sched/rt.c: pick and check task if double_lock_balance() unlock the rq

hulk inclusion category: bugfix bugzilla: 47435 CVE: NA --------------------------- push_rt_task() pick the first pushable task and find an eligible lowest_rq, then double_lock_balance(rq, lowest_rq). So if double_lock_balance() unlock the rq (when double_lock_balance() return 1), we have to check if this task is still on the rq. The problem is that the check conditions are not sufficient: if (unlikely(task_rq(task) != rq || !cpumask_test_cpu(lowest_rq->cpu, &task->cpus_allowed) || task_running(rq, task) || !rt_task(task) || !task_on_rq_queued(task))) { cpu2 cpu1 cpu0 push_rt_task(rq1) pick task_A on rq1 find rq0 double_lock_balance(rq1, rq0) unlock(rq1) rq1 __schedule pick task_A run task_A sleep (dequeued) lock(rq0) lock(rq1) do_above_check(task_A) task_rq(task_A) == rq1 cpus_allowed unchanged task_running == false rt_task(task_A) == true try_to_wake_up(task_A) select_cpu = cpu3 enqueue(rq3, task_A) task_A->on_rq = 1 task_on_rq_queued(task_A) above_check passed, return rq0 ... migrate task_A from rq1 to rq0 So we can't rely on these checks of task_A to make sure the task_A is still on the rq1, even though we hold the rq1->lock. This patch will repick the first pushable task to be sure the task is still on the rq. Signed-off-by: N Zhou Chengming <zhouchengming1@huawei.com> Acked-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: N Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: N Li Bin <huawei.libin@huawei.com> Signed-off-by: N Zhen Lei <thunder.leizhen@huawei.com> [XQ: - backport to 4.4, adjusted context, - use tsk_cpus_allowed() instead of task->cpus_allowed] Link: https://lkml.org/lkml/2017/9/11/26 Link: https://lkml.org/lkml/2018/4/12/246Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N zhangyi (F) <yi.zhang@huawei.com> Reviewed-by: N Hanjun Guo <guohanjun@huawei.com> (cherry picked from commit 6e770352b482bc48c3393530ba36ce2c113c5086) Signed-off-by: N Li Ming <limingming.li@huawei.com> Conflicts: kernel/sched/rt.c Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

sched/rt.c: pick and check task if double_lock_balance() unlock the rq
hulk inclusion category: bugfix bugzilla: 47435 CVE: NA --------------------------- push_rt_task() pick the first pushable task and find an eligible lowest_rq, then double_lock_balance(rq, lowest_rq). So if double_lock_balance() unlock the rq (when double_lock_balance() return 1), we have to check if this task is still on the rq. The problem is that the check conditions are not sufficient: if (unlikely(task_rq(task) != rq || !cpumask_test_cpu(lowest_rq->cpu, &task->cpus_allowed) || task_running(rq, task) || !rt_task(task) || !task_on_rq_queued(task))) { cpu2 cpu1 cpu0 push_rt_task(rq1) pick task_A on rq1 find rq0 double_lock_balance(rq1, rq0) unlock(rq1) rq1 __schedule pick task_A run task_A sleep (dequeued) lock(rq0) lock(rq1) do_above_check(task_A) task_rq(task_A) == rq1 cpus_allowed unchanged task_running == false rt_task(task_A) == true try_to_wake_up(task_A) select_cpu = cpu3 enqueue(rq3, task_A) task_A->on_rq = 1 task_on_rq_queued(task_A) above_check passed, return rq0 ... migrate task_A from rq1 to rq0 So we can't rely on these checks of task_A to make sure the task_A is still on the rq1, even though we hold the rq1->lock. This patch will repick the first pushable task to be sure the task is still on the rq. Signed-off-by: N Zhou Chengming <zhouchengming1@huawei.com> Acked-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: N Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: N Li Bin <huawei.libin@huawei.com> Signed-off-by: N Zhen Lei <thunder.leizhen@huawei.com> [XQ: - backport to 4.4, adjusted context, - use tsk_cpus_allowed() instead of task->cpus_allowed] Link: https://lkml.org/lkml/2017/9/11/26 Link: https://lkml.org/lkml/2018/4/12/246Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N zhangyi (F) <yi.zhang@huawei.com> Reviewed-by: N Hanjun Guo <guohanjun@huawei.com> (cherry picked from commit 6e770352b482bc48c3393530ba36ce2c113c5086) Signed-off-by: N Li Ming <limingming.li@huawei.com> Conflicts: kernel/sched/rt.c Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
f419a4f3 · Zhou Chengming · Zheng Zengkai · 2d79abe4 · f419a4f3
显示空白变更内容
内联并排

Showing with 23 addition and 27 deletion

kernel/sched/rt.c kernel/sched/rt.c +23 -27

未找到文件。
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -1777,6 +1777,26 @@ static int find_lowest_rq(struct task_struct *task)
 	return -1;
 }

+static struct task_struct *pick_next_pushable_task(struct rq *rq)
+{
+	struct task_struct *p;
+
+	if (!has_pushable_tasks(rq))
+		return NULL;
+
+	p = plist_first_entry(&rq->rt.pushable_tasks,
+			      struct task_struct, pushable_tasks);
+
+	BUG_ON(rq->cpu != task_cpu(p));
+	BUG_ON(task_current(rq, p));
+	BUG_ON(p->nr_cpus_allowed <= 1);
+
+	BUG_ON(!task_on_rq_queued(p));
+	BUG_ON(!rt_task(p));
+
+	return p;
+}
+
 /* Will lock the rq it finds */
 static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
 {
@@ -1808,14 +1828,10 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
 			 * We had to unlock the run queue. In
 			 * the mean time, task could have
 			 * migrated already or had its affinity changed.
-			 * Also make sure that it wasn't scheduled on its rq.
 			 */
-			if (unlikely(task_rq(task) != rq ||
-				     !cpumask_test_cpu(lowest_rq->cpu, task->cpus_ptr) ||
-				     task_running(rq, task) ||
-				     !rt_task(task) ||
-				     !task_on_rq_queued(task))) {
-
+			struct task_struct *next_task = pick_next_pushable_task(rq);
+			if (unlikely(next_task != task ||
+				     !cpumask_test_cpu(lowest_rq->cpu, task->cpus_ptr))) {
 				double_unlock_balance(rq, lowest_rq);
 				lowest_rq = NULL;
 				break;
@@ -1834,26 +1850,6 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
 	return lowest_rq;
 }

-static struct task_struct *pick_next_pushable_task(struct rq *rq)
-{
-	struct task_struct *p;
-
-	if (!has_pushable_tasks(rq))
-		return NULL;
-
-	p = plist_first_entry(&rq->rt.pushable_tasks,
-			      struct task_struct, pushable_tasks);
-
-	BUG_ON(rq->cpu != task_cpu(p));
-	BUG_ON(task_current(rq, p));
-	BUG_ON(p->nr_cpus_allowed <= 1);
-
-	BUG_ON(!task_on_rq_queued(p));
-	BUG_ON(!rt_task(p));
-
-	return p;
-}
-
 /*
 * If the current CPU has more than one RT task, see if the non
 * running task can migrate over to a CPU that is running a task