[PATCH] cpu hotplug: Prevent Page Fault in cpuhp_remove_callbacks()
From: Ethan Barnes
Date: Wed Jul 19 2017 - 18:36:55 EST
Hi,
There is a page fault in cpu hotplug when removing the callbacks for the
last dynamic state.
The last dynamic state will not be removed, causing a page fault when
hotplug thinks the callbacks still exists and calls it.
The problem is as follows:
- __cpuhp_remove_state() eventually calls cpuhp_store_callbacks() with
NULLs for most params.
- If state is the last state (i.e. CPUHP_AP_ONLINE_DYN or
CPUHP_BP_PREPARE_STATE) then cpuhp_store_callbacks() calls
cpuhp_reserve_state(), which returns the *next* available DYN state.
- The NULLs are stored in that *next* state (i.e. AP_ONLINE_DYN + 1 or
BP_PREPARE_DYN + 1) instead of in AP_ONLINE_DYN or BP_PREPARE_DYN. Thus,
the last state is never cleared. The callbacks now point to invalid memory.
- When the cpu is onlined again and/or offlined, then the invalid
callback is invoked, causing a page fault.
The patch above solves this by detecting when a state is being removed,
and not calling cpuhp_reserve_state().
I have brought this up before, but hoping to get some traction on it
this time:
https://lkml.org/lkml/2017/7/5/574
Thx,
Ethan
Signed-off-by: Ethan Barnes <ethan.barnes@xxxxxxxxxxx>
---
diff --git a/kernel/cpu.c b/kernel/cpu.c
index eee0331..f7fda16 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1252,7 +1252,8 @@ static int cpuhp_store_callbacks(enum cpuhp_state
state, const char *name,
struct cpuhp_step *sp;
int ret = 0;
- if (state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN) {
+ if (name &&
+ (state == CPUHP_AP_ONLINE_DYN || state ==
CPUHP_BP_PREPARE_DYN)) {
ret = cpuhp_reserve_state(state);
if (ret < 0)
return ret;