tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[AF_IUCV/IUCV]: smp_call_function deadlock

Calling smp_call_function can lead to a deadlock if it is called
from tasklet context.
Fixing this deadlock requires to move the smp_call_function from the
tasklet context to a work queue. To do that queue the path pending
interrupts to a separate list and move the path cleanup out of
iucv_path_sever to iucv_path_connect and iucv_path_pending.
This creates a new requirement for iucv_path_connect: it may not be
called from tasklet context anymore.
Also fixed compile problem for CONFIG_HOTPLUG_CPU=n and
another one when walking the cpu_online mask. When doing this,
we must disable cpu hotplug.

Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Martin Schwidefsky and committed by
David S. Miller 04b090d5 d0772b70

+133 -74
+1 -1
include/net/iucv/iucv.h
··· 16 16 * completed a register, it can exploit the other functions. 17 17 * For furthur reference on all IUCV functionality, refer to the 18 18 * CP Programming Services book, also available on the web thru 19 - * www.ibm.com/s390/vm/pubs, manual # SC24-5760 19 + * www.vm.ibm.com/pubs, manual # SC24-6084 20 20 * 21 21 * Definition of Return Codes 22 22 * - All positive return codes including zero are reflected back
+132 -73
net/iucv/iucv.c
··· 90 90 u32 res2[8]; 91 91 }; 92 92 93 - struct iucv_work { 93 + struct iucv_irq_list { 94 94 struct list_head list; 95 95 struct iucv_irq_data data; 96 96 }; 97 - 98 - static LIST_HEAD(iucv_work_queue); 99 - static DEFINE_SPINLOCK(iucv_work_lock); 100 97 101 98 static struct iucv_irq_data *iucv_irq_data; 102 99 static cpumask_t iucv_buffer_cpumask = CPU_MASK_NONE; 103 100 static cpumask_t iucv_irq_cpumask = CPU_MASK_NONE; 104 101 105 - static void iucv_tasklet_handler(unsigned long); 106 - static DECLARE_TASKLET(iucv_tasklet, iucv_tasklet_handler,0); 102 + /* 103 + * Queue of interrupt buffers lock for delivery via the tasklet 104 + * (fast but can't call smp_call_function). 105 + */ 106 + static LIST_HEAD(iucv_task_queue); 107 + 108 + /* 109 + * The tasklet for fast delivery of iucv interrupts. 110 + */ 111 + static void iucv_tasklet_fn(unsigned long); 112 + static DECLARE_TASKLET(iucv_tasklet, iucv_tasklet_fn,0); 113 + 114 + /* 115 + * Queue of interrupt buffers for delivery via a work queue 116 + * (slower but can call smp_call_function). 117 + */ 118 + static LIST_HEAD(iucv_work_queue); 119 + 120 + /* 121 + * The work element to deliver path pending interrupts. 122 + */ 123 + static void iucv_work_fn(struct work_struct *work); 124 + static DECLARE_WORK(iucv_work, iucv_work_fn); 125 + 126 + /* 127 + * Spinlock protecting task and work queue. 128 + */ 129 + static DEFINE_SPINLOCK(iucv_queue_lock); 107 130 108 131 enum iucv_command_codes { 109 132 IUCV_QUERY = 0, ··· 170 147 static DEFINE_SPINLOCK(iucv_table_lock); 171 148 172 149 /* 173 - * iucv_tasklet_cpu: contains the number of the cpu executing the tasklet. 174 - * Needed for iucv_path_sever called from tasklet. 150 + * iucv_active_cpu: contains the number of the cpu executing the tasklet 151 + * or the work handler. Needed for iucv_path_sever called from tasklet. 