From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Salman Qazi <sqazi@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: [049/103] hrtimer: Preserve timer state in remove_hrtimer()
Date: Fri, 22 Oct 2010 11:51:23 -0700
Message-ID: <20101022185231.748920418@clark.site>
In-Reply-To: <20101022185455.GA9114@kroah.com>
2.6.35-stable review patch. If anyone has any objections, please let us know.
------------------
From: Salman Qazi <sqazi@google.com>
commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.
The race is described as follows:
CPU X                           CPU Y
remove_hrtimer
// state & QUEUED == 0
timer->state = CALLBACK
unlock timer base
timer->f(n) //very long
                                hrtimer_start
                                  lock timer base
                                  remove_hrtimer // no effect
                                  hrtimer_enqueue
                                  timer->state = CALLBACK |
                                                 QUEUED
                                  unlock timer base
                                hrtimer_start
                                  lock timer base
                                  remove_hrtimer
                                    mode = INACTIVE
                                    // CALLBACK bit lost!
                                  switch_hrtimer_base
                                    CALLBACK bit not set:
                                      timer->base
                                      changes to a
                                      different CPU.
lock this CPU's timer base
The bug was introduced with commit ca109491f (hrtimer: removing all ur
callback modes) in 2.6.29
[ tglx: Feed new state via local variable and add a comment. ]
Signed-off-by: Salman Qazi <sqazi@google.com>
Cc: akpm@linux-foundation.org
Cc: Peter Zijlstra <peterz@infradead.org>
LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/hrtimer.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -936,6 +936,7 @@ static inline int
remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
{
if (hrtimer_is_queued(timer)) {
+ unsigned long state;
int reprogram;
/*
@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st
debug_deactivate(timer);
timer_stats_hrtimer_clear_start_info(timer);
reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
- reprogram);
+ /*
+ * We must preserve the CALLBACK state flag here,
+ * otherwise we could move the timer base in
+ * switch_hrtimer_base.
+ */
+ state = timer->state & HRTIMER_STATE_CALLBACK;
+ __remove_hrtimer(timer, base, state, reprogram);
return 1;
}
return 0;
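Review bot: the new comment above `state = timer->state & HRTIMER_STATE_CALLBACK;` names the consequence (the base moving in switch_hrtimer_base) but not why that is unsafe. The changelog has the reason: the callback is still running on the other CPU, which will afterwards lock its own timer base on the assumption that timer->base has not changed. One more sentence in the comment saying that the callback may still be running elsewhere would save the next reader a trip to the changelog. Separately, when the CALLBACK bit is clear this now passes 0 where the old code passed HRTIMER_STATE_INACTIVE, so the hunk depends on the two being the same value; that is worth stating in the comment as well.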
@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer
BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
enqueue_hrtimer(timer, base);
}
+
+ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
+
timer->state &= ~HRTIMER_STATE_CALLBACK;
}
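Review bot: the `WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));` added ahead of `timer->state &= ~HRTIMER_STATE_CALLBACK;` carries no comment saying which invariant it checks. From the changelog it is that nothing running concurrently with the callback may clear the CALLBACK bit, and a one-line comment to that effect would make a future warning report easier to interpret. Note also that the check only reports: execution continues and clears the bit regardless, whereas the restart branch just above uses BUG_ON for its state check, so a brief mention of why a warning is considered sufficient here would be useful.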