From: "tip-bot2 for Peter Zijlstra" <tip-bot2@linutronix.de>
To: linux-tip-commits@vger.kernel.org
Cc: ville.syrjala@linux.intel.com,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [tip: sched/urgent] sched: Fix race in task_call_func()
Date: Mon, 14 Nov 2022 09:10:14 -0000
Message-ID: <166841701431.4906.7873933542030208235.tip-bot2@tip-bot2>
In-Reply-To: <Y1kdRNNfUeAU+FNl@hirez.programming.kicks-ass.net>

The following commit has been merged into the sched/urgent branch of tip:

Commit-ID:     91dabf33ae5df271da63e87ad7833e5fdb4a44b9
Gitweb:        https://git.kernel.org/tip/91dabf33ae5df271da63e87ad7833e5fdb4a44b9
Author:        Peter Zijlstra <peterz@infradead.org>
AuthorDate:    Wed, 26 Oct 2022 13:43:00 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Mon, 14 Nov 2022 09:58:32 +01:00

sched: Fix race in task_call_func()

There is a very narrow race between schedule() and task_call_func().

  CPU0						CPU1

  __schedule()
    rq_lock();
    prev_state = READ_ONCE(prev->__state);
    if (... && prev_state) {
      deactivate_task(rq, prev, ...)
        prev->on_rq = 0;

						task_call_func()
						  raw_spin_lock_irqsave(p->pi_lock);
						  state = READ_ONCE(p->__state);
						  smp_rmb();
						  if (... || p->on_rq) // false!!!
						    rq = __task_rq_lock()

						  ret = func();

    next = pick_next_task();
    rq = context_switch(prev, next)
      prepare_lock_switch()
        spin_release(&__rq_lockp(rq)->dep_map...)

So while the task is on its way out, it still holds rq->lock for a
little while, and right then task_call_func() comes in and figures it
doesn't need rq->lock anymore (because the task is already dequeued --
but still running there) and then the __set_task_frozen() thing observes
it's holding rq->lock and yells murder.

Avoid this by waiting for p->on_cpu to get cleared, which guarantees
the task is fully finished on the old CPU.

( While arguably the fixes tag is 'wrong' -- none of the previous
  task_call_func() users appears to care for this case. )

Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://lkml.kernel.org/r/Y1kdRNNfUeAU+FNl@hirez.programming.kicks-ass.net
---
 kernel/sched/core.c | 52 +++++++++++++++++++++++++++++---------------
 1 file changed, 35 insertions(+), 17 deletions(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index cb2aa2b..daff72f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4200,6 +4200,40 @@ out:
 	return success;
 }
 
+static bool __task_needs_rq_lock(struct task_struct *p)
+{
+	unsigned int state = READ_ONCE(p->__state);
+
+	/*
+	 * Since pi->lock blocks try_to_wake_up(), we don't need rq->lock when
+	 * the task is blocked. Make sure to check @state since ttwu() can drop
+	 * locks at the end, see ttwu_queue_wakelist().
+	 */
+	if (state == TASK_RUNNING || state == TASK_WAKING)
+		return true;
+
+	/*
+	 * Ensure we load p->on_rq after p->__state, otherwise it would be
+	 * possible to, falsely, observe p->on_rq == 0.
+	 *
+	 * See try_to_wake_up() for a longer comment.
+	 */
+	smp_rmb();
+	if (p->on_rq)
+		return true;
+
+#ifdef CONFIG_SMP
+	/*
+	 * Ensure the task has finished __schedule() and will not be referenced
+	 * anymore. Again, see try_to_wake_up() for a longer comment.
+	 */
+	smp_rmb();
+	smp_cond_load_acquire(&p->on_cpu, !VAL);
+#endif
+
+	return false;
+}
+
 /**
  * task_call_func - Invoke a function on task in fixed state
  * @p: Process for which the function is to be invoked, can be @current.
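Review bot: __task_needs_rq_lock() depends on the caller already holding p->pi_lock (the moved comment says that lock is what blocks try_to_wake_up()), but nothing in the helper states or checks this, and the new smp_cond_load_acquire(&p->on_cpu, !VAL) at the end means it can now busy-wait under that lock. Consider a lockdep_assert_held(&p->pi_lock) at the top and a line in the comment saying the function may spin until the task has left its old CPU. While the comment is being moved anyway, "pi->lock" should read "p->pi_lock". The second smp_rmb() would also benefit from saying which pair of loads it orders (p->on_rq before p->on_cpu), as the first one does for p->__state and p->on_rq, and the plain read of p->on_rq could become READ_ONCE(p->on_rq) to match the READ_ONCE() on p->__state.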
@@ -4217,28 +4251,12 @@ out:
 int task_call_func(struct task_struct *p, task_call_f func, void *arg)
 {
 	struct rq *rq = NULL;
-	unsigned int state;
 	struct rq_flags rf;
 	int ret;
 
 	raw_spin_lock_irqsave(&p->pi_lock, rf.flags);
 
-	state = READ_ONCE(p->__state);
-
-	/*
-	 * Ensure we load p->on_rq after p->__state, otherwise it would be
-	 * possible to, falsely, observe p->on_rq == 0.
-	 *
-	 * See try_to_wake_up() for a longer comment.
-	 */
-	smp_rmb();
-
-	/*
-	 * Since pi->lock blocks try_to_wake_up(), we don't need rq->lock when
-	 * the task is blocked. Make sure to check @state since ttwu() can drop
-	 * locks at the end, see ttwu_queue_wakelist().
-	 */
-	if (state == TASK_RUNNING || state == TASK_WAKING || p->on_rq)
+	if (__task_needs_rq_lock(p))
 		rq = __task_rq_lock(p, &rf);
 
 	/*
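Review bot: the call site "if (__task_needs_rq_lock(p))" now reads like a pure predicate, yet on CONFIG_SMP the helper can wait for p->on_cpu to clear while task_call_func() holds p->pi_lock with interrupts disabled by raw_spin_lock_irqsave(). With the explanatory comments removed from this function, a short comment here (or a sentence in the task_call_func() kernel-doc) noting that the check may spin until the task has finished __schedule() on its previous CPU would keep that cost visible to callers.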
