sched/membarrier: Fix p->mm->membarrier_state racy load

The membarrier_state field is located within the mm_struct, which
is not guaranteed to exist when used from runqueue-lock-free iteration
on runqueues by the membarrier system call.

Copy the membarrier_state from the mm_struct into the scheduler runqueue
when the scheduler switches between mm.

When registering membarrier for mm, after setting the registration bit
in the mm membarrier state, issue a synchronize_rcu() to ensure the
scheduler observes the change. In order to take care of the case
where a runqueue keeps executing the target mm without swapping to
other mm, iterate over each runqueue and issue an IPI to copy the
membarrier_state from the mm_struct into each runqueue which have the
same mm which state has just been modified.

Move the mm membarrier_state field closer to pgd in mm_struct to use
a cache line already touched by the scheduler switch_mm.

The membarrier_execve() (now membarrier_exec_mmap) hook now needs to
clear the runqueue's membarrier state in addition to clear the mm
membarrier state, so move its implementation into the scheduler
membarrier code so it can access the runqueue structure.

Add memory barrier in membarrier_exec_mmap() prior to clearing
the membarrier state, ensuring memory accesses executed prior to exec
are not reordered with the stores clearing the membarrier state.

As suggested by Linus, move all membarrier.c RCU read-side locks outside
of the for each cpu loops.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Kirill Tkhai <tkhai@yandex.ru>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russell King - ARM Linux admin <linux@armlinux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190919173705.2181-5-mathieu.desnoyers@efficios.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>

3 files changed, 168 insertions, 45 deletions

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 84c71160beb1..2d9a3947bef4 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3358,15 +3358,15 @@ context_switch(struct rq *rq, struct task_struct *prev,
                 else
                         prev->active_mm = NULL;
         } else {                                        // to user
+                membarrier_switch_mm(rq, prev->active_mm, next->mm);
                 /*
                  * sys_membarrier() requires an smp_mb() between setting
-                 * rq->curr and returning to userspace.
+                 * rq->curr / membarrier_switch_mm() and returning to userspace.
                  *
                  * The below provides this either through switch_mm(), or in
                  * case 'prev->active_mm == next->mm' through
                  * finish_task_switch()'s mmdrop().
                  */
-
                 switch_mm_irqs_off(prev->active_mm, next->mm, next);
 
                 if (!prev->mm) {                        // from kernel
diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
index 7ccbd0e19626..070cf433bb9a 100644
--- a/kernel/sched/membarrier.c
+++ b/kernel/sched/membarrier.c
@@ -30,6 +30,39 @@ static void ipi_mb(void *info)
         smp_mb();       /* IPIs should be serializing but paranoid. */
 }
 
+static void ipi_sync_rq_state(void *info)
+{
+        struct mm_struct *mm = (struct mm_struct *) info;
+
+        if (current->mm != mm)
+                return;
+        this_cpu_write(runqueues.membarrier_state,
+                       atomic_read(&mm->membarrier_state));
+        /*
+         * Issue a memory barrier after setting
+         * MEMBARRIER_STATE_GLOBAL_EXPEDITED in the current runqueue to
+         * guarantee that no memory access following registration is reordered
+         * before registration.
+         */
+        smp_mb();
+}
+
+void membarrier_exec_mmap(struct mm_struct *mm)
+{
+        /*
+         * Issue a memory barrier before clearing membarrier_state to
+         * guarantee that no memory access prior to exec is reordered after
+         * clearing this state.
+         */
+        smp_mb();
+        atomic_set(&mm->membarrier_state, 0);
+        /*
+         * Keep the runqueue membarrier_state in sync with this mm
+         * membarrier_state.
+         */
+        this_cpu_write(runqueues.membarrier_state, 0);
+}
+
 static int membarrier_global_expedited(void)
 {
         int cpu;
@@ -56,6 +89,7 @@ static int membarrier_global_expedited(void)
         }
 
         cpus_read_lock();
+        rcu_read_lock();
         for_each_online_cpu(cpu) {
                 struct task_struct *p;
 
@@ -70,17 +104,25 @@ static int membarrier_global_expedited(void)
                 if (cpu == raw_smp_processor_id())
                         continue;
 
