* [PATCH] hrtimer: annotate lockless access to timer->base
@ 2019-10-08 17:32 Eric Dumazet
  2019-10-14  4:10 ` Eric Dumazet
  2019-10-14 13:58 ` [tip: timers/urgent] hrtimer: Annotate " tip-bot2 for Eric Dumazet
  0 siblings, 2 replies; 3+ messages in thread
From: Eric Dumazet @ 2019-10-08 17:32 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: linux-kernel, Eric Dumazet, Eric Dumazet, Julien Grall

Followup to commit dd2261ed45aa ("hrtimer: Protect lockless access
to timer->base")

lock_hrtimer_base() fetches timer->base without lock exclusion.

The compiler is allowed to read timer->base twice (even if doing so
would be considered dumb), so we could end up trying to lock
migration_base and returning &migration_base.

  base = timer->base;
  if (likely(base != &migration_base)) {

       /* compiler reads timer->base again, and now (base == &migration_base)

       raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
       if (likely(base == timer->base))
            return base; /* == &migration_base ! */

Similarly the write sides should use WRITE_ONCE() to avoid
store tearing.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Julien Grall <julien.grall@arm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
---
 kernel/time/hrtimer.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 0d4dc241c0fb498036c91a571e65cb00f5d19ba6..65605530ee349c9682690c4fccb43aa9284d4287 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -164,7 +164,7 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer,
 	struct hrtimer_clock_base *base;
 
 	for (;;) {
-		base = timer->base;
+		base = READ_ONCE(timer->base);
 		if (likely(base != &migration_base)) {
 			raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
 			if (likely(base == timer->base))
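Review bot: The re-check `if (likely(base == timer->base))` on the last line of this hunk is still a plain load, so only the first of the two reads of timer->base is annotated. If the timer has already been moved, the lock taken here is the old base's cpu_base lock, which does not appear to exclude the `WRITE_ONCE(timer->base, new_base)` store that switch_hrtimer_base() performs under the new base's lock, so this read can still run concurrently with a write. Either mark it as well, `if (likely(base == READ_ONCE(timer->base)))`, or add a short comment explaining why a plain read is sufficient for the comparison. The loop body continues past the end of the hunk.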
@@ -244,7 +244,7 @@ switch_hrtimer_base(struct hrtimer *timer, struct hrtimer_clock_base *base,
 			return base;
 
 		/* See the comment in lock_hrtimer_base() */
-		timer->base = &migration_base;
+		WRITE_ONCE(timer->base, &migration_base);
 		raw_spin_unlock(&base->cpu_base->lock);
 		raw_spin_lock(&new_base->cpu_base->lock);
 
@@ -253,10 +253,10 @@ switch_hrtimer_base(struct hrtimer *timer, struct hrtimer_clock_base *base,
 			raw_spin_unlock(&new_base->cpu_base->lock);
 			raw_spin_lock(&base->cpu_base->lock);
 			new_cpu_base = this_cpu_base;
-			timer->base = base;
+			WRITE_ONCE(timer->base, base);
 			goto again;
 		}
-		timer->base = new_base;
+		WRITE_ONCE(timer->base, new_base);
 	} else {
 		if (new_cpu_base != this_cpu_base &&
 		    hrtimer_check_target(timer, new_base)) {
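Review bot: The two stores converted in this hunk, `WRITE_ONCE(timer->base, base)` and `WRITE_ONCE(timer->base, new_base)`, carry no comment naming the lockless reader they are annotated for; only the `&migration_base` store in the previous hunk sits under the "See the comment in lock_hrtimer_base()" pointer. A one-line comment such as `/* Lockless reader: READ_ONCE() in lock_hrtimer_base() */` above each would keep a later cleanup from turning them back into plain assignments. switch_hrtimer_base() starts before and ends after the hunk, so any other stores to timer->base in it are not visible here.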
-- 
2.23.0.581.g78d2f28ef7-goog



* Re: [PATCH] hrtimer: annotate lockless access to timer->base
  2019-10-08 17:32 [PATCH] hrtimer: annotate lockless access to timer->base Eric Dumazet
@ 2019-10-14  4:10 ` Eric Dumazet
  2019-10-14 13:58 ` [tip: timers/urgent] hrtimer: Annotate " tip-bot2 for Eric Dumazet
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2019-10-14  4:10 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: linux-kernel, Eric Dumazet, Julien Grall

On Tue, Oct 8, 2019 at 10:32 AM Eric Dumazet <edumazet@google.com> wrote:
>
> Followup to commit dd2261ed45aa ("hrtimer: Protect lockless access
> to timer->base")
>
> lock_hrtimer_base() fetches timer->base without lock exclusion.
>
> Compiler is allowed to read timer->base twice (even if considered dumb)
> and we could end up trying to lock migration_base and
> return &migration_base.
>
>   base = timer->base;
>   if (likely(base != &migration_base)) {
>
>        /* compiler reads timer->base again, and now (base == &migration_base)
>
>        raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
>        if (likely(base == timer->base))
>             return base; /* == &migration_base ! */
>
> Similarly the write sides should use WRITE_ONCE() to avoid
> store tearing.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> ---
>  kernel/time/hrtimer.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
> index 0d4dc241c0fb498036c91a571e65cb00f5d19ba6..65605530ee349c9682690c4fccb43aa9284d4287 100644
> --- a/kernel/time/hrtimer.c
> +++ b/kernel/time/hrtimer.c
> @@ -164,7 +164,7 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer,
>         struct hrtimer_clock_base *base;
>
>         for (;;) {
> -               base = timer->base;
> +               base = READ_ONCE(timer->base);
>                 if (likely(base != &migration_base)) {
>                         raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
>                         if (likely(base == timer->base))
> @@ -244,7 +244,7 @@ switch_hrtimer_base(struct hrtimer *timer, struct hrtimer_clock_base *base,
>                         return base;
>
>                 /* See the comment in lock_hrtimer_base() */
> -               timer->base = &migration_base;
> +               WRITE_ONCE(timer->base, &migration_base);
>                 raw_spin_unlock(&base->cpu_base->lock);
>                 raw_spin_lock(&new_base->cpu_base->lock);
>
> @@ -253,10 +253,10 @@ switch_hrtimer_base(struct hrtimer *timer, struct hrtimer_clock_base *base,
>                         raw_spin_unlock(&new_base->cpu_base->lock);
>                         raw_spin_lock(&base->cpu_base->lock);
>                         new_cpu_base = this_cpu_base;
> -                       timer->base = base;
> +                       WRITE_ONCE(timer->base, base);
>                         goto again;
>                 }
> -               timer->base = new_base;
> +               WRITE_ONCE(timer->base, new_base);
>         } else {
>                 if (new_cpu_base != this_cpu_base &&
>                     hrtimer_check_target(timer, new_base)) {
> --
> 2.23.0.581.g78d2f28ef7-goog
>

Any news on this patch ?

If more information is needed, let me know.

Maybe I need to point to :

commit b831275a3553c32091222ac619cfddd73a5553fb timers: Plug locking
race vs. timer migration

Thanks


* [tip: timers/urgent] hrtimer: Annotate lockless access to timer->base
  2019-10-08 17:32 [PATCH] hrtimer: annotate lockless access to timer->base Eric Dumazet
  2019-10-14  4:10 ` Eric Dumazet
@ 2019-10-14 13:58 ` tip-bot2 for Eric Dumazet
  1 sibling, 0 replies; 3+ messages in thread
From: tip-bot2 for Eric Dumazet @ 2019-10-14 13:58 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: Eric Dumazet, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	linux-kernel

The following commit has been merged into the timers/urgent branch of tip:

Commit-ID:     ff229eee3d897f52bd001c841f2d3cce8853ecdc
Gitweb:        https://git.kernel.org/tip/ff229eee3d897f52bd001c841f2d3cce8853ecdc
Author:        Eric Dumazet <edumazet@google.com>
AuthorDate:    Tue, 08 Oct 2019 10:32:04 -07:00
Committer:     Thomas Gleixner <tglx@linutronix.de>
CommitterDate: Mon, 14 Oct 2019 15:51:49 +02:00

hrtimer: Annotate lockless access to timer->base

Followup to commit dd2261ed45aa ("hrtimer: Protect lockless access
to timer->base")

lock_hrtimer_base() fetches timer->base without lock exclusion.

Compiler is allowed to read timer->base twice (even if considered dumb)
which could end up trying to lock migration_base and return
&migration_base.

  base = timer->base;
  if (likely(base != &migration_base)) {

       /* compiler reads timer->base again, and now (base == &migration_base)

       raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
       if (likely(base == timer->base))
            return base; /* == &migration_base ! */

Similarly the write sides must use WRITE_ONCE() to avoid store tearing.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008173204.180879-1-edumazet@google.com

---
 kernel/time/hrtimer.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 0d4dc24..6560553 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -164,7 +164,7 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer,
 	struct hrtimer_clock_base *base;
 
 	for (;;) {
-		base = timer->base;
+		base = READ_ONCE(timer->base);
 		if (likely(base != &migration_base)) {
 			raw_spin_lock_irqsave(&base->cpu_base->lock, *flags);
 			if (likely(base == timer->base))
@@ -244,7 +244,7 @@ again:
 			return base;
 
 		/* See the comment in lock_hrtimer_base() */
-		timer->base = &migration_base;
+		WRITE_ONCE(timer->base, &migration_base);
 		raw_spin_unlock(&base->cpu_base->lock);
 		raw_spin_lock(&new_base->cpu_base->lock);
 
@@ -253,10 +253,10 @@ again:
 			raw_spin_unlock(&new_base->cpu_base->lock);
 			raw_spin_lock(&base->cpu_base->lock);
 			new_cpu_base = this_cpu_base;
-			timer->base = base;
+			WRITE_ONCE(timer->base, base);
 			goto again;
 		}
-		timer->base = new_base;
+		WRITE_ONCE(timer->base, new_base);
 	} else {
 		if (new_cpu_base != this_cpu_base &&
 		    hrtimer_check_target(timer, new_base)) {

