From 4cf0b18c7f5ff90fe395f38030f8df8fbedc6033 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 27 Nov 2023 19:37:47 +0800
Subject: [PATCH 1/2] hrtimers: Push pending hrtimers away from outgoing CPU
 earlier

mainline inclusion
from mainline-v6.7-rc2
commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8JEVI
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94

--------------------------------

2b8272ff4a70 ("cpu/hotplug: Prevent self deadlock on CPU hot-unplug")
solved the straight forward CPU hotplug deadlock vs. the scheduler
bandwidth timer. Yu discovered a more involved variant where a task which
has a bandwidth timer started on the outgoing CPU holds a lock and then
gets throttled. If the lock required by one of the CPU hotplug callbacks
the hotplug operation deadlocks because the unthrottling timer event is not
handled on the dying CPU and can only be recovered once the control CPU
reaches the hotplug state which pulls the pending hrtimers from the dead
CPU.

Solve this by pushing the hrtimers away from the dying CPU in the dying
callbacks. Nothing can queue a hrtimer on the dying CPU at that point because
all other CPUs spin in stop_machine() with interrupts disabled and once the
operation is finished the CPU is marked offline.

Reported-by: Yu Liao <liaoyu15@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Liu Tie <liutie4@huawei.com>
Link: https://lore.kernel.org/r/87a5rphara.ffs@tglx
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
---
 include/linux/cpuhotplug.h |  1 +
 include/linux/hrtimer.h    |  4 ++--
 kernel/cpu.c               |  8 +++++++-
 kernel/time/hrtimer.c      | 33 ++++++++++++---------------------
 4 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index d67c0035165c..a17bb2c393d4 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -137,6 +137,7 @@ enum cpuhp_state {
 	CPUHP_AP_ARM_CORESIGHT_STARTING,
 	CPUHP_AP_ARM64_ISNDEP_STARTING,
 	CPUHP_AP_SMPCFD_DYING,
+	CPUHP_AP_HRTIMERS_DYING,
 	CPUHP_AP_X86_TBOOT_DYING,
 	CPUHP_AP_ARM_CACHE_B15_RAC_DYING,
 	CPUHP_AP_ONLINE,
diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
index 542b4fa2cda9..3bdaa92a2cab 100644
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -508,9 +508,9 @@ extern void sysrq_timer_list_show(void);
 
 int hrtimers_prepare_cpu(unsigned int cpu);
 #ifdef CONFIG_HOTPLUG_CPU
-int hrtimers_dead_cpu(unsigned int cpu);
+int hrtimers_cpu_dying(unsigned int cpu);
 #else
-#define hrtimers_dead_cpu	NULL
+#define hrtimers_cpu_dying	NULL
 #endif
 
 #endif
diff --git a/kernel/cpu.c b/kernel/cpu.c
index c943454b748e..83f6cc6f6c61 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1390,7 +1390,7 @@ static struct cpuhp_step cpuhp_hp_states[] = {
 	[CPUHP_HRTIMERS_PREPARE] = {
 		.name			= "hrtimers:prepare",
 		.startup.single		= hrtimers_prepare_cpu,
-		.teardown.single	= hrtimers_dead_cpu,
+		.teardown.single	= NULL,
 	},
 	[CPUHP_SMPCFD_PREPARE] = {
 		.name			= "smpcfd:prepare",
@@ -1457,6 +1457,12 @@ static struct cpuhp_step cpuhp_hp_states[] = {
 		.startup.single		= NULL,
 		.teardown.single	= smpcfd_dying_cpu,
 	},
+	[CPUHP_AP_HRTIMERS_DYING] = {
+		.name			= "hrtimers:dying",
+		.startup.single		= NULL,
+		.teardown.single	= hrtimers_cpu_dying,
+	},
+
 	/* Entry state on starting. Interrupts enabled from here on. Transient
 	 * state for synchronsization */
 	[CPUHP_AP_ONLINE] = {
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 8512f06f0ebe..bf74f43e42af 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1922,29 +1922,22 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
 	}
 }
 
-int hrtimers_dead_cpu(unsigned int scpu)
+int hrtimers_cpu_dying(unsigned int dying_cpu)
 {
 	struct hrtimer_cpu_base *old_base, *new_base;
-	int i;
+	int i, ncpu = cpumask_first(cpu_active_mask);
 
-	BUG_ON(cpu_online(scpu));
-	tick_cancel_sched_timer(scpu);
+	tick_cancel_sched_timer(dying_cpu);
+
+	old_base = this_cpu_ptr(&hrtimer_bases);
+	new_base = &per_cpu(hrtimer_bases, ncpu);
 
-	/*
-	 * this BH disable ensures that raise_softirq_irqoff() does
-	 * not wakeup ksoftirqd (and acquire the pi-lock) while
-	 * holding the cpu_base lock
-	 */
-	local_bh_disable();
-	local_irq_disable();
-	old_base = &per_cpu(hrtimer_bases, scpu);
-	new_base = this_cpu_ptr(&hrtimer_bases);
 	/*
 	 * The caller is globally serialized and nobody else
 	 * takes two locks at once, deadlock is not possible.
 	 */
-	raw_spin_lock(&new_base->lock);
-	raw_spin_lock_nested(&old_base->lock, SINGLE_DEPTH_NESTING);
+	raw_spin_lock(&old_base->lock);
+	raw_spin_lock_nested(&new_base->lock, SINGLE_DEPTH_NESTING);
 
 	for (i = 0; i < HRTIMER_MAX_CLOCK_BASES; i++) {
 		migrate_hrtimer_list(&old_base->clock_base[i],
@@ -1955,15 +1948,13 @@ int hrtimers_dead_cpu(unsigned int scpu)
 	 * The migration might have changed the first expiring softirq
 	 * timer on this CPU. Update it.
 	 */
-	hrtimer_update_softirq_timer(new_base, false);
+	__hrtimer_get_next_event(new_base, HRTIMER_ACTIVE_SOFT);
+	/* Tell the other CPU to retrigger the next event */
+	smp_call_function_single(ncpu, retrigger_next_event, NULL, 0);
 
