From patchwork Thu Nov 3 07:55:46 2022
X-Patchwork-Submitter: Daniel Wagner
X-Patchwork-Id: 621314
From: Daniel Wagner
To: LKML, linux-rt-users, Steven Rostedt, Thomas Gleixner, Carsten Emde, John Kacur, Sebastian Andrzej Siewior, Tom Zanussi, Clark Williams, Pavel Machek
Cc: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com, syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com, stable@vger.kernel.org, Daniel Wagner
Subject: [PATCH RT 2/4] timers: Move clearing of base::timer_running under base::lock
Date: Thu, 3 Nov 2022 08:55:46 +0100
Message-Id: <20221103075548.6477-3-wagi@monom.org>
In-Reply-To: <20221103075548.6477-1-wagi@monom.org>
References: <20221103075548.6477-1-wagi@monom.org>
X-Mailing-List: linux-rt-users@vger.kernel.org
From: Thomas Gleixner

v4.19.255-rt114-rc2 stable review patch. If anyone has any objections, please let me know.

-----------

Upstream commit bb7262b295472eb6858b5c49893954794027cd84

syzbot reported KCSAN data races vs. timer_base::timer_running being set to NULL without holding base::lock in expire_timers().

This looks innocent and most reads are clearly not problematic, but Frederic identified an issue which is:

 int data = 0;

 void timer_func(struct timer_list *t)
 {
    data = 1;
 }

 CPU 0                                   CPU 1
 ------------------------------          --------------------------
 base = lock_timer_base(timer, &flags);  raw_spin_unlock(&base->lock);
 if (base->running_timer != timer)       call_timer_fn(timer, fn, baseclk);
   ret = detach_if_pending(timer, base, true); base->running_timer = NULL;
 raw_spin_unlock_irqrestore(&base->lock, flags); raw_spin_lock(&base->lock);
 x = data;

If the timer has previously executed on CPU 1 and then CPU 0 can observe base->running_timer == NULL and returns, assuming the timer has completed, but it's not guaranteed on all architectures. The comment for del_timer_sync() makes that guarantee. Moving the assignment under base->lock prevents this.

For non-RT kernel it's performance wise completely irrelevant whether the store happens before or after taking the lock. For an RT kernel moving the store under the lock requires an extra unlock/lock pair in the case that there is a waiter for the timer, but that's not the end of the world.

Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes: 030dcdd197d7 ("timers: Prepare support for PREEMPT_RT")
Signed-off-by: Thomas Gleixner
Tested-by: Sebastian Andrzej Siewior
Link: https://lore.kernel.org/r/87lfea7gw8.fsf@nanos.tec.linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Daniel Wagner
---
 kernel/time/timer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c index b859ecf6424b..603985720f54 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1282,8 +1282,10 @@ static inline void timer_base_unlock_expiry(struct timer_base *base) static void timer_sync_wait_running(struct timer_base *base) { if (atomic_read(&base->timer_waiters)) { + raw_spin_unlock_irq(&base->lock); spin_unlock(&base->expiry_lock); spin_lock(&base->expiry_lock); + raw_spin_lock_irq(&base->lock); } } @@ -1458,14 +1460,14 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head) if (timer->flags & TIMER_IRQSAFE) { raw_spin_unlock(&base->lock); call_timer_fn(timer, fn); - base->running_timer = NULL; raw_spin_lock(&base->lock); + base->running_timer = NULL; } else { raw_spin_unlock_irq(&base->lock); call_timer_fn(timer, fn); + raw_spin_lock_irq(&base->lock); base->running_timer = NULL; timer_sync_wait_running(base); - raw_spin_lock_irq(&base->lock); } } }
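Review bot: the first hunk (timer_sync_wait_running) turns a lock-neutral helper into one with an undocumented precondition and side effect: it must now be entered with base->lock held and interrupts disabled, and it releases that lock while waiters are drained on expiry_lock. Suggest a comment above `static void timer_sync_wait_running(struct timer_base *base)` stating both, plus a `lockdep_assert_held(&base->lock);` at entry so a caller arriving without the lock is caught instead of silently unlocking a lock it does not own. The order inside the `if` is the right one and worth a comment too: on PREEMPT_RT `spin_lock(&base->expiry_lock)` may sleep, so the raw, interrupt-disabled base->lock has to be released by `raw_spin_unlock_irq(&base->lock)` before it and only retaken by `raw_spin_lock_irq(&base->lock)` afterwards.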
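Review bot: in the second hunk (expire_timers) both branches now clear base->running_timer only after base->lock has been retaken, which is the ordering the commit message asks for; the part that needs documenting is the non-IRQSAFE branch, where `raw_spin_lock_irq(&base->lock); base->running_timer = NULL; timer_sync_wait_running(base);` is followed by no further lock call, so the loop body ends up holding base->lock only because timer_sync_wait_running() reacquires it before returning (first hunk). A one-line comment at the call site ("drops and retakes base->lock while waiters are pending") would keep a later reader from assuming the lock is held continuously across that call, and the store must stay ahead of the call so that a waiter taking base->lock after the drop sees the timer as no longer running. The IRQSAFE branch needs no extra unlock/lock pair because it never calls timer_sync_wait_running(), which matches the cost remark in the message.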
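A user-space model of the race the commit message describes, added here as an example and not part of the patch or the kernel: expire(), wait_then_read() and stale_reads() are hypothetical helpers standing in for expire_timers(), del_timer_sync() and a test driver, with the old and the patched ordering of the clearing store selectable; it assumes a C11 compiler with <stdatomic.h> and pthreads.

```c
/* Added example (not kernel code): user-space model of the commit-message race.
 * running/data/lock = base->running_timer, timer_func()'s data, base->lock. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int data;           /* relaxed: only the lock may order it */
static atomic_bool running;       /* relaxed: models a weakly ordered CPU */
/* Expiry side (expire_timers): the callback runs with the lock dropped; the
 * patch moves the clearing of running under the retaken lock. */
static void *expire(void *arg)
{
    bool patched = *(bool *)arg;
    atomic_store_explicit(&data, 1, memory_order_relaxed);   /* timer_func() */
    if (!patched)               /* old: store before the lock is retaken */
        atomic_store_explicit(&running, false, memory_order_relaxed);
    pthread_mutex_lock(&lock);
    if (patched)                /* patched: store under base->lock */
        atomic_store_explicit(&running, false, memory_order_relaxed);
    pthread_mutex_unlock(&lock);
    return arg;
}
/* Caller side (del_timer_sync): running seen false under the lock means the
 * callback has finished, so data must read as 1. Returns the data observed. */
static int wait_then_read(void)
{
    for (;;) {
        pthread_mutex_lock(&lock);
        bool busy = atomic_load_explicit(&running, memory_order_relaxed);
        pthread_mutex_unlock(&lock);
        if (!busy)
            return atomic_load_explicit(&data, memory_order_relaxed);
    }
}
/* Runs both sides 'rounds' times; counts stale reads (running seen false while
 * data is still 0): always 0 when patched, else 0 on x86 (TSO) but not
 * guaranteed on weakly ordered hardware. Returns -1 on thread error. */
static int stale_reads(bool patched, int rounds)
{
    int stale = 0;
    for (int i = 0; i < rounds; i++) {
        pthread_t t;
        atomic_store(&data, 0);
        atomic_store(&running, true);   /* the timer is being expired */
        if (pthread_create(&t, 0, expire, &patched)) return -1;
        if (wait_then_read() != 1) stale++;
        pthread_join(t, 0);
    }
    return stale;
}
```

With the patched ordering the lock's release/acquire pair orders the data store before the reader's load, so stale_reads(true, n) is 0 on any hardware; the old ordering has no such edge, which is the point the commit message makes about architectures.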