/* * Ptrace test for TAR, PPR, DSCR registers in the TM Suspend context * * Copyright (C) 2015 Anshuman Khandual, IBM Corporation. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ #include "ptrace.h" #include "tm.h" #include "ptrace-tar.h" int shm_id; int *cptr, *pptr; __attribute__((used)) void wait_parent(void) { cptr[2] = 1; while (!cptr[1]) asm volatile("" : : : "memory"); } void tm_spd_tar(void) { unsigned long result, texasr; unsigned long regs[3]; int ret; cptr = (int *)shmat(shm_id, NULL, 0); trans: cptr[2] = 0; asm __volatile__( "li 4, %[tar_1];" "mtspr %[sprn_tar], 4;" /* TAR_1 */ "li 4, %[dscr_1];" "mtspr %[sprn_dscr], 4;" /* DSCR_1 */ "or 31,31,31;" /* PPR_1*/ "1: ;" "tbegin.;" "beq 2f;" "li 4, %[tar_2];" "mtspr %[sprn_tar], 4;" /* TAR_2 */ "li 4, %[dscr_2];" "mtspr %[sprn_dscr], 4;" /* DSCR_2 */ "or 1,1,1;" /* PPR_2 */ "tsuspend.;" "li 4, %[tar_3];" "mtspr %[sprn_tar], 4;" /* TAR_3 */ "li 4, %[dscr_3];" "mtspr %[sprn_dscr], 4;" /* DSCR_3 */ "or 6,6,6;" /* PPR_3 */ "bl wait_parent;" "tresume.;" "tend.;" "li 0, 0;" "ori %[res], 0, 0;" "b 3f;" /* Transaction abort handler */ "2: ;" "li 0, 1;" "ori %[res], 0, 0;" "mfspr %[texasr], %[sprn_texasr];" "3: ;" : [res] "=r" (result), [texasr] "=r" (texasr) : [val] "r" (cptr[1]), [sprn_dscr]"i"(SPRN_DSCR), [sprn_tar]"i"(SPRN_TAR), [sprn_ppr]"i"(SPRN_PPR), [sprn_texasr]"i"(SPRN_TEXASR), [tar_1]"i"(TAR_1), [dscr_1]"i"(DSCR_1), [tar_2]"i"(TAR_2), [dscr_2]"i"(DSCR_2), [tar_3]"i"(TAR_3), [dscr_3]"i"(DSCR_3) : "memory", "r0", "r1", "r3", "r4", "r5", "r6" ); /* TM failed, analyse */ if (result) { if (!cptr[0]) goto trans; regs[0] = mfspr(SPRN_TAR); regs[1] = mfspr(SPRN_PPR); regs[2] = mfspr(SPRN_DSCR); shmdt(&cptr); printf("%-30s TAR: %lu PPR: %lx DSCR: %lu\n", user_read, regs[0], regs[1], regs[2]); ret = validate_tar_registers(regs, TAR_4, PPR_4, DSCR_4); if (ret) exit(1); exit(0); } shmdt(&cptr); exit(1); } int trace_tm_spd_tar(pid_t child) { unsigned long regs[3]; FAIL_IF(start_trace(child)); FAIL_IF(show_tar_registers(child, regs)); printf("%-30s TAR: %lu PPR: %lx DSCR: %lu\n", ptrace_read_running, regs[0], regs[1], regs[2]); FAIL_IF(validate_tar_registers(regs, TAR_3, PPR_3, DSCR_3)); FAIL_IF(show_tm_checkpointed_state(child, regs)); printf("%-30s TAR: %lu PPR: %lx DSCR: %lu\n", ptrace_read_ckpt, regs[0], regs[1], regs[2]); FAIL_IF(validate_tar_registers(regs, TAR_1, PPR_1, DSCR_1)); FAIL_IF(write_ckpt_tar_registers(child, TAR_4, PPR_4, DSCR_4)); printf("%-30s TAR: %u PPR: %lx DSCR: %u\n", ptrace_write_ckpt, TAR_4, PPR_4, DSCR_4); pptr[0] = 1; pptr[1] = 1; FAIL_IF(stop_trace(child)); return TEST_PASS; } int ptrace_tm_spd_tar(void) { pid_t pid; int ret, status; SKIP_IF(!have_htm()); shm_id = shmget(IPC_PRIVATE, sizeof(int) * 3, 0777|IPC_CREAT); pid = fork(); if (pid == 0) tm_spd_tar(); pptr = (int *)shmat(shm_id, NULL, 0); pptr[0] = 0; pptr[1] = 0; if (pid) { while (!pptr[2]) asm volatile("" : : : "memory"); ret = trace_tm_spd_tar(pid); if (ret) { kill(pid, SIGTERM); shmdt(&pptr); shmctl(shm_id, IPC_RMID, NULL); return TEST_FAIL; } shmdt(&pptr); ret = wait(&status); shmctl(shm_id, IPC_RMID, NULL); if (ret != pid) { printf("Child's exit status not captured\n"); return TEST_FAIL; } return (WIFEXITED(status) && WEXITSTATUS(status)) ? TEST_FAIL : TEST_PASS; } return TEST_PASS; } int main(int argc, char *argv[]) { return test_harness(ptrace_tm_spd_tar, "ptrace_tm_spd_tar"); } fec09e0144dc3341'/>
context:
space:
mode:
authorDouglas Miller <dougmill@linux.vnet.ibm.com>2017-01-28 06:42:20 -0600
committerTejun Heo <tj@kernel.org>2017-01-28 07:49:42 -0500
commit966d2b04e070bc040319aaebfec09e0144dc3341 (patch)
tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /include/uapi/rdma/mthca-abi.h
parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'include/uapi/rdma/mthca-abi.h')