175 152 */ 176 - static int iucv_tasklet_cpu = -1; 153 + static int iucv_active_cpu = -1; 177 154 178 155 /* 179 156 * Mutex and wait queue for iucv_register/iucv_unregister. ··· 472 449 { 473 450 int cpu; 474 451 452 + preempt_disable(); 475 453 for_each_online_cpu(cpu) 476 454 /* Enable all cpus with a declared buffer. */ 477 455 if (cpu_isset(cpu, iucv_buffer_cpumask) && 478 456 !cpu_isset(cpu, iucv_irq_cpumask)) 479 457 smp_call_function_on(iucv_allow_cpu, NULL, 0, 1, cpu); 458 + preempt_enable(); 480 459 } 481 460 482 461 /** 483 462 * iucv_setmask_up 484 463 * 485 - * Allow iucv interrupts on a single cpus. 464 + * Allow iucv interrupts on a single cpu. 486 465 */ 487 466 static void iucv_setmask_up(void) 488 467 { ··· 518 493 goto out; 519 494 /* Declare per cpu buffers. */ 520 495 rc = -EIO; 496 + preempt_disable(); 521 497 for_each_online_cpu(cpu) 522 498 smp_call_function_on(iucv_declare_cpu, NULL, 0, 1, cpu); 499 + preempt_enable(); 523 500 if (cpus_empty(iucv_buffer_cpumask)) 524 501 /* No cpu could declare an iucv buffer. */ 525 502 goto out_path; ··· 611 584 return iucv_call_b2f0(IUCV_SEVER, parm); 612 585 } 613 586 587 + #ifdef CONFIG_SMP 614 588 /** 615 - * __iucv_cleanup_pathid 589 + * __iucv_cleanup_queue 616 590 * @dummy: unused dummy argument 617 591 * 618 592 * Nop function called via smp_call_function to force work items from 619 593 * pending external iucv interrupts to the work queue. 620 594 */ 621 - static void __iucv_cleanup_pathid(void *dummy) 595 + static void __iucv_cleanup_queue(void *dummy) 622 596 { 623 597 } 598 + #endif 624 599 625 600 /** 626 - * iucv_cleanup_pathid 627 - * @pathid: 16 bit pathid 601 + * iucv_cleanup_queue 628 602 * 629 603 * Function called after a path has been severed to find all remaining 630 604 * work items for the now stale pathid. The caller needs to hold the 631 605 * iucv_table_lock. 632 606 */ 633 - static void iucv_cleanup_pathid(u16 pathid) 607 + static void iucv_cleanup_queue(void) 634 608 { 635 - struct iucv_work *p, *n; 609 + struct iucv_irq_list *p, *n; 636 610 637 611 /* 638 - * Path is severed, the pathid can be reused immediatly on 639 - * a iucv connect or a connection pending interrupt. 640 - * iucv_path_connect and connection pending interrupt will 641 - * wait until the iucv_table_lock is released before the 642 - * recycled pathid enters the system. 643 - * Force remaining interrupts to the work queue, then 644 - * scan the work queue for items of this path. 612 + * When a path is severed, the pathid can be reused immediatly 613 + * on a iucv connect or a connection pending interrupt. Remove 614 + * all entries from the task queue that refer to a stale pathid 615 + * (iucv_path_table[ix] == NULL). Only then do the iucv connect 616 + * or deliver the connection pending interrupt. To get all the 617 + * pending interrupts force them to the work queue by calling 618 + * an empty function on all cpus. 645 619 */ 646 - smp_call_function(__iucv_cleanup_pathid, NULL, 0, 1); 647 - spin_lock_irq(&iucv_work_lock); 648 - list_for_each_entry_safe(p, n, &iucv_work_queue, list) { 649 - /* Remove work items for pathid except connection pending */ 650 - if (p->data.ippathid == pathid && p->data.iptype != 0x01) { 620 + smp_call_function(__iucv_cleanup_queue, NULL, 0, 1); 621 + spin_lock_irq(&iucv_queue_lock); 622 + list_for_each_entry_safe(p, n, &iucv_task_queue, list) { 623 + /* Remove stale work items from the task queue. */ 624 + if (iucv_path_table[p->data.ippathid] == NULL) { 651 625 list_del(&p->list); 652 626 kfree(p); 653 627 } 654 628 } 655 - spin_unlock_irq(&iucv_work_lock); 629 + spin_unlock_irq(&iucv_queue_lock); 656 630 } 657 631 658 632 /** ··· 712 684 iucv_sever_pathid(p->pathid, NULL); 713 685 iucv_path_table[p->pathid] = NULL; 714 686 list_del(&p->list); 715 - iucv_cleanup_pathid(p->pathid); 716 687 iucv_path_free(p); 717 688 } 718 689 spin_unlock_bh(&iucv_table_lock); ··· 784 757 union iucv_param *parm; 785 758 int rc; 786 759 787 - preempt_disable(); 788 - if (iucv_tasklet_cpu != smp_processor_id()) 789 - spin_lock_bh(&iucv_table_lock); 760 + BUG_ON(in_atomic()); 761 + spin_lock_bh(&iucv_table_lock); 762 + iucv_cleanup_queue(); 790 763 parm = percpu_ptr(iucv_param, smp_processor_id()); 791 764 memset(parm, 0, sizeof(union iucv_param)); 792 765 parm->ctrl.ipmsglim = path->msglim; ··· 821 794 rc = -EIO; 822 795 } 823 796 } 824 - if (iucv_tasklet_cpu != smp_processor_id()) 825 - spin_unlock_bh(&iucv_table_lock); 826 - preempt_enable(); 797 + spin_unlock_bh(&iucv_table_lock); 827 798 return rc; 828 799 } 829 800 ··· 892 867 893 868 894 869 preempt_disable(); 895 - if (iucv_tasklet_cpu != smp_processor_id()) 870 + if (iucv_active_cpu != smp_processor_id()) 896 871 spin_lock_bh(&iucv_table_lock); 897 872 rc = iucv_sever_pathid(path->pathid, userdata); 898 873 if (!rc) { 899 874 iucv_path_table[path->pathid] = NULL; 900 875 list_del_init(&path->list); 901 - iucv_cleanup_pathid(path->pathid); 902 876 } 903 - if (iucv_tasklet_cpu != smp_processor_id()) 877 + if (iucv_active_cpu != smp_processor_id()) 904 878 spin_unlock_bh(&iucv_table_lock); 905 879 preempt_enable(); 906 880 return rc; ··· 1268 1244 struct iucv_path_complete *ipc = (void *) data; 1269 1245 struct iucv_path *path = iucv_path_table[ipc->ippathid]; 1270 1246 1271 - BUG_ON(!path || !path->handler); 1272 - if (path->handler->path_complete) 1247 + if (path && path->handler && path->handler->path_complete) 1273 1248 path->handler->path_complete(path, ipc->ipuser); 1274 1249 } 1275 1250 ··· 1296 1273 struct iucv_path_severed *ips = (void *) data; 1297 1274 struct iucv_path *path = iucv_path_table[ips->ippathid]; 1298 1275 1299 - BUG_ON(!path || !path->handler); 1276 + if (!path || !path->handler) /* Already severed */ 1277 + return; 1300 1278 if (path->handler->path_severed) 1301 1279 path->handler->path_severed(path, ips->ipuser); 1302 1280 else { 1303 1281 iucv_sever_pathid(path->pathid, NULL); 1304 1282 iucv_path_table[path->pathid] = NULL; 1305 1283 list_del_init(&path->list); 1306 - iucv_cleanup_pathid(path->pathid); 1307 1284 iucv_path_free(path); 1308 1285 } 1309 1286 } ··· 1332 1309 struct iucv_path_quiesced *ipq = (void *) data; 1333 1310 struct iucv_path *path = iucv_path_table[ipq->ippathid]; 1334 1311 1335 - BUG_ON(!path || !path->handler); 1336 - if (path->handler->path_quiesced) 1312 + if (path && path->handler && path->handler->path_quiesced) 1337 1313 path->handler->path_quiesced(path, ipq->ipuser); 1338 1314 } 1339 1315 ··· 1360 1338 struct iucv_path_resumed *ipr = (void *) data; 1361 1339 struct iucv_path *path = iucv_path_table[ipr->ippathid]; 1362 1340 1363 - BUG_ON(!path || !path->handler); 1364 - if (path->handler->path_resumed) 1341 + if (path && path->handler && path->handler->path_resumed) 1365 1342 path->handler->path_resumed(path, ipr->ipuser); 1366 1343 } 1367 1344 ··· 1392 1371 struct iucv_path *path = iucv_path_table[imc->ippathid]; 1393 1372 struct iucv_message msg; 1394 1373 1395 - BUG_ON(!path || !path->handler); 1396 - if (path->handler->message_complete) { 1374 + if (path && path->handler && path->handler->message_complete) { 1397 1375 msg.flags = imc->ipflags1; 1398 1376 msg.id = imc->ipmsgid; 1399 1377 msg.audit = imc->ipaudit; ··· 1437 1417 struct iucv_path *path = iucv_path_table[imp->ippathid]; 1438 1418 struct iucv_message msg; 1439 1419 1440 - BUG_ON(!path || !path->handler); 1441 - if (path->handler->message_pending) { 1420 + if (path && path->handler && path->handler->message_pending) { 1442 1421 msg.flags = imp->ipflags1; 1443 1422 msg.id = imp->ipmsgid; 1444 1423 msg.class = imp->iptrgcls; ··· 1452 1433 } 1453 1434 1454 1435 /** 1455 - * iucv_tasklet_handler: 1436 + * iucv_tasklet_fn: 1456 1437 * 1457 1438 * This tasklet loops over the queue of irq buffers created by 1458 1439 * iucv_external_interrupt, calls the appropriate action handler 1459 1440 * and then frees the buffer. 1460 1441 */ 1461 - static void iucv_tasklet_handler(unsigned long ignored) 1442 + static void iucv_tasklet_fn(unsigned long ignored) 1462 1443 { 1463 1444 typedef void iucv_irq_fn(struct iucv_irq_data *); 1464 1445 static iucv_irq_fn *irq_fn[] = { 1465 - [0x01] = iucv_path_pending, 1466 1446 [0x02] = iucv_path_complete, 1467 1447 [0x03] = iucv_path_severed, 1468 1448 [0x04] = iucv_path_quiesced, ··· 1471 1453 [0x08] = iucv_message_pending, 1472 1454 [0x09] = iucv_message_pending, 1473 1455 }; 1474 - struct iucv_work *p; 1456 + struct list_head task_queue = LIST_HEAD_INIT(task_queue); 1457 + struct iucv_irq_list *p, *n; 1475 1458 1476 1459 /* Serialize tasklet, iucv_path_sever and iucv_path_connect. */ 1477 1460 spin_lock(&iucv_table_lock); 1478 - iucv_tasklet_cpu = smp_processor_id(); 1461 + iucv_active_cpu = smp_processor_id(); 1479 1462 1480 - spin_lock_irq(&iucv_work_lock); 1481 - while (!list_empty(&iucv_work_queue)) { 1482 - p = list_entry(iucv_work_queue.next, struct iucv_work, list); 1463 + spin_lock_irq(&iucv_queue_lock); 1464 + list_splice_init(&iucv_task_queue, &task_queue); 1465 + spin_unlock_irq(&iucv_queue_lock); 1466 + 1467 + list_for_each_entry_safe(p, n, &task_queue, list) { 1483 1468 list_del_init(&p->list); 1484 - spin_unlock_irq(&iucv_work_lock); 1485 1469 irq_fn[p->data.iptype](&p->data); 1486 1470 kfree(p); 1487 - spin_lock_irq(&iucv_work_lock); 1488 1471 } 1489 - spin_unlock_irq(&iucv_work_lock); 1490 1472 1491 - iucv_tasklet_cpu = -1; 1473 + iucv_active_cpu = -1; 1492 1474 spin_unlock(&iucv_table_lock); 1475 + } 1476 + 1477 + /** 1478 + * iucv_work_fn: 1479 + * 1480 + * This work function loops over the queue of path pending irq blocks 1481 + * created by iucv_external_interrupt, calls the appropriate action 1482 + * handler and then frees the buffer. 