I'm writing a kernel module which creates a substantial amount of kernel threads. After dropping the real stuff, the module skeleton is:
#include <linux/kernel.h> #include <linux/sched.h> #include <linux/kthread.h> #include <linux/module.h> #include <linux/slab.h> #include <linux/ktime.h>
MODULE_LICENSE("GPL");
static int nrthreads = 128; module_param(nrthreads, int, 0644);
static int loopcount = 1024; module_param(loopcount, int, 0644);
static struct task_struct **threads; static struct completion done; static atomic_t nrunning;
static int test(void *unused) { int i; ktime_t expires = ktime_set(0, NSEC_PER_MSEC);
for (i = 0; !kthread_should_stop() && i < loopcount; i++) schedule_hrtimeout_range(&expires, 50000, HRTIMER_MODE_REL);
if (atomic_dec_and_test(&nrunning)) complete(&done); return 0; }
static int __init testmod_init(void) { int i, j, err = 0;
atomic_set(&nrunning, 0); init_completion(&done);
threads = kmalloc(nrthreads * sizeof(struct task_struct *), GFP_KERNEL); if (!threads) return -ENOMEM;
for (i = 0; i < nrthreads; i++) { threads[i] = kthread_run(test, NULL, "test/%d", i); if (IS_ERR(threads[i])) { err = PTR_ERR(threads[i]); for (j = 0; j < i; j++) kthread_stop(threads[j]); kfree(threads); return err; } atomic_inc(&nrunning); } return 0; }
static void __exit testmod_exit(void) { wait_for_completion(&done); kfree(threads); }
module_init(testmod_init); module_exit(testmod_exit);
For the most of the cases, it works as expected, at least from 8 to 128 threads. But if I try 'insmod testmod.ko && rmmod testmod', it's possible to catch a very rare crash:
Unable to handle kernel paging request at virtual address 7f18c034 pgd = 80004000 [7f18c034] *pgd=bf232811, *pte=00000000, *ppte=00000000 Internal error: Oops: 80000007 [#1] PREEMPT SMP Modules linked in: [last unloaded: testmod] CPU: 1 Tainted: G O (3.3.0-rc2 #1) PC is at 0x7f18c034 LR is at get_parent_ip+0x10/0x2c pc : [<7f18c034>] lr : [<80053f78>] psr: 600f0113 sp : bf169f90 ip : 00000000 fp : 00000000 r10: 00000000 r9 : 00000000 r8 : 00000000 r7 : 00000013 r6 : 7f18c134 r5 : bf169f90 r4 : 00000366 r3 : 271aee1c r2 : 271aee1c r1 : bf169f18 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5387d Table: bef2404a DAC: 00000015 Process test/126 (pid: 10915, stack limit = 0xbf1682f8) Stack: (0xbf169f90 to 0xbf16a000) 9f80: 000f4240 00000000 bfbb1e4c 00000000 9fa0: 7f18c000 800496e4 00000000 00000000 00000000 00000000 00000000 00000000 9fc0: dead4ead ffffffff ffffffff 805443f8 00000000 00000000 80418f56 bf169fdc 9fe0: bf169fdc 271aee1c bfbb1e4c 80049658 8000eabc 8000eabc 00000000 00000000 Code: bad PC value
Note the PC is bad, and stack is just a nonsense. IIUC, this happens if the kernel calls testmod_exit() and frees module memory _before_ all test/X threads are really dead - i.e. the module memory is freed when at least one of the test/X threads is somewhere in do_exit() or nearby. Is that possible? If yes, what's the better way to ensure that all test/X threads are really gone at some point of testmod_exit()?
Thanks in advance, Dmitry
On 02/01/2012 12:28 PM, Dmitry Antipov wrote:
I'm writing a kernel module which creates a substantial amount of kernel threads. After dropping the real stuff, the module skeleton is:
#include <linux/kernel.h> #include <linux/sched.h> #include <linux/kthread.h> #include <linux/module.h> #include <linux/slab.h> #include <linux/ktime.h>
MODULE_LICENSE("GPL");
static int nrthreads = 128; module_param(nrthreads, int, 0644);
static int loopcount = 1024; module_param(loopcount, int, 0644);
static struct task_struct **threads; static struct completion done; static atomic_t nrunning;
static int test(void *unused) { int i; ktime_t expires = ktime_set(0, NSEC_PER_MSEC);
for (i = 0; !kthread_should_stop() && i < loopcount; i++) schedule_hrtimeout_range(&expires, 50000, HRTIMER_MODE_REL);
if (atomic_dec_and_test(&nrunning)) complete(&done); return 0; }
static int __init testmod_init(void) { int i, j, err = 0;
atomic_set(&nrunning, 0); init_completion(&done);
threads = kmalloc(nrthreads * sizeof(struct task_struct *), GFP_KERNEL); if (!threads) return -ENOMEM;
for (i = 0; i < nrthreads; i++) { threads[i] = kthread_run(test, NULL, "test/%d", i); if (IS_ERR(threads[i])) { err = PTR_ERR(threads[i]); for (j = 0; j < i; j++) kthread_stop(threads[j]); kfree(threads); return err; } atomic_inc(&nrunning); } return 0; }
static void __exit testmod_exit(void) { wait_for_completion(&done); kfree(threads); }
module_init(testmod_init); module_exit(testmod_exit);
For the most of the cases, it works as expected, at least from 8 to 128 threads. But if I try 'insmod testmod.ko && rmmod testmod', it's possible to catch a very rare crash:
IMO, you have a race condition with nrunning. What guarantee do you have atomic_dec_and_test is called after atomic_inc ?
Maybe you can try by removing atomic_inc and do atomic_set(&nrunning, nrthreads) ?
On 02/01/2012 03:49 PM, Daniel Lezcano wrote:
IMO, you have a race condition with nrunning. What guarantee do you have atomic_dec_and_test is called after atomic_inc ?
Nothing (but I believe ~1s is pretty enough for the kernel thread to get woken up). I also tried to to atomic_inc() at the beginning of test(), like:
... static int test(void *unused) { int i; ktime_t expires = ktime_set(0, NSEC_PER_MSEC);
atomic_inc(&nrunning);
for (i = 0; !kthread_should_stop() && i < loopcount; i++) schedule_hrtimeout_range(&expires, 50000, HRTIMER_MODE_REL);
if (atomic_dec_and_test(&nrunning)) complete(&done); return 0; } ...
Results are the same.
Dmitry
On 02/01/2012 01:08 PM, Dmitry Antipov wrote:
On 02/01/2012 03:49 PM, Daniel Lezcano wrote:
IMO, you have a race condition with nrunning. What guarantee do you have atomic_dec_and_test is called after atomic_inc ?
Nothing (but I believe ~1s is pretty enough for the kernel thread to get woken up). I also tried to to atomic_inc() at the beginning of test(), like:
... static int test(void *unused) { int i; ktime_t expires = ktime_set(0, NSEC_PER_MSEC);
atomic_inc(&nrunning);
for (i = 0; !kthread_should_stop() && i < loopcount; i++) schedule_hrtimeout_range(&expires, 50000, HRTIMER_MODE_REL);
if (atomic_dec_and_test(&nrunning)) complete(&done); return 0; } ...
Results are the same.
Yes, but the problem is the same also. Did you try by removing atomic_inc and set nrunnings to nrkthread ?
On 02/01/2012 04:15 PM, Daniel Lezcano wrote:
Yes, but the problem is the same also. Did you try by removing atomic_inc and set nrunnings to nrkthread ?
Now I'm trying, and it looks better - but hurts the lockdep validator :-(:
BUG: MAX_LOCKDEP_KEYS too low! turning off the locking correctness validator. [<80014344>] (unwind_backtrace+0x0/0xe0) from [<8006c73c>] (__lock_acquire.isra.21+0x7b8/0x9c4) [<8006c73c>] (__lock_acquire.isra.21+0x7b8/0x9c4) from [<8006c99c>] (lock_acquire+0x54/0x64) [<8006c99c>] (lock_acquire+0x54/0x64) from [<8035c8ac>] (_raw_spin_lock_irqsave+0x3c/0x50) [<8035c8ac>] (_raw_spin_lock_irqsave+0x3c/0x50) from [<80050900>] (complete+0x1c/0x58) [<80050900>] (complete+0x1c/0x58) from [<7f00007c>] (test+0x7c/0x90 [testmod]) [<7f00007c>] (test+0x7c/0x90 [testmod]) from [<800496e4>] (kthread+0x8c/0x9c) [<800496e4>] (kthread+0x8c/0x9c) from [<8000eabc>] (kernel_thread_exit+0x0/0x8)
Dmitry
On 02/01/2012 04:15 PM, Daniel Lezcano wrote:
Yes, but the problem is the same also. Did you try by removing atomic_inc and set nrunnings to nrkthread ?
Unfortunately it's still here:
Unable to handle kernel paging request at virtual address 7f0a411c pgd = 80004000 [7f0a411c] *pgd=bf163811, *pte=00000000, *ppte=00000000 Internal error: Oops: 80000007 [#1] PREEMPT SMP Modules linked in: [last unloaded: testmod] CPU: 0 Tainted: G O (3.3.0-rc2+ #2) PC is at 0x7f0a411c LR is at __schedule+0x684/0x6e4 pc : [<7f0a411c>] lr : [<802c0bdc>] psr: 600f0113 sp : bf3b5f78 ip : 00000000 fp : 00000000 r10: 00000000 r9 : 00000000 r8 : 7f0a4538 r7 : 00000002 r6 : 00000400 r5 : 0000003c r4 : 00000001 r3 : 00000000 r2 : bf3b5eb0 r1 : bf219580 r0 : 00000001 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5387d Table: bfbec04a DAC: 00000015 Process test/124 (pid: 6772, stack limit = 0xbf3b42f8) Stack: (0xbf3b5f78 to 0xbf3b6000) 5f60: 7b11940d 0000003c 5f80: 000f4240 00000000 00000001 000b07b6 bf8c9e44 00000000 7f0a4000 00000013 5fa0: 00000000 80049260 00000000 00000000 00000000 00000000 00000000 00000000 5fc0: dead4ead ffffffff ffffffff 8048b2b8 00000000 00000000 8036a4d9 bf3b5fdc 5fe0: bf3b5fdc 271aee1c bf8c9e44 800491d4 8000eabc 8000eabc bfefc811 bfefcc11 Code: bad PC value
If someone wants to look at it, I'm attaching everything. The patch is almost nothing beyond exporting irq_time_read() to modules.
Note it's quite rare - to reproduce it, I do
while true; do insmod testmod.ko usehrtime=1 && rmmod testmod.ko; sleep 1; done
and wait for a few minutes.
Dmitry
-
Daniel Lezcano -
Dmitry Antipov