[RT,1/3] hrtimer: Use READ_ONCE to access timer->base in hrtimer_grab_expiry_lock()

Message ID 20190821092409.13225-2-julien.grall@arm.com
State New
Series
  • hrtimer: RT fixes for hrtimer_grab_expiry_lock()

Commit Message

Julien Grall Aug. 21, 2019, 9:24 a.m.
The update to timer->base is protected by the base->cpu_base->lock().
However, hrtimer_grab_expiry_lock() does not access it with the lock.

So it would theoretically be possible to have timer->base changed under
our feet. We need to prevent the compiler from refetching timer->base so the
check and the access are performed on the same base.

Other accesses of timer->base are either done with a lock or protected
with READ_ONCE(). So use READ_ONCE() in hrtimer_grab_expiry_lock().

Signed-off-by: Julien Grall <julien.grall@arm.com>


---

This is rather theoretical so far as I don't have a reproducer for this.
---
 kernel/time/hrtimer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.11.0

Comments

Sebastian Andrzej Siewior Aug. 21, 2019, 1:44 p.m. | #1
On 2019-08-21 10:24:07 [+0100], Julien Grall wrote:
> The update to timer->base is protected by the base->cpu_base->lock().
> However, hrtimer_grab_expiry_lock() does not access it with the lock.
>
> So it would theoretically be possible to have timer->base changed under
> our feet. We need to prevent the compiler from refetching timer->base so the
> check and the access are performed on the same base.


It is not a problem if the timer's base changes. We get here because we
want to help the timer to complete its callback.
The base can only change if the timer gets re-armed on another CPU which
means it completed its callback. In every case we can cancel the timer on
the next iteration.

Sebastian

Sebastian Andrzej Siewior Aug. 21, 2019, 1:59 p.m. | #2
On 2019-08-21 15:50:33 [+0200], Thomas Gleixner wrote:
> On Wed, 21 Aug 2019, Sebastian Andrzej Siewior wrote:
>
> > On 2019-08-21 10:24:07 [+0100], Julien Grall wrote:
> > > The update to timer->base is protected by the base->cpu_base->lock().
> > > However, hrtimer_grab_expiry_lock() does not access it with the lock.
> > >
> > > So it would theoretically be possible to have timer->base changed under
> > > our feet. We need to prevent the compiler from refetching timer->base so the
> > > check and the access are performed on the same base.
> >
> > It is not a problem if the timer's base changes. We get here because we
> > want to help the timer to complete its callback.
> > The base can only change if the timer gets re-armed on another CPU which
> > means it completed its callback. In every case we can cancel the timer on
> > the next iteration.
>
> It _IS_ a problem when the base changes and the compiler reloads
>
>    CPU0                            CPU1
>    base = timer->base;
>
>    lock(base->....);
>                                    switch base
>
>    reload
>        base = timer->base;
>
>    unlock(base->....);
>
> See?

so read_once() it is then.

Sebastian
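
The CPU0/CPU1 interleaving from the exchange above, as an added userspace example that is not part of the thread or of the kernel source. The structs, `lock()`/`unlock()`, `switch_base()` and the `READ_ONCE()` stand-in are hypothetical models, and the compiler reload is written out explicitly because a real one is not deterministic:

```c
/* Userspace stand-in for the kernel macro: force exactly one load. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

struct base  { int locked; };        /* models softirq_expiry_lock */
struct timer { struct base *base; };

static struct base base_a, base_b;   /* constructed: two clock bases */

static void lock(struct base *b)   { b->locked++; }
static void unlock(struct base *b) { b->locked--; }

/* CPU1 in the diagram: the timer is moved to another base. */
static void switch_base(struct timer *t) { t->base = &base_b; }

/* Plain load, with the permitted compiler reload written out explicitly. */
static void grab_reloaded(struct timer *t)
{
	struct base *b = t->base;

	if (!b)
		return;
	lock(b);
	switch_base(t);          /* CPU1 runs here */
	unlock(t->base);         /* reload: unlocks a different base */
}

/* Single load: check, lock and unlock all use the same snapshot. */
static void grab_snapshot(struct timer *t)
{
	struct base *b = READ_ONCE(t->base);

	if (!b)
		return;
	lock(b);
	switch_base(t);          /* CPU1 runs here */
	unlock(b);
}

/* Returns 1 if every lock taken was released on the same base. */
static int balanced_after(void (*grab)(struct timer *))
{
	struct timer t = { &base_a };

	base_a.locked = base_b.locked = 0;
	grab(&t);
	return base_a.locked == 0 && base_b.locked == 0;
}

int main(void) { return !(balanced_after(grab_snapshot) && !balanced_after(grab_reloaded)); }
```

In the reloaded variant the first base stays locked and the second is unlocked without ever having been taken, which is the imbalance the diagram points at.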

Patch

diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 7d7db8802131..b869e816e96a 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -932,7 +932,7 @@  EXPORT_SYMBOL_GPL(hrtimer_forward);
 
 void hrtimer_grab_expiry_lock(const struct hrtimer *timer)
 {
-	struct hrtimer_clock_base *base = timer->base;
+	struct hrtimer_clock_base *base = READ_ONCE(timer->base);
 
 	if (base && base->cpu_base) {
 		spin_lock(&base->cpu_base->softirq_expiry_lock);
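Review bot: the READ_ONCE() on the line initialising base has no comment saying why a single lockless load is required; since this function reads timer->base without holding base->cpu_base->lock, a short comment that the lock and the matching unlock must act on the same base would keep the load from being turned back into a plain access later. The next two lines also read base->cpu_base twice with plain loads, once in the if and once in spin_lock(); if cpu_base can change for a live base it needs the same treatment, and if it cannot, the commit message should say so.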