From: sashiko-bot@kernel.org
To: "Waiman Long" <longman@redhat.com>
Cc: hannes@cmpxchg.org, linux-hwmon@vger.kernel.org, tj@kernel.org,
mkoutny@suse.com
Subject: Re: [PATCH 04/23] tick/nohz: Allow runtime changes in full dynticks CPUs
Date: Wed, 22 Apr 2026 03:08:56 +0000 [thread overview]
Message-ID: <20260422030857.2AD64C2BCB5@smtp.kernel.org> (raw)
In-Reply-To: <20260421030351.281436-5-longman@redhat.com>
Sashiko AI review found 4 potential issue(s):
- [High] Removing the TICK_DO_TIMER_NONE check in can_stop_idle_tick() allows all housekeeping CPUs to stop their ticks, permanently freezing timekeeping.
- [High] Modifying context_tracking.active for online CPUs bypasses RCU context tracking, causing Use-After-Free vulnerabilities.
- [High] Late context tracking initialization fails to propagate TIF_NOHZ to existing tasks and triggers an unconditional WARN_ON_ONCE.
- [Medium] Incomplete implementation: failed to remove the __init attribute from tick_nohz_init().
--
commit 4a1b2d82a8726c69f585b6c42f365c673f890897
Author: Waiman Long <longman@redhat.com>
tick/nohz: Allow runtime changes in full dynticks CPUs
This commit introduces tick_nohz_full_update_cpus() to update
tick_nohz_full_mask at runtime when isolated cpusets are changed.
It modifies context tracking to allow enabling and disabling user
context tracking dynamically.
> We also need to enable CPU context tracking for those CPUs that
> are in tick_nohz_full_mask. So remove __init from tick_nohz_init()
> and ct_cpu_track_user() so that they be called later when an isolated
> cpuset partition is being created.
This isn't a bug, but the commit message says __init is removed from
tick_nohz_init(), but this change doesn't appear in the patch diff.
> diff --git a/kernel/context_tracking.c b/kernel/context_tracking.c
> index 925999de1a28c..394e432630a39 100644
> --- a/kernel/context_tracking.c
> +++ b/kernel/context_tracking.c
[ ... ]
> @@ -674,9 +674,9 @@ void user_exit_callable(void)
> }
> NOKPROBE_SYMBOL(user_exit_callable);
>
> -void __init ct_cpu_track_user(int cpu)
> +void ct_cpu_track_user(int cpu)
> {
> - static __initdata bool initialized = false;
> + static bool initialized;
If this function runs for the first time during a runtime update, will it
trigger the WARN_ON_ONCE(!tasklist_empty()) located further down in this
function?
Also, since only the init_task receives the TIF_NOHZ flag during
this initialization block, will existing tasks that migrate to the newly
isolated CPUs be missing the flag and bypass context tracking checks?
> diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
> index 081f674a65882..67a747207f735 100644
> --- a/kernel/time/tick-sched.c
> +++ b/kernel/time/tick-sched.c
[ ... ]
> @@ -629,6 +626,36 @@ void __init tick_nohz_full_setup(cpumask_var_t cpumask)
> tick_nohz_full_running = true;
> }
>
> +/* Get the new set of run-time nohz CPU list & update accordingly */
> +void tick_nohz_full_update_cpus(struct cpumask *cpumask)
> +{
[ ... ]
> + for_each_cpu_andnot(cpu, tick_nohz_full_mask, cpumask) {
> + WARN_ON_ONCE(cpu_online(cpu));
> + ct_cpu_untrack_user(cpu);
> + cpumask_clear_cpu(cpu, tick_nohz_full_mask);
> + }
> +}
Could this cause Use-After-Free issues if a CPU is online and executing in
userspace when its context tracking is disabled?
The WARN_ON_ONCE warns if the CPU is online, but doesn't prevent
ct_cpu_untrack_user() from running.
If the active flag is cleared while the CPU is in an RCU Extended Quiescent
State, won't it enter the kernel without calling rcu_user_exit(), causing
RCU to incorrectly assume the CPU is still in a quiescent state?
[ ... ]
> @@ -1238,10 +1265,6 @@ static bool can_stop_idle_tick(int cpu, struct tick_sched *ts)
> */
> if (tick_cpu == cpu)
> return false;
> -
> - /* Should not happen for nohz-full */
> - if (WARN_ON_ONCE(tick_cpu == TICK_DO_TIMER_NONE))
> - return false;
> }
>
> return true;
Is it possible for timekeeping to permanently freeze here?
If tick_do_timer_cpu becomes TICK_DO_TIMER_NONE as mentioned in the commit
message, and all non-isolated housekeeping CPUs enter idle, won't they all
evaluate tick_cpu == cpu as false?
