From patchwork Fri Jan 27 20:59:08 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Douglas Miller <dougmill@linux.vnet.ibm.com>
X-Patchwork-Id: 9542657
Return-Path: <linux-block-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	BE40A601D7 for <patchwork-linux-block@patchwork.kernel.org>;
	Fri, 27 Jan 2017 20:59:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B0AD228111
	for <patchwork-linux-block@patchwork.kernel.org>;
	Fri, 27 Jan 2017 20:59:18 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A58CC2824F; Fri, 27 Jan 2017 20:59:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4A7B228111
	for <patchwork-linux-block@patchwork.kernel.org>;
	Fri, 27 Jan 2017 20:59:18 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751336AbdA0U7R (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Fri, 27 Jan 2017 15:59:17 -0500
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:34660 "EHLO
	mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
	by vger.kernel.org with ESMTP id S1751315AbdA0U7Q (ORCPT
	<rfc822;linux-block@vger.kernel.org>);
	Fri, 27 Jan 2017 15:59:16 -0500
Received: from pps.filterd (m0098414.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id
	v0RKwmFY004353
	for <linux-block@vger.kernel.org>; Fri, 27 Jan 2017 15:59:15 -0500
Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154])
	by mx0b-001b2d01.pphosted.com with ESMTP id 2888fvbrsx-1
	(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)
	for <linux-block@vger.kernel.org>; Fri, 27 Jan 2017 15:59:15 -0500
Received: from localhost
	by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <linux-block@vger.kernel.org> from <dougmill@linux.vnet.ibm.com>;
	Fri, 27 Jan 2017 13:59:14 -0700
Received: from d03dlp03.boulder.ibm.com (9.17.202.179)
	by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway:
	Authorized Use Only! Violators will be prosecuted;
	Fri, 27 Jan 2017 13:59:12 -0700
Received: from b03cxnp08026.gho.boulder.ibm.com
	(b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by d03dlp03.boulder.ibm.com (Postfix) with ESMTP id 26C4419D801C;
	Fri, 27 Jan 2017 13:58:27 -0700 (MST)
Received: from b03ledav001.gho.boulder.ibm.com
	(b03ledav001.gho.boulder.ibm.com [9.17.130.232])
	by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with
	ESMTP id v0RKxC9f11403730; Fri, 27 Jan 2017 13:59:12 -0700
Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 019236E03D;
	Fri, 27 Jan 2017 13:59:12 -0700 (MST)
Received: from oc5780617838.ibm.com (unknown [9.80.98.47])
	by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP id 0B26E6E038;
	Fri, 27 Jan 2017 13:59:10 -0700 (MST)
From: Douglas Miller <dougmill@linux.vnet.ibm.com>
To: linux-kernel@vger.kernel.org, Christoph Lameter <cl@linux.com>,
	Tejun Heo <tj@kernel.org>
Cc: linux-block@vger.kernel.org,
	Douglas Miller <dougmill@linux.vnet.ibm.com>,
	Guilherme Piccoli <gpiccoli@br.ibm.com>
Subject: [PATCH 1/1] percpu-refcount: fix reference leak during
	percpu-atomic transition
Date: Fri, 27 Jan 2017 14:59:08 -0600
X-Mailer: git-send-email 1.7.1
X-TM-AS-GCONF: 00
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 17012720-0020-0000-0000-00000B338057
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00006508; HX=3.00000240; KW=3.00000007;
	PH=3.00000004; SC=3.00000201; SDB=6.00813603; UDB=6.00396918;
	IPR=6.00591018;
	BA=6.00005093; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;
	ZB=6.00000000;
	ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014078;
	XFM=3.00000011; UTC=2017-01-27 20:59:14
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 17012720-0021-0000-0000-00005998297C
Message-Id: <1485550748-28075-1-git-send-email-dougmill@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
	definitions=2017-01-27_15:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
	spamscore=0 suspectscore=0
	malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
	adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000
	definitions=main-1701270203
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

percpu_ref_tryget() and percpu_ref_tryget_live() should return
"true" IFF they acquire a reference. But the return value from
atomic_long_inc_not_zero() is a long and may have high bits set,
e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines
is bool so the reference may actually be acquired but the routines
return "false" which results in a reference leak since the caller
assumes it does not need to do a corresponding percpu_ref_put().

This was seen when performing CPU hotplug during I/O, as hangs in
blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start)
raced with percpu_ref_tryget (blk_mq_timeout_work).
Sample stack trace:

__switch_to+0x2c0/0x450
__schedule+0x2f8/0x970
schedule+0x48/0xc0
blk_mq_freeze_queue_wait+0x94/0x120
blk_mq_queue_reinit_work+0xb8/0x180
blk_mq_queue_reinit_prepare+0x84/0xa0
cpuhp_invoke_callback+0x17c/0x600
cpuhp_up_callbacks+0x58/0x150
_cpu_up+0xf0/0x1c0
do_cpu_up+0x120/0x150
cpu_subsys_online+0x64/0xe0
device_online+0xb4/0x120
online_store+0xb4/0xc0
dev_attr_store+0x68/0xa0
sysfs_kf_write+0x80/0xb0
kernfs_fop_write+0x17c/0x250
__vfs_write+0x6c/0x1e0
vfs_write+0xd0/0x270
SyS_write+0x6c/0x110
system_call+0x38/0xe0

Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS,
and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests.
However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0
and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set.

The fix is to make the tryget routines return an actual boolean instead
of the atomic long result truncated to a bool.

Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints
Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751
Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
Reviewed-by: Jens Axboe <axboe@fb.com>
---
 include/linux/percpu-refcount.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/percpu-refcount.h b/include/linux/percpu-refcount.h
index 1c7eec0..88dc96b 100644
--- a/include/linux/percpu-refcount.h
+++ b/include/linux/percpu-refcount.h
@@ -212,7 +212,7 @@ static inline bool percpu_ref_tryget(struct percpu_ref *ref)
 		this_cpu_inc(*percpu_count);
 		ret = true;
 	} else {
-		ret = atomic_long_inc_not_zero(&ref->count);
+		ret = (atomic_long_inc_not_zero(&ref->count) != 0);
 	}
 
 	rcu_read_unlock_sched();
@@ -246,7 +246,7 @@ static inline bool percpu_ref_tryget_live(struct percpu_ref *ref)
 		this_cpu_inc(*percpu_count);
 		ret = true;
 	} else if (!(ref->percpu_count_ptr & __PERCPU_REF_DEAD)) {
-		ret = atomic_long_inc_not_zero(&ref->count);
+		ret = (atomic_long_inc_not_zero(&ref->count) != 0);
 	}
 
 	rcu_read_unlock_sched();