All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>
Cc: Hillf Danton <hdanton@sina.com>,
	syzbot <syzbot+6fb78d577e89e69602f9@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org, pbonzini@redhat.com,
	syzkaller-bugs@googlegroups.com,
	Steven Rostedt <rosted@goodmis.org>,
	Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [syzbot] WARNING in call_timer_fn
Date: Fri, 18 Nov 2022 09:53:41 +0900	[thread overview]
Message-ID: <d38fe3c3-1f0b-b5f6-2895-aee9476b20bf@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CABBYNZJYbzX9xoqU8_KEArTJ2=5eMTiDTjMbNjEYNVmi1rkp+A@mail.gmail.com>

On 2022/11/18 6:16, Luiz Augusto von Dentz wrote:
> Wasn't the following patch suppose to address such problem:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=deee93d13d385103205879a8a0915036ecd83261
> 
> It was merged in the last pull request to net-next:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a507ea32b9c2c407012bf89109ac0cf89fae313c
> 

No. Commit deee93d13d38 ("Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works")
is for handling queue_work() from hci_cmd_timeout(struct work_struct *work) from process_one_work()
(that is, called from a kernel workqueue thread from process context).

But this report says that queue_work() is called from timer interrupt handler from interrupt context
while drain_workqueue(hdev->workqueue) is in progress from process context.

But... is is_chained_work() check appropriate?
Why can't we exclude "timer interrupt handler" from "somebody else" ?

The comment for drain_workqueue() says

 * Wait until the workqueue becomes empty.  While draining is in progress,
 * only chain queueing is allowed.  IOW, only currently pending or running
 * work items on @wq can queue further work items on it.  @wq is flushed
 * repeatedly until it becomes empty.  The number of flushing is determined
 * by the depth of chaining and should be relatively short.  Whine if it
 * takes too long.

but why limited to "only currently pending or running work items on @wq" (that is,
only process context) ?

Although drain_workqueue() is also called from destroy_workqueue() (which would cause
use-after-free bug if interrupt handler calls queue_work() some time after drain_workqueue()),
I think that we can wait for drain_workqueue() to call __flush_workqueue() again if a further
work item is queued from interrupt handler...

Anyway, stopping all works and delayed works before calling drain_workqueue() would address
this problem.


  reply	other threads:[~2022-11-18  0:53 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-16 15:25 [syzbot] WARNING in call_timer_fn syzbot
2022-11-16 18:29 ` Thomas Gleixner
     [not found] ` <20221117024511.3606-1-hdanton@sina.com>
2022-11-17 11:54   ` Thomas Gleixner
     [not found]   ` <20221117125523.3783-1-hdanton@sina.com>
2022-11-17 16:06     ` Thomas Gleixner
2022-11-17 21:04       ` Luiz Augusto von Dentz
2022-11-17 21:16         ` Luiz Augusto von Dentz
2022-11-18  0:53           ` Tetsuo Handa [this message]
2022-11-18  1:17             ` Thomas Gleixner
     [not found]           ` <20221118012805.3862-1-hdanton@sina.com>
2022-11-18 20:01             ` Luiz Augusto von Dentz
     [not found] <20221117010835.3474-1-hdanton@sina.com>
2022-11-17  1:35 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d38fe3c3-1f0b-b5f6-2895-aee9476b20bf@I-love.SAKURA.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luiz.dentz@gmail.com \
    --cc=marcel@holtmann.org \
    --cc=pbonzini@redhat.com \
    --cc=rosted@goodmis.org \
    --cc=syzbot+6fb78d577e89e69602f9@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.