From: Tejun Heo <tj@kernel.org>
To: Lai Jiangshan <jiangshanlai@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	Lai Jiangshan <jiangshan.ljs@antgroup.com>,
	Marc Hartmayer <mhartmay@linux.ibm.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] workqueue: Clear worker->pool in the worker thread context
Date: Wed, 11 Sep 2024 19:59:11 -1000
Message-ID: <ZuKDL1xuDeAzExSN@slm.duckdns.org>
In-Reply-To: <20240912032329.419054-1-jiangshanlai@gmail.com>

On Thu, Sep 12, 2024 at 11:23:29AM +0800, Lai Jiangshan wrote:
> From: Lai Jiangshan <jiangshan.ljs@antgroup.com>
> 
> Marc Hartmayer reported:
>         [   23.133876] Unable to handle kernel pointer dereference in virtual kernel address space
>         [   23.133950] Failing address: 0000000000000000 TEID: 0000000000000483
>         [   23.133954] Fault in home space mode while using kernel ASCE.
>         [   23.133957] AS:000000001b8f0007 R3:0000000056cf4007 S:0000000056cf3800 P:000000000000003d
>         [   23.134207] Oops: 0004 ilc:2 [#1] SMP
> 	(snip)
>         [   23.134516] Call Trace:
>         [   23.134520]  [<0000024e326caf28>] worker_thread+0x48/0x430
>         [   23.134525] ([<0000024e326caf18>] worker_thread+0x38/0x430)
>         [   23.134528]  [<0000024e326d3a3e>] kthread+0x11e/0x130
>         [   23.134533]  [<0000024e3264b0dc>] __ret_from_fork+0x3c/0x60
>         [   23.134536]  [<0000024e333fb37a>] ret_from_fork+0xa/0x38
>         [   23.134552] Last Breaking-Event-Address:
>         [   23.134553]  [<0000024e333f4c04>] mutex_unlock+0x24/0x30
>         [   23.134562] Kernel panic - not syncing: Fatal exception: panic_on_oops
> 
> With debugging and analysis, worker_thread() accesses the nullified
> worker->pool when the newly created worker is destroyed before being
> woken up, in which case worker_thread() can see the result of detach_worker()
> resetting worker->pool to NULL at the beginning.
> 
> Move the code "worker->pool = NULL;" out from detach_worker() to fix the
> problem.
> 
> worker->pool had been designed to be constant for regular workers and
> changeable for rescuer. To share attaching/detaching code for regular
> and rescuer workers and to avoid worker->pool being accessed inadvertently
> when the worker has been detached, worker->pool is reset to NULL when
> detached no matter whether the worker is a rescuer or not.
> 
> To maintain worker->pool being reset after detached, move the code
> "worker->pool = NULL;" in the worker thread context after detached.
> 
> It is either in the regular worker thread context after PF_WQ_WORKER
> is cleared or in rescuer worker thread context with wq_pool_attach_mutex
> held. So it is safe to do so.
> 
> Cc: Marc Hartmayer <mhartmay@linux.ibm.com>
> Link: https://lore.kernel.org/lkml/87wmjj971b.fsf@linux.ibm.com/
> Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
> Fixes: f4b7b53c94af ("workqueue: Detach workers directly in idle_cull_fn()")
> Cc: stable@vger.kernel.org # v6.11+
> Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>

Applied to wq/for-6.11-fxes.

Thanks.

-- 
tejun
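
A minimal single-threaded model of the ordering described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. Only worker->pool, detach_worker() and worker_thread() are names from the message; the `die` flag, the `_old`/`_new` suffixes, `destroy_before_wakeup()` and the replayed interleaving are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified single-threaded model of the reported ordering; not kernel code. */
struct worker_pool { int nr_workers; };
struct worker {
    struct worker_pool *pool;  /* models worker->pool */
    bool die;                  /* assumed flag: worker was told to exit */
};
enum outcome { RAN_OK, NULL_POOL };

/* Before the fix: detaching also resets worker->pool. */
static void detach_worker_old(struct worker *w) {
    w->pool->nr_workers--;
    w->pool = NULL;
}

/* After the fix: detaching leaves worker->pool for the worker to clear. */
static void detach_worker_new(struct worker *w) {
    w->pool->nr_workers--;
}

/* What the worker does when it is finally scheduled for the first time. */
static enum outcome worker_thread(struct worker *w) {
    struct worker_pool *pool = w->pool;
    if (pool == NULL)
        return NULL_POOL;      /* the model reports what the kernel would oops on */
    if (w->die)
        w->pool = NULL;        /* reset in the worker's own context */
    return RAN_OK;
}

/* Create a worker, destroy it before its first wake-up, then let it run. */
static enum outcome destroy_before_wakeup(void (*detach)(struct worker *),
                                          struct worker *w, struct worker_pool *p) {
    w->pool = p;
    p->nr_workers++;
    w->die = true;             /* destroyed before ever running */
    detach(w);
    return worker_thread(w);
}

int main(void) {
    struct worker_pool p = { 0 };
    struct worker w;
    bool ok = destroy_before_wakeup(detach_worker_old, &w, &p) == NULL_POOL &&
              destroy_before_wakeup(detach_worker_new, &w, &p) == RAN_OK;
    return ok ? 0 : 1;
}
```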
