Re: [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Peter Zijlstra <peterz@infradead.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-tip-commits@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Chris Metcalf <cmetcalf@ezchip.com>,
	Christoph Lameter <cl@linux.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Kirill Tkhai <tkhai@yandex.ru>, Mike Galbraith <efault@gmx.de>,
	Oleg Nesterov <oleg@redhat.com>,
	"Paul E. McKenney" <paulmck@linux.ibm.com>,
	Russell King - ARM Linux admin <linux@armlinux.org.uk>,
	Thomas Gleixner <tglx@linutronix.de>,
	Borislav Petkov <bp@alien8.de>
Subject: Re: [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load
Date: Tue, 1 Oct 2019 10:50:33 +0200	[thread overview]
Message-ID: <20191001085033.GP4519@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20191001084405.GA115089@gmail.com>

On Tue, Oct 01, 2019 at 10:44:05AM +0200, Ingo Molnar wrote:
> 
> * tip-bot2 for Mathieu Desnoyers <tip-bot2@linutronix.de> wrote:
> 
> > The following commit has been merged into the sched/urgent branch of tip:
> > 
> > Commit-ID:     227a4aadc75ba22fcb6c4e1c078817b8cbaae4ce
> > Gitweb:        https://git.kernel.org/tip/227a4aadc75ba22fcb6c4e1c078817b8cbaae4ce
> > Author:        Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> > AuthorDate:    Thu, 19 Sep 2019 13:37:02 -04:00
> > Committer:     Ingo Molnar <mingo@kernel.org>
> > CommitterDate: Wed, 25 Sep 2019 17:42:30 +02:00
> > 
> > sched/membarrier: Fix p->mm->membarrier_state racy load
> 
> > +	rcu_read_unlock();
> >  	if (!fallback) {
> >  		preempt_disable();
> >  		smp_call_function_many(tmpmask, ipi_mb, NULL, 1);
> > @@ -136,6 +178,7 @@ static int membarrier_private_expedited(int flags)
> >  	}
> >  
> >  	cpus_read_lock();
> > +	rcu_read_lock();
> >  	for_each_online_cpu(cpu) {
> >  		struct task_struct *p;
> >  
> > @@ -157,8 +200,8 @@ static int membarrier_private_expedited(int flags)
> >  			else
> >  				smp_call_function_single(cpu, ipi_mb, NULL, 1);
> >  		}
> > -		rcu_read_unlock();
> >  	}
> > +	rcu_read_unlock();
> 
> I noticed this too late, but the locking in this part is now bogus:
> 
> 	rcu_read_lock();
> 	for_each_online_cpu(cpu) {
> 		struct task_struct *p;
> 
> 		/*
> 		 * Skipping the current CPU is OK even through we can be
> 		 * migrated at any point. The current CPU, at the point
> 		 * where we read raw_smp_processor_id(), is ensured to
> 		 * be in program order with respect to the caller
> 		 * thread. Therefore, we can skip this CPU from the
> 		 * iteration.
> 		 */
> 		if (cpu == raw_smp_processor_id())
> 			continue;
> 		rcu_read_lock();

Yeah, that one needs to go.

> 		p = rcu_dereference(cpu_rq(cpu)->curr);
> 		if (p && p->mm == mm)
> 			__cpumask_set_cpu(cpu, tmpmask);
> 	}
> 	rcu_read_unlock();
> 
> Note the double rcu_read_lock() ....
> 
> This bug is now upstream, so requires an urgent fix, as it should be 
> trivial to trigger with pretty much any membarrier user.

---
Subject: membarrier: Fix faulty merge

Commit 227a4aadc75b ("sched/membarrier: Fix p->mm->membarrier_state racy
load") got fat fingered by me when merging it with other patches. It
meant to move the rcu section out of the for loop but ended up doing it
partially, leaving a superfluous rcu_read_lock() inside, causing havok.

Fixes: 227a4aadc75b ("sched/membarrier: Fix p->mm->membarrier_state racy load")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
 kernel/sched/membarrier.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
index a39bed2c784f..168479a7d61b 100644
--- a/kernel/sched/membarrier.c
+++ b/kernel/sched/membarrier.c
@@ -174,7 +174,6 @@ static int membarrier_private_expedited(int flags)
 		 */
 		if (cpu == raw_smp_processor_id())
 			continue;
-		rcu_read_lock();
 		p = rcu_dereference(cpu_rq(cpu)->curr);
 		if (p && p->mm == mm)
 			__cpumask_set_cpu(cpu, tmpmask);

next prev parent reply	other threads:[~2019-10-01  8:51 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-19 17:36 [RFC PATCH for 5.4 0/7] Membarrier fixes and cleanups Mathieu Desnoyers
2019-09-19 17:36 ` [RFC PATCH for 5.4 1/7] Fix: sched/membarrier: Private expedited registration check Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] sched/membarrier: Fix private " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 2/7] Cleanup: sched/membarrier: Remove redundant check Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 3/7] Cleanup: sched/membarrier: Only sync_core before usermode for same mm Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] sched/membarrier: Call sync_core only " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 4/7] Fix: sched/membarrier: p->mm->membarrier_state racy load (v4) Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load tip-bot2 for Mathieu Desnoyers
2019-10-01  8:44     ` Ingo Molnar
2019-10-01  8:50       ` Peter Zijlstra [this message]
2019-10-01 19:34         ` [tip: sched/urgent] membarrier: Fix RCU locking bug caused by faulty merge tip-bot2 for Peter Zijlstra
2019-09-19 17:37 ` [RFC PATCH for 5.4 5/7] selftests: sched/membarrier: Add multi-threaded test Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] selftests, " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 6/7] sched/membarrier: Skip IPIs when mm->mm_users == 1 Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-19 17:37 ` [RFC PATCH for 5.4 7/7] sched/membarrier: Return -ENOMEM to userspace on memory allocation failure Mathieu Desnoyers
2019-09-27  8:10   ` [tip: sched/urgent] " tip-bot2 for Mathieu Desnoyers
2019-09-23  9:06 ` [RFC PATCH for 5.4 0/7] Membarrier fixes and cleanups Peter Zijlstra
2019-09-23 14:55   ` Mathieu Desnoyers
2019-09-25  8:07     ` Peter Zijlstra
2019-09-25 15:50       ` Mathieu Desnoyers

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a39bed2c784 dfblob:168479a7d61 )
 OR (
bs:"Re: [tip: sched/urgent] sched/membarrier: Fix p->mm->membarrier_state racy load" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191001085033.GP4519@hirez.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=bp@alien8.de \
    --cc=cl@linux.com \
    --cc=cmetcalf@ezchip.com \
    --cc=ebiederm@xmission.com \
    --cc=efault@gmx.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=mathieu.desnoyers@efficios.com \
    --cc=mingo@kernel.org \
    --cc=oleg@redhat.com \
    --cc=paulmck@linux.ibm.com \
    --cc=tglx@linutronix.de \
    --cc=tkhai@yandex.ru \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox