From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com, syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com, Thomas Gleixner, Sebastian Andrzej Siewior
Subject: [PATCH 5.13 132/175] timers: Move clearing of base::timer_running under base:: Lock
Date: Tue, 10 Aug 2021 19:30:40 +0200
Message-Id: <20210810173005.296442500@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210810173000.928681411@linuxfoundation.org>
References: <20210810173000.928681411@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Thomas Gleixner

commit bb7262b295472eb6858b5c49893954794027cd84 upstream.

syzbot reported KCSAN data races vs. timer_base::timer_running being set to
NULL without holding base::lock in expire_timers().

This looks innocent and most reads are clearly not problematic, but Frederic
identified an issue which is:

 int data = 0;

 void timer_func(struct timer_list *t)
 {
    data = 1;
 }

 CPU 0                                            CPU 1
 ------------------------------                   --------------------------
 base = lock_timer_base(timer, &flags);           raw_spin_unlock(&base->lock);
 if (base->running_timer != timer)                call_timer_fn(timer, fn, baseclk);
 ret = detach_if_pending(timer, base, true);      base->running_timer = NULL;
 raw_spin_unlock_irqrestore(&base->lock, flags);  raw_spin_lock(&base->lock);

 x = data;

If the timer has previously executed on CPU 1 and then CPU 0 can observe
base->running_timer == NULL and returns, assuming the timer has completed,
but it's not guaranteed on all architectures. The comment for
del_timer_sync() makes that guarantee. Moving the assignment under
base->lock prevents this.

For non-RT kernel it's performance wise completely irrelevant whether the
store happens before or after taking the lock. For an RT kernel moving the
store under the lock requires an extra unlock/lock pair in the case that
there is a waiter for the timer, but that's not the end of the world.

Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes: 030dcdd197d7 ("timers: Prepare support for PREEMPT_RT")
Signed-off-by: Thomas Gleixner
Tested-by: Sebastian Andrzej Siewior
Link: https://lore.kernel.org/r/87lfea7gw8.fsf@nanos.tec.linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 kernel/time/timer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1279,8 +1279,10 @@ static inline void timer_base_unlock_exp static void timer_sync_wait_running(struct timer_base *base) { if (atomic_read(&base->timer_waiters)) { + raw_spin_unlock_irq(&base->lock); spin_unlock(&base->expiry_lock); spin_lock(&base->expiry_lock); + raw_spin_lock_irq(&base->lock); } } @@ -1471,14 +1473,14 @@ static void expire_timers(struct timer_b if (timer->flags & TIMER_IRQSAFE) { raw_spin_unlock(&base->lock); call_timer_fn(timer, fn, baseclk); - base->running_timer = NULL; raw_spin_lock(&base->lock); + base->running_timer = NULL; } else { raw_spin_unlock_irq(&base->lock); call_timer_fn(timer, fn, baseclk); + raw_spin_lock_irq(&base->lock); base->running_timer = NULL; timer_sync_wait_running(base); - raw_spin_lock_irq(&base->lock); } } }
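Review bot: the first hunk turns timer_sync_wait_running() into a function that drops and re-takes base->lock inside the `if (atomic_read(&base->timer_waiters))` branch, but nothing in the hunk records the new precondition that the caller holds base->lock with interrupts disabled. A one-line comment above the function, for example `/* Caller holds base->lock with interrupts disabled; it may be dropped here. */`, would make the contract explicit before the next reordering. If a non-PREEMPT_RT stub of timer_sync_wait_running() exists it is outside this hunk; it should be checked against the second hunk, where the caller now takes raw_spin_lock_irq(&base->lock) before the call on every configuration.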
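Review bot: in the expire_timers() hunk both `base->running_timer = NULL` stores now sit under base->lock, which is the whole fix, yet neither carries a comment saying why; since the Fixes: commit introduced the bug exactly by moving that store out from under the lock, a short comment at each store (that the store must be made under base->lock so a del_timer_sync() caller's locked read is ordered after the callback, per the del_timer_sync() comment cited in the changelog) is cheap insurance. One consequence worth noting in the else branch: the store is now followed by timer_sync_wait_running(base), which per the first hunk may drop base->lock, so a waiter can observe running_timer == NULL and proceed while this CPU is still in the expiry_lock handshake; that is safe because call_timer_fn() has already returned, but the ordering is only guaranteed because the store happens after raw_spin_lock_irq(&base->lock), not before it.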
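The del_timer_sync() contract from the commit message, modeled in userspace as an added example (constructed here, not kernel code; it does not reproduce the weak-memory reordering, it only shows the post-patch order in which a waiter may trust `running_timer == NULL` because it reads the field under the same lock that the expiry path held when clearing it).

```c
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>

/* Constructed userspace model, not kernel code: base_lock is base->lock,
 * running is base->running_timer, pending means the timer is still queued. */
static pthread_mutex_t base_lock = PTHREAD_MUTEX_INITIALIZER;
static bool running, pending;
static int data;                            /* written by the timer callback */
static void timer_func(void) { data = 1; }
/* expire_timers(): run the callback with the lock dropped, then clear
 * running_timer only after re-taking the lock (the post-patch order). */
static void *expire_timer(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&base_lock);
    pending = false;
    running = true;
    pthread_mutex_unlock(&base_lock);
    timer_func();                           /* call_timer_fn(), lock dropped */
    pthread_mutex_lock(&base_lock);
    running = false;                        /* under base->lock, as patched */
    pthread_mutex_unlock(&base_lock);
    return NULL;
}
/* del_timer_sync(): the "not pending and not running" check is made under the
 * lock, so the unlock/lock pair orders it after the callback's write to data. */
static int del_timer_sync_model(void)
{
    for (;;) {
        pthread_mutex_lock(&base_lock);
        bool done = !pending && !running;
        pthread_mutex_unlock(&base_lock);
        if (done)
            return data;                    /* callback has completed */
        sched_yield();
    }
}

int run_model(void)                         /* arm, expire, wait: returns 1 */
{
    pthread_t t;
    data = 0;
    pending = true;
    if (pthread_create(&t, NULL, expire_timer, NULL) != 0)
        return -1;
    int seen = del_timer_sync_model();
    pthread_join(t, NULL);
    return seen;
}
```

Moving `running = false` above the second pthread_mutex_lock() reproduces the pre-patch order: the waiter could then see the timer as finished without any lock-provided ordering against the callback's write.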