From: "Dae R. Jeong" <threeearcat@gmail.com>
To: tglx@linutronix.de, linux-kernel@vger.kernel.org
Subject: WARNING in do_timer_settime
Date: Mon, 27 Mar 2023 16:17:46 +0900
Message-ID: <ZCFDGrz5mJXLLC49@dragonet>

Hi,

I'm looking into an issue detected during fuzzing, "WARNING in
do_timer_settime". Its report is attached at the end of this email.

I think this does not cause any serious issue, but my rough sketch of
a scenario causing the warning is a race condition caused by two
timer_settime() system calls for CLOCK_PROCESS_CPUTIME_ID.

CPU1                                       CPU2
-----                                      -----
do_timer_settime(CLOCK_PROCESS_CPUTIME_