From nobody Tue Feb 10 16:18:40 2026
From: "Chuyi Zhou"
Date: Tue, 3 Feb 2026 19:23:55 +0800
Subject: [PATCH 05/11] smp: Enable preemption early in smp_call_function_many_cond
Message-Id: <20260203112401.3889029-6-zhouchuyi@bytedance.com>
In-Reply-To: <20260203112401.3889029-1-zhouchuyi@bytedance.com>
References: <20260203112401.3889029-1-zhouchuyi@bytedance.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Currently, smp_call_function_many_cond() disables preemption mainly for
the following reasons:

- To prevent a remote online CPU from going offline. Specifically, we
  want to ensure that no new csds are queued after smpcfd_dying_cpu()
  has finished, so preemption must stay disabled until all necessary
  IPIs have been sent.

- To prevent migration to another CPU, which also implicitly prevents
  the current CPU from going offline (since stop_machine requires
  preempting the current task to execute the offline callbacks). This
  can be achieved equally well with migrate_disable(), as tasks must be
  migrated off a CPU before takedown_cpu() runs.

- To protect the per-cpu cfd_data from concurrent modification by other
  smp_call_*() callers on the current CPU. cfd_data contains cpumasks
  and per-cpu csds. Before enqueueing a csd, we block on csd_lock() to
  ensure the previous async csd->func() has completed, and only then
  initialize csd->func and csd->info. After sending the IPI, we
  spin-wait for the remote CPU to call csd_unlock(). A rough userspace
  sketch of this handshake follows the list.
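As illustration only (not part of the patch): a minimal userspace
analogue of the handshake in the last bullet, using C11 atomics and
pthreads in place of the kernel's smp_load_acquire()/smp_store_release()
on csd->node.u_flags. struct csd, CSD_FLAG_LOCK, csd_slot and the
"posted" flag (which stands in for the call_single_queue llist plus the
IPI) are illustrative stand-ins, not the actual definitions from
kernel/smp.c:

/* sketch.c: userspace analogue of the csd handshake (illustrative).
 * Build: cc -std=c11 -pthread sketch.c
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define CSD_FLAG_LOCK 1U

struct csd {
	atomic_uint flags;	/* CSD_FLAG_LOCK while a func is in flight */
	void (*func)(void *info);
	void *info;
};

static struct csd csd_slot;	/* stands in for one per-cpu csd */
static atomic_int posted;	/* stands in for call_single_queue + IPI */

/* Spin until the remote side has finished the previous csd->func(). */
static void csd_lock_wait(struct csd *csd)
{
	while (atomic_load_explicit(&csd->flags, memory_order_acquire) &
	       CSD_FLAG_LOCK)
		;
}

/* Wait for the previous owner, then mark the csd as in flight. */
static void csd_lock(struct csd *csd)
{
	csd_lock_wait(csd);
	atomic_store_explicit(&csd->flags, CSD_FLAG_LOCK,
			      memory_order_relaxed);
}

/* The "remote CPU" publishes completion with release semantics. */
static void csd_unlock(struct csd *csd)
{
	atomic_store_explicit(&csd->flags, 0, memory_order_release);
}

static void greet(void *info)
{
	printf("remote ran func, info=%s\n", (const char *)info);
}

/* Emulates the IPI handler: pick up the posted csd, run it, unlock. */
static void *remote_cpu(void *unused)
{
	(void)unused;
	while (!atomic_load_explicit(&posted, memory_order_acquire))
		;
	csd_slot.func(csd_slot.info);
	csd_unlock(&csd_slot);
	return NULL;
}

int main(void)
{
	pthread_t remote;

	pthread_create(&remote, NULL, remote_cpu, NULL);

	csd_lock(&csd_slot);	/* returns at once: flags start at 0 */
	csd_slot.func = greet;
	csd_slot.info = "hello";
	/* the release-store stands in for llist_add() + the IPI itself */
	atomic_store_explicit(&posted, 1, memory_order_release);
	csd_lock_wait(&csd_slot); /* SCF_WAIT: block until csd_unlock() */

	pthread_join(remote, NULL);
	return 0;
}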
In fact, the csd_lock mechanism already guarantees csd serialization.
If preemption occurs during csd_lock_wait(), other concurrent
smp_call_function_many_cond() calls simply block until the previous
csd->func() completes:

           task A                           task B

    csd->func = func_a
    send ipis
    preempted by B  --------------->  csd_lock(csd); // block until last
                                                     // func_a finished
                                      csd->func = func_b;
                                      csd->info = info;
                                      ...
                                      send ipis
    switch back to A <---------------
    csd_lock_wait(csd); // block until remote finishes func_*
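The earlier userspace sketch extends to this task A / task B
interleaving. The following reuses struct csd, csd_slot, posted,
csd_lock_wait(), csd_unlock() and greet() from that sketch and replaces
csd_lock(), remote_cpu() and main(). One liberty is taken here: pthreads
genuinely run concurrently, so csd_lock() needs a compare-and-swap,
whereas in the kernel two tasks on one CPU never execute the
wait-then-set window at the same time:

/* Claim the csd once the previous func has completed. Plain
 * wait-then-set suffices in the kernel; racing threads need the CAS. */
static void csd_lock(struct csd *csd)
{
	unsigned int clear;

	do {
		clear = 0;
	} while (!atomic_compare_exchange_weak_explicit(&csd->flags, &clear,
			CSD_FLAG_LOCK, memory_order_acquire,
			memory_order_relaxed));
}

/* task A and task B: both target the same csd slot, as in the diagram. */
static void *sender(void *name)
{
	csd_lock(&csd_slot);	/* blocks until the other func finished */
	csd_slot.func = greet;
	csd_slot.info = name;
	atomic_fetch_add_explicit(&posted, 1, memory_order_release);
	csd_lock_wait(&csd_slot); /* blocks until remote finishes func_* */
	return NULL;
}

/* The remote handler now consumes two postings. */
static void *remote_cpu(void *unused)
{
	(void)unused;
	for (int i = 0; i < 2; i++) {
		while (!atomic_load_explicit(&posted, memory_order_acquire))
			;
		atomic_fetch_sub_explicit(&posted, 1, memory_order_relaxed);
		csd_slot.func(csd_slot.info);
		csd_unlock(&csd_slot);
	}
	return NULL;
}

int main(void)
{
	pthread_t remote, a, b;

	pthread_create(&remote, NULL, remote_cpu, NULL);
	pthread_create(&a, NULL, sender, "func_a from task A");
	pthread_create(&b, NULL, sender, "func_b from task B");
	pthread_join(a, NULL);
	pthread_join(b, NULL);
	pthread_join(remote, NULL);
	return 0;
}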
This patch uses migrate_disable() to protect the scope of
smp_call_function_many_cond() and enables preemption before
csd_lock_wait(). This makes the potentially long csd_lock_wait() window
preemptible. Using cpumask_stack avoids the concurrent-modification
issue, and we fall back to the default logic if alloc_cpumask_var()
fails.

Signed-off-by: Chuyi Zhou
---
 kernel/smp.c | 37 ++++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/kernel/smp.c b/kernel/smp.c
index 35948afced2e..af9cee7d4939 100644
--- a/kernel/smp.c
+++ b/kernel/smp.c
@@ -802,7 +802,7 @@ static void smp_call_function_many_cond(const struct cpumask *mask,
 					unsigned int scf_flags,
 					smp_cond_func_t cond_func)
 {
-	int cpu, last_cpu, this_cpu = smp_processor_id();
+	int cpu, last_cpu, this_cpu;
 	struct call_function_data *cfd;
 	bool wait = scf_flags & SCF_WAIT;
 	bool preemptible_wait = true;
@@ -811,11 +811,18 @@ static void smp_call_function_many_cond(const struct cpumask *mask,
 	int nr_cpus = 0;
 	bool run_remote = false;
 
-	lockdep_assert_preemption_disabled();
-
-	if (!alloc_cpumask_var(&cpumask_stack, GFP_ATOMIC))
+	if (!wait || !alloc_cpumask_var(&cpumask_stack, GFP_ATOMIC))
 		preemptible_wait = false;
 
+	/*
+	 * Prevent the current CPU from going offline.
+	 * Being migrated to another CPU and then calling csd_lock_wait() may
+	 * cause a UAF due to smpcfd_dead_cpu() running during CPU offline.
+	 */
+	migrate_disable();
+
+	this_cpu = get_cpu();
+
 	/*
 	 * Can deadlock when called with interrupts disabled.
 	 * We allow cpu's that are not yet online though, as no one else can
@@ -898,6 +905,22 @@ static void smp_call_function_many_cond(const struct cpumask *mask,
 		local_irq_restore(flags);
 	}
 
+	/*
+	 * We may block in csd_lock_wait() for a significant amount of time, especially
+	 * when interrupts are disabled or with a large number of remote CPUs.
+	 * Try to enable preemption before csd_lock_wait().
+	 *
+	 * - If @wait is true, we try to use cpumask_stack instead of cfd->cpumask to
+	 * avoid concurrent modification from tasks on the same cpu. If alloc_cpumask_var()
+	 * returns false, fall back to the default logic.
+	 *
+	 * - If preemption occurs during csd_lock_wait(), other concurrent
+	 * smp_call_function_many_cond() calls will simply block until the previous csd->func()
+	 * completes.
+	 */
+	if (preemptible_wait)
+		put_cpu();
+
 	if (run_remote && wait) {
 		for_each_cpu(cpu, cpumask) {
 			call_single_data_t *csd;
@@ -907,8 +930,12 @@ static void smp_call_function_many_cond(const struct cpumask *mask,
 		}
 	}
 
-	if (preemptible_wait)
+	if (!preemptible_wait)
+		put_cpu();
+	else
 		free_cpumask_var(cpumask_stack);
+
+	migrate_enable();
 }
 
 /**
-- 
2.20.1