-	raw_spin_unlock(&old_base->lock);
 	raw_spin_unlock(&new_base->lock);
+	raw_spin_unlock(&old_base->lock);
 
-	/* Check, if we got expired work to do */
-	__hrtimer_peek_ahead_timers();
-	local_irq_enable();
-	local_bh_enable();
 	return 0;
 }
 
-- 
Gitee


From 48725c8f5d6e2457ef00f3bc46b5fb38c9389d50 Mon Sep 17 00:00:00 2001
From: Yu Liao <liaoyu15@huawei.com>
Date: Mon, 27 Nov 2023 19:37:48 +0800
Subject: [PATCH 2/2] cpu/hotplug: fix kabi breakage in enum cpuhp_state

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8JEVI
CVE: NA

--------------------------------

Commit baecdf2dbe73 ("hrtimers: Push pending hrtimers away from outgoing
CPU earlier") add a new step in enum cpuhp_state breaks kabi.

In order to fix the kabi breakage, we had to move the hrtimers:dying
step into smpcfd:dying and create a new function smpcfd_and_hrtimer_dying_cpu().

Signed-off-by: Yu Liao <liaoyu15@huawei.com>
---
 include/linux/cpuhotplug.h |  1 -
 include/linux/hrtimer.h    |  2 +-
 include/linux/smp.h        |  1 +
 kernel/cpu.c               | 19 +++++++++++++------
 kernel/smp.c               |  8 ++++++++
 5 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index a17bb2c393d4..d67c0035165c 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -137,7 +137,6 @@ enum cpuhp_state {
 	CPUHP_AP_ARM_CORESIGHT_STARTING,
 	CPUHP_AP_ARM64_ISNDEP_STARTING,
 	CPUHP_AP_SMPCFD_DYING,
-	CPUHP_AP_HRTIMERS_DYING,
 	CPUHP_AP_X86_TBOOT_DYING,
 	CPUHP_AP_ARM_CACHE_B15_RAC_DYING,
 	CPUHP_AP_ONLINE,
diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
index 3bdaa92a2cab..290345a0b605 100644
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -510,7 +510,7 @@ int hrtimers_prepare_cpu(unsigned int cpu);
 #ifdef CONFIG_HOTPLUG_CPU
 int hrtimers_cpu_dying(unsigned int cpu);
 #else
-#define hrtimers_cpu_dying	NULL
+static inline int hrtimers_cpu_dying(unsigned int cpu) { return 0; }
 #endif
 
 #endif
diff --git a/include/linux/smp.h b/include/linux/smp.h
index 9fb239e12b82..634659d48a5f 100644
--- a/include/linux/smp.h
+++ b/include/linux/smp.h
@@ -220,5 +220,6 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par,
 int smpcfd_prepare_cpu(unsigned int cpu);
 int smpcfd_dead_cpu(unsigned int cpu);
 int smpcfd_dying_cpu(unsigned int cpu);
+int smpcfd_and_hrtimer_dying_cpu(unsigned int cpu);
 
 #endif /* __LINUX_SMP_H */
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 83f6cc6f6c61..cfed9b994e62 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1452,17 +1452,24 @@ static struct cpuhp_step cpuhp_hp_states[] = {
 		.startup.single		= NULL,
 		.teardown.single	= rcutree_dying_cpu,
 	},
+	/*
+	 * In order to fix the kabi breakage, we had to move the hrtimers:dying
+	 * step into smpcfd:dying and create a new function smpcfd_and_hrtimer_dying_cpu().
+	 * Please ensure that there are no other steps with teardown handler
+	 * between smpcfd:dying and cpu:teardown.
+	 */
 	[CPUHP_AP_SMPCFD_DYING] = {
 		.name			= "smpcfd:dying",
 		.startup.single		= NULL,
-		.teardown.single	= smpcfd_dying_cpu,
-	},
-	[CPUHP_AP_HRTIMERS_DYING] = {
-		.name			= "hrtimers:dying",
-		.startup.single		= NULL,
-		.teardown.single	= hrtimers_cpu_dying,
+		.teardown.single	= smpcfd_and_hrtimer_dying_cpu,
 	},
 
+	/*
+	 * Attention: Please do not add steps between smpcfd:dying
+	 * and ap:online. Please refer to the above for specific
+	 * reasons.
+	 */
+
 	/* Entry state on starting. Interrupts enabled from here on. Transient
 	 * state for synchronsization */
 	[CPUHP_AP_ONLINE] = {
diff --git a/kernel/smp.c b/kernel/smp.c
index be15d3a57954..979b3b13e741 100644
--- a/kernel/smp.c
+++ b/kernel/smp.c
@@ -71,6 +71,14 @@ int smpcfd_dead_cpu(unsigned int cpu)
 	return 0;
 }
 
+int smpcfd_and_hrtimer_dying_cpu(unsigned int cpu)
+{
+	hrtimers_cpu_dying(cpu);
+	smpcfd_dying_cpu(cpu);
+
+	return 0;
+}
+
 int smpcfd_dying_cpu(unsigned int cpu)
 {
 	/*
-- 
Gitee