linux

History

Tejun Heo 22b886dd10 timers: Use proper base migration in add_timer_on() Regardless of the previous CPU a timer was on, add_timer_on() currently simply sets timer->flags to the new CPU. As the caller must be seeing the timer as idle, this is locally fine, but the timer leaving the old base while unlocked can lead to race conditions as follows. Let's say timer was on cpu 0. cpu 0 cpu 1 ----------------------------------------------------------------------------- del_timer(timer) succeeds del_timer(timer) lock_timer_base(timer) locks cpu_0_base add_timer_on(timer, 1) spin_lock(&cpu_1_base->lock) timer->flags set to cpu_1_base operates on @timer operates on @timer This triggered with mod_delayed_work_on() which contains "if (del_timer()) add_timer_on()" sequence eventually leading to the following oops. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0 ... Workqueue: wqthrash wqthrash_workfunc [wqthrash] task: ffff8800172ca680 ti: ffff8800172d0000 task.ti: ffff8800172d0000 RIP: 0010:[<ffffffff810ca6e9>] [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0 ... Call Trace: [<ffffffff810cb0b4>] del_timer+0x44/0x60 [<ffffffff8106e836>] try_to_grab_pending+0xb6/0x160 [<ffffffff8106e913>] mod_delayed_work_on+0x33/0x80 [<ffffffffa0000081>] wqthrash_workfunc+0x61/0x90 [wqthrash] [<ffffffff8106dba8>] process_one_work+0x1e8/0x650 [<ffffffff8106e05e>] worker_thread+0x4e/0x450 [<ffffffff810746af>] kthread+0xef/0x110 [<ffffffff8185980f>] ret_from_fork+0x3f/0x70 Fix it by updating add_timer_on() to perform proper migration as __mod_timer() does. Reported-and-tested-by: Jeff Layton <jlayton@poochiereds.net> Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Chris Worley <chris.worley@primarydata.com> Cc: bfields@fieldses.org Cc: Michael Skralivetsky <michael.skralivetsky@primarydata.com> Cc: Trond Myklebust <trond.myklebust@primarydata.com> Cc: Shaohua Li <shli@fb.com> Cc: Jeff Layton <jlayton@poochiereds.net> Cc: kernel-team@fb.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20151029103113.2f893924@tlielax.poochiereds.net Link: http://lkml.kernel.org/r/20151104171533.GI5749@mtj.duckdns.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de>		2015-11-04 20:23:19 +01:00
..
bpf	bpf: fix out of bounds access in verifier log	2015-09-09 14:11:55 -07:00
configs	kconfig: add xenconfig defconfig helper	2015-06-16 11:04:29 +01:00
debug
events	Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 17:38:09 -08:00
gcov	gcov: add support for GCC 5.1	2015-06-30 19:44:57 -07:00
irq	Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 14:40:01 -08:00
livepatch	livepatch: Improve error handling in klp_disable_func()	2015-07-14 22:48:06 +02:00
locking	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 18:03:50 -08:00
power	Merge branch 'for-4.3/core' of git://git.kernel.dk/linux-block	2015-09-02 13:10:25 -07:00
printk	kexec: split kexec_load syscall from kexec core code	2015-09-10 13:29:01 -07:00
rcu	Merge branches 'doc.2015.10.06a', 'percpu-rwsem.2015.10.06a' and 'torture.2015.10.06a' into HEAD	2015-10-07 16:06:25 -07:00
sched	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 18:03:50 -08:00
time	timers: Use proper base migration in add_timer_on()	2015-11-04 20:23:19 +01:00
trace	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 18:03:50 -08:00
.gitignore
acct.c
async.c
audit_fsnotify.c	audit: clean simple fsnotify implementation	2015-08-06 16:14:53 -04:00
audit_tree.c	Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit	2015-09-08 13:34:59 -07:00
audit_watch.c	Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit	2015-09-08 13:34:59 -07:00
audit.c	Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit	2015-09-08 13:34:59 -07:00
audit.h	Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit	2015-09-08 13:34:59 -07:00
auditfilter.c	audit: implement audit by executable	2015-08-06 16:17:25 -04:00
auditsc.c	Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit	2015-09-08 13:34:59 -07:00
backtracetest.c
bounds.c
capability.c	kernel: conditionally support non-root users, groups and capabilities	2015-04-15 16:35:22 -07:00
cgroup_freezer.c	cgroup: allow a cgroup subsystem to reject a fork	2015-07-14 17:29:23 -04:00
cgroup_pids.c	cgroup: pids: fix invalid get/put usage	2015-08-25 14:19:25 -04:00
cgroup.c	Revert "sched, cgroup: replace signal_struct->group_rwsem with a global percpu_rwsem"	2015-09-16 11:51:12 -04:00
compat.c	compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()	2015-06-04 23:57:18 +02:00
configs.c
context_tracking.c	context_tracking: Inherit TIF_NOHZ through forks instead of context switches	2015-05-07 12:02:51 +02:00
cpu_pm.c	kernel/cpu_pm: fix cpu_cluster_pm_exit comment	2015-09-03 02:42:20 +02:00
