d6a2946a88
msgctl10 of ltp triggers the following lockup When CONFIG_KASAN is enabled on large memory SMP systems, the pages initialization can take a long time, if msgctl10 requests a huge block memory, and it will block rcu scheduler, so release cpu actively. After adding schedule() in free_msg, free_msg can not be called when holding spinlock, so adding msg to a tmp list, and free it out of spinlock rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 16-31): P32505 rcu: Tasks blocked on level-1 rcu_node (CPUs 48-63): P34978 rcu: (detected by 11, t=35024 jiffies, g=44237529, q=16542267) msgctl10 R running task 21608 32505 2794 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:__is_insn_slot_addr+0xfb/0x250 Code: 82 1d 00 48 8b 9b 90 00 00 00 4c 89 f7 49 c1 ee 03 e8 59 83 1d 00 48 b8 00 00 00 00 00 fc ff df 4c 39 eb 48 89 9d 58 ff ff ff <41> c6 04 06 f8 74 66 4c 8d 75 98 4c 89 f1 48 c1 e9 03 48 01 c8 48 RSP: 0018:ffff88bce041f758 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffffffff8471bc50 RCX: ffffffff828a2a57 RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: ffff88bce041f780 RBP: ffff88bce041f828 R08: ffffed15f3f4c5b3 R09: ffffed15f3f4c5b3 R10: 0000000000000001 R11: ffffed15f3f4c5b2 R12: 000000318aee9b73 R13: ffffffff8471bc50 R14: 1ffff1179c083ef0 R15: 1ffff1179c083eec kernel_text_address+0xc1/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 create_object+0x380/0x650 __kmalloc+0x14c/0x2b0 load_msg+0x38/0x1a0 do_msgsnd+0x19e/0xcf0 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 0-15): P32170 rcu: (detected by 14, t=35016 jiffies, g=44237525, q=12423063) msgctl10 R running task 21608 32170 32155 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:lock_acquire+0x4d/0x340 Code: 48 81 ec c0 00 00 00 45 89 c6 4d 89 cf 48 8d 6c 24 20 48 89 3c 24 48 8d bb e4 0c 00 00 89 74 24 0c 48 c7 44 24 20 b3 8a b5 41 <48> c1 ed 03 48 c7 44 24 28 b4 25 18 84 48 c7 44 24 30 d0 54 7a 82 RSP: 0018:ffff88af83417738 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffff88bd335f3080 RCX: 0000000000000002 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88bd335f3d64 RBP: ffff88af83417758 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed13f3f745b2 R12: 0000000000000000 R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 is_bpf_text_address+0x32/0xe0 kernel_text_address+0xec/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 save_stack+0x32/0xb0 __kasan_slab_free+0x130/0x180 kfree+0xfa/0x2d0 free_msg+0x24/0x50 do_msgrcv+0x508/0xe60 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe Davidlohr said: "So after releasing the lock, the msg rbtree/list is empty and new calls will not see those in the newly populated tmp_msg list, and therefore they cannot access the delayed msg freeing pointers, which is good. Also the fact that the node_cache is now freed before the actual messages seems to be harmless as this is wanted for msg_insert() avoiding GFP_ATOMIC allocations, and after releasing the info->lock the thing is freed anyway so it should not change things" Link: http://lkml.kernel.org/r/1552029161-4957-1-git-send-email-lirongqing@baidu.com Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Zhang Yu <zhangyu31@baidu.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
189 lines
3.7 KiB
C
189 lines
3.7 KiB
C
/*
|
|
* linux/ipc/msgutil.c
|
|
* Copyright (C) 1999, 2004 Manfred Spraul
|
|
*
|
|
* This file is released under GNU General Public Licence version 2 or
|
|
* (at your option) any later version.
|
|
*
|
|
* See the file COPYING for more details.
|
|
*/
|
|
|
|
#include <linux/spinlock.h>
|
|
#include <linux/init.h>
|
|
#include <linux/security.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/ipc.h>
|
|
#include <linux/msg.h>
|
|
#include <linux/ipc_namespace.h>
|
|
#include <linux/utsname.h>
|
|
#include <linux/proc_ns.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/sched.h>
|
|
|
|
#include "util.h"
|
|
|
|
DEFINE_SPINLOCK(mq_lock);
|
|
|
|
/*
|
|
* The next 2 defines are here bc this is the only file
|
|
* compiled when either CONFIG_SYSVIPC and CONFIG_POSIX_MQUEUE
|
|
* and not CONFIG_IPC_NS.
