| Message ID | 20221122173648.793640919@linutronix.de (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | timers: Provide timer_shutdown[_sync]() | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
On Tue, 22 Nov 2022, Thomas Gleixner wrote: > Tearing down timers which have circular dependencies to other > functionality, e.g. workqueues, where the timer can schedule work and work > can arm timers is not trivial. NIT (comma is missing): can arm timer, is not trivial. > In those cases it is desired to shutdown the timer in a way which prevents > rearming of the timer. The mechanism to do so it to set timer->function to s/to do so it/to do so is/ > NULL and use this as an indicator for the timer arming functions to ignore > the (re)arm request. > > In preparation for that replace the warnings in the relevant code pathes > with checks for timer->function == NULL and discard the rearm request > silently. Here is a verb missing that this is a grammatically correct (and understandable) sentence. > Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function) > checks so that debug objects can warn about non-initialized timers. > > If developers fail to enable debug objects and then waste lots of time to > figure out why their non-initialized timer is not firing, they deserve it. > > Co-developed-by: Steven Rostedt <rostedt@goodmis.org> > Signed-off-by: Steven Rostedt <rostedt@goodmis.org> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Tested-by: Guenter Roeck <linux@roeck-us.net> > Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home > Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org > --- > V2: Use continue instead of return and amend the return value docs (Steven) > --- > kernel/time/timer.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++----- > 1 file changed, 55 insertions(+), 5 deletions(-) > > --- a/kernel/time/timer.c > +++ b/kernel/time/timer.c > @@ -1128,8 +1144,12 @@ static inline int > * mod_timer_pending() is the same for pending timers as mod_timer(), but > * will not activate inactive timers. > * > + * If @timer->function == NULL then the start operation is silently > + * discarded. > + * > * Return: > - * * %0 - The timer was inactive and not modified > + * * %0 - The timer was inactive and not modified or was is in > + * shutdown state and the operation was discarded Do you mean "was" or "is"? Please have also a look at the places where you use the same phrase. > * * %1 - The timer was active and requeued to expire at @expires > */ > int mod_timer_pending(struct timer_list *timer, unsigned long expires) > @@ -1155,8 +1175,12 @@ EXPORT_SYMBOL(mod_timer_pending); > * same timer, then mod_timer() is the only safe way to modify the timeout, > * since add_timer() cannot modify an already running timer. > * > + * If @timer->function == NULL then the start operation is silently > + * discarded, the return value is 0 and meaningless. It's easier to read, if you make a dot instead of comma. Thanks, Anna-Maria
On Tue, 22 Nov 2022, Thomas Gleixner wrote: > Tearing down timers which have circular dependencies to other > functionality, e.g. workqueues, where the timer can schedule work and work > can arm timers is not trivial. > > In those cases it is desired to shutdown the timer in a way which prevents > rearming of the timer. The mechanism to do so it to set timer->function to > NULL and use this as an indicator for the timer arming functions to ignore > the (re)arm request. > > In preparation for that replace the warnings in the relevant code pathes > with checks for timer->function == NULL and discard the rearm request > silently. > > Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function) > checks so that debug objects can warn about non-initialized timers. > > If developers fail to enable debug objects and then waste lots of time to > figure out why their non-initialized timer is not firing, they deserve it. > > Co-developed-by: Steven Rostedt <rostedt@goodmis.org> > Signed-off-by: Steven Rostedt <rostedt@goodmis.org> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Tested-by: Guenter Roeck <linux@roeck-us.net> > Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home > Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org > --- > V2: Use continue instead of return and amend the return value docs (Steven) > --- > kernel/time/timer.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++----- > 1 file changed, 55 insertions(+), 5 deletions(-) > > --- a/kernel/time/timer.c > +++ b/kernel/time/timer.c > @@ -1202,6 +1230,9 @@ EXPORT_SYMBOL(timer_reduce); > * > * If @timer->expires is already in the past @timer will be queued to > * expire at the next timer tick. > + * > + * If @timer->function == NULL then the start operation is silently > + * discarded. > */ > void add_timer(struct timer_list *timer) > { Could you move the new paragraph after the paragraph where is is mentioned, that timer->function has to be set prior calling add_timer()? Thanks, Anna-Maria
On Tue, 22 Nov 2022, Thomas Gleixner wrote: > Tearing down timers which have circular dependencies to other > functionality, e.g. workqueues, where the timer can schedule work and work > can arm timers is not trivial. > > In those cases it is desired to shutdown the timer in a way which prevents > rearming of the timer. The mechanism to do so it to set timer->function to > NULL and use this as an indicator for the timer arming functions to ignore > the (re)arm request. > > In preparation for that replace the warnings in the relevant code pathes > with checks for timer->function == NULL and discard the rearm request > silently. > > Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function) > checks so that debug objects can warn about non-initialized timers. Could you expand this paragraph, so that is is not missleading when a reader is not aware of the details of debug objects? Otherwise it seems to the reader that debug objects will warn when timer->function == NULL. The warning of debug objects does not cover the original WARN_ON_ONCE(!timer->function). It warns when timer was not initialized using timer_setup[_on_stack]() or via DEFINE_TIMER(). > If developers fail to enable debug objects and then waste lots of time to > figure out why their non-initialized timer is not firing, they deserve it. Thanks, Anna-Maria
On Wed, Nov 23 2022 at 12:06, Anna-Maria Behnsen wrote: > On Tue, 22 Nov 2022, Thomas Gleixner wrote: >> Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function) >> checks so that debug objects can warn about non-initialized timers. > > Could you expand this paragraph, so that is is not missleading when a > reader is not aware of the details of debug objects? Otherwise it seems to > the reader that debug objects will warn when timer->function == NULL. > > The warning of debug objects does not cover the original > WARN_ON_ONCE(!timer->function). It warns when timer was not initialized > using timer_setup[_on_stack]() or via DEFINE_TIMER(). Good point.
--- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1017,7 +1017,7 @@ static inline int unsigned int idx = UINT_MAX; int ret = 0; - BUG_ON(!timer->function); + debug_assert_init(timer); /* * This is a common optimization triggered by the networking code - if @@ -1044,6 +1044,14 @@ static inline int * dequeue/enqueue dance. */ base = lock_timer_base(timer, &flags); + /* + * Has @timer been shutdown? This needs to be evaluated + * while holding base lock to prevent a race against the + * shutdown code. + */ + if (!timer->function) + goto out_unlock; + forward_timer_base(base); if (timer_pending(timer) && (options & MOD_TIMER_REDUCE) && @@ -1070,6 +1078,14 @@ static inline int } } else { base = lock_timer_base(timer, &flags); + /* + * Has @timer been shutdown? This needs to be evaluated + * while holding base lock to prevent a race against the + * shutdown code. + */ + if (!timer->function) + goto out_unlock; + forward_timer_base(base); } @@ -1128,8 +1144,12 @@ static inline int * mod_timer_pending() is the same for pending timers as mod_timer(), but * will not activate inactive timers. * + * If @timer->function == NULL then the start operation is silently + * discarded. + * * Return: - * * %0 - The timer was inactive and not modified + * * %0 - The timer was inactive and not modified or was is in + * shutdown state and the operation was discarded * * %1 - The timer was active and requeued to expire at @expires */ int mod_timer_pending(struct timer_list *timer, unsigned long expires) @@ -1155,8 +1175,12 @@ EXPORT_SYMBOL(mod_timer_pending); * same timer, then mod_timer() is the only safe way to modify the timeout, * since add_timer() cannot modify an already running timer. * + * If @timer->function == NULL then the start operation is silently + * discarded, the return value is 0 and meaningless. + * * Return: - * * %0 - The timer was inactive and started + * * %0 - The timer was inactive and started or was is in shutdown + * state and the operation was discarded * * %1 - The timer was active and requeued to expire at @expires or * the timer was active and not modified because @expires did * not change the effective expiry time @@ -1176,8 +1200,12 @@ EXPORT_SYMBOL(mod_timer); * modify an enqueued timer if that would reduce the expiration time. If * @timer is not enqueued it starts the timer. * + * If @timer->function == NULL then the start operation is silently + * discarded. + * * Return: - * * %0 - The timer was inactive and started + * * %0 - The timer was inactive and started or was is in shutdown + * state and the operation was discarded * * %1 - The timer was active and requeued to expire at @expires or * the timer was active and not modified because @expires * did not change the effective expiry time such that the @@ -1202,6 +1230,9 @@ EXPORT_SYMBOL(timer_reduce); * * If @timer->expires is already in the past @timer will be queued to * expire at the next timer tick. + * + * If @timer->function == NULL then the start operation is silently + * discarded. */ void add_timer(struct timer_list *timer) { @@ -1218,13 +1249,18 @@ EXPORT_SYMBOL(add_timer); * * This can only operate on an inactive timer. Attempts to invoke this on * an active timer are rejected with a warning. + * + * If @timer->function == NULL then the start operation is silently + * discarded. */ void add_timer_on(struct timer_list *timer, int cpu) { struct timer_base *new_base, *base; unsigned long flags; - if (WARN_ON_ONCE(timer_pending(timer) || !timer->function)) + debug_assert_init(timer); + + if (WARN_ON_ONCE(timer_pending(timer))) return; new_base = get_timer_cpu_base(timer->flags, cpu); @@ -1235,6 +1271,13 @@ void add_timer_on(struct timer_list *tim * wrong base locked. See lock_timer_base(). */ base = lock_timer_base(timer, &flags); + /* + * Has @timer been shutdown? This needs to be evaluated while + * holding base lock to prevent a race against the shutdown code. + */ + if (!timer->function) + goto out_unlock; + if (base != new_base) { timer->flags |= TIMER_MIGRATING; @@ -1248,6 +1291,7 @@ void add_timer_on(struct timer_list *tim debug_timer_activate(timer); internal_add_timer(base, timer); +out_unlock: raw_spin_unlock_irqrestore(&base->lock, flags); } EXPORT_SYMBOL_GPL(add_timer_on); @@ -1537,6 +1581,12 @@ static void expire_timers(struct timer_b fn = timer->function; + if (WARN_ON_ONCE(!fn)) { + /* Should never happen. Emphasis on should! */ + base->running_timer = NULL; + continue; + } + if (timer->flags & TIMER_IRQSAFE) { raw_spin_unlock(&base->lock); call_timer_fn(timer, fn, baseclk);