stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lai Jiangshan <jiangshanlai@gmail.com>,
	"Paul E. McKenney" <paulmck@kernel.org>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Frederic Weisbecker <frederic@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Daniel Bristot de Oliveira <bristot@redhat.com>,
	Tejun Heo <tj@kernel.org>
Subject: [PATCH 5.15 02/41] workqueue: Fix unbind_workers() VS wq_worker_running() race
Date: Fri, 14 Jan 2022 09:16:02 +0100	[thread overview]
Message-ID: <20220114081545.245897527@linuxfoundation.org> (raw)
In-Reply-To: <20220114081545.158363487@linuxfoundation.org>

From: Frederic Weisbecker <frederic@kernel.org>

commit 07edfece8bcb0580a1828d939e6f8d91a8603eb2 upstream.

At CPU-hotplug time, unbind_worker() may preempt a worker while it is
waking up. In that case the following scenario can happen:

        unbind_workers()                     wq_worker_running()
        --------------                      -------------------
        	                      if (!(worker->flags & WORKER_NOT_RUNNING))
        	                          //PREEMPTED by unbind_workers
        worker->flags |= WORKER_UNBOUND;
        [...]
        atomic_set(&pool->nr_running, 0);
        //resume to worker
		                              atomic_inc(&worker->pool->nr_running);

After unbind_worker() resets pool->nr_running, the value is expected to
remain 0 until the pool ever gets rebound in case cpu_up() is called on
the target CPU in the future. But here the race leaves pool->nr_running
with a value of 1, triggering the following warning when the worker goes
idle:

	WARNING: CPU: 3 PID: 34 at kernel/workqueue.c:1823 worker_enter_idle+0x95/0xc0
	Modules linked in:
	CPU: 3 PID: 34 Comm: kworker/3:0 Not tainted 5.16.0-rc1+ #34
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
	Workqueue:  0x0 (rcu_par_gp)
	RIP: 0010:worker_enter_idle+0x95/0xc0
	Code: 04 85 f8 ff ff ff 39 c1 7f 09 48 8b 43 50 48 85 c0 74 1b 83 e2 04 75 99 8b 43 34 39 43 30 75 91 8b 83 00 03 00 00 85 c0 74 87 <0f> 0b 5b c3 48 8b 35 70 f1 37 01 48 8d 7b 48 48 81 c6 e0 93  0
	RSP: 0000:ffff9b7680277ed0 EFLAGS: 00010086
	RAX: 00000000ffffffff RBX: ffff93465eae9c00 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: ffff9346418a0000 RDI: ffff934641057140
	RBP: ffff934641057170 R08: 0000000000000001 R09: ffff9346418a0080
	R10: ffff9b768027fdf0 R11: 0000000000002400 R12: ffff93465eae9c20
	R13: ffff93465eae9c20 R14: ffff93465eae9c70 R15: ffff934641057140
	FS:  0000000000000000(0000) GS:ffff93465eac0000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000000 CR3: 000000001cc0c000 CR4: 00000000000006e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	  <TASK>
	  worker_thread+0x89/0x3d0
	  ? process_one_work+0x400/0x400
	  kthread+0x162/0x190
	  ? set_kthread_struct+0x40/0x40
	  ret_from_fork+0x22/0x30
	  </TASK>

Also due to this incorrect "nr_running == 1", further queued work may
end up not being served, because no worker is awaken at work insert time.
This raises rcutorture writer stalls for example.

Fix this with disabling preemption in the right place in
wq_worker_running().

It's worth noting that if the worker migrates and runs concurrently with
unbind_workers(), it is guaranteed to see the WORKER_UNBOUND flag update
due to set_cpus_allowed_ptr() acquiring/releasing rq->lock.

