From: Corey Minyard <cminyard@xxxxxxxxxx>

The function call do_wait_for_common() has a race condition that can result in lockups waiting for completions. Adding the thread to (and removing the thread from) the wait queue for the completion is done outside the do loop in that function. However, if the thread is woken up, the swake_up_locked() function will delete the entry from the wait queue. If that happens and another thread sneaks in and decrements the done count in the completion to zero, the loop will go around again, but the thread will no longer be in the wait queue, so there is no way to wake it up.

Fix it by adding/removing the thread to/from the wait queue inside the do loop.

Fixes: a04ff6b4ec4ee7e ("completion: Use simple wait queues")
Signed-off-by: Corey Minyard <cminyard@xxxxxxxxxx>
---
I sent the wrong version of this, I had spotted this before but didn't fix it here. Adding the thread to the wait queue needs to come after the signal check. Sorry about the noise.

kernel/sched/completion.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/sched/completion.c b/kernel/sched/completion.c index 755a58084978..4f9b4cc0c95a 100644 --- a/kernel/sched/completion.c +++ b/kernel/sched/completion.c @@ -70,20 +70,20 @@ do_wait_for_common(struct completion *x, long (*action)(long), long timeout, int state) { if (!x->done) { - DECLARE_SWAITQUEUE(wait); - - __prepare_to_swait(&x->wait, &wait); do { + DECLARE_SWAITQUEUE(wait); + if (signal_pending_state(state, current)) { timeout = -ERESTARTSYS; break; } + __prepare_to_swait(&x->wait, &wait); __set_current_state(state); raw_spin_unlock_irq(&x->wait.lock); timeout = action(timeout); raw_spin_lock_irq(&x->wait.lock); + __finish_swait(&x->wait, &wait); } while (!x->done && timeout); - __finish_swait(&x->wait, &wait); if (!x->done) return timeout; } -- 2.17.1
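
Review bot: The signal_pending_state() break at the top of the loop now leaves the function without a matching __finish_swait(), and nothing in the code says why that is safe. It is safe only because the entry is not yet queued on the first pass and is removed by the new __finish_swait() at the end of every pass; please add a comment at the break (or above the do) stating that invariant, since moving __prepare_to_swait() back above the signal check, which is the mistake the note under the --- describes, would leave a function-local wait entry queued on x->wait after return. Separately, DECLARE_SWAITQUEUE(wait) does not obviously need to move into the loop body for this fix: if __finish_swait() leaves the entry reusable, keeping the declaration where it was and moving only the __prepare_to_swait()/__finish_swait() pair would give a smaller diff and avoid redeclaring the entry on each pass. A short comment above __prepare_to_swait() noting that the wakeup path removes the entry, as the commit message explains, would also keep a later cleanup from hoisting it out of the loop again.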