mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-09-04 20:19:47 +08:00
syzbot reported KCSAN data races vs. timer_base::timer_running being set to
NULL without holding base::lock in expire_timers().
This looks innocent and most reads are clearly not problematic, but
Frederic identified an issue which is:

    int data = 0;

    void timer_func(struct timer_list *t)
    {
        data = 1;
    }

    CPU 0                                            CPU 1
    ------------------------------                   --------------------------
    base = lock_timer_base(timer, &flags);           raw_spin_unlock(&base->lock);
    if (base->running_timer != timer)                call_timer_fn(timer, fn, baseclk);
      ret = detach_if_pending(timer, base, true);    base->running_timer = NULL;
    raw_spin_unlock_irqrestore(&base->lock, flags);  raw_spin_lock(&base->lock);

    x = data;

If the timer has previously executed on CPU 1 and then CPU 0 can observe
base->running_timer == NULL and returns, assuming the timer has completed,
but it's not guaranteed on all architectures. The comment for
del_timer_sync() makes that guarantee. Moving the assignment under
base->lock prevents this.
For non-RT kernel it's performance wise completely irrelevant whether the
store happens before or after taking the lock. For an RT kernel moving the
store under the lock requires an extra unlock/lock pair in the case that
there is a waiter for the timer, but that's not the end of the world.
Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes:
| File | | |
|---|---|---|
| alarmtimer.c | ||
| clockevents.c | ||
| clocksource-wdtest.c | ||
| clocksource.c | ||
| hrtimer.c | ||
| itimer.c | ||
| jiffies.c | ||
| Kconfig | ||
| Makefile | ||
| namespace.c | ||
| ntp_internal.h | ||
| ntp.c | ||
| posix-clock.c | ||
| posix-cpu-timers.c | ||
| posix-stubs.c | ||
| posix-timers.c | ||
| posix-timers.h | ||
| sched_clock.c | ||
| test_udelay.c | ||
| tick-broadcast-hrtimer.c | ||
| tick-broadcast.c | ||
| tick-common.c | ||
| tick-internal.h | ||
| tick-legacy.c | ||
| tick-oneshot.c | ||
| tick-sched.c | ||
| tick-sched.h | ||
| time_test.c | ||
| time.c | ||
| timeconst.bc | ||
| timeconv.c | ||
| timecounter.c | ||
| timekeeping_debug.c | ||
| timekeeping_internal.h | ||
| timekeeping.c | ||
| timekeeping.h | ||
| timer_list.c | ||
| timer.c | ||
| vsyscall.c | ||