Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751170AbWAYOX7 (ORCPT ); Wed, 25 Jan 2006 09:23:59 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751173AbWAYOX7 (ORCPT ); Wed, 25 Jan 2006 09:23:59 -0500 Received: from mx3.mail.elte.hu ([157.181.1.138]:58602 "EHLO mx3.mail.elte.hu") by vger.kernel.org with ESMTP id S1751170AbWAYOX6 (ORCPT ); Wed, 25 Jan 2006 09:23:58 -0500 Date: Wed, 25 Jan 2006 15:23:07 +0100 From: Ingo Molnar To: Linus Torvalds Cc: Andrew Morton , linux-kernel@vger.kernel.org, Arjan van de Ven , "Paul E. McKenney" Subject: [patch, lock validator] fix uidhash_lock <-> RCU deadlock Message-ID: <20060125142307.GA5427@elte.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-ELTE-SpamScore: 0.0 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=0.0 required=5.9 tests=AWL autolearn=no SpamAssassin version=3.0.3 0.0 AWL AWL: From: address is in the auto white-list X-ELTE-VirusStatus: clean Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4744 Lines: 150 RCU task-struct freeing can call free_uid(), which is taking uidhash_lock - while other users of uidhash_lock are softirq-unsafe. This bug was found by the lock validator i'm working on: ============================ [ BUG: illegal lock usage! ] ---------------------------- illegal {enabled-softirqs} -> {used-in-softirq} usage. swapper/0 [HC0[0]:SC1[2]:HE1:SE0] takes {uidhash_lock [u:25]}, at: [] _atomic_dec_and_lock+0x48/0x80 {enabled-softirqs} state was registered at: [] _write_unlock_bh+0xd/0x10 hardirqs last enabled at: [] kmem_cache_free+0x78/0xb0 softirqs last enabled at: [] copy_process+0x2ca/0xe80 other info that might help in debugging this: ------------------------------ | showing all locks held by: | (swapper/0 [c30d8790, 140]): ------------------------------ [] show_trace+0xd/0x10 [] dump_stack+0x17/0x20 [] print_usage_bug+0x1e1/0x200 [] mark_lock+0x259/0x290 [] debug_lock_chain_spin+0x465/0x10f0 [] _raw_spin_lock+0x2d/0x90 [] _spin_lock+0x8/0x10 [] _atomic_dec_and_lock+0x48/0x80 [] free_uid+0x14/0x70 [] __put_task_struct+0x38/0x130 [] __put_task_struct_cb+0xd/0x10 [] __rcu_process_callbacks+0x81/0x180 [] rcu_process_callbacks+0x30/0x60 [] tasklet_action+0x54/0xd0 [] __do_softirq+0x87/0x120 [] do_softirq+0x69/0xb0 ======================= [] irq_exit+0x39/0x50 [] smp_apic_timer_interrupt+0x4c/0x50 [] apic_timer_interrupt+0x27/0x2c [] cpu_idle+0x68/0x80 [] start_secondary+0x29e/0x480 [<00000000>] 0x0 [] 0xc30d9fb4 the fix is to always take the uidhash_spinlock in a softirq-safe manner. Signed-off-by: Ingo Molnar ---- Index: linux/kernel/user.c =================================================================== --- linux.orig/kernel/user.c +++ linux/kernel/user.c @@ -13,6 +13,7 @@ #include #include #include +#include /* * UID task count cache, to get fast user lookup in "alloc_uid" @@ -27,6 +28,12 @@ static kmem_cache_t *uid_cachep; static struct list_head uidhash_table[UIDHASH_SZ]; + +/* + * The uidhash_lock is mostly taken from process context, but it is + * occasionally also taken from softirq/tasklet context, when + * task-structs get RCU-freed. Hence all locking must be softirq-safe. + */ static DEFINE_SPINLOCK(uidhash_lock); struct user_struct root_user = { @@ -83,14 +90,15 @@ struct user_struct *find_user(uid_t uid) { struct user_struct *ret; - spin_lock(&uidhash_lock); + spin_lock_bh(&uidhash_lock); ret = uid_hash_find(uid, uidhashentry(uid)); - spin_unlock(&uidhash_lock); + spin_unlock_bh(&uidhash_lock); return ret; } void free_uid(struct user_struct *up) { + local_bh_disable(); if (up && atomic_dec_and_lock(&up->__count, &uidhash_lock)) { uid_hash_remove(up); key_put(up->uid_keyring); @@ -98,6 +106,7 @@ void free_uid(struct user_struct *up) kmem_cache_free(uid_cachep, up); spin_unlock(&uidhash_lock); } + local_bh_enable(); } struct user_struct * alloc_uid(uid_t uid) @@ -105,9 +114,9 @@ struct user_struct * alloc_uid(uid_t uid struct list_head *hashent = uidhashentry(uid); struct user_struct *up; - spin_lock(&uidhash_lock); + spin_lock_bh(&uidhash_lock); up = uid_hash_find(uid, hashent); - spin_unlock(&uidhash_lock); + spin_unlock_bh(&uidhash_lock); if (!up) { struct user_struct *new; @@ -137,7 +146,7 @@ struct user_struct * alloc_uid(uid_t uid * Before adding this, check whether we raced * on adding the same user already.. */ - spin_lock(&uidhash_lock); + spin_lock_bh(&uidhash_lock); up = uid_hash_find(uid, hashent); if (up) { key_put(new->uid_keyring); @@ -147,7 +156,7 @@ struct user_struct * alloc_uid(uid_t uid uid_hash_insert(new, hashent); up = new; } - spin_unlock(&uidhash_lock); + spin_unlock_bh(&uidhash_lock); } return up; @@ -183,9 +192,9 @@ static int __init uid_cache_init(void) INIT_LIST_HEAD(uidhash_table + n); /* Insert the root user immediately (init already runs as root) */ - spin_lock(&uidhash_lock); + spin_lock_bh(&uidhash_lock); uid_hash_insert(&root_user, uidhashentry(0)); - spin_unlock(&uidhash_lock); + spin_unlock_bh(&uidhash_lock); return 0; } - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/