1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * Regression1
4*4882a593Smuzhiyun * Description:
5*4882a593Smuzhiyun * Salman Qazi describes the following radix-tree bug:
6*4882a593Smuzhiyun *
7*4882a593Smuzhiyun * In the following case, we get can get a deadlock:
8*4882a593Smuzhiyun *
9*4882a593Smuzhiyun * 0. The radix tree contains two items, one has the index 0.
10*4882a593Smuzhiyun * 1. The reader (in this case find_get_pages) takes the rcu_read_lock.
11*4882a593Smuzhiyun * 2. The reader acquires slot(s) for item(s) including the index 0 item.
12*4882a593Smuzhiyun * 3. The non-zero index item is deleted, and as a consequence the other item
13*4882a593Smuzhiyun * is moved to the root of the tree. The place where it used to be is queued
14*4882a593Smuzhiyun * for deletion after the readers finish.
15*4882a593Smuzhiyun * 3b. The zero item is deleted, removing it from the direct slot, it remains in
16*4882a593Smuzhiyun * the rcu-delayed indirect node.
17*4882a593Smuzhiyun * 4. The reader looks at the index 0 slot, and finds that the page has 0 ref
18*4882a593Smuzhiyun * count
19*4882a593Smuzhiyun * 5. The reader looks at it again, hoping that the item will either be freed
20*4882a593Smuzhiyun * or the ref count will increase. This never happens, as the slot it is
21*4882a593Smuzhiyun * looking at will never be updated. Also, this slot can never be reclaimed
22*4882a593Smuzhiyun * because the reader is holding rcu_read_lock and is in an infinite loop.
23*4882a593Smuzhiyun *
24*4882a593Smuzhiyun * The fix is to re-use the same "indirect" pointer case that requires a slot
25*4882a593Smuzhiyun * lookup retry into a general "retry the lookup" bit.
26*4882a593Smuzhiyun *
27*4882a593Smuzhiyun * Running:
28*4882a593Smuzhiyun * This test should run to completion in a few seconds. The above bug would
29*4882a593Smuzhiyun * cause it to hang indefinitely.
30*4882a593Smuzhiyun *
31*4882a593Smuzhiyun * Upstream commit:
32*4882a593Smuzhiyun * Not yet
33*4882a593Smuzhiyun */
34*4882a593Smuzhiyun #include <linux/kernel.h>
35*4882a593Smuzhiyun #include <linux/gfp.h>
36*4882a593Smuzhiyun #include <linux/slab.h>
37*4882a593Smuzhiyun #include <linux/radix-tree.h>
38*4882a593Smuzhiyun #include <linux/rcupdate.h>
39*4882a593Smuzhiyun #include <stdlib.h>
40*4882a593Smuzhiyun #include <pthread.h>
41*4882a593Smuzhiyun #include <stdio.h>
42*4882a593Smuzhiyun #include <assert.h>
43*4882a593Smuzhiyun
44*4882a593Smuzhiyun #include "regression.h"
45*4882a593Smuzhiyun
46*4882a593Smuzhiyun static RADIX_TREE(mt_tree, GFP_KERNEL);
47*4882a593Smuzhiyun
48*4882a593Smuzhiyun struct page {
49*4882a593Smuzhiyun pthread_mutex_t lock;
50*4882a593Smuzhiyun struct rcu_head rcu;
51*4882a593Smuzhiyun int count;
52*4882a593Smuzhiyun unsigned long index;
53*4882a593Smuzhiyun };
54*4882a593Smuzhiyun
page_alloc(int index)55*4882a593Smuzhiyun static struct page *page_alloc(int index)
56*4882a593Smuzhiyun {
