tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

workqueue: Fix pwq->nr_in_flight corruption in try_to_grab_pending()

dd6c3c544126 ("workqueue: Move pwq_dec_nr_in_flight() to the end of work
item handling") relocated pwq_dec_nr_in_flight() after
set_work_pool_and_keep_pending(). However, the latter destroys information
contained in work->data that's needed by pwq_dec_nr_in_flight() including
the flush color. With flush color destroyed, flush_workqueue() can stall
easily when mixed with cancel_work*() usages.

This is easily triggered by running xfstests generic/001 test on xfs:

INFO: task umount:6305 blocked for more than 122 seconds.
...
task:umount state:D stack:13008 pid:6305 tgid:6305 ppid:6301 flags:0x00004000
Call Trace:
<TASK>
__schedule+0x2f6/0xa20
schedule+0x36/0xb0
schedule_timeout+0x20b/0x280
wait_for_completion+0x8a/0x140
__flush_workqueue+0x11a/0x3b0
xfs_inodegc_flush+0x24/0xf0
xfs_unmountfs+0x14/0x180
xfs_fs_put_super+0x3d/0x90
generic_shutdown_super+0x7c/0x160
kill_block_super+0x1b/0x40
xfs_kill_sb+0x12/0x30
deactivate_locked_super+0x35/0x90
deactivate_super+0x42/0x50
cleanup_mnt+0x109/0x170
__cleanup_mnt+0x12/0x20
task_work_run+0x60/0x90
syscall_exit_to_user_mode+0x146/0x150
do_syscall_64+0x5d/0x110
entry_SYSCALL_64_after_hwframe+0x6c/0x74

Fix it by stashing work_data before calling set_work_pool_and_keep_pending()
and using the stashed value for pwq_dec_nr_in_flight().

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Link: http://lkml.kernel.org/r/87o7cxeehy.fsf@debian-BULLSEYE-live-builder-AMD64
Fixes: dd6c3c544126 ("workqueue: Move pwq_dec_nr_in_flight() to the end of work item handling")

Tejun Heo c70e1779 3e0bc285

+8 -2
+8 -2
kernel/workqueue.c
··· 1999 1999 */ 2000 2000 pwq = get_work_pwq(work); 2001 2001 if (pwq && pwq->pool == pool) { 2002 + unsigned long work_data; 2003 + 2002 2004 debug_work_deactivate(work); 2003 2005 2004 2006 /* ··· 2018 2016 2019 2017 list_del_init(&work->entry); 2020 2018 2021 - /* work->data points to pwq iff queued, point to pool */ 2019 + /* 2020 + * work->data points to pwq iff queued. Let's point to pool. As 2021 + * this destroys work->data needed by the next step, stash it. 2022 + */ 2023 + work_data = *work_data_bits(work); 2022 2024 set_work_pool_and_keep_pending(work, pool->id); 2023 2025 2024 2026 /* must be the last step, see the function comment */ 2025 - pwq_dec_nr_in_flight(pwq, *work_data_bits(work)); 2027 + pwq_dec_nr_in_flight(pwq, work_data); 2026 2028 2027 2029 raw_spin_unlock(&pool->lock); 2028 2030 rcu_read_unlock();