From: Frederic Weisbecker <frederic@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
Anna-Maria Behnsen <anna-maria@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com,
Dmitry Vyukov <dvyukov@google.com>,
Sebastian Siewior <bigeasy@linutronix.de>,
Michael Kerrisk <mtk.manpages@gmail.com>
Subject: Re: [patch v2 02/20] posix-timers: Ensure timer ID search-loop limit is valid
Date: Mon, 5 Jun 2023 16:17:04 +0200 [thread overview]
Message-ID: <ZH3uYNznMXMbwjbM@2a01cb0980759691cfef005a85b365eb.ipv6.abo.wanadoo.fr> (raw)
In-Reply-To: <87bkhzdn6g.ffs@tglx>
Le Thu, Jun 01, 2023 at 08:58:47PM +0200, Thomas Gleixner a écrit :
> posix_timer_add() tries to allocate a posix timer ID by starting from the
> cached ID which was stored by the last successful allocation.
>
> This is done in a loop searching the ID space for a free slot one by
> one. The loop has to terminate when the search wrapped around to the
> starting point.
>
> But that's racy vs. establishing the starting point. That is read out
> lockless, which leads to the following problem:
>
> CPU0 CPU1
> posix_timer_add()
> start = sig->posix_timer_id;
> lock(hash_lock);
> ... posix_timer_add()
> if (++sig->posix_timer_id < 0)
> start = sig->posix_timer_id;
> sig->posix_timer_id = 0;
>
> So CPU1 can observe a negative start value, i.e. -1, and the loop break
> never happens because the condition can never be true:
>
> if (sig->posix_timer_id == start)
> break;
>
> While this is unlikely to ever turn into an endless loop as the ID space is
> huge (INT_MAX), the racy read of the start value caught the attention of
> KCSAN and Dmitry unearthed that incorrectness.
>
> Rewrite it so that all id operations are under the hash lock.
>
> Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
next prev parent reply other threads:[~2023-06-05 14:17 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-25 18:48 [patch 00/20] posix-timers: Fixes and cleanups Thomas Gleixner
2023-04-25 18:48 ` [patch 01/20] posix-timers: Prevent RT livelock in itimer_delete() Thomas Gleixner
2023-05-04 17:06 ` Frederic Weisbecker
2023-05-04 18:20 ` Thomas Gleixner
2023-05-05 7:57 ` Thomas Gleixner
2023-06-01 19:00 ` [patch v2 " Thomas Gleixner
2023-06-01 20:16 ` [patch v2a " Thomas Gleixner
2023-06-05 10:59 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:48 ` [patch 02/20] posix-timers: Ensure timer ID search-loop limit is valid Thomas Gleixner
2023-05-05 14:50 ` Frederic Weisbecker
2023-05-05 22:58 ` Thomas Gleixner
2023-05-05 23:36 ` Thomas Gleixner
2023-05-08 21:57 ` Thomas Gleixner
2023-05-09 9:30 ` Thomas Gleixner
2023-05-09 12:50 ` Thomas Gleixner
2023-05-09 21:42 ` [RFD] posix-timers: CRIU woes Thomas Gleixner
2023-05-10 4:36 ` Pavel Tikhomirov
2023-05-10 8:30 ` Thomas Gleixner
2023-05-11 4:12 ` Pavel Tikhomirov
2023-05-11 7:56 ` Peter Zijlstra
2023-05-11 9:32 ` Thomas Gleixner
2023-05-11 10:13 ` David Laight
2023-05-10 8:16 ` Andrey Vagin
2023-05-11 3:17 ` Pavel Tikhomirov
2023-05-11 9:36 ` Thomas Gleixner
2023-05-11 9:52 ` Pavel Tikhomirov
2023-05-11 13:42 ` Thomas Gleixner
2023-05-11 14:54 ` Pavel Tikhomirov
2023-05-11 15:25 ` Pavel Tikhomirov
2023-05-12 1:21 ` Andrey Vagin
2023-05-31 17:38 ` Thomas Gleixner
2023-05-11 7:49 ` Cyrill Gorcunov
2023-05-10 0:42 ` [patch 02/20] posix-timers: Ensure timer ID search-loop limit is valid Andrey Vagin
2023-05-09 9:42 ` Frederic Weisbecker
2023-05-09 12:04 ` Thomas Gleixner
2023-05-09 12:38 ` Thomas Gleixner
2023-05-09 14:18 ` Frederic Weisbecker
2023-06-01 18:58 ` [patch v2 " Thomas Gleixner
2023-06-05 14:17 ` Frederic Weisbecker [this message]
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 03/20] posix-timers: Clarify timer_wait_running() comment Thomas Gleixner
