksiy.avramchenko@sony.com \
--cc=paulmck@kernel.org \
--cc=rcu@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.