From: Ingo Molnar <mingo@kernel.org>
To: linux-kernel@vger.kernel.org
Cc: linux-tip-commits@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Chris Metcalf <cmetcalf@ezchip.com>,
Christoph Lameter <cl@linux.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kirill Tkhai <tkhai@yandex.ru>, Mike Galbraith <efault@gmx.de>,
Oleg Nesterov <oleg@redhat.com>,
"Paul E. McKenney" <paulmck@linux.ibm.com>,
Russell King - ARM Linux admin <linux@armlinux.org.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>
Subject: Re: [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load
Date: Tue, 1 Oct 2019 10:44:05 +0200 [thread overview]
Message-ID: <20191001084405.GA115089@gmail.com> (raw)
In-Reply-To: <156957184332.9866.1795367595934026999.tip-bot2@tip-bot2>
* tip-bot2 for Mathieu Desnoyers <tip-bot2@linutronix.de> wrote:
> The following commit has been merged into the sched/urgent branch of tip:
>
> Commit-ID: 227a4aadc75ba22fcb6c4e1c078817b8cbaae4ce
> Gitweb: https://git.kernel.org/tip/227a4aadc75ba22fcb6c4e1c078817b8cbaae4ce
> Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> AuthorDate: Thu, 19 Sep 2019 13:37:02 -04:00
> Committer: Ingo Molnar <mingo@kernel.org>
> CommitterDate: Wed, 25 Sep 2019 17:42:30 +02:00
>
> sched/membarrier: Fix p->mm->membarrier_state racy load
> + rcu_read_unlock();
> if (!fallback) {
> preempt_disable();
> smp_call_function_many(tmpmask, ipi_mb, NULL, 1);
> @@ -136,6 +178,7 @@ static int membarrier_private_expedited(int flags)
> }
>
> cpus_read_lock();
> + rcu_read_lock();
> for_each_online_cpu(cpu) {
> struct task_struct *p;
>
> @@ -157,8 +200,8 @@ static int membarrier_private_expedited(int flags)
> else
> smp_call_function_single(cpu, ipi_mb, NULL, 1);
> }
> - rcu_read_unlock();
> }
> + rcu_read_unlock();
I noticed this too late, but the locking in this part is now bogus:
rcu_read_lock();
for_each_online_cpu(cpu) {
struct task_struct *p;
/*
* Skipping the current CPU is OK even through we can be
* migrated at any point. The current CPU, at the point
* where we read raw_smp_processor_id(), is ensured to
* be in program order with respect to the caller
* thread. Therefore, we can skip this CPU from the
* iteration.
*/
if (cpu == raw_smp_processor_id())
continue;
rcu_read_lock();
p = rcu_dereference(cpu_rq(cpu)->curr);
if (p && p->mm == mm)
__cpumask_set_cpu(cpu, tmpmask);
}
rcu_read_unlock();
Note the double rcu_read_lock() ....
This bug is now upstream, so requires an urgent fix, as it should be
trivial to trigger with pretty much any membarrier user.
Thanks,
Ingo
next prev parent reply other threads:[~2019-10-01 8:44 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-19 17:36 [RFC PATCH for 5.4 0/7] Membarrier fixes and cleanups Mathieu Desnoyers
2019-09-19 17:36 ` [RFC PATCH for 5.4 1/7] Fix: sched/membarrier: Private expedited registration check Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] sched/membarrier: Fix private " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 2/7] Cleanup: sched/membarrier: Remove redundant check Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 3/7] Cleanup: sched/membarrier: Only sync_core before usermode for same mm Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] sched/membarrier: Call sync_core only " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 4/7] Fix: sched/membarrier: p->mm->membarrier_state racy load (v4) Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load tip-bot2 for Mathieu Desnoyers
2019-10-01 8:44 ` Ingo Molnar [this message]
2019-10-01 8:50 ` Peter Zijlstra
2019-10-01 19:34 ` [tip: sched/urgent] membarrier: Fix RCU locking bug caused by faulty merge tip-bot2 for Peter Zijlstra
2019-09-19 17:37 ` [RFC PATCH for 5.4 5/7] selftests: sched/membarrier: Add multi-threaded test Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] selftests, " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 6/7] sched/membarrier: Skip IPIs when mm->mm_users == 1 Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 7/7] sched/membarrier: Return -ENOMEM to userspace on memory allocation failure Mathieu Desnoyers
2019-09-27 8:10 ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-23 9:06 ` [RFC PATCH for 5.4 0/7] Membarrier fixes and cleanups Peter Zijlstra
2019-09-23 14:55 ` Mathieu Desnoyers
2019-09-25 8:07 ` Peter Zijlstra
2019-09-25 15:50 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001084405.GA115089@gmail.com \
--to=mingo@kernel.org \
--cc=bp@alien8.de \
--cc=cl@linux.com \
--cc=cmetcalf@ezchip.com \
--cc=ebiederm@xmission.com \
--cc=efault@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mathieu.desnoyers@efficios.com \
--cc=oleg@redhat.com \
--cc=paulmck@linux.ibm.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tkhai@yandex.ru \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox