timers: Move clearing of base::timer_running under base:: Lock

KAGA-KOKO · KAGA-KOKO · commit bb7262b29547 · 2021-07-27T20:57:44.000+02:00
syzbot reported KCSAN data races vs. timer_base::timer_running being set to NULL without holding base::lock in expire_timers(). This looks innocent and most reads are clearly not problematic, but Frederic identified an issue which is: int data = 0; void timer_func(struct timer_list *t) { data = 1; } CPU 0 CPU 1 ------------------------------ -------------------------- base = lock_timer_base(timer, &flags); raw_spin_unlock(&base->lock); if (base->running_timer != timer) call_timer_fn(timer, fn, baseclk); ret = detach_if_pending(timer, base, true); base->running_timer = NULL; raw_spin_unlock_irqrestore(&base->lock, flags); raw_spin_lock(&base->lock); x = data; If the timer has previously executed on CPU 1 and then CPU 0 can observe base->running_timer == NULL and returns, assuming the timer has completed, but it's not guaranteed on all architectures. The comment for del_timer_sync() makes that guarantee. Moving the assignment under base->lock prevents this. For non-RT kernel it's performance wise completely irrelevant whether the store happens before or after taking the lock. For an RT kernel moving the store under the lock requires an extra unlock/lock pair in the case that there is a waiter for the timer, but that's not the end of the world. Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com Fixes: 030dcdd ("timers: Prepare support for PREEMPT_RT") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: https://lore.kernel.org/r/87lfea7gw8.fsf@nanos.tec.linutronix.de Cc: stable@vger.kernel.org
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
@@ -1265,8 +1265,10 @@ static inline void timer_base_unlock_expiry(struct timer_base *base)
 static void timer_sync_wait_running(struct timer_base *base)
 {
 	if (atomic_read(&base->timer_waiters)) {
+		raw_spin_unlock_irq(&base->lock);
 		spin_unlock(&base->expiry_lock);
 		spin_lock(&base->expiry_lock);
+		raw_spin_lock_irq(&base->lock);
 	}
 }
 
@@ -1457,14 +1459,14 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head)
 		if (timer->flags & TIMER_IRQSAFE) {
 			raw_spin_unlock(&base->lock);
 			call_timer_fn(timer, fn, baseclk);
-			base->running_timer = NULL;
 			raw_spin_lock(&base->lock);
+			base->running_timer = NULL;
 		} else {
 			raw_spin_unlock_irq(&base->lock);
 			call_timer_fn(timer, fn, baseclk);
+			raw_spin_lock_irq(&base->lock);
 			base->running_timer = NULL;
 			timer_sync_wait_running(base);
-			raw_spin_lock_irq(&base->lock);
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -1265,8 +1265,10 @@ static inline void timer_base_unlock_expiry(struct timer_base *base)`
`1265`	`1265`	`static void timer_sync_wait_running(struct timer_base *base)`
`1266`	`1266`	`{`
`1267`	`1267`	`if (atomic_read(&base->timer_waiters)) {`
	`1268`	`+ raw_spin_unlock_irq(&base->lock);`
`1268`	`1269`	`spin_unlock(&base->expiry_lock);`
`1269`	`1270`	`spin_lock(&base->expiry_lock);`
	`1271`	`+ raw_spin_lock_irq(&base->lock);`
`1270`	`1272`	`}`
`1271`	`1273`	`}`
`1272`	`1274`
`@@ -1457,14 +1459,14 @@ static void expire_timers(struct timer_base base, struct hlist_head head)`
`1457`	`1459`	`if (timer->flags & TIMER_IRQSAFE) {`
`1458`	`1460`	`raw_spin_unlock(&base->lock);`
`1459`	`1461`	`call_timer_fn(timer, fn, baseclk);`
`1460`		`- base->running_timer = NULL;`
`1461`	`1462`	`raw_spin_lock(&base->lock);`
	`1463`	`+ base->running_timer = NULL;`
`1462`	`1464`	`} else {`
`1463`	`1465`	`raw_spin_unlock_irq(&base->lock);`
`1464`	`1466`	`call_timer_fn(timer, fn, baseclk);`
	`1467`	`+ raw_spin_lock_irq(&base->lock);`
`1465`	`1468`	`base->running_timer = NULL;`
`1466`	`1469`	`timer_sync_wait_running(base);`
`1467`		`- raw_spin_lock_irq(&base->lock);`
`1468`	`1470`	`}`
`1469`	`1471`	`}`
`1470`	`1472`	`}`