iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b2c74ebab9
linux/kernel
History
Eric Dumazet 190d14f3dd hrtimer: Annotate lockless access to timer->state 
commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.

syzbot reported various data-race caused by hrtimer_is_queued() reading
timer->state. A READ_ONCE() is required there to silence the warning.

Also add the corresponding WRITE_ONCE() when timer->state is set.

In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
loading timer->state twice.

KCSAN reported these cases:

BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check

write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
 __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
 __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
 __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
 hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
 smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
 tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
 tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
 tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
 tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
 tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
 tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 sk_backlog_rcv include/net/sock.h:945 [inline]
 __release_sock+0x135/0x1e0 net/core/sock.c:2435
 release_sock+0x61/0x160 net/core/sock.c:2951
 sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
 tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
 tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
 inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0x9f/0xc0 net/socket.c:657

BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check

write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
 __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
 __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
 __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
 hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830

read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
 __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
 tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
 tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 sk_backlog_rcv include/net/sock.h:945 [inline]
 __release_sock+0x135/0x1e0 net/core/sock.c:2435
 release_sock+0x61/0x160 net/core/sock.c:2951
 sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
 tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
 tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
 inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0x9f/0xc0 net/socket.c:657
 __sys_sendto+0x21f/0x320 net/socket.c:1952
 __do_sys_sendto net/socket.c:1964 [inline]
 __se_sys_sendto net/socket.c:1960 [inline]
 __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

[ tglx: Added comments ]

