Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp647575pxb; Tue, 5 Apr 2022 17:12:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyo0LIvPLIsSKeHMSXRjmA+1cCWtsny8W15SXtwS9ti79OMnO5VBeK8gtR2SQ7AtW8VLaI1 X-Received: by 2002:a17:902:c401:b0:154:3b8a:5e6e with SMTP id k1-20020a170902c40100b001543b8a5e6emr5913264plk.18.1649203971932; Tue, 05 Apr 2022 17:12:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649203971; cv=none; d=google.com; s=arc-20160816; b=OVjfrfSiXr5hfJOvs27jHORmekv6immmArXKFiqAwFk2xaZk8azL90670H+me/d7Ym iMYUaCg9O6O33/E1mkgdaqzEZzSuf3hPUd1PHE6Ob2dm0FYTcnGUxeFgGDL4UE7O58aN ty7nv6bWbrc0cQjAb2MQmMtWNKpDvFD0UdJtiEZ6ZKWJ4L7yBvcSIGBUxkAlf5VJIa63 1xYJKaqu9Aga7KGmTgv3RIhC92zv9hjMgNmGCRAQ4B2mMarTqXix70hZxn2vPxI0qX5C KiBUMiedDCWg2sBqO89KN8GJwQBVvzzS6qhlFI9eyy0ssQPtbDbLqmnU1Lso4PqJFPeo 6MGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Oku7dV1BUXpN2Mpdo4FzMUU5e4eynfOvRFD1rqTT0k0=; b=qyVcWd/Sn5c+lJ/xk8xZ9G7w63d3q/4AnVA9MhGfK0etikNipuqxbQaVPKFLco1JUC Ps1Ue++kCd+VxP/EwTJzfY3Qw2/T3vOQ0AgfEth4pTPBGAKMPQzQZxirDKRERLajYCEP K/MybuLt4ccrK5Ux0S6spLjgdbUFJ5c/34MSY0+xqhx0vJLjxVcfR0mO4nhNOHmw604d q00rH2DZhHh8iPHo8PJ70G1MuI9nXos+jOFVtFojb4Ta0JFRcwmBPZNJjeK8lTkcuOsT bEn9ZGX3f8rPPVEawRFCgLtUzFZnOP/Md5xHMlMj3SjrlD7VV5eJjzW480KcaOK7uGwh h8Uw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jc2UUl+Q; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id o6-20020a056a0015c600b004fa3a8e0009si15290338pfu.192.2022.04.05.17.12.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Apr 2022 17:12:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jc2UUl+Q; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 74F111820DA; Tue, 5 Apr 2022 16:57:03 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379111AbiDELkV (ORCPT + 99 others); Tue, 5 Apr 2022 07:40:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52236 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244748AbiDEIwh (ORCPT ); Tue, 5 Apr 2022 04:52:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D81331CB00; Tue, 5 Apr 2022 01:43:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 73DBB60FFC; Tue, 5 Apr 2022 08:43:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 86F95C385A0; Tue, 5 Apr 2022 08:43:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649148196; bh=3jM5yqIOb3WL2Na1v0+VlkoKC6eouOTM4+v6Y/kg5DA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jc2UUl+Q46Ve6cDFX+sC2EQ0YczdR32CLvokZHfddlbuzmw0bYtW2atZ6M84ypUmx AKLLFDcFxcFJbd+lkCDziLHE7QHcpaVO91E430Y/24uR6EmkebQ7I05/UXIQpyrGhz 8bsJ2aazC37xOzzi1l7+J9ezw9u0NWwqb+DO7NwU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, John Keeping , Valentin Schneider , "Peter Zijlstra (Intel)" , Dietmar Eggemann , Sasha Levin Subject: [PATCH 5.16 0270/1017] sched/rt: Plug rt_mutex_setprio() vs push_rt_task() race Date: Tue, 5 Apr 2022 09:19:43 +0200 Message-Id: <20220405070402.279932841@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070354.155796697@linuxfoundation.org> References: <20220405070354.155796697@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Valentin Schneider [ Upstream commit 49bef33e4b87b743495627a529029156c6e09530 ] John reported that push_rt_task() can end up invoking find_lowest_rq(rq->curr) when curr is not an RT task (in this case a CFS one), which causes mayhem down convert_prio(). This can happen when current gets demoted to e.g. CFS when releasing an rt_mutex, and the local CPU gets hit with an rto_push_work irqwork before getting the chance to reschedule. Exactly who triggers this work isn't entirely clear to me - switched_from_rt() only invokes rt_queue_pull_task() if there are no RT tasks on the local RQ, which means the local CPU can't be in the rto_mask. My current suspected