
Commit 4d82a1de authored by Peter Zijlstra, committed by Tejun Heo

lockdep: fix oops in processing workqueue



Under memory load, on x86_64, with lockdep enabled, the workqueue's
process_one_work() has been seen to oops in __lock_acquire(), barfing
on a 0xffffffff00000000 pointer in the lockdep_map's class_cache[].

Because it's permissible to free a work_struct from its callout function,
the map used is an onstack copy of the map given in the work_struct: and
that copy is made without any locking.

Surprisingly, gcc (4.5.1 in Hugh's case) uses "rep movsl" rather than
"rep movsq" for that structure copy: which might race with a workqueue
user's wait_on_work() doing lock_map_acquire() on the source of the
copy, putting a pointer into the class_cache[], but only in time for
the top half of that pointer to be copied to the destination map.

Boom when process_one_work() subsequently does lock_map_acquire()
on its onstack copy of the lockdep_map.

Fix this, and a similar instance in call_timer_fn(), with a
lockdep_copy_map() function which additionally NULLs the class_cache[].

Note: this oops was actually seen on 3.4-next, where flush_work() newly
does the racing lock_map_acquire(); but Tejun points out that 3.4 and
earlier are already vulnerable to the same through wait_on_work().

* Patch originally from Peter.  Hugh modified it a bit and wrote the
  description.

Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Hugh Dickins <hughd@google.com>
LKML-Reference: <alpine.LSU.2.00.1205070951170.1544@eggly.anvils>
Signed-off-by: Tejun Heo <tj@kernel.org>
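A constructed C model of the torn copy the message describes, added here and not part of the commit or of the kernel: it copies each class_cache[] word low half first, lets a stand-in for the racing lock_map_acquire() run in the gap, and shows the plain copy yielding the half pointer while the lockdep_copy_map()-style copy clears it. NR_CACHING_CLASSES, model_map, racer_fn, fill_cache and run_copy are assumed names, and the build is assumed to be 64-bit.

```c
#include <stdint.h>

#define NR_CACHING_CLASSES 2   /* constructed stand-in for NR_LOCKDEP_CACHING_CLASSES */

/* Constructed model of struct lockdep_map keeping only class_cache[], the slots
 * lock_map_acquire() fills concurrently (uintptr_t, assumes 64-bit). */
struct model_map {
	uintptr_t class_cache[NR_CACHING_CLASSES];
};

/* Hypothetical racer hook: runs between the two 32-bit halves of one word
 * copy, standing in for the racing wait_on_work() -> lock_map_acquire(). */
typedef void (*racer_fn)(struct model_map *src);

/* One 64-bit word copied as two 32-bit moves, low half first, the way a
 * little-endian "rep movsl" does it, with the racer firing in the gap. */
static uintptr_t copy_word_movsl(uintptr_t *word, struct model_map *src, racer_fn racer)
{
	uintptr_t lo = *word & 0xffffffffu;
	if (racer)
		racer(src);
	return (*word & ~(uintptr_t)0xffffffffu) | lo;
}

/* clear_cache == 0: the pre-fix plain struct copy.
 * clear_cache != 0: lockdep_copy_map() from the patch, which NULLs
 * class_cache[] after the copy so a torn half pointer is never used. */
static void copy_map(struct model_map *to, struct model_map *from, racer_fn racer, int clear_cache)
{
	for (int i = 0; i < NR_CACHING_CLASSES; i++)
		to->class_cache[i] = copy_word_movsl(&from->class_cache[i], from, racer);
	if (clear_cache)
		for (int i = 0; i < NR_CACHING_CLASSES; i++)
			to->class_cache[i] = 0;
}

/* Racer: publishes a constructed kernel-looking class pointer into slot 0. */
static void fill_cache(struct model_map *src)
{
	src->class_cache[0] = (uintptr_t)0xffffffff81234560ull;
}

/* Destination class_cache[0] after a copy raced by fill_cache(): the plain
 * copy yields the torn 0xffffffff00000000 seen in the oops, the fixed one 0. */
uintptr_t run_copy(int clear_cache)
{
	struct model_map src = { { 0, 0 } }, dst;
	copy_map(&dst, &src, fill_cache, clear_cache);
	return dst.class_cache[0];
}
```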
parent 544ecf31
+18 −0
@@ -157,6 +157,24 @@ struct lockdep_map {
#endif
};

static inline void lockdep_copy_map(struct lockdep_map *to,
				    struct lockdep_map *from)
{
	int i;

	*to = *from;
	/*
	 * Since the class cache can be modified concurrently we could observe
	 * half pointers (64bit arch using 32bit copy insns). Therefore clear
	 * the caches and take the performance hit.
	 *
	 * XXX it doesn't work well with lockdep_set_class_and_subclass(), since
	 *     that relies on cache abuse.
	 */
	for (i = 0; i < NR_LOCKDEP_CACHING_CLASSES; i++)
		to->class_cache[i] = NULL;
}

/*
 * Every lock has a list of other locks that were taken after it.
 * We only grow the list, never remove from it:
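Review bot: the new comment explains why class_cache[] is cleared but not why the preceding `*to = *from;` is otherwise safe, even though it is still an unlocked copy of a map that the same comment says can be modified concurrently; state what guarantees the other fields are consistent, since that is the invariant the helper rests on. The XXX line about lockdep_set_class_and_subclass() relying on cache abuse records a known breakage without saying which callers of lockdep_copy_map() it affects or where it is tracked; either resolve it before merging or reference the follow-up.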
+3 −1
@@ -1102,7 +1102,9 @@ static void call_timer_fn(struct timer_list *timer, void (*fn)(unsigned long),
	 * warnings as well as problems when looking into
	 * timer->lockdep_map, make a copy and use that here.
	 */
	struct lockdep_map lockdep_map = timer->lockdep_map;
	struct lockdep_map lockdep_map;

	lockdep_copy_map(&lockdep_map, &timer->lockdep_map);
#endif
	/*
	 * Couple the lock chain with the lock chain at
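Review bot: the comment kept above the copy (`timer->lockdep_map, make a copy and use that here.`) still reads as if a plain structure copy were enough, which is exactly what this change removes; extend it to say the copy must go through lockdep_copy_map() because a plain copy can hand lockdep a torn class_cache[] pointer, otherwise a later cleanup is likely to fold the two lines back into `struct lockdep_map lockdep_map = timer->lockdep_map;`.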
+3 −1
@@ -1818,7 +1818,9 @@ __acquires(&gcwq->lock)
	 * lock freed" warnings as well as problems when looking into
	 * work->lockdep_map, make a copy and use that here.
	 */
	struct lockdep_map lockdep_map = work->lockdep_map;
	struct lockdep_map lockdep_map;

	lockdep_copy_map(&lockdep_map, &work->lockdep_map);
#endif
	/*
	 * A single work shouldn't be executed concurrently by
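Review bot: same change as in call_timer_fn(), and the same comment caveat applies to `work->lockdep_map, make a copy and use that here.`, which should name lockdep_copy_map() and the torn-pointer reason. Separately, the commit message says 3.4 and earlier are already vulnerable through wait_on_work(), but nothing in the patch marks it for stable backporting; consider adding a stable tag when this is sent upstream, since this hunk is the one that closes the workqueue path.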