2023-05-09 9:50 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 04/20] posix-timers: Cleanup comments about timer ID tracking Thomas Gleixner
2023-05-09 9:58 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 05/20] posix-timers: Add comments about timer lookup Thomas Gleixner
2023-05-09 10:58 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 06/20] posix-timers: Annotate concurrent access to k_itimer::it_signal Thomas Gleixner
2023-05-09 11:04 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] posix-timers: Annotate concurrent access to k_itimer:: It_signal tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 07/20] posix-timers: Set k_itimer::it_signal to NULL on exit() Thomas Gleixner
2023-06-01 10:09 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] posix-timers: Set k_itimer:: It_signal " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 08/20] posix-timers: Remove pointless irqsafe from hash_lock Thomas Gleixner
2023-06-01 10:12 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 09/20] posix-timers: Split release_posix_timers() Thomas Gleixner
2023-06-01 10:25 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 10/20] posix-timers: Document sys_clock_getres() correctly Thomas Gleixner
2023-06-01 10:44 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 11/20] posix-timers: Document common_clock_get() correctly Thomas Gleixner
2023-06-01 11:00 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 12/20] posix-timers: Document sys_clock_getoverrun() Thomas Gleixner
2023-06-01 11:06 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 13/20] posix-timers: Document sys_clock_settime() permissions in place Thomas Gleixner
2023-06-01 11:22 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:50 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 14/20] posix-timers: Document nanosleep() details Thomas Gleixner
2023-06-01 12:30 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 15/20] posix-timers: Add proper comments in do_timer_create() Thomas Gleixner
2023-06-01 12:43 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 16/20] posix-timers: Comment SIGEV_THREAD_ID properly Thomas Gleixner
2023-06-01 12:47 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 17/20] posix-timers: Clarify posix_timer_rearm() comment Thomas Gleixner
2023-06-01 12:52 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 18/20] posix-timers: Clarify posix_timer_fn() comments Thomas Gleixner
2023-06-01 13:21 ` Frederic Weisbecker
2023-06-01 18:43 ` Thomas Gleixner
2023-06-01 19:07 ` Thomas Gleixner
2023-06-05 14:26 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-05 22:17 ` tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 19/20] posix-timers: Remove pointless comments Thomas Gleixner
2023-06-01 13:48 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-05 22:17 ` tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-04-25 18:49 ` [patch 20/20] posix-timers: Polish coding style in a few places Thomas Gleixner
2023-06-01 13:50 ` Frederic Weisbecker
2023-06-05 15:08 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2023-06-05 22:17 ` tip-bot2 for Thomas Gleixner
2023-06-18 20:49 ` tip-bot2 for Thomas Gleixner
2023-06-05 14:32 ` [patch 00/20] posix-timers: Fixes and cleanups Frederic Weisbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZH3uYNznMXMbwjbM@2a01cb0980759691cfef005a85b365eb.ipv6.abo.wanadoo.fr \
--to=frederic@kernel.org \
--cc=anna-maria@linutronix.de \
--cc=bigeasy@linutronix.de \
--cc=dvyukov@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=peterz@infradead.org \
--cc=syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.