|
|
*/
|
|
struct ipc_namespace init_ipc_ns = {
|
|
.count = REFCOUNT_INIT(1),
|
|
.user_ns = &init_user_ns,
|
|
.ns.inum = PROC_IPC_INIT_INO,
|
|
#ifdef CONFIG_IPC_NS
|
|
.ns.ops = &ipcns_operations,
|
|
#endif
|
|
};
|
|
|
|
struct msg_msgseg {
|
|
struct msg_msgseg *next;
|
|
/* the next part of the message follows immediately */
|
|
};
|
|
|
|
#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg))
|
|
#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg))
|
|
|
|
|
|
static struct msg_msg *alloc_msg(size_t len)
|
|
{
|
|
struct msg_msg *msg;
|
|
struct msg_msgseg **pseg;
|
|
size_t alen;
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT);
|
|
if (msg == NULL)
|
|
return NULL;
|
|
|
|
msg->next = NULL;
|
|
msg->security = NULL;
|
|
|
|
len -= alen;
|
|
pseg = &msg->next;
|
|
while (len > 0) {
|
|
struct msg_msgseg *seg;
|
|
|
|
cond_resched();
|
|
|
|
alen = min(len, DATALEN_SEG);
|
|
seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL_ACCOUNT);
|
|
if (seg == NULL)
|
|
goto out_err;
|
|
*pseg = seg;
|
|
seg->next = NULL;
|
|
pseg = &seg->next;
|
|
len -= alen;
|
|
}
|
|
|
|
return msg;
|
|
|
|
out_err:
|
|
free_msg(msg);
|
|
return NULL;
|
|
}
|
|
|
|
struct msg_msg *load_msg(const void __user *src, size_t len)
|
|
{
|
|
struct msg_msg *msg;
|
|
struct msg_msgseg *seg;
|
|
int err = -EFAULT;
|
|
size_t alen;
|
|
|
|
msg = alloc_msg(len);
|
|
if (msg == NULL)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
if (copy_from_user(msg + 1, src, alen))
|
|
goto out_err;
|
|
|
|
for (seg = msg->next; seg != NULL; seg = seg->next) {
|
|
len -= alen;
|
|
src = (char __user *)src + alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
if (copy_from_user(seg + 1, src, alen))
|
|
goto out_err;
|
|
}
|
|
|
|
err = security_msg_msg_alloc(msg);
|
|
if (err)
|
|
goto out_err;
|
|
|
|
return msg;
|
|
|
|
out_err:
|
|
free_msg(msg);
|
|
return ERR_PTR(err);
|
|
}
|
|
#ifdef CONFIG_CHECKPOINT_RESTORE
|
|
struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
|
|
{
|
|
struct msg_msgseg *dst_pseg, *src_pseg;
|
|
size_t len = src->m_ts;
|
|
size_t alen;
|
|
|
|
if (src->m_ts > dst->m_ts)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
memcpy(dst + 1, src + 1, alen);
|
|
|
|
for (dst_pseg = dst->next, src_pseg = src->next;
|
|
src_pseg != NULL;
|
|
dst_pseg = dst_pseg->next, src_pseg = src_pseg->next) {
|
|
|
|
len -= alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
memcpy(dst_pseg + 1, src_pseg + 1, alen);
|
|
}
|
|
|
|
dst->m_type = src->m_type;
|
|
dst->m_ts = src->m_ts;
|
|
|
|
return dst;
|
|
}
|
|
#else
|
|
struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
|
|
{
|
|
return ERR_PTR(-ENOSYS);
|
|
}
|
|
#endif
|
|
int store_msg(void __user *dest, struct msg_msg *msg, size_t len)
|
|
{
|
|
size_t alen;
|
|
struct msg_msgseg *seg;
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
if (copy_to_user(dest, msg + 1, alen))
|
|
return -1;
|
|
|
|
for (seg = msg->next; seg != NULL; seg = seg->next) {
|
|
len -= alen;
|
|
dest = (char __user *)dest + alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
if (copy_to_user(dest, seg + 1, alen))
|
|
return -1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void free_msg(struct msg_msg *msg)
|
|
{
|
|
struct msg_msgseg *seg;
|
|
|
|
security_msg_msg_free(msg);
|
|
|
|
seg = msg->next;
|
|
kfree(msg);
|
|
while (seg != NULL) {
|
|
struct msg_msgseg *tmp = seg->next;
|
|
|
|
cond_resched();
|
|
kfree(seg);
|
|
seg = tmp;
|
|
}
|
|
}
|