On Sun, Dec 06, 2020 at 10:40:07PM +0100, Thomas Gleixner wrote:
> syzbot reported KCSAN data races vs. timer_base::timer_running being set to
> NULL without holding base::lock in expire_timers().
>
> This looks innocent and most reads are clearly not problematic but for a
> non-RT kernel it's completely irrelevant whether the store happens before
> or after taking the lock. For an RT kernel moving the store under the lock
> requires an extra unlock/lock pair in the case that there is a waiter for
> the timer. But that's not the end of the world and definitely not worth the
> trouble of adding boatloads of comments and annotations to the code. Famous
> last words...
There is another thing I noticed lately wrt. del_timer_sync() VS timer
execution:
int data = 0;
void timer_func(struct timer_list *t)
{
data = 1;
}
CPU 0 CPU 1
------------------------------
--------------------------
base = lock_timer_base(timer, &flags);
raw_spin_unlock(&base->lock);
if (base->running_timer != timer)
call_timer_fn(timer, fn, baseclk);
ret = detach_if_pending(timer, base, true);
base->running_timer = NULL;
raw_spin_unlock_irqrestore(&base->lock, flags);
raw_spin_lock(&base->lock);
x = data;
Here if the timer has previously executed on CPU 1 and then CPU 0 sees
base->running_timer == NULL,
it will return, assuming the timer has completed. But there is nothing to
enforce the fact that x
will be equal to 1. Enforcing that is a behaviour I would expect in this case
since this is a kind
of "wait for completion" function. But perhaps it doesn't apply here, in fact I
have no idea...
But if we recognize that as an issue, we would need a mirroring
load_acquire()/store_release() on
base->running_timer.
