Hi, There is a page fault in cpu hotplug when removing the callbacks for the last dynamic state. The last dynamic state will not be removed, causing a page fault when hotplug thinks the callbacks still exists and calls it.
The problem is as follows: - __cpuhp_remove_state() eventually calls cpuhp_store_callbacks() with NULLs for most params. - If state is the last state (i.e. CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_STATE) then cpuhp_store_callbacks() calls cpuhp_reserve_state(), which returns the *next* available DYN state. - The NULLs are stored in that *next* state (i.e. AP_ONLINE_DYN + 1 or BP_PREPARE_DYN + 1) instead of in AP_ONLINE_DYN or BP_PREPARE_DYN. Thus, the last state is never cleared. The callbacks now point to invalid memory. - When the cpu is onlined again and/or offlined, then the invalid callback is invoked, causing a page fault. The patch above solves this by detecting when a state is being removed, and not calling cpuhp_reserve_state(). I have brought this up before, but hoping to get some traction on it this time: https://lkml.org/lkml/2017/7/5/574 Thx, Ethan Signed-off-by: Ethan Barnes <ethan.bar...@sandisk.com> --- diff --git a/kernel/cpu.c b/kernel/cpu.c index eee0331..f7fda16 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1252,7 +1252,8 @@ static int cpuhp_store_callbacks(enum cpuhp_state state, const char *name, struct cpuhp_step *sp; int ret = 0; - if (state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN) { + if (name && + (state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN)) { ret = cpuhp_reserve_state(state); if (ret < 0) return ret;
