Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2335053ybi; Thu, 18 Jul 2019 06:54:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqwk4O5q6uq8r6IkVe680DQk46Uj280rcTC0s2cyqsD4avPeW7NFH7YEP6gUh/WLcmwzamhU X-Received: by 2002:a17:90a:2486:: with SMTP id i6mr50682843pje.125.1563458060815; Thu, 18 Jul 2019 06:54:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563458060; cv=none; d=google.com; s=arc-20160816; b=UTHJLp/UJZ1ZscNuC9KLFN7jMKOnfDyqYgWF4t8PvTybyLwvQJ2d9uNF227og2ZwHy CyTmL4Oz7Nh2y27jZTH7moAPxl0W0ieFG3v3lxa5CAgLsDiUcUsxWr1LiWXYRPEwt6oq dqEIhf2145fQ+Df0Yo+KAyv3hn1Mo50lNWZUhCoikDuVb741zQ7oiglRFu0WoKKZCh9w CwloT33fbBdsiL5ZdRidy6SBHpUFAFq/CC+WWB4caX6ca1csUqvGsel6kfLqcfCyL1M2 863TxJzvHyLKpW+Ttj+FH77J+KyjwGlTQH8s2WX9iJgn3Qpt2AUra+5sp0fB9nCBv9hW f6lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:subject:cc:to :from:date:user-agent:message-id:dkim-signature; bh=nvBiFnv5cRW6rhCVluedIbBY8Hl/DjC3Uttl91M1iAE=; b=nK8sEh4PS4m5VatTZ1ycPkVSU4v2kuqPDzjQ8UwY4xyXRkmekiYmgC0pGs0o+FzXFS 6/1AAHw40JEKyXSuI+tyjDn7AcJJDRXmNlaf66kaB/cdPjtesCYoLia43WE140s5+mKo a7qBvnLWSdQ6lKB8GAZCNl8/ZCVLCPhrr4fANX0VysVFASPzlUHnVgBQwgPED6h1CInP CDYEc41nX5vOFM78FouV9+6Icekg+jA9g6A6qo5KttAxhRdg+g2knj0K6k2jCUwDPGRv RdsDBHITr+y9ulAqlKDqiiF9JpT5qR2OcVwZZgEAKs/h+zUQetGJdGBNDuGSDVOxW8K1 ulrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=OQRHNtWA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u4si980418pgb.218.2019.07.18.06.54.04; Thu, 18 Jul 2019 06:54:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=OQRHNtWA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390623AbfGRNxi (ORCPT + 99 others); Thu, 18 Jul 2019 09:53:38 -0400 Received: from merlin.infradead.org ([205.233.59.134]:43922 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390581AbfGRNxi (ORCPT ); Thu, 18 Jul 2019 09:53:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Type:MIME-Version:References: Subject:Cc:To:From:Date:Message-Id:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nvBiFnv5cRW6rhCVluedIbBY8Hl/DjC3Uttl91M1iAE=; b=OQRHNtWAPWYediKV/Q6pa6uFxK 9mMlesxee04ckJbpUo2miwGGdgZ7KpGLZBj/L1+OspRWrj5bGkqvqFIT3p4Jn5lMMUe850W2f+HbU OroS32fs1VNmbwyWpR9WnYrNAcOz2srDJi7EaMh4VtwPtx2T2edK4SoMePkk7BAFSxdJyTSmTZycO 6C4TZQYUWVY0xXamexag4cAGCITwe1kptB29wAaQL5hN43mQ4WBRT38YqxPzZ/gbRr26mcNA5CjET SMBlYe/6+/M+Ji+F6VyVSlr/+WMTiT205Yplro6hgeWEFpTlZ2D+AINc+4OfA+vg8Mm49bVgnscdO eGqTd9jg==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92 #3 (Red Hat Linux)) id 1ho6qb-0003u5-GC; Thu, 18 Jul 2019 13:53:25 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 0) id C3A30201C12E4; Thu, 18 Jul 2019 15:53:22 +0200 (CEST) Message-Id: <20190718135205.916241783@infradead.org> User-Agent: quilt/0.65 Date: Thu, 18 Jul 2019 15:49:55 +0200 From: Peter Zijlstra To: Will Deacon Cc: linux-kernel@vger.kernel.org, Peter Zijlstra , Jan Stancek , Waiman Long , dbueso@suse.de, mingo@redhat.com, jade.alglave@arm.com, paulmck@linux.vnet.ibm.com Subject: [PATCH 1/4] locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty References: <20190718134954.496297975@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Stancek LTP mtest06 has been observed to occasionally hit "still mapped when deleted" and following BUG_ON on arm64. The extra mapcount originated from pagefault handler, which handled pagefault for vma that has already been detached. vma is detached under mmap_sem write lock by detach_vmas_to_be_unmapped(), which also invalidates vmacache. When the pagefault handler (under mmap_sem read lock) calls find_vma(), vmacache_valid() wrongly reports vmacache as valid. After rwsem down_read() returns via 'queue empty' path (as of v5.2), it does so without an ACQUIRE on sem->count: down_read() __down_read() rwsem_down_read_failed() __rwsem_down_read_failed_common() raw_spin_lock_irq(&sem->wait_lock); if (list_empty(&sem->wait_list)) { if (atomic_long_read(&sem->count) >= 0) { raw_spin_unlock_irq(&sem->wait_lock); return sem; The problem can be reproduced by running LTP mtest06 in a loop and building the kernel (-j $NCPUS) in parallel. It does reproduces since v4.20 on arm64 HPE Apollo 70 (224 CPUs, 256GB RAM, 2 nodes). It triggers reliably in about an hour. The patched kernel ran fine for 10+ hours. Cc: dbueso@suse.de Cc: mingo@redhat.com Fixes: 4b486b535c33 ("locking/rwsem: Exit read lock slowpath if queue empty & no writer") Signed-off-by: Jan Stancek Reviewed-by: Will Deacon Acked-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/50b8914e20d1d62bb2dee42d342836c2c16ebee7.1563438048.git.jstancek@redhat.com --- kernel/locking/rwsem.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -1032,6 +1032,8 @@ rwsem_down_read_slowpath(struct rw_semap */ if (adjustment && !(atomic_long_read(&sem->count) & (RWSEM_WRITER_MASK | RWSEM_FLAG_HANDOFF))) { + /* Provide lock ACQUIRE */ + smp_acquire__after_ctrl_dep(); raw_spin_unlock_irq(&sem->wait_lock); rwsem_set_reader_owned(sem); lockevent_inc(rwsem_rlock_fast);