sequence is something along the lines of the below, with the demoted task being current. mark_wakeup_next_waiter() rt_mutex_adjust_prio() rt_mutex_setprio() // deboost originally-CFS task check_class_changed() switched_from_rt() // Only rt_queue_pull_task() if !rq->rt.rt_nr_running switched_to_fair() // Sets need_resched __balance_callbacks() // if pull_rt_task(), tell_cpu_to_push() can't select local CPU per the above raw_spin_rq_unlock(rq) // need_resched is set, so task_woken_rt() can't // invoke push_rt_tasks(). Best I can come up with is // local CPU has rt_nr_migratory >= 2 after the demotion, so stays // in the rto_mask, and then: push_rt_task() // breakage follows here as rq->curr is CFS Move an existing check to check rq->curr vs the next pushable task's priority before getting anywhere near find_lowest_rq(). While at it, add an explicit sched_class of rq->curr check prior to invoking find_lowest_rq(rq->curr). Align the DL logic to also reschedule regardless of next_task's migratability. Fixes: a7c81556ec4d ("sched: Fix migrate_disable() vs rt/dl balancing") Reported-by: John Keeping Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Tested-by: John Keeping Link: https://lore.kernel.org/r/20220127154059.974729-1-valentin.schneider@arm.com Signed-off-by: Sasha Levin --- kernel/sched/deadline.c | 12 ++++++------ kernel/sched/rt.c | 32 ++++++++++++++++++++++---------- 2 files changed, 28 insertions(+), 16 deletions(-) diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c index d2c072b0ef01..62f0cf842277 100644 --- a/kernel/sched/deadline.c +++ b/kernel/sched/deadline.c @@ -2240,12 +2240,6 @@ static int push_dl_task(struct rq *rq) return 0; retry: - if (is_migration_disabled(next_task)) - return 0; - - if (WARN_ON(next_task == rq->curr)) - return 0; - /* * If next_task preempts rq->curr, and rq->curr * can move away, it makes sense to just reschedule @@ -2258,6 +2252,12 @@ static int push_dl_task(struct rq *rq) return 0; } + if (is_migration_disabled(next_task)) + return 0; + + if (WARN_ON(next_task == rq->curr)) + return 0; + /* We might release rq lock */ get_task_struct(next_task); diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c index 7b4f4fbbb404..14f273c29518 100644 --- a/kernel/sched/rt.c +++ b/kernel/sched/rt.c @@ -2026,6 +2026,16 @@ static int push_rt_task(struct rq *rq, bool pull) return 0; retry: + /* + * It's possible that the next_task slipped in of + * higher priority than current. If that's the case + * just reschedule current. + */ + if (unlikely(next_task->prio < rq->curr->prio)) { + resched_curr(rq); + return 0; + } + if (is_migration_disabled(next_task)) { struct task_struct *push_task = NULL; int cpu; @@ -2033,6 +2043,18 @@ static int push_rt_task(struct rq *rq, bool pull) if (!pull || rq->push_busy) return 0; + /* + * Invoking find_lowest_rq() on anything but an RT task doesn't + * make sense. Per the above priority check, curr has to + * be of higher priority than next_task, so no need to + * reschedule when bailing out. + * + * Note that the stoppers are masqueraded as SCHED_FIFO + * (cf. sched_set_stop_task()), so we can't rely on rt_task(). + */ + if (rq->curr->sched_class != &rt_sched_class) + return 0; + cpu = find_lowest_rq(rq->curr); if (cpu == -1 || cpu == rq->cpu) return 0; @@ -2057,16 +2079,6 @@ static int push_rt_task(struct rq *rq, bool pull) if (WARN_ON(next_task == rq->curr)) return 0; - /* - * It's possible that the next_task slipped in of - * higher priority than current. If that's the case - * just reschedule current. - */ - if (unlikely(next_task->prio < rq->curr->prio)) { - resched_curr(rq); - return 0; - } - /* We might release rq lock */ get_task_struct(next_task); -- 2.34.1