57*4882a593Smuzhiyun struct page *p;
58*4882a593Smuzhiyun p = malloc(sizeof(struct page));
59*4882a593Smuzhiyun p->count = 1;
60*4882a593Smuzhiyun p->index = index;
61*4882a593Smuzhiyun pthread_mutex_init(&p->lock, NULL);
62*4882a593Smuzhiyun
63*4882a593Smuzhiyun return p;
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun
page_rcu_free(struct rcu_head * rcu)66*4882a593Smuzhiyun static void page_rcu_free(struct rcu_head *rcu)
67*4882a593Smuzhiyun {
68*4882a593Smuzhiyun struct page *p = container_of(rcu, struct page, rcu);
69*4882a593Smuzhiyun assert(!p->count);
70*4882a593Smuzhiyun pthread_mutex_destroy(&p->lock);
71*4882a593Smuzhiyun free(p);
72*4882a593Smuzhiyun }
73*4882a593Smuzhiyun
page_free(struct page * p)74*4882a593Smuzhiyun static void page_free(struct page *p)
75*4882a593Smuzhiyun {
76*4882a593Smuzhiyun call_rcu(&p->rcu, page_rcu_free);
77*4882a593Smuzhiyun }
78*4882a593Smuzhiyun
find_get_pages(unsigned long start,unsigned int nr_pages,struct page ** pages)79*4882a593Smuzhiyun static unsigned find_get_pages(unsigned long start,
80*4882a593Smuzhiyun unsigned int nr_pages, struct page **pages)
81*4882a593Smuzhiyun {
82*4882a593Smuzhiyun XA_STATE(xas, &mt_tree, start);
83*4882a593Smuzhiyun struct page *page;
84*4882a593Smuzhiyun unsigned int ret = 0;
85*4882a593Smuzhiyun
86*4882a593Smuzhiyun rcu_read_lock();
87*4882a593Smuzhiyun xas_for_each(&xas, page, ULONG_MAX) {
88*4882a593Smuzhiyun if (xas_retry(&xas, page))
89*4882a593Smuzhiyun continue;
90*4882a593Smuzhiyun
91*4882a593Smuzhiyun pthread_mutex_lock(&page->lock);
92*4882a593Smuzhiyun if (!page->count)
93*4882a593Smuzhiyun goto unlock;
94*4882a593Smuzhiyun
95*4882a593Smuzhiyun /* don't actually update page refcount */
96*4882a593Smuzhiyun pthread_mutex_unlock(&page->lock);
97*4882a593Smuzhiyun
98*4882a593Smuzhiyun /* Has the page moved? */
99*4882a593Smuzhiyun if (unlikely(page != xas_reload(&xas)))
100*4882a593Smuzhiyun goto put_page;
101*4882a593Smuzhiyun
102*4882a593Smuzhiyun pages[ret] = page;
103*4882a593Smuzhiyun ret++;
104*4882a593Smuzhiyun continue;
105*4882a593Smuzhiyun unlock:
106*4882a593Smuzhiyun pthread_mutex_unlock(&page->lock);
107*4882a593Smuzhiyun put_page:
108*4882a593Smuzhiyun xas_reset(&xas);
109*4882a593Smuzhiyun }
110*4882a593Smuzhiyun rcu_read_unlock();
111*4882a593Smuzhiyun return ret;
112*4882a593Smuzhiyun }
113*4882a593Smuzhiyun
114*4882a593Smuzhiyun static pthread_barrier_t worker_barrier;
115*4882a593Smuzhiyun
regression1_fn(void * arg)116*4882a593Smuzhiyun static void *regression1_fn(void *arg)
117*4882a593Smuzhiyun {
118*4882a593Smuzhiyun rcu_register_thread();
119*4882a593Smuzhiyun
120*4882a593Smuzhiyun if (pthread_barrier_wait(&worker_barrier) ==
121*4882a593Smuzhiyun PTHREAD_BARRIER_SERIAL_THREAD) {
122*4882a593Smuzhiyun int j;
123*4882a593Smuzhiyun
124*4882a593Smuzhiyun for (j = 0; j < 1000000; j++) {
125*4882a593Smuzhiyun struct page *p;
126*4882a593Smuzhiyun
127*4882a593Smuzhiyun p = page_alloc(0);