-                rcu_read_lock();
+                if (!(READ_ONCE(cpu_rq(cpu)->membarrier_state) &
+                    MEMBARRIER_STATE_GLOBAL_EXPEDITED))
+                        continue;
+
+                /*
+                 * Skip the CPU if it runs a kernel thread. The scheduler
+                 * leaves the prior task mm in place as an optimization when
+                 * scheduling a kthread.
+                 */
                 p = rcu_dereference(cpu_rq(cpu)->curr);
-                if (p && p->mm && (atomic_read(&p->mm->membarrier_state) &
-                                   MEMBARRIER_STATE_GLOBAL_EXPEDITED)) {
-                        if (!fallback)
-                                __cpumask_set_cpu(cpu, tmpmask);
-                        else
-                                smp_call_function_single(cpu, ipi_mb, NULL, 1);
-                }
-                rcu_read_unlock();
+                if (p->flags & PF_KTHREAD)
+                        continue;
+
+                if (!fallback)
+                        __cpumask_set_cpu(cpu, tmpmask);
+                else
+                        smp_call_function_single(cpu, ipi_mb, NULL, 1);
         }
+        rcu_read_unlock();
         if (!fallback) {
                 preempt_disable();
                 smp_call_function_many(tmpmask, ipi_mb, NULL, 1);
@@ -136,6 +178,7 @@ static int membarrier_private_expedited(int flags)
         }
 
         cpus_read_lock();
+        rcu_read_lock();
         for_each_online_cpu(cpu) {
                 struct task_struct *p;
 
@@ -157,8 +200,8 @@ static int membarrier_private_expedited(int flags)
                         else
                                 smp_call_function_single(cpu, ipi_mb, NULL, 1);
                 }
-                rcu_read_unlock();
         }
+        rcu_read_unlock();
         if (!fallback) {
                 preempt_disable();
                 smp_call_function_many(tmpmask, ipi_mb, NULL, 1);
@@ -177,32 +220,78 @@ static int membarrier_private_expedited(int flags)
         return 0;
 }
 
+static int sync_runqueues_membarrier_state(struct mm_struct *mm)
+{
+        int membarrier_state = atomic_read(&mm->membarrier_state);
+        cpumask_var_t tmpmask;
+        int cpu;
+
+        if (atomic_read(&mm->mm_users) == 1 || num_online_cpus() == 1) {
+                this_cpu_write(runqueues.membarrier_state, membarrier_state);
+
+                /*
+                 * For single mm user, we can simply issue a memory barrier
+                 * after setting MEMBARRIER_STATE_GLOBAL_EXPEDITED in the
+                 * mm and in the current runqueue to guarantee that no memory
+                 * access following registration is reordered before
+                 * registration.
+                 */
+                smp_mb();
+                return 0;
+        }
+
+        if (!zalloc_cpumask_var(&tmpmask, GFP_KERNEL))
+                return -ENOMEM;
+
+        /*
+         * For mm with multiple users, we need to ensure all future
+         * scheduler executions will observe @mm's new membarrier
+         * state.
+         */
+        synchronize_rcu();
+
+        /*
+         * For each cpu runqueue, if the task's mm match @mm, ensure that all
+         * @mm's membarrier state set bits are also set in in the runqueue's
+         * membarrier state. This ensures that a runqueue scheduling
+         * between threads which are users of @mm has its membarrier state
+         * updated.
+         */
+        cpus_read_lock();
+        rcu_read_lock();
+        for_each_online_cpu(cpu) {
+                struct rq *rq = cpu_rq(cpu);
+                struct task_struct *p;
+
+                p = rcu_dereference(&rq->curr);
+                if (p && p->mm == mm)
+                        __cpumask_set_cpu(cpu, tmpmask);
+        }
+        rcu_read_unlock();
+
+        preempt_disable();
+        smp_call_function_many(tmpmask, ipi_sync_rq_state, mm, 1);
+        preempt_enable();
+
+        free_cpumask_var(tmpmask);
+        cpus_read_unlock();
+
+        return 0;
+}
+
 static int membarrier_register_global_expedited(void)
 {
         struct task_struct *p = current;
         struct mm_struct *mm = p->mm;
+        int ret;
 
         if (atomic_read(&mm->membarrier_state) &
             MEMBARRIER_STATE_GLOBAL_EXPEDITED_READY)
                 return 0;
         atomic_or(MEMBARRIER_STATE_GLOBAL_EXPEDITED, &mm->membarrier_state);
-        if (atomic_read(&mm->mm_users) == 1) {
-                /*
-                 * For single mm user, single threaded process, we can
-                 * simply issue a memory barrier after setting
-                 * MEMBARRIER_STATE_GLOBAL_EXPEDITED to guarantee that
-                 * no memory access following registration is reordered
-                 * before registration.
-                 */
-                smp_mb();
-        } else {
-                /*
-                 * For multi-mm user threads, we need to ensure all
-                 * future scheduler executions will observe the new
-                 * thread flag state for this mm.
-                 */
-                synchronize_rcu();
-        }
+        ret = sync_runqueues_membarrier_state(mm);
+        if (ret)
+                return ret;
         atomic_or(MEMBARRIER_STATE_GLOBAL_EXPEDITED_READY,
                   &mm->membarrier_state);
 