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-04 13:41:08 +01:00
..
bpf
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
2019-08-25 10:51:50 +02:00
configs
config: android: enable CONFIG_SECCOMP
2016-10-11 15:06:32 -07:00
debug
kdb: use memmove instead of overlapping memcpy
2018-12-08 13:05:05 +01:00
events
signal: Properly deliver SIGILL from uprobes
2019-11-25 09:52:12 +01:00
gcov
gcov: support GCC 7.1
2017-09-02 07:07:53 +02:00
irq
genirq: Prevent NULL pointer dereference in resend_irqs()
2019-09-21 07:14:04 +02:00
livepatch
livepatch/module: make TAINT_LIVEPATCH module-specific
2016-08-26 14:42:08 +02:00
locking
locking/lockdep: Add debug_locks check in __lock_downgrade()
2019-10-05 12:30:10 +02:00
power
x86/power: Fix 'nosmt' vs hibernation triple fault during resume
2019-06-11 12:22:48 +02:00
printk
printk: fix integer overflow in setup_log_buf()
2019-11-28 18:28:15 +01:00
rcu
rcuperf: Fix cleanup path for invalid perf_type strings
2019-05-31 06:48:30 -07:00
sched
sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
2019-12-21 10:41:28 +01:00
time
hrtimer: Annotate lockless access to timer->state
2020-01-04 13:41:08 +01:00
trace
tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
2019-11-06 12:18:13 +01:00
.gitignore
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-10 09:29:51 +01:00
async.c
kernel/async.c: revert "async: simplify lowest_in_progress()"
2018-02-17 13:21:18 +01:00
audit_fsnotify.c
audit_tree.c
audit_watch.c
audit_get_nd(): don't unlock parent too early
2019-12-21 10:40:48 +01:00
audit.c
audit: return on memory error to avoid null pointer dereference
2018-05-30 07:50:49 +02:00
audit.h
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit
2016-07-29 17:54:17 -07:00
auditfilter.c
audit: fix a memory leak bug
2019-05-31 06:48:20 -07:00
auditsc.c
audit: print empty EXECVE args
2019-11-28 18:28:55 +01:00
backtracetest.c
bounds.c
kbuild: fix kernel/bounds.c 'W=1' warning
2018-11-13 11:16:57 -08:00
capability.c
ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
2017-01-06 10:40:13 +01:00
cgroup_freezer.c
cgroup_pids.c
cgroup: pids: use atomic64_t for pids->limit
2019-12-21 10:42:02 +01:00
cgroup.c
cgroup: Fix deadlock in cpu hotplug path
2018-10-13 09:18:56 +02:00
compat.c
configs.c
context_tracking.c
cpu_pm.c
cpu.c
cpu/SMT: State SMT is disabled even with nosmt and without "=force"
2019-11-25 09:53:32 +01:00
cpuset.c
sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
2017-10-12 11:51:25 +02:00
crash_dump.c
cred.c
access: avoid the RCU grace period for the temporary subjective credentials
2019-08-04 09:33:43 +02:00
delayacct.c
dma.c
elfcore.c
kernel/elfcore.c: include proper prototypes
2019-10-17 13:42:13 -07:00
exec_domain.c
exit.c
kernel/exit.c: release ptraced tasks before zap_pid_ns_processes
2019-02-06 17:33:29 +01:00
extable.c
kernel/extable.c: mark core_kernel_text notrace
2017-07-21 07:42:21 +02:00
fork.c
kernel/sysctl.c: do not override max_threads provided by userspace
2019-10-17 13:42:44 -07:00
freezer.c
freezer, oom: check TIF_MEMDIE on the correct task
2016-07-28 16:07:41 -07:00
futex_compat.c
futex.c
futex: Ensure that futex address is aligned in handle_futex_death()
2019-03-27 14:13:03 +09:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
hung_task.c
kernel: hung_task.c: disable on suspend
2019-04-20 09:07:52 +02:00
irq_work.c
jump_label.c
jump_label: Invoke jump_label_test() via early_initcall()
2017-12-14 09:28:24 +01:00
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: ensure irq code sees a valid area
2018-08-03 07:55:12 +02:00
kexec_core.c
objtool, x86: Add several functions and files to the objtool whitelist
2018-06-05 10:28:57 +02:00
kexec_file.c
kexec: fix double-free when failing to relocate the purgatory
2016-09-01 17:52:01 -07:00
kexec_internal.h
kexec.c
kexec: allow architectures to override boot mapping
2016-08-02 19:35:27 -04:00
kmod.c
kprobes.c
kprobes: Don't call BUG_ON() if there is a kprobe in use on free list
2019-11-25 09:52:15 +01:00
ksysfs.c
kexec: add a kexec_crash_loaded() function
2016-08-02 19:35:30 -04:00
kthread.c
kthread, tracing: Don't expose half-written comm when creating kthreads
2018-08-03 07:55:12 +02:00
latencytop.c
Makefile
x86/uaccess, kcov: Disable stack protector
2019-06-22 08:17:19 +02:00
membarrier.c
Fix: Disable sys_membarrier when nohz_full is enabled
2017-03-12 06:41:45 +01:00
memremap.c
mm, devm_memremap_pages: kill mapping "System RAM" support
2019-01-13 10:03:51 +01:00
module_signing.c
module-internal.h
module.c
kernel/module.c: wakeup processes in module_wq on module unload
2019-12-21 10:42:21 +01:00
notifier.c
nsproxy.c
padata.c
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
2019-08-04 09:33:28 +02:00
panic.c
panic: ensure preemption is disabled during panic()
2019-10-17 13:42:25 -07:00
params.c
pid_namespace.c
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
2019-08-04 09:33:16 +02:00
pid.c
pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
2018-04-13 19:47:53 +02:00
profile.c
profile: Convert to hotplug state machine
2016-07-15 10:41:42 +02:00
ptrace.c
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
2019-07-10 09:55:45 +02:00
range.c
reboot.c
relay.c
kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
2018-05-30 07:50:29 +02:00
resource.c
resource: fix integer overflow at reallocation
2018-04-24 09:34:09 +02:00
seccomp.c
seccomp: Move speculation migitation control to arch code
2018-05-22 16:58:02 +02:00
signal.c
signal: Always ignore SIGKILL and SIGSTOP sent to the global init
2019-11-25 09:52:12 +01:00
smp.c
cpu/hotplug: Fix SMT supported evaluation
2018-08-15 18:14:53 +02:00
smpboot.c
kthread/smpboot: do not park in kthread_create_on_cpu()
2016-10-11 15:06:33 -07:00
smpboot.h
softirq.c
Mark HI and TASKLET softirq synchronous
2018-08-15 18:14:42 +02:00
stacktrace.c
stacktrace, lockdep: Fix address, newline ugliness
2017-02-14 15:25:42 -08:00
stop_machine.c
stop_machine: Use raw spinlocks
2018-08-03 07:55:24 +02:00
sys_ni.c
x86/pkeys: Fix pkeys build breakage for some non-x86 arches
2016-09-13 14:41:36 +02:00
sys.c
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
2019-06-22 08:17:13 +02:00
sysctl_binary.c
kernel/sysctl_binary.c: use generic UUID library
2016-05-20 17:58:30 -07:00
sysctl.c
kernel: sysctl: make drop_caches write-only
2020-01-04 13:41:04 +01:00
task_work.c
task_work: use READ_ONCE/lockless_dereference, avoid pi_lock if !task_works
2016-08-02 19:35:02 -04:00
taskstats.c
taskstats: fix the length of cgroupstats_cmd_get_policy
2016-11-03 16:55:58 -04:00
test_kprobes.c
torture.c
torture: Convert torture_shutdown() to hrtimer
2016-08-22 10:01:49 -07:00
tracepoint.c
tracepoint: Do not warn on ENOMEM
2018-05-09 09:50:20 +02:00
tsacct.c
ucount.c
kernel/ucount.c: mark user_header with kmemleak_ignore()
2017-06-17 06:41:51 +02:00
uid16.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
up.c
smp: Add function to execute a function synchronously on a CPU
2016-09-05 13:52:39 +02:00
user_namespace.c
userns: move user access out of the mutex
2018-09-09 20:01:24 +02:00
user-return-notifier.c
user.c
utsname_sysctl.c
sys: don't hold uts_sem while accessing userspace memory
2018-09-09 20:01:24 +02:00
utsname.c
Merge branch 'nsfs-ioctls' into HEAD
2016-09-22 20:00:36 -05:00
watchdog_hld.c
kernel/watchdog: prevent false hardlockup on overloaded system
2017-06-17 06:41:57 +02:00
watchdog.c
kernel/watchdog: prevent false hardlockup on overloaded system
2017-06-17 06:41:57 +02:00
workqueue_internal.h
workqueue: Fix NULL pointer dereference
2017-11-15 15:53:17 +01:00
workqueue.c
workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
2019-12-21 10:42:19 +01:00