cpu.c	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 18:03:50 -08:00
cpuset.c	cpuset: use trialcs->mems_allowed as a temp variable	2015-08-10 11:18:41 -04:00
crash_dump.c
cred.c	kernel/cred.c: remove unnecessary kdebug atomic reads	2015-09-10 13:29:01 -07:00
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-11-03 18:03:50 -08:00
extable.c	kernel/extable.c: remove duplicated include	2015-09-10 13:29:01 -07:00
fork.c	posix_cpu_timer: Convert cputimer->running to bool	2015-10-15 11:23:41 +02:00
freezer.c
futex_compat.c
futex.c	futex: Force hot variables into a single cache line	2015-09-22 16:23:15 +02:00
groups.c	kernel: conditionally support non-root users, groups and capabilities	2015-04-15 16:35:22 -07:00
hung_task.c	kernel/hung_task.c: change hung_task.c to use for_each_process_thread()	2015-04-15 16:35:22 -07:00
irq_work.c
jump_label.c	locking/static_keys: Add selftest	2015-08-03 11:34:16 +02:00
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks	locking/qrwlock: Rename QUEUE_RWLOCK to QUEUED_RWLOCKS	2015-05-12 09:46:00 +02:00
Kconfig.preempt
kexec_core.c	kexec/crash: Say which char is the unrecognized	2015-10-21 11:10:57 +02:00
kexec_file.c	kexec: split kexec_file syscall code to kexec_file.c	2015-09-10 13:29:01 -07:00
kexec_internal.h	kexec: split kexec_file syscall code to kexec_file.c	2015-09-10 13:29:01 -07:00
kexec.c	kexec: split kexec_load syscall from kexec core code	2015-09-10 13:29:01 -07:00
kmod.c	kmod: don't run async usermode helper as a child of kworker thread	2015-10-23 17:55:10 +09:00
kprobes.c	perf/x86/hw_breakpoints: Disallow kernel breakpoints unless kprobe-safe	2015-08-04 10:16:54 +02:00
ksysfs.c	kexec: split kexec_load syscall from kexec core code	2015-09-10 13:29:01 -07:00
kthread.c	kernel/kthread.c:kthread_create_on_node(): clarify documentation	2015-09-04 16:54:41 -07:00
latencytop.c
Makefile	sys_membarrier(): system-wide memory barrier (generic, x86)	2015-09-11 15:21:34 -07:00
membarrier.c	sys_membarrier(): system-wide memory barrier (generic, x86)	2015-09-11 15:21:34 -07:00
memremap.c	memremap: fix highmem support	2015-10-26 16:55:56 -04:00
module_signing.c	PKCS#7: Appropriately restrict authenticated attributes and content type	2015-08-12 17:01:01 +01:00
module-internal.h
module.c	module: Fix locking in symbol_put_addr()	2015-08-24 10:37:01 +09:30
notifier.c	Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-09-01 08:40:25 -07:00
nsproxy.c
padata.c
panic.c	kernel/panic/kexec: fix "crash_kexec_post_notifiers" option issue in oops path	2015-06-30 19:44:57 -07:00
params.c	Minor merge needed, due to function move.	2015-07-01 10:49:25 -07:00
pid_namespace.c
pid.c	rcu: Rename rcu_lockdep_assert() to RCU_LOCKDEP_WARN()	2015-07-22 15:27:32 -07:00
profile.c	mm: rename alloc_pages_exact_node() to __alloc_pages_node()	2015-09-08 15:35:28 -07:00
ptrace.c	seccomp: add ptrace options for suspend/resume	2015-07-15 11:52:52 -07:00
range.c
reboot.c	kexec: split kexec_load syscall from kexec core code	2015-09-10 13:29:01 -07:00
relay.c	kernel/relay.c: use kvfree() in relay_free_page_array()	2015-06-30 19:44:59 -07:00
resource.c	mm: enhance region_is_ram() to region_intersects()	2015-08-10 23:07:05 -04:00
seccomp.c	Merge tag 'seccomp-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next	2015-07-20 17:19:19 +10:00
signal.c	signal: fix information leak in copy_siginfo_to_user	2015-08-07 04:39:40 +03:00
smp.c	smp: Fix error case handling in smp_call_function_*()	2015-04-19 13:19:23 -07:00
smpboot.c	stop_machine: Kill smp_hotplug_thread->pre_unpark, introduce stop_machine_unpark()	2015-10-20 10:23:55 +02:00
smpboot.h
softirq.c
stacktrace.c
stop_machine.c	sched: Move cpu_active() tests from stop_two_cpus() into migrate_swap_stop()	2015-10-20 10:25:56 +02:00
sys_ni.c	sys_membarrier(): system-wide memory barrier (generic, x86)	2015-09-11 15:21:34 -07:00
sys.c	vfs: Commit to never having exectuables on proc and sysfs.	2015-07-10 10:39:25 -05:00
sysctl_binary.c
sysctl.c	sysctl: fix int -> unsigned long assignments in INT_MIN case	2015-09-10 13:29:01 -07:00
task_work.c	task_work: remove fifo ordering guarantee	2015-09-05 13:46:58 -07:00
taskstats.c
test_kprobes.c
torture.c	torture: Consolidate cond_resched_rcu_qs() into stutter_wait()	2015-10-06 11:25:01 -07:00
tracepoint.c
tsacct.c
uid16.c
up.c
user_namespace.c	capabilities: ambient capabilities	2015-09-04 16:54:41 -07:00
user-return-notifier.c
user.c
utsname_sysctl.c
utsname.c
watchdog.c	watchdog: rename watchdog_suspend() and watchdog_resume()	2015-09-04 16:54:41 -07:00
workqueue_internal.h
workqueue.c	workqueue: make sure delayed work run in local cpu	2015-09-30 13:06:46 -04:00