Fixes: 6d25be5782e4 ("sched/core, workqueues: Distangle worker accounting from rq lock")
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/workqueue.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -867,8 +867,17 @@ void wq_worker_running(struct task_struc
 
 	if (!worker->sleeping)
 		return;
+
+	/*
+	 * If preempted by unbind_workers() between the WORKER_NOT_RUNNING check
+	 * and the nr_running increment below, we may ruin the nr_running reset
+	 * and leave with an unexpected pool->nr_running == 1 on the newly unbound
+	 * pool. Protect against such race.
+	 */
+	preempt_disable();
 	if (!(worker->flags & WORKER_NOT_RUNNING))
 		atomic_inc(&worker->pool->nr_running);
+	preempt_enable();
 	worker->sleeping = 0;
 }
 



  parent reply	other threads:[~2022-01-14  8:20 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-14  8:16 [PATCH 5.15 00/41] 5.15.15-rc1 review Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 01/41] s390/kexec: handle R_390_PLT32DBL rela in arch_kexec_apply_relocations_add() Greg Kroah-Hartman
2022-01-14  8:16 ` Greg Kroah-Hartman [this message]
2022-01-14  8:16 ` [PATCH 5.15 03/41] staging: r8188eu: switch the led off during deinit Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 04/41] bpf: Fix out of bounds access from invalid *_or_null type verification Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 05/41] Bluetooth: btusb: Add protocol for MediaTek bluetooth devices(MT7922) Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 06/41] Bluetooth: btusb: Add the new support ID for Realtek RTL8852A Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 07/41] Bluetooth: btusb: Add support for IMC Networks Mediatek Chip(MT7921) Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 08/41] Bbluetooth: btusb: Add another Bluetooth part for Realtek 8852AE Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 09/41] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 10/41] Bluetooth: btusb: enable Mediatek to support AOSP extension Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 11/41] Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 12/41] Bluetooth: btusb: Add the new support IDs for WCN6855 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 13/41] fget: clarify and improve __fget_files() implementation Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 14/41] Bluetooth: btusb: Add one more Bluetooth part for WCN6855 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 15/41] Bluetooth: btusb: Add two more Bluetooth parts " Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 16/41] Bluetooth: btusb: Add support for Foxconn MT7922A Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 17/41] Bluetooth: btintel: Fix broken LED quirk for legacy ROM devices Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 18/41] Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 19/41] Bluetooth: bfusb: fix division by zero in send path Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 20/41] ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 21/41] USB: core: Fix bug in resuming hubs handling of wakeup requests Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 22/41] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 23/41] ath11k: Fix buffer overflow when scanning with extraie Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 24/41] mmc: sdhci-pci: Add PCI ID for Intel ADL Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 25/41] Bluetooth: add quirk disabling LE Read Transmit Power Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 26/41] Bluetooth: btbcm: disable read tx power for some Macs with the T2 Security chip Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 27/41] Bluetooth: btbcm: disable read tx power for MacBook Air 8,1 and 8,2 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 28/41] veth: Do not record rx queue hint in veth_xmit Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 29/41] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 30/41] x86/mce: Remove noinstr annotation from mce_setup() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 31/41] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 32/41] can: isotp: convert struct tpcon::{idx,len} to unsigned int Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 33/41] can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 34/41] random: fix data race on crng_node_pool Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 35/41] random: fix data race on crng init time Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 36/41] random: fix crash on multiple early calls to add_bootloader_randomness() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 37/41] platform/x86/intel: hid: add quirk to support Surface Go 3 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 38/41] media: Revert "media: uvcvideo: Set unique vdev name based in type" Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 39/41] staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 40/41] drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 41/41] staging: greybus: fix stack size warning with UBSAN Greg Kroah-Hartman
2022-01-14 17:43 ` [PATCH 5.15 00/41] 5.15.15-rc1 review Naresh Kamboju
2022-01-14 18:09 ` Jon Hunter
2022-01-14 19:59 ` Ron Economos
2022-01-15  8:14   ` Greg Kroah-Hartman
2022-01-15 11:52     ` Ron Economos
2022-01-15 12:15       ` Greg Kroah-Hartman
2022-01-15 12:31         ` Ron Economos
2022-01-14 22:29 ` Florian Fainelli
2022-01-14 23:32 ` Fox Chen
2022-01-15  0:24 ` Shuah Khan
2022-01-15 11:03 ` Sudip Mukherjee
2022-01-15 14:47 ` Andrei Rabusov
2022-01-15 16:39 ` Guenter Roeck
2022-01-15 16:48 ` Jeffrin Jose T

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220114081545.245897527@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=bigeasy@linutronix.de \
    --cc=bristot@redhat.com \
    --cc=frederic@kernel.org \
    --cc=jiangshanlai@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=paulmck@kernel.org \
    --cc=peterz@infradead.org \
    --cc=stable@vger.kernel.org \
    --cc=tglx@linutronix.de \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).