1483 + */ 1484 + static void iucv_work_fn(struct work_struct *work) 1485 + { 1486 + typedef void iucv_irq_fn(struct iucv_irq_data *); 1487 + struct list_head work_queue = LIST_HEAD_INIT(work_queue); 1488 + struct iucv_irq_list *p, *n; 1489 + 1490 + /* Serialize tasklet, iucv_path_sever and iucv_path_connect. */ 1491 + spin_lock_bh(&iucv_table_lock); 1492 + iucv_active_cpu = smp_processor_id(); 1493 + 1494 + spin_lock_irq(&iucv_queue_lock); 1495 + list_splice_init(&iucv_work_queue, &work_queue); 1496 + spin_unlock_irq(&iucv_queue_lock); 1497 + 1498 + iucv_cleanup_queue(); 1499 + list_for_each_entry_safe(p, n, &work_queue, list) { 1500 + list_del_init(&p->list); 1501 + iucv_path_pending(&p->data); 1502 + kfree(p); 1503 + } 1504 + 1505 + iucv_active_cpu = -1; 1506 + spin_unlock_bh(&iucv_table_lock); 1493 1507 } 1494 1508 1495 1509 /** ··· 1529 1479 * @code: irq code 1530 1480 * 1531 1481 * Handles external interrupts coming in from CP. 1532 - * Places the interrupt buffer on a queue and schedules iucv_tasklet_handler(). 1482 + * Places the interrupt buffer on a queue and schedules iucv_tasklet_fn(). 1533 1483 */ 1534 1484 static void iucv_external_interrupt(u16 code) 1535 1485 { 1536 1486 struct iucv_irq_data *p; 1537 - struct iucv_work *work; 1487 + struct iucv_irq_list *work; 1538 1488 1539 1489 p = percpu_ptr(iucv_irq_data, smp_processor_id()); 1540 1490 if (p->ippathid >= iucv_max_pathid) { ··· 1548 1498 printk(KERN_ERR "iucv_do_int: unknown iucv interrupt\n"); 1549 1499 return; 1550 1500 } 1551 - work = kmalloc(sizeof(struct iucv_work), GFP_ATOMIC); 1501 + work = kmalloc(sizeof(struct iucv_irq_list), GFP_ATOMIC); 1552 1502 if (!work) { 1553 1503 printk(KERN_WARNING "iucv_external_interrupt: out of memory\n"); 1554 1504 return; 1555 1505 } 1556 1506 memcpy(&work->data, p, sizeof(work->data)); 1557 - spin_lock(&iucv_work_lock); 1558 - list_add_tail(&work->list, &iucv_work_queue); 1559 - spin_unlock(&iucv_work_lock); 1560 - tasklet_schedule(&iucv_tasklet); 1507 + spin_lock(&iucv_queue_lock); 1508 + if (p->iptype == 0x01) { 1509 + /* Path pending interrupt. */ 1510 + list_add_tail(&work->list, &iucv_work_queue); 1511 + schedule_work(&iucv_work); 1512 + } else { 1513 + /* The other interrupts. */ 1514 + list_add_tail(&work->list, &iucv_task_queue); 1515 + tasklet_schedule(&iucv_tasklet); 1516 + } 1517 + spin_unlock(&iucv_queue_lock); 1561 1518 } 1562 1519 1563 1520 /** ··· 1634 1577 */ 1635 1578 static void iucv_exit(void) 1636 1579 { 1637 - struct iucv_work *p, *n; 1580 + struct iucv_irq_list *p, *n; 1638 1581 1639 - spin_lock_irq(&iucv_work_lock); 1582 + spin_lock_irq(&iucv_queue_lock); 1583 + list_for_each_entry_safe(p, n, &iucv_task_queue, list) 1584 + kfree(p); 1640 1585 list_for_each_entry_safe(p, n, &iucv_work_queue, list) 1641 1586 kfree(p); 1642 - spin_unlock_irq(&iucv_work_lock); 1587 + spin_unlock_irq(&iucv_queue_lock); 1643 1588 unregister_hotcpu_notifier(&iucv_cpu_notifier); 1644 1589 percpu_free(iucv_param); 1645 1590 percpu_free(iucv_irq_data);