[PATCH 1/3] hrtimer: Fix race between hrtimer_start() and __run_hrtimer()

From: Peter Zijlstra
Date: Wed Apr 15 2015 - 05:55:41 EST

Next message: Peter Zijlstra: "[PATCH 3/3] perf: Fix mux_interval hrtimer wreckage"
Previous message: Peter Zijlstra: "[PATCH 2/3] sched: Cleanup bandwidth timers"
In reply to: Peter Zijlstra: "[PATCH 2/3] sched: Cleanup bandwidth timers"
Next in thread: Thomas Gleixner: "Re: [PATCH 1/3] hrtimer: Fix race between hrtimer_start() and __run_hrtimer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Because we drop cpu_base->lock around calling hrtimer::function, it is
possible for hrtimer_start() to come in between and enqueue the timer.

If hrtimer::function then returns HRTIMER_RESTART we'll hit the BUG_ON
because HRTIMER_STATE_ENQUEUED will be set.

Since the above is a perfectly valid scenario, remove the BUG_ON and
make the enqueue_hrtimer() call conditional on the timer not being
enqueued already.

NOTE: in that concurrent scenario its entirely common for both sites
to want to modify the hrtimer, since hrtimers don't provide
serialization themselves be sure to provide some such that the
hrtimer::function and the hrtimer_start() caller don't both try and
fudge the expiration state at the same time.

To that effect, add a WARN when someone tries to forward an already
enqueued timer.

Fixes: 2d44ae4d7135 ("hrtimer: clean up cpu->base locking tricks")
Cc: Ben Segall <bsegall@xxxxxxxxxx>
Cc: Roman Gushchin <klamm@xxxxxxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Paul Turner <pjt@xxxxxxxxxx>
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
---
kernel/time/hrtimer.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -791,6 +791,9 @@ u64 hrtimer_forward(struct hrtimer *time
if (delta.tv64 < 0)
return 0;

+ if (WARN_ON(timer->state & HRTIMER_STATE_ENQUEUED))
+ return 0;
+
if (interval.tv64 < hrtimer_resolution)
interval.tv64 = hrtimer_resolution;

@@ -1131,11 +1134,14 @@ static void __run_hrtimer(struct hrtimer
* Note: We clear the CALLBACK bit after enqueue_hrtimer and
* we do not reprogramm the event hardware. Happens either in
* hrtimer_start_range_ns() or in hrtimer_interrupt()
+ *
+ * Note: Because we dropped the cpu_base->lock above,
+ * hrtimer_start_range_ns() can have popped in and enqueued the timer
+ * for us already.
*/
- if (restart != HRTIMER_NORESTART) {
- BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
+ if (restart != HRTIMER_NORESTART &&
+ !(timer->state & HRTIMER_STATE_ENQUEUED))
enqueue_hrtimer(timer, base);
- }

WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Zijlstra: "[PATCH 3/3] perf: Fix mux_interval hrtimer wreckage"
Previous message: Peter Zijlstra: "[PATCH 2/3] sched: Cleanup bandwidth timers"
In reply to: Peter Zijlstra: "[PATCH 2/3] sched: Cleanup bandwidth timers"
Next in thread: Thomas Gleixner: "Re: [PATCH 1/3] hrtimer: Fix race between hrtimer_start() and __run_hrtimer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]