From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Daniel Vacek <neelx@redhat.com>,
Yuya Fujita-bishamonten <fj-lsoft-rh-driver@dl.jp.fujitsu.com>,
Leon Romanovsky <leon@kernel.org>,
Sasha Levin <sashal@kernel.org>,
jinpu.wang@ionos.com, linux-rdma@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 22/35] IB/ipoib: Fix mcast list locking
Date: Mon, 22 Jan 2024 10:12:19 -0500 [thread overview]
Message-ID: <20240122151302.995456-22-sashal@kernel.org> (raw)
In-Reply-To: <20240122151302.995456-1-sashal@kernel.org>
From: Daniel Vacek <neelx@redhat.com>
[ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ]
Releasing the `priv->lock` while iterating the `priv->multicast_list` in
`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to
remove the items while in the middle of iteration. If the mcast is removed
while the lock was dropped, the for loop spins forever resulting in a hard
lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):
Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)
-----------------------------------+-----------------------------------
ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)
spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)
list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)
&priv->multicast_list, list) |
ipoib_mcast_join(dev, mcast) |
spin_unlock_irq(&priv->lock) |
| spin_lock_irqsave(&priv->lock, flags)
| list_for_each_entry_safe(mcast, tmcast,
| &priv->multicast_list, list)
| list_del(&mcast->list);
| list_add_tail(&mcast->list, &remove_list)
| spin_unlock_irqrestore(&priv->lock, flags)
spin_lock_irq(&priv->lock) |
| ipoib_mcast_remove_list(&remove_list)
(Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,
`priv->multicast_list` and we keep | remove_list, list)
spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)
the other thread which is blocked |
and the list is still valid on |
it's stack.)
Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent
eventual sleeps.
Unfortunately we could not reproduce the lockup and confirm this fix but
based on the code review I think this fix should address such lockups.
crash> bc 31
PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2"
--
[exception RIP: ipoib_mcast_join_task+0x1b1]
RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002
RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000
work (&priv->mcast_task{,.work})
RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000
&mcast->list
RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000
R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00
mcast
R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8
dev priv (&priv->lock) &priv->multicast_list (aka head)
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
--- <NMI exception stack> ---
#5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]
#6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967
crash> rx ff646f199a8c7e68
ff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work
crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000
(empty)
crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000
mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,
mcast_mutex.owner.counter = 0xff1c69998efec000
crash> b 8
PID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: "kworker/u72:0"
--
#3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646
#4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]
#5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]
#6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]
#7 [ff646f1980153e98] process_one_work+0x1a7 at ffffffff9bf10967
crash> rx ff646f1980153e68
ff646f1980153e68: ff1c6a1a04dc83f0 <<< work = &priv->flush_light
crash> ipoib_dev_priv.flush_light.func,broadcast ff1c6a1a04dc8000
flush_light.func = 0xffffffffc0943820 <ipoib_ib_dev_flush_light>,
broadcast = 0x0,
The mcast(s) on the `remove_list` (the remaining part of the ex `priv->multicast_list`):
crash> list -s ipoib_mcast.done.done ipoib_mcast.list -H ff646f1980153e10 | paste - -
ff1c6a192bd0c200 done.done = 0x0,
ff1c6a192d60ac00 done.done = 0x0,
Reported-by: Yuya Fujita-bishamonten <fj-lsoft-rh-driver@dl.jp.fujitsu.com>
Signed-off-by: Daniel Vacek <neelx@redhat.com>
Link: https://lore.kernel.org/all/20231212080746.1528802-1-neelx@redhat.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 9e6967a40042..319d4288eddd 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -531,21 +531,17 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast)
if (test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags))
rec.join_state = SENDONLY_FULLMEMBER_JOIN;
}
- spin_unlock_irq(&priv->lock);
multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port,
- &rec, comp_mask, GFP_KERNEL,
+ &rec, comp_mask, GFP_ATOMIC,
ipoib_mcast_join_complete, mcast);
- spin_lock_irq(&priv->lock);
if (IS_ERR(multicast)) {
ret = PTR_ERR(multicast);
ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret);
/* Requeue this join task with a backoff delay */
__ipoib_mcast_schedule_join_thread(priv, mcast, 1);
clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
- spin_unlock_irq(&priv->lock);
complete(&mcast->done);
- spin_lock_irq(&priv->lock);
return ret;
}
return 0;
--
2.43.0
next prev parent reply other threads:[~2024-01-22 15:14 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-22 15:11 [PATCH AUTOSEL 5.15 01/35] f2fs: fix to check return value of f2fs_reserve_new_block() Sasha Levin
2024-01-22 15:11 ` [PATCH AUTOSEL 5.15 02/35] ALSA: hda: Refer to correct stream index at loops Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 03/35] ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 04/35] drm: Fix color LUT rounding Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 05/35] fast_dput(): handle underflows gracefully Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 06/35] RDMA/IPoIB: Fix error code return in ipoib_mcast_join Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 07/35] drm/amd/display: Fix tiled display misalignment Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 08/35] f2fs: fix write pointers on zoned device after roll forward Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 09/35] drm/amd/display: Fix writeback_info never got updated Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 10/35] drm/drm_file: fix use of uninitialized variable Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 11/35] drm/framebuffer: Fix " Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 12/35] drm/mipi-dsi: Fix detach call without attach Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 13/35] media: stk1160: Fixed high volume of stk1160_dbg messages Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 14/35] media: rockchip: rga: fix swizzling for RGB formats Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 15/35] PCI: add INTEL_HDA_ARL to pci_ids.h Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 16/35] ALSA: hda: Intel: add HDA_ARL PCI ID support Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 17/35] ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 18/35] media: rkisp1: Drop IRQF_SHARED Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 19/35] hwmon: (pc87360) Bounds check data->innr usage Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 20/35] f2fs: fix to tag gcing flag on page during block migration Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 21/35] drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time Sasha Levin
2024-01-22 15:12 ` Sasha Levin [this message]
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 23/35] media: ddbridge: fix an error code problem in ddb_probe Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 24/35] media: i2c: imx335: Fix hblank min/max values Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 25/35] drm/msm/dpu: Ratelimit framedone timeout msgs Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 26/35] drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 27/35] clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 28/35] clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 29/35] watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 30/35] drm/amd/display: make flip_timestamp_in_us a 64-bit variable Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 31/35] clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu() Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 32/35] clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 33/35] drm/amdgpu: Let KFD sync with VM fences Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 34/35] drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' Sasha Levin
2024-01-22 15:12 ` [PATCH AUTOSEL 5.15 35/35] ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240122151302.995456-22-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=fj-lsoft-rh-driver@dl.jp.fujitsu.com \
--cc=jinpu.wang@ionos.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=neelx@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox