Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755914AbaLJN02 (ORCPT <rfc822;w@1wt.eu>);
	Wed, 10 Dec 2014 08:26:28 -0500
Received: from e06smtp10.uk.ibm.com ([195.75.94.106]:45707 "EHLO
	e06smtp10.uk.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751927AbaLJN01 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 10 Dec 2014 08:26:27 -0500
Date: Wed, 10 Dec 2014 14:26:19 +0100
From: David Hildenbrand <dahi@linux.vnet.ibm.com>
To: linux-kernel@vger.kernel.org
Cc: heiko.carstens@de.ibm.com, borntraeger@de.ibm.com,
        rafael.j.wysocki@intel.com, paulmck@linux.vnet.ibm.com,
        peterz@infradead.org, oleg@redhat.com, bp@suse.de, jkosina@suse.cz
Subject: Re: [PATCH v4] CPU hotplug: active_writer not woken up in some
 cases - deadlock
Message-ID: <20141210142619.790e3b38@thinkpad-w530>
In-Reply-To: <1418217721-42919-1-git-send-email-dahi@linux.vnet.ibm.com>
References: <1418217721-42919-1-git-send-email-dahi@linux.vnet.ibm.com>
Organization: IBM Deutschland GmbH
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.24; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 14121013-0041-0000-0000-0000026DF5AF
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> Commit b2c4623dcd07 ("rcu: More on deadlock between CPU hotplug and expedited
> grace periods") introduced another problem that can easily be reproduced by
> starting/stopping cpus in a loop.
> 
> E.g.:
>   for i in `seq 5000`; do
>       echo 1 > /sys/devices/system/cpu/cpu1/online
>       echo 0 > /sys/devices/system/cpu/cpu1/online
>   done
> 
> Will result in:
>   INFO: task /cpu_start_stop:1 blocked for more than 120 seconds.
>   Call Trace:
>   ([<00000000006a028e>] __schedule+0x406/0x91c)
>    [<0000000000130f60>] cpu_hotplug_begin+0xd0/0xd4
>    [<0000000000130ff6>] _cpu_up+0x3e/0x1c4
>    [<0000000000131232>] cpu_up+0xb6/0xd4
>    [<00000000004a5720>] device_online+0x80/0xc0
>    [<00000000004a57f0>] online_store+0x90/0xb0
>   ...
> 
> And a deadlock.
> 
> Problem is that if the last ref in put_online_cpus() can't get the
> cpu_hotplug.lock the puts_pending count is incremented, but a sleeping
> active_writer might never be woken up, therefore never exiting the loop in
> cpu_hotplug_begin().
> 
> This fix removes puts_pending and turns refcount into an atomic variable. We
> also introduce a wait queue for the active_writer, to avoid possible races and
> use-after-free. There is no need to take the lock in put_online_cpus() anymore.
> 
> Also rearrange the lockdep anotations so we won't get false positives.
> 
> Can't reproduce it with this fix.
> 
> Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> ---
>  kernel/cpu.c | 60 ++++++++++++++++++++++++++----------------------------------
>  1 file changed, 26 insertions(+), 34 deletions(-)
> 
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index 5d22023..3f1d5ba 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -58,22 +58,23 @@ static int cpu_hotplug_disabled;
> 
>  static struct {
>  	struct task_struct *active_writer;
> -	struct mutex lock; /* Synchronizes accesses to refcount, */
> +	/* wait queue to wake up the active_writer */
> +	wait_queue_head_t wq;
> +	/* verifies that no writer will get active while readers are active */
> +	struct mutex lock;
>  	/*
>  	 * Also blocks the new readers during
>  	 * an ongoing cpu hotplug operation.
>  	 */
> -	int refcount;
> -	/* And allows lockless put_online_cpus(). */
> -	atomic_t puts_pending;
> +	atomic_t refcount;
> 
>  #ifdef CONFIG_DEBUG_LOCK_ALLOC
>  	struct lockdep_map dep_map;
>  #endif
>  } cpu_hotplug = {
>  	.active_writer = NULL,
> +	.wq = __WAIT_QUEUE_HEAD_INITIALIZER(cpu_hotplug.wq),
>  	.lock = __MUTEX_INITIALIZER(cpu_hotplug.lock),
> -	.refcount = 0,
>  #ifdef CONFIG_DEBUG_LOCK_ALLOC
>  	.dep_map = {.name = "cpu_hotplug.lock" },
>  #endif
> @@ -86,15 +87,6 @@ static struct {
>  #define cpuhp_lock_acquire()      lock_map_acquire(&cpu_hotplug.dep_map)
>  #define cpuhp_lock_release()      lock_map_release(&cpu_hotplug.dep_map)
> 
> -static void apply_puts_pending(int max)
> -{
> -	int delta;
> -
> -	if (atomic_read(&cpu_hotplug.puts_pending) >= max) {
> -		delta = atomic_xchg(&cpu_hotplug.puts_pending, 0);
> -		cpu_hotplug.refcount -= delta;
> -	}
> -}
> 
>  void get_online_cpus(void)
>  {
> @@ -103,9 +95,9 @@ void get_online_cpus(void)
>  		return;
>  	cpuhp_lock_acquire_read();
>  	mutex_lock(&cpu_hotplug.lock);
> -	apply_puts_pending(65536);
> -	cpu_hotplug.refcount++;
> +	atomic_inc(&cpu_hotplug.refcount);
>  	mutex_unlock(&cpu_hotplug.lock);
> +	cpuhp_lock_release();
>  }
>  EXPORT_SYMBOL_GPL(get_online_cpus);
> 
> @@ -116,9 +108,9 @@ bool try_get_online_cpus(void)
>  	if (!mutex_trylock(&cpu_hotplug.lock))
>  		return false;
>  	cpuhp_lock_acquire_tryread();
> -	apply_puts_pending(65536);
> -	cpu_hotplug.refcount++;
> +	atomic_inc(&cpu_hotplug.refcount);
>  	mutex_unlock(&cpu_hotplug.lock);
> +	cpuhp_lock_release();
>  	return true;
>  }
>  EXPORT_SYMBOL_GPL(try_get_online_cpus);
> @@ -127,20 +119,16 @@ void put_online_cpus(void)
>  {
>  	if (cpu_hotplug.active_writer == current)
>  		return;
> -	if (!mutex_trylock(&cpu_hotplug.lock)) {
> -		atomic_inc(&cpu_hotplug.puts_pending);
> -		cpuhp_lock_release();
> -		return;
> -	}
> -
> -	if (WARN_ON(!cpu_hotplug.refcount))
> -		cpu_hotplug.refcount++; /* try to fix things up */
> 
> -	if (!--cpu_hotplug.refcount && unlikely(cpu_hotplug.active_writer))
> -		wake_up_process(cpu_hotplug.active_writer);
> -	mutex_unlock(&cpu_hotplug.lock);
> -	cpuhp_lock_release();
> +	if (atomic_dec_and_test(&cpu_hotplug.refcount) &&
> +	    waitqueue_active(&cpu_hotplug.wq))
> +		wake_up(&cpu_hotplug.wq);
> 
> +	/* missing get - try to fix things up */

The only thing that is bugging me is this part. Without the lock we can't
guarantee that another get_online_cpus() just arrived and bumped the refcount
to 0.

Of course this only applies to misuse of put/get_online_cpus.

We could hack some loop that tries to cmp_xchng with the old value until it
fits to work around this, but wouldn't make the code any better readable.

> +	if (WARN_ON(atomic_read(&cpu_hotplug.refcount) < 0))
> +		atomic_set(&cpu_hotplug.refcount, 0);
> +		if (waitqueue_active(&cpu_hotplug.wq))
> +			wake_up(&cpu_hotplug.wq);
>  }
>  EXPORT_SYMBOL_GPL(put_online_cpus);
> 
> @@ -168,18 +156,22 @@ EXPORT_SYMBOL_GPL(put_online_cpus);
>   */
>  void cpu_hotplug_begin(void)
>  {
> +	DEFINE_WAIT(wait);
> +
>  	cpu_hotplug.active_writer = current;
> 
> -	cpuhp_lock_acquire();
>  	for (;;) {
> +		cpuhp_lock_acquire();
>  		mutex_lock(&cpu_hotplug.lock);
> -		apply_puts_pending(1);
> -		if (likely(!cpu_hotplug.refcount))
> +		prepare_to_wait(&cpu_hotplug.wq, &wait, TASK_UNINTERRUPTIBLE);
> +		if (likely(!atomic_read(&cpu_hotplug.refcount)))
>  			break;
> -		__set_current_state(TASK_UNINTERRUPTIBLE);
>  		mutex_unlock(&cpu_hotplug.lock);
> +		cpuhp_lock_release();
>  		schedule();
>  	}
> +
> +	finish_wait(&cpu_hotplug.wq, &wait);
>  }
> 
>  void cpu_hotplug_done(void)



David

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/