forked from Minki/linux
bb7262b295
syzbot reported KCSAN data races vs. timer_base::timer_running being set to
NULL without holding base::lock in expire_timers().
This looks innocent and most reads are clearly not problematic, but
Frederic identified an issue which is:
  int data = 0;

  void timer_func(struct timer_list *t)
  {
     data = 1;
  }

  CPU 0                                            CPU 1
  ------------------------------                   --------------------------
  base = lock_timer_base(timer, &flags);           raw_spin_unlock(&base->lock);
  if (base->running_timer != timer)                call_timer_fn(timer, fn, baseclk);
    ret = detach_if_pending(timer, base, true);    base->running_timer = NULL;
  raw_spin_unlock_irqrestore(&base->lock, flags);  raw_spin_lock(&base->lock);

  x = data;
If the timer has previously executed on CPU 1, then CPU 0 can observe
base->running_timer == NULL and return, assuming the timer has completed,
but it's not guaranteed on all architectures. The comment for
del_timer_sync() makes that guarantee. Moving the assignment under
base->lock prevents this.
For non-RT kernel it's performance wise completely irrelevant whether the
store happens before or after taking the lock. For an RT kernel moving the
store under the lock requires an extra unlock/lock pair in the case that
there is a waiter for the timer, but that's not the end of the world.
Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes:
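As an added illustration, not kernel code and not part of this commit, the following is a hypothetical userspace pthread model of the two sides of the race above: expire_timers() on CPU 1 and a del_timer_sync()-style wait on CPU 0. The names struct ctx, run_model and store_under_lock are assumptions; with store_under_lock set, a waiter that sees running_timer == NULL under base->lock must also see data == 1, which is the guarantee the commit restores.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical userspace model (not kernel code) of one timer base and one timer. */
struct timer { int data; };
struct base  { pthread_mutex_t lock; struct timer *running_timer; };
struct ctx   { struct base base; struct timer timer; bool store_under_lock; };
static void timer_func(struct timer *t) { t->data = 1; }

/* CPU 1 side (expire_timers): the callback runs with the lock dropped. true
 * selects the commit's fixed ordering, false the pre-fix store outside the lock. */
static void *expire_timers(void *arg)
{
	struct ctx *c = arg;
	timer_func(&c->timer);                       /* call_timer_fn() */
	if (!c->store_under_lock)
		c->base.running_timer = NULL;        /* pre-fix: plain store, no lock */
	pthread_mutex_lock(&c->base.lock);
	if (c->store_under_lock)
		c->base.running_timer = NULL;        /* fixed: store under base->lock */
	pthread_mutex_unlock(&c->base.lock);
	return NULL;
}

/* CPU 0 side (del_timer_sync): check under the lock until the timer is no
 * longer reported as running, then read what the callback wrote (x = data). */
static int del_timer_sync_model(struct ctx *c)
{
	for (;;) {
		pthread_mutex_lock(&c->base.lock);
		bool running = (c->base.running_timer == &c->timer);
		pthread_mutex_unlock(&c->base.lock);
		if (!running) return c->timer.data;
	}
}

/* Returns 1 only if every waiter saw data == 1; the unlock/lock pair orders it. */
int run_model(int iterations, bool store_under_lock)
{
	for (int i = 0; i < iterations; i++) {
		struct ctx c = { { PTHREAD_MUTEX_INITIALIZER, &c.timer }, { 0 }, store_under_lock };
		pthread_t cpu1;
		if (pthread_create(&cpu1, NULL, expire_timers, &c) != 0) return 0;
		int x = del_timer_sync_model(&c);
		pthread_join(cpu1, NULL);
		if (x != 1) return 0;
	}
	return 1;
}
```

Build with -pthread. Only the store_under_lock variant is asserted on: the pre-fix ordering happens to pass on strongly ordered hardware such as x86, which is exactly why the race is hard to observe and why the ordering argument, not a test run, justifies the fix.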