Without this check, it seems they will all proceed to stop their ticks,
leaving no CPU to take over the timekeeping duty.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260421030351.281436-1-longman@redhat.com?part=4
next prev parent reply other threads:[~2026-04-22 3:08 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 3:03 [PATCH-next 00/23] cgroup/cpuset: Enable runtime update of nohz_full and managed_irq CPUs Waiman Long
2026-04-21 3:03 ` [PATCH 01/23] sched/isolation: Add HK_TYPE_KERNEL_NOISE_BOOT & HK_TYPE_MANAGED_IRQ_BOOT Waiman Long
2026-04-21 3:03 ` [PATCH 02/23] sched/isolation: Enhance housekeeping_update() to support updating more than one HK cpumask Waiman Long
2026-04-22 3:08 ` sashiko-bot
2026-04-22 6:39 ` Chen Ridong
2026-04-21 3:03 ` [PATCH 03/23] tick/nohz: Make nohz_full parameter optional Waiman Long
2026-04-21 8:32 ` Thomas Gleixner
2026-04-21 14:14 ` Waiman Long
2026-04-22 3:08 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 04/23] tick/nohz: Allow runtime changes in full dynticks CPUs Waiman Long
2026-04-21 8:50 ` Thomas Gleixner
2026-04-21 14:24 ` Waiman Long
2026-04-22 3:08 ` sashiko-bot [this message]
2026-04-21 3:03 ` [PATCH 05/23] tick: Pass timer tick job to an online HK CPU in tick_cpu_dying() Waiman Long
2026-04-21 8:55 ` Thomas Gleixner
2026-04-21 14:22 ` Waiman Long
2026-04-21 3:03 ` [PATCH 06/23] rcu/nocbs: Allow runtime changes in RCU NOCBS cpumask Waiman Long
2026-04-22 3:08 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 07/23] watchdog: Sync up with runtime change of isolated CPUs Waiman Long
2026-04-22 3:08 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 08/23] arm64: topology: Use RCU to protect access to HK_TYPE_TICK cpumask Waiman Long
2026-04-22 3:08 ` sashiko-bot
2026-04-22 9:34 ` Chen Ridong
2026-04-21 3:03 ` [PATCH 09/23] workqueue: Use RCU to protect access of HK_TYPE_TIMER cpumask Waiman Long
2026-04-21 3:03 ` [PATCH 10/23] cpu: " Waiman Long
2026-04-21 8:57 ` Thomas Gleixner
2026-04-21 14:25 ` Waiman Long
2026-04-21 3:03 ` [PATCH 11/23] hrtimer: " Waiman Long
2026-04-21 8:59 ` Thomas Gleixner
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 12/23] net: Use boot time housekeeping cpumask settings for now Waiman Long
2026-04-21 3:03 ` [PATCH 13/23] sched/core: Use RCU to protect access of HK_TYPE_KERNEL_NOISE cpumask Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 14/23] hwmon/coretemp: Use RCU to protect access of HK_TYPE_MISC cpumask Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 15/23] Drivers: hv: Use RCU to protect access of HK_TYPE_MANAGED_IRQ cpumask Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 16/23] genirq/cpuhotplug: " Waiman Long
2026-04-21 9:02 ` Thomas Gleixner
2026-04-21 14:29 ` Waiman Long
2026-04-21 3:03 ` [PATCH 17/23] sched/isolation: Extend housekeeping_dereference_check() to cover changes in nohz_full or manged_irqs cpumasks Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 18/23] cpu/hotplug: Add a new cpuhp_offline_cb() API Waiman Long
2026-04-21 16:17 ` Thomas Gleixner
2026-04-21 17:29 ` Waiman Long
2026-04-21 18:43 ` Thomas Gleixner
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 19/23] cgroup/cpuset: Improve check for calling housekeeping_update() Waiman Long
2026-04-21 3:03 ` [PATCH 20/23] cgroup/cpuset: Enable runtime update of HK_TYPE_{KERNEL_NOISE,MANAGED_IRQ} cpumasks Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 21/23] cgroup/cpuset: Limit the side effect of using CPU hotplug on isolated partition Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 22/23] cgroup/cpuset: Prevent offline_disabled CPUs from being used in " Waiman Long
2026-04-22 3:09 ` sashiko-bot
2026-04-21 3:03 ` [PATCH 23/23] cgroup/cpuset: Documentation and kselftest updates Waiman Long
2026-04-22 3:09 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260422030857.2AD64C2BCB5@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=hannes@cmpxchg.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=longman@redhat.com \
--cc=mkoutny@suse.com \
--cc=sashiko@lists.linux.dev \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox