Re: [PATCH RFC v3 2/3] sbitmap: fix invalid wakeup on the wrong waitqueue

From: Yu Kuai
Date: Tue Jul 12 2022 - 09:26:53 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH 0/5] Add support for Xiaomi Poco F1 EBBG variant"
Previous message: Andy Shevchenko: "Re: [PATCH] serial: 8250_dw: Avoid pslverr on reading empty receiver fifo"
In reply to: Jan Kara: "Re: [PATCH RFC v3 2/3] sbitmap: fix invalid wakeup on the wrong waitqueue"
Next in thread: Yu Kuai: "[PATCH RFC v3 3/3] sbitmap: fix that 'wait_cnt' can be decreased while waitqueue is empty"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

在 2022/07/11 22:26, Jan Kara 写道:

On Sun 10-07-22 12:21:59, Yu Kuai wrote:

From: Yu Kuai <yukuai3@xxxxxxxxxx>

For example, 2 * wake_batch tags are put, while only wake_batch threads
are woken:

__sbq_wake_up
atomic_cmpxchg -> reset wait_cnt
__sbq_wake_up -> decrease wait_cnt
...
__sbq_wake_up -> wait_cnt is decreased to 0 again
atomic_cmpxchg
sbq_index_atomic_inc -> increase wake_index
wake_up_nr -> wake up and waitqueue might be empty
sbq_index_atomic_inc -> increase again, one waitqueue is skipped
wake_up_nr -> invalid wake up because old wakequeue might be empty

To fix the problem, increasing 'wake_index' before resetting 'wait_cnt'.

Fixes: 88459642cba4 ("blk-mq: abstract tag allocation out into sbitmap library")
Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx>

This patch and the following one look sane to me but please merge them to a
single patch. They fix the same race of two concurrent wakers just with a
slightly different timing so there isn't a point in having two patches for
this (in particular changes in this patch are difficult to reason about
when we know the result is still buggy).

Ok, I'll merge them.

Thanks,
Kuai

Honza

---
lib/sbitmap.c | 45 +++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/lib/sbitmap.c b/lib/sbitmap.c
index b46fce1beb3a..57095dd88a33 100644
--- a/lib/sbitmap.c
+++ b/lib/sbitmap.c
@@ -616,32 +616,33 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
return false;
wait_cnt = atomic_dec_return(&ws->wait_cnt);
- if (wait_cnt <= 0) {
- int ret;
+ if (wait_cnt > 0)
+ return false;
- wake_batch = READ_ONCE(sbq->wake_batch);
+ /*
+ * For concurrent callers of this, callers should call this function
+ * again to wakeup a new batch on a different 'ws'.
+ */
+ if (wait_cnt < 0)
+ return true;
- /*
- * Pairs with the memory barrier in sbitmap_queue_resize() to
- * ensure that we see the batch size update before the wait
- * count is reset.
- */
- smp_mb__before_atomic();
+ wake_batch = READ_ONCE(sbq->wake_batch);
- /*
- * For concurrent callers of this, the one that failed the
- * atomic_cmpxhcg() race should call this function again
- * to wakeup a new batch on a different 'ws'.
- */
- ret = atomic_cmpxchg(&ws->wait_cnt, wait_cnt, wake_batch);
- if (ret == wait_cnt) {
- sbq_index_atomic_inc(&sbq->wake_index);
- wake_up_nr(&ws->wait, wake_batch);
- return false;
- }
+ /*
+ * Pairs with the memory barrier in sbitmap_queue_resize() to
+ * ensure that we see the batch size update before the wait
+ * count is reset.
+ */
+ smp_mb__before_atomic();
- return true;
- }
+ /*
+ * Increase wake_index before updating wait_cnt, otherwise concurrent
+ * callers can see valid wait_cnt in old waitqueue, which can cause
+ * invalid wakeup on the old waitqueue.
+ */
+ sbq_index_atomic_inc(&sbq->wake_index);
+ atomic_set(&ws->wait_cnt, wake_batch);
+ wake_up_nr(&ws->wait, wake_batch);
return false;
}
--
2.31.1

Next message: Krzysztof Kozlowski: "Re: [PATCH 0/5] Add support for Xiaomi Poco F1 EBBG variant"
Previous message: Andy Shevchenko: "Re: [PATCH] serial: 8250_dw: Avoid pslverr on reading empty receiver fifo"
In reply to: Jan Kara: "Re: [PATCH RFC v3 2/3] sbitmap: fix invalid wakeup on the wrong waitqueue"
Next in thread: Yu Kuai: "[PATCH RFC v3 3/3] sbitmap: fix that 'wait_cnt' can be decreased while waitqueue is empty"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]