lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJhGHyDHVFto=UNrVQ5bjc11yGCnNmLKAkPPimtwF-Qa+1g==Q@mail.gmail.com>
Date:   Thu, 4 Aug 2022 16:57:01 +0800
From:   Lai Jiangshan <jiangshanlai@...il.com>
To:     Petr Mladek <pmladek@...e.com>
Cc:     Tejun Heo <tj@...nel.org>, Michal Hocko <mhocko@...e.com>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] workqueue: Make create_worker() safe against spurious wakeups

On Wed, Jun 22, 2022 at 10:10 PM Petr Mladek <pmladek@...e.com> wrote:
>
> A system crashed with the following BUG() report:
>
>   [115147.050484] BUG: kernel NULL pointer dereference, address: 0000000000000000
>   [115147.050488] #PF: supervisor write access in kernel mode
>   [115147.050489] #PF: error_code(0x0002) - not-present page
>   [115147.050490] PGD 0 P4D 0
>   [115147.050494] Oops: 0002 [#1] PREEMPT_RT SMP NOPTI
>   [115147.050498] CPU: 1 PID: 16213 Comm: kthreadd Kdump: loaded Tainted: G           O   X    5.3.18-2-rt #1 SLE15-SP2 (unreleased)
>   [115147.050510] RIP: 0010:_raw_spin_lock_irq+0x14/0x30
>   [115147.050513] Code: 89 c6 e8 5f 7a 9b ff 66 90 c3 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 fa 65 ff 05 fb 53 6c 55 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 01 c3 89 c6 e8 2e 7a 9b ff 66 90 c3 90 90 90 90 90
>   [115147.050514] RSP: 0018:ffffb0f68822fed8 EFLAGS: 00010046
>   [115147.050515] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>   [115147.050516] RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000000000000000
>   [115147.050517] RBP: ffff9ca73af40a40 R08: 0000000000000001 R09: 0000000000027340
>   [115147.050519] R10: ffffb0f68822fe70 R11: 00000000000000a9 R12: ffffb0f688067dc0
>   [115147.050520] R13: ffff9ca77e9a8000 R14: ffff9ca7634ca780 R15: ffff9ca7634ca780
>   [115147.050521] FS:  0000000000000000(0000) GS:ffff9ca77fb00000(0000) knlGS:0000000000000000
>   [115147.050523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   [115147.050524] CR2: 00000000000000b8 CR3: 000000004472e000 CR4: 00000000003406e0
>   [115147.050524] Call Trace:
>   [115147.050533]  worker_thread+0xb4/0x3c0
>   [115147.050538]  ? process_one_work+0x4a0/0x4a0
>   [115147.050540]  kthread+0x152/0x170
>   [115147.050542]  ? kthread_park+0xa0/0xa0
>   [115147.050544]  ret_from_fork+0x35/0x40
>
> Further debugging shown that the worker thread was woken
> before worker_attach_to_pool() finished in create_worker().
>
> Any kthread is supposed to stay in TASK_UNINTERRUPTIBLE sleep
> until it is explicitly woken. But a spurious wakeup might
> break this expectation.
>
> As a result, worker_thread() might read worker->pool before
> it was set in worker create_worker() by worker_attach_to_pool().
> Also manage_workers() might want to create yet another worker
> before worker->pool->nr_workers is updated. It is a kind off
> a chicken & egg problem.
>
> Synchronize these operations using a completion API.
>
> Note that worker->pool might be then read without wq_pool_attach_mutex.
> Normal worker always belongs to the same pool.
>
> Also note that rescuer_thread() does not need this because all
> needed values are set before the kthreads is created. It is
> connected with a particular workqueue. It is attached to different
> pools when needed.
>
> Signed-off-by: Petr Mladek <pmladek@...e.com>
> ---
>  kernel/workqueue.c          | 13 ++++++++++++-
>  kernel/workqueue_internal.h |  1 +
>  2 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/workqueue.c b/kernel/workqueue.c
> index 1ea50f6be843..9586b0797145 100644
> --- a/kernel/workqueue.c
> +++ b/kernel/workqueue.c
> @@ -1939,6 +1939,7 @@ static struct worker *create_worker(struct worker_pool *pool)
>                 goto fail;
>
>         worker->id = id;
> +       init_completion(&worker->ready_to_start);
>
>         if (pool->cpu >= 0)
>                 snprintf(id_buf, sizeof(id_buf), "%d:%d%s", pool->cpu, id,
> @@ -1961,6 +1962,7 @@ static struct worker *create_worker(struct worker_pool *pool)
>         raw_spin_lock_irq(&pool->lock);
>         worker->pool->nr_workers++;
>         worker_enter_idle(worker);
> +       complete(&worker->ready_to_start);
>         wake_up_process(worker->task);
>         raw_spin_unlock_irq(&pool->lock);
>
> @@ -2378,10 +2380,19 @@ static void set_pf_worker(bool val)
>  static int worker_thread(void *__worker)
>  {
>         struct worker *worker = __worker;
> -       struct worker_pool *pool = worker->pool;
> +       struct worker_pool *pool;
>
>         /* tell the scheduler that this is a workqueue worker */
>         set_pf_worker(true);
> +
> +       /*
> +        * Wait until the worker is ready to get started. It must be attached
> +        * to a pool first. This is needed because of spurious wakeups.
> +        */
> +       while (wait_for_completion_interruptible(&worker->ready_to_start))
> +               ;

There might be some wakeups from wake_up_worker() since it is in
the idle list.  These wakeups will be "spurious wakeups" in the view
of the completion subsystem.

> +       pool = worker->pool;
> +
>  woke_up:
>         raw_spin_lock_irq(&pool->lock);
>
> diff --git a/kernel/workqueue_internal.h b/kernel/workqueue_internal.h
> index e00b1204a8e9..ffca2783c8bf 100644
> --- a/kernel/workqueue_internal.h
> +++ b/kernel/workqueue_internal.h
> @@ -41,6 +41,7 @@ struct worker {
>                                                 /* L: for rescuers */
>         struct list_head        node;           /* A: anchored at pool->workers */
>                                                 /* A: runs through worker->node */
> +       struct completion       ready_to_start; /* None: handle spurious wakeup */
>
>         unsigned long           last_active;    /* L: last active timestamp */
>         unsigned int            flags;          /* X: flags */
> --
> 2.35.3
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