128*4882a593Smuzhiyun xa_lock(&mt_tree);
129*4882a593Smuzhiyun radix_tree_insert(&mt_tree, 0, p);
130*4882a593Smuzhiyun xa_unlock(&mt_tree);
131*4882a593Smuzhiyun
132*4882a593Smuzhiyun p = page_alloc(1);
133*4882a593Smuzhiyun xa_lock(&mt_tree);
134*4882a593Smuzhiyun radix_tree_insert(&mt_tree, 1, p);
135*4882a593Smuzhiyun xa_unlock(&mt_tree);
136*4882a593Smuzhiyun
137*4882a593Smuzhiyun xa_lock(&mt_tree);
138*4882a593Smuzhiyun p = radix_tree_delete(&mt_tree, 1);
139*4882a593Smuzhiyun pthread_mutex_lock(&p->lock);
140*4882a593Smuzhiyun p->count--;
141*4882a593Smuzhiyun pthread_mutex_unlock(&p->lock);
142*4882a593Smuzhiyun xa_unlock(&mt_tree);
143*4882a593Smuzhiyun page_free(p);
144*4882a593Smuzhiyun
145*4882a593Smuzhiyun xa_lock(&mt_tree);
146*4882a593Smuzhiyun p = radix_tree_delete(&mt_tree, 0);
147*4882a593Smuzhiyun pthread_mutex_lock(&p->lock);
148*4882a593Smuzhiyun p->count--;
149*4882a593Smuzhiyun pthread_mutex_unlock(&p->lock);
150*4882a593Smuzhiyun xa_unlock(&mt_tree);
151*4882a593Smuzhiyun page_free(p);
152*4882a593Smuzhiyun }
153*4882a593Smuzhiyun } else {
154*4882a593Smuzhiyun int j;
155*4882a593Smuzhiyun
156*4882a593Smuzhiyun for (j = 0; j < 100000000; j++) {
157*4882a593Smuzhiyun struct page *pages[10];
158*4882a593Smuzhiyun
159*4882a593Smuzhiyun find_get_pages(0, 10, pages);
160*4882a593Smuzhiyun }
161*4882a593Smuzhiyun }
162*4882a593Smuzhiyun
163*4882a593Smuzhiyun rcu_unregister_thread();
164*4882a593Smuzhiyun
165*4882a593Smuzhiyun return NULL;
166*4882a593Smuzhiyun }
167*4882a593Smuzhiyun
168*4882a593Smuzhiyun static pthread_t *threads;
regression1_test(void)169*4882a593Smuzhiyun void regression1_test(void)
170*4882a593Smuzhiyun {
171*4882a593Smuzhiyun int nr_threads;
172*4882a593Smuzhiyun int i;
173*4882a593Smuzhiyun long arg;
174*4882a593Smuzhiyun
175*4882a593Smuzhiyun /* Regression #1 */
176*4882a593Smuzhiyun printv(1, "running regression test 1, should finish in under a minute\n");
177*4882a593Smuzhiyun nr_threads = 2;
178*4882a593Smuzhiyun pthread_barrier_init(&worker_barrier, NULL, nr_threads);
179*4882a593Smuzhiyun
180*4882a593Smuzhiyun threads = malloc(nr_threads * sizeof(pthread_t *));
181*4882a593Smuzhiyun
182*4882a593Smuzhiyun for (i = 0; i < nr_threads; i++) {
183*4882a593Smuzhiyun arg = i;
184*4882a593Smuzhiyun if (pthread_create(&threads[i], NULL, regression1_fn, (void *)arg)) {
185*4882a593Smuzhiyun perror("pthread_create");
186*4882a593Smuzhiyun exit(1);
187*4882a593Smuzhiyun }
188*4882a593Smuzhiyun }
189*4882a593Smuzhiyun
190*4882a593Smuzhiyun for (i = 0; i < nr_threads; i++) {
191*4882a593Smuzhiyun if (pthread_join(threads[i], NULL)) {
192*4882a593Smuzhiyun perror("pthread_join");
193*4882a593Smuzhiyun exit(1);
194*4882a593Smuzhiyun }
195*4882a593Smuzhiyun }
196*4882a593Smuzhiyun
197*4882a593Smuzhiyun free(threads);
198*4882a593Smuzhiyun
199*4882a593Smuzhiyun printv(1, "regression test 1, done\n");
200*4882a593Smuzhiyun }
201