On Mon, 16 Oct 2006 01:54:39 -0700
Ravikiran G Thirumalai <[email protected]> wrote:
> Fix a cpu hotplug race condition while tuning slab cpu caches.
>
> CPU online (cpu_up) and tuning slab caches (do_tune_cpucache)
> can race and can lead to a situation where we do not have an
> arraycache allocated for a newly onlined cpu.
lock_cpu_hotplug() is a noxious thing which should be removed.
> The race can be explained as follows:
>
> cpu_online_map 00000111
> cpu_up(3)
> cpuup_callback CPU_UP_PREPARE:
> mutex_lock(&cache_chain_mutex);
> ...
> allocate_array_cache for cpu 3
> ...
> mutex_unlock(&cache_chain_mutex);
> ... slabinfo_write
> ... mutex_lock(&cache_chain_mutex);
> ... do_tune_cpucache
> ... allocate new arraycache for cpu0,1,2, NULL rest
> ... ...
> mutex_lock(&cpu_bitmask_lock); ...
> cpu_online_map 00001111
> mutex_unlock(&cpu_bitmask_lock); ...
> on_each_cpu swap the new array_cache with old
> ^^^^
> CPU 3 gets assigned with a NULL array cache
The problem is obvious: we have some data (the array caches) and we have a
data structure which is used to look up that data (cpu_online_map). But
we're releasing the lock while these two things are in an inconsistent
state.
So you could have fixed this by taking cache_chain_mutex in CPU_UP_PREPARE
and releasing it in CPU_ONLINE and CPU_UP_CANCELED.
> Hence, when do_ccupdate_local is run on CPU 3, CPU 3 gets a NULL array_cache,
> and caused badness thereon.
>
> So don't allow cpus to come and go while in do_tune_cpucache.
> The other code path of do_tune_cpucache through kmem_cache_create
> is already protected through lock_cpu_hotplug.
>
> Signed-off-by: Alok N Kataria <[email protected]>
> Signed-off-by: Ravikiran Thirumalai <[email protected]>
> Signed-off-by: Shai Fultheim <[email protected]>
>
> Index: linux-2.6.19-rc1slab/mm/slab.c
> ===================================================================
> --- linux-2.6.19-rc1slab.orig/mm/slab.c 2006-10-13 12:35:02.578841000 -0700
> +++ linux-2.6.19-rc1slab/mm/slab.c 2006-10-13 12:35:46.848841000 -0700
> @@ -4072,6 +4072,7 @@ ssize_t slabinfo_write(struct file *file
> return -EINVAL;
>
> /* Find the cache in the chain of caches. */
> + lock_cpu_hotplug();
> mutex_lock(&cache_chain_mutex);
> res = -EINVAL;
> list_for_each_entry(cachep, &cache_chain, next) {
> @@ -4087,6 +4088,7 @@ ssize_t slabinfo_write(struct file *file
> }
> }
> mutex_unlock(&cache_chain_mutex);
> + unlock_cpu_hotplug();
> if (res >= 0)
> res = count;
> return res;
Given that this lock_cpu_hotplug() happens at a high level I guess it'll
avoid the usual lock_cpu_hotplug() horrors and we can live with it. I
assume lockdep was enabled when you were testing this?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]