Re: Scheduler Bug (set_cpus_allowed)

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Robert Love <rml@tech9.net>
To: Mike Kravetz <kravetz@us.ibm.com>
Cc: Ingo Molnar <mingo@elte.hu>, linux-kernel@vger.kernel.org
Subject: Re: Scheduler Bug (set_cpus_allowed)
Date: 07 Jun 2002 11:36:46 -0700	[thread overview]
Message-ID: <1023475007.1137.62.camel@sinai> (raw)
In-Reply-To: <20020606162028.E3193@w-mikek2.des.beaverton.ibm.com>

On Thu, 2002-06-06 at 16:20, Mike Kravetz wrote:

> Consider the case where a task is to give up the CPU
> and schedule() is called.  In such a case the current
> task is removed from the runqueue (via deactivate_task).
> Now, further assume that there are no runnable tasks
> on the runqueue and we end up calling load_balance().
> In load_balance, we potentially drop the runqueue lock
> to obtain multiple runqueue locks in the proper order.
> Now, when we drop the runqueue lock we will still
> be running in the context of task p.  However, p does
> not reside on a runqueue.  It is now possible for
> set_cpus_allowed() to be called for p.  We can get the
> runqueue lock and take the fast path to simply update
> the task's cpu field.  If this happens, bad (very bad)
> things will happen!

Ugh I think you are right.  This is an incredibly small race, though!

> My first thought was to simply add a check to the
> above code to ensure that p was not currently running
> (p != rq->curr).  However, even with this change I
> 'think' the same problem exists later on in schedule()
> where we drop the runqueue lock before doing a context
> switch.  At this point, p is not on the runqueue and
> p != rq->curr, yet we are still runnning in the context
> of p until we actually do the context switch.  To tell
> the truth, I'm not exactly sure what 'rq->frozen' lock
> is for.  Also, the routine 'schedule_tail' does not
> appear to be used anywhere.

I agree here, too.

Fyi, schedule_tail is called from assembly code on SMP machines.  See
entry.S

rq->frozen is admittedly a bit confusing.  Dave Miller added it - on
some architectures mm->page_table_lock is grabbed during switch_mm(). 
Additionally, swap_out() and others grab page_table_lock during wakeups
which also grab rq->lock.  Bad locking... Dave's solution was to make
another lock, the "frozen state lock", which is held around context
switches.  This way we can protect the "not switched out yet" task
without grabbing the whole runqueue lock.

Anyhow, with this issue, I guess we need to fix it... I'll send a patch
to Linus.

	Robert Love

next prev parent reply	other threads:[~2002-06-07 18:36 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-06-06 23:20 Scheduler Bug (set_cpus_allowed) Mike Kravetz
2002-06-07 18:36 ` Robert Love [this message]
2002-06-07 19:12   ` Mike Kravetz
2002-06-10 20:12     ` Ingo Molnar
2002-06-10 20:57       ` Mike Kravetz
2002-06-10 22:35         ` Ingo Molnar
2002-06-10 23:15           ` Mike Kravetz
2002-06-10 23:24             ` Ingo Molnar
2002-06-10 23:28               ` Robert Love
2002-06-11  0:05                 ` [patch] current scheduler bits, 2.5.21 Ingo Molnar
2002-06-11  0:27                   ` Robert Love
2002-06-11 17:35                     ` [patch] current scheduler bits #2, 2.5.21 Ingo Molnar
2002-06-11 18:25                       ` Robert Love
2002-06-11 18:33                         ` [patch] current scheduler bits #3, 2.5.21 Ingo Molnar
2002-06-13 21:26                           ` [PATCH] " Robert Love
2002-06-13 22:06                             ` [patch] current scheduler bits #4, 2.5.21 Ingo Molnar
2002-06-07 23:20   ` Scheduler Bug (set_cpus_allowed) J.A. Magallon
2002-06-12  0:00     ` Andrea Arcangeli
2002-06-10 18:50   ` Mike Kravetz
2002-06-10 20:02     ` Ingo Molnar
2002-06-12 11:54       ` David S. Miller
2002-06-12 16:57         ` [patch] switch_mm()'s desire to run without the rq lock Ingo Molnar
2002-06-12 21:54           ` David S. Miller
2002-06-12 22:31           ` David S. Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1023475007.1137.62.camel@sinai \
    --to=rml@tech9.net \
    --cc=kravetz@us.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox