Commit 611dcd14 authored Nov 07, 2024 by Greg Kroah-Hartman Committed by Xiangwei Li Nov 07, 2024

rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() deadlocks

mainline inclusion
from mainline-v6.9-rc1
commit 46faf9d8e1d52e4a91c382c6c72da6bd8e68297b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9E
CVE: CVE-2024-49926

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=46faf9d8e1d52e4a91c382c6c72da6bd8e68297b

--------------------------------

Holding a mutex across synchronize_rcu_tasks() and acquiring
that same mutex in code called from do_exit() after its call to
exit_tasks_rcu_start() but before its call to exit_tasks_rcu_stop()
results in deadlock.  This is by design, because tasks that are far
enough into do_exit() are no longer present on the tasks list, making
it a bit difficult for RCU Tasks to find them, let alone wait on them
to do a voluntary context switch.  However, such deadlocks are becoming
more frequent.  In addition, lockdep currently does not detect such
deadlocks and they can be difficult to reproduce.

In addition, if a task voluntarily context switches during that time
(for example, if it blocks acquiring a mutex), then this task is in an
RCU Tasks quiescent state.  And with some adjustments, RCU Tasks could
just as well take advantage of that fact.

This commit therefore initializes the data structures that will be needed
to rely on these quiescent states and to eliminate these deadlocks.

Link: https://lore.kernel.org/all/20240118021842.290665-1-chenzhongjin@huawei.com/



Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
Reported-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Tested-by: Yang Jihong <yangjihong1@huawei.com>
Tested-by: Chen Zhongjin <chenzhongjin@huawei.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Stable-dep-of: fd70e9f1d85f ("rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Xiangwei Li <liwei728@huawei.com>

parent 502789c7

init/init_task.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -156,6 +156,7 @@ struct task_struct init_task
		.rcu_tasks_holdout = false,
		.rcu_tasks_holdout_list = LIST_HEAD_INIT(init_task.rcu_tasks_holdout_list),
		.rcu_tasks_idle_cpu = -1,
		.rcu_tasks_exit_list = LIST_HEAD_INIT(init_task.rcu_tasks_exit_list),
		#endif
		#ifdef CONFIG_TASKS_TRACE_RCU
		.trc_reader_nesting = 0,

kernel/fork.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -2034,6 +2034,7 @@ static inline void rcu_copy_process(struct task_struct *p)
		p->rcu_tasks_holdout = false;
		INIT_LIST_HEAD(&p->rcu_tasks_holdout_list);
		p->rcu_tasks_idle_cpu = -1;
		INIT_LIST_HEAD(&p->rcu_tasks_exit_list);
		#endif /* #ifdef CONFIG_TASKS_RCU */
		#ifdef CONFIG_TASKS_TRACE_RCU
		p->trc_reader_nesting = 0;

kernel/rcu/tasks.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -277,6 +277,8 @@ static void cblist_init_generic(struct rcu_tasks *rtp)
		rtpcp->rtpp = rtp;
		if (!rtpcp->rtp_blkd_tasks.next)
		INIT_LIST_HEAD(&rtpcp->rtp_blkd_tasks);
		if (!rtpcp->rtp_exit_list.next)
		INIT_LIST_HEAD(&rtpcp->rtp_exit_list);
		}

		pr_info("%s: Setting shift to %d and lim to %d rcu_task_cb_adjust=%d.\n", rtp->name,