Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S941267AbcJXQIo (ORCPT ); Mon, 24 Oct 2016 12:08:44 -0400 Received: from mail-wm0-f41.google.com ([74.125.82.41]:36828 "EHLO mail-wm0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S938729AbcJXQIj (ORCPT ); Mon, 24 Oct 2016 12:08:39 -0400 From: Roman Pen Cc: Roman Pen , Andy Lutomirski , Oleg Nesterov , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Tejun Heo , linux-kernel@vger.kernel.org Subject: [PATCH v2 2/2] workqueue: ignore dead tasks in a workqueue sleep hook Date: Mon, 24 Oct 2016 18:08:14 +0200 Message-Id: <20161024160814.3126-2-roman.penyaev@profitbricks.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20161024160814.3126-1-roman.penyaev@profitbricks.com> References: <20161024160814.3126-1-roman.penyaev@profitbricks.com> To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3429 Lines: 98 If panic_on_oops is not set and oops happens inside workqueue kthread, kernel kills this kthread. Current patch fixes recursive GPF which happens when wq_worker_sleeping() function unconditionally accesses the NULL kthread->vfork_done ptr trhu kthread_data() -> to_kthread(). The stack is the following: [] dump_stack+0x68/0x93 [] ? do_exit+0x7ab/0xc10 [] __schedule_bug+0x83/0xe0 [] __schedule+0x7ea/0xba0 [] ? vprintk_default+0x1f/0x30 [] ? printk+0x48/0x50 [] schedule+0x40/0x90 [] do_exit+0x9ca/0xc10 [] ? kmsg_dump+0x11d/0x190 [] ? kmsg_dump+0x17/0x190 [] oops_end+0x99/0xd0 [] no_context+0x185/0x3e0 [] __bad_area_nosemaphore+0x83/0x1c0 [] ? vprintk_emit+0x25e/0x530 [] bad_area_nosemaphore+0x14/0x20 [] __do_page_fault+0xac/0x570 [] ? console_trylock+0x1e/0xe0 [] ? trace_hardirqs_off_thunk+0x1a/0x1c [] do_page_fault+0xc/0x10 [] page_fault+0x22/0x30 [] ? kthread_data+0x33/0x40 [] ? wq_worker_sleeping+0xe/0x80 [] __schedule+0x47b/0xba0 [] schedule+0x40/0x90 [] do_exit+0x7dd/0xc10 [] oops_end+0x99/0xd0 kthread->vfork_done is zeroed out on the following path: do_exit() exit_mm() mm_release() complete_vfork_done() In order to fix a bug dead tasks must be ignored. Signed-off-by: Roman Pen Cc: Andy Lutomirski Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Tejun Heo Cc: linux-kernel@vger.kernel.org --- v2: o put a task->state check directly into a wq_worker_sleeping() function instead of changing the __schedule(). kernel/workqueue.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 9dc7ac5..b19dcb6 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -875,9 +875,31 @@ void wq_worker_waking_up(struct task_struct *task, int cpu) */ struct task_struct *wq_worker_sleeping(struct task_struct *task) { - struct worker *worker = kthread_data(task), *to_wakeup = NULL; + struct worker *worker, *to_wakeup = NULL; struct worker_pool *pool; + + if (task->state == TASK_DEAD) + /* Here we try to catch the following path before + * accessing NULL kthread->vfork_done ptr thru + * kthread_data(): + * + * oops_end() + * do_exit() + * schedule() + * + * If panic_on_oops is not set and oops happens on + * a workqueue execution path, thread will be killed. + * That is definitly sad, but not to make the situation + * even worse we have to ignore dead tasks in order not + * to step on zeroed out members (e.g. t->vfork_done is + * already NULL on that path, since we were called by + * do_exit())). + */ + return NULL; + + worker = kthread_data(task); + /* * Rescuers, which may not have all the fields set up like normal * workers, also reach here, let's not access anything before -- 2.9.3