Re: [PATCH 2/2] timer: use hlist_unhashed_lockless() in timer_pending()

From: "Paul E. McKenney" <paulmck@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH 2/2] timer: use hlist_unhashed_lockless() in timer_pending()
Date: Fri, 8 Nov 2019 11:27:21 -0800	[thread overview]
Message-ID: <20191108192721.GC20975@paulmck-ThinkPad-P72> (raw)
In-Reply-To: <20191107193738.195914-2-edumazet@google.com>

On Thu, Nov 07, 2019 at 11:37:38AM -0800, Eric Dumazet wrote:
> timer_pending() is mostly used in lockless contexts.
> 
> Without proper annotations, KCSAN might detect a data-race [1]
> 
> Using hlist_unhashed_lockless() instead of hand-coding it
> seems appropriate (as suggested by Paul E. McKenney).
> 
> [1]
> 
> BUG: KCSAN: data-race in del_timer / detach_if_pending
> 
> write to 0xffff88808697d870 of 8 bytes by task 10 on cpu 0:
>  __hlist_del include/linux/list.h:764 [inline]
>  detach_timer kernel/time/timer.c:815 [inline]
>  detach_if_pending+0xcd/0x2d0 kernel/time/timer.c:832
>  try_to_del_timer_sync+0x60/0xb0 kernel/time/timer.c:1226
>  del_timer_sync+0x6b/0xa0 kernel/time/timer.c:1365
>  schedule_timeout+0x2d2/0x6e0 kernel/time/timer.c:1896
>  rcu_gp_fqs_loop+0x37c/0x580 kernel/rcu/tree.c:1639
>  rcu_gp_kthread+0x143/0x230 kernel/rcu/tree.c:1799
>  kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
> 
> read to 0xffff88808697d870 of 8 bytes by task 12060 on cpu 1:
>  del_timer+0x3b/0xb0 kernel/time/timer.c:1198
>  sk_stop_timer+0x25/0x60 net/core/sock.c:2845
>  inet_csk_clear_xmit_timers+0x69/0xa0 net/ipv4/inet_connection_sock.c:523
>  tcp_clear_xmit_timers include/net/tcp.h:606 [inline]
>  tcp_v4_destroy_sock+0xa3/0x3f0 net/ipv4/tcp_ipv4.c:2096
>  inet_csk_destroy_sock+0xf4/0x250 net/ipv4/inet_connection_sock.c:836
>  tcp_close+0x6f3/0x970 net/ipv4/tcp.c:2497
>  inet_release+0x86/0x100 net/ipv4/af_inet.c:427
>  __sock_release+0x85/0x160 net/socket.c:590
>  sock_close+0x24/0x30 net/socket.c:1268
>  __fput+0x1e1/0x520 fs/file_table.c:280
>  ____fput+0x1f/0x30 fs/file_table.c:313
>  task_work_run+0xf6/0x130 kernel/task_work.c:113
>  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
>  exit_to_usermode_loop+0x2b4/0x2c0 arch/x86/entry/common.c:163
> 
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 12060 Comm: syz-executor.5 Not tainted 5.4.0-rc3+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: "Paul E. McKenney" <paulmck@kernel.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>

And I queued this one as well, but again if you would prefer it go
up elsewhere, for whatever it is worth:

Acked-by: Paul E. McKenney <paulmck@kernel.org>

> ---
>  include/linux/timer.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/timer.h b/include/linux/timer.h
> index 1e6650ed066d5d28251b0bd385fc37ef94c96532..0dc19a8c39c9e49a7cde3d34bfa4be8871cbc1c2 100644
> --- a/include/linux/timer.h
> +++ b/include/linux/timer.h
> @@ -164,7 +164,7 @@ static inline void destroy_timer_on_stack(struct timer_list *timer) { }
>   */
>  static inline int timer_pending(const struct timer_list * timer)
>  {
> -	return timer->entry.pprev != NULL;
> +	return !hlist_unhashed_lockless(&timer->entry);
>  }
>  
>  extern void add_timer_on(struct timer_list *timer, int cpu);
> -- 
> 2.24.0.432.g9d3f5f5b63-goog
> 