@@ -213,12 +302,15 @@ static int membarrier_register_private_expedited(int flags)
 {
         struct task_struct *p = current;
         struct mm_struct *mm = p->mm;
-        int state = MEMBARRIER_STATE_PRIVATE_EXPEDITED_READY;
+        int ready_state = MEMBARRIER_STATE_PRIVATE_EXPEDITED_READY,
+            set_state = MEMBARRIER_STATE_PRIVATE_EXPEDITED,
+            ret;
 
         if (flags & MEMBARRIER_FLAG_SYNC_CORE) {
                 if (!IS_ENABLED(CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE))
                         return -EINVAL;
-                state = MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE_READY;
+                ready_state =
+                        MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE_READY;
         }
 
         /*
@@ -226,20 +318,15 @@ static int membarrier_register_private_expedited(int flags)
          * groups, which use the same mm. (CLONE_VM but not
          * CLONE_THREAD).
          */
-        if ((atomic_read(&mm->membarrier_state) & state) == state)
+        if ((atomic_read(&mm->membarrier_state) & ready_state) == ready_state)
                 return 0;
-        atomic_or(MEMBARRIER_STATE_PRIVATE_EXPEDITED, &mm->membarrier_state);
         if (flags & MEMBARRIER_FLAG_SYNC_CORE)
-                atomic_or(MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE,
-                          &mm->membarrier_state);
-        if (atomic_read(&mm->mm_users) != 1) {
-                /*
-                 * Ensure all future scheduler executions will observe the
-                 * new thread flag state for this process.
-                 */
-                synchronize_rcu();
-        }
-        atomic_or(state, &mm->membarrier_state);
+                set_state |= MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE;
+        atomic_or(set_state, &mm->membarrier_state);
+        ret = sync_runqueues_membarrier_state(mm);
+        if (ret)
+                return ret;
+        atomic_or(ready_state, &mm->membarrier_state);
 
         return 0;
 }
@@ -253,8 +340,10 @@ static int membarrier_register_private_expedited(int flags)
  * command specified does not exist, not available on the running
  * kernel, or if the command argument is invalid, this system call
  * returns -EINVAL. For a given command, with flags argument set to 0,
- * this system call is guaranteed to always return the same value until
- * reboot.
+ * if this system call returns -ENOSYS or -EINVAL, it is guaranteed to
+ * always return the same value until reboot. In addition, it can return
+ * -ENOMEM if there is not enough memory available to perform the system
+ * call.
  *
  * All memory accesses performed in program order from each targeted thread
  * is guaranteed to be ordered with respect to sys_membarrier(). If we use
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index b3cb895d14a2..0db2c1b3361e 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -911,6 +911,10 @@ struct rq {
 
         atomic_t                nr_iowait;
 
+#ifdef CONFIG_MEMBARRIER
+        int membarrier_state;
+#endif
+
 #ifdef CONFIG_SMP
         struct root_domain              *rd;
         struct sched_domain __rcu       *sd;
@@ -2438,3 +2442,33 @@ static inline bool sched_energy_enabled(void)
 static inline bool sched_energy_enabled(void) { return false; }
 
 #endif /* CONFIG_ENERGY_MODEL && CONFIG_CPU_FREQ_GOV_SCHEDUTIL */
+
+#ifdef CONFIG_MEMBARRIER
+/*
+ * The scheduler provides memory barriers required by membarrier between:
+ * - prior user-space memory accesses and store to rq->membarrier_state,
+ * - store to rq->membarrier_state and following user-space memory accesses.
+ * In the same way it provides those guarantees around store to rq->curr.
+ */
+static inline void membarrier_switch_mm(struct rq *rq,
+                                        struct mm_struct *prev_mm,
+                                        struct mm_struct *next_mm)
+{
+        int membarrier_state;
+
+        if (prev_mm == next_mm)
+                return;
+
+        membarrier_state = atomic_read(&next_mm->membarrier_state);
+        if (READ_ONCE(rq->membarrier_state) == membarrier_state)
+                return;
+
+        WRITE_ONCE(rq->membarrier_state, membarrier_state);
+}
+#else
+static inline void membarrier_switch_mm(struct rq *rq,
+                                        struct mm_struct *prev_mm,
+                                        struct mm_struct *next_mm)
+{
+}
+#endif