rp->rtort_pipe_count is modified concurrently by rcu_torture_writer(). To
prevent a data race, reuse i which is read using READ_ONCE before instead
of re-reading it.
Signed-off-by: linke li <[email protected]>
Reviewed-by: Joel Fernandes (Google) <[email protected]>
---
v1 -> v2: change the patch to focus on data race in rcu_torture_pipe_update_one ; update change log
kernel/rcu/rcutorture.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 7567ca8e743c..53415121be39 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -466,7 +466,7 @@ rcu_torture_pipe_update_one(struct rcu_torture *rp)
i = RCU_TORTURE_PIPE_LEN;
atomic_inc(&rcu_torture_wcount[i]);
WRITE_ONCE(rp->rtort_pipe_count, i + 1);
- if (rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
+ if (i + 1 >= RCU_TORTURE_PIPE_LEN) {
rp->rtort_mbtest = 0;
return true;
}
--
2.39.3 (Apple Git-145)
On Wed, Mar 06, 2024 at 10:05:20AM +0800, linke li wrote:
> rp->rtort_pipe_count is modified concurrently by rcu_torture_writer(). To
> prevent a data race, reuse i which is read using READ_ONCE before instead
> of re-reading it.
>
> Signed-off-by: linke li <[email protected]>
> Reviewed-by: Joel Fernandes (Google) <[email protected]>
> ---
Thank you both!
This topic got quite a bit of discussion [1], with the result that I
took your patch, but edited your commit log. Could you please take a
look below and let me know if I messed anything up?
Thanx, Paul
[1] https://lore.kernel.org/all/[email protected]/
------------------------------------------------------------------------
commit e3038bbf5d746fd4c72975b792abbb63fa3f3421
Author: linke li <[email protected]>
Date: Wed Mar 6 19:51:10 2024 -0800
rcutorture: Re-use value stored to ->rtort_pipe_count instead of re-reading
Currently, the rcu_torture_pipe_update_one() writes the value (i + 1)
to rp->rtort_pipe_count, then immediately re-reads it in order to compare
it to RCU_TORTURE_PIPE_LEN. This re-read is pointless because no other
update to rp->rtort_pipe_count can occur at this point. This commit
therefore instead re-uses the (i + 1) value stored in the comparison
instead of re-reading rp->rtort_pipe_count.
Signed-off-by: linke li <[email protected]>
Reviewed-by: Joel Fernandes (Google) <[email protected]>
Signed-off-by: Paul E. McKenney <[email protected]>
Cc: Linus Torvalds <[email protected]>
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 0cb5452ecd945..dd7d5ba457409 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -467,7 +467,7 @@ rcu_torture_pipe_update_one(struct rcu_torture *rp)
atomic_inc(&rcu_torture_wcount[i]);
WRITE_ONCE(rp->rtort_pipe_count, i + 1);
ASSERT_EXCLUSIVE_WRITER(rp->rtort_pipe_count);
- if (rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
+ if (i + 1 >= RCU_TORTURE_PIPE_LEN) {
rp->rtort_mbtest = 0;
return true;
}
Thank you for your work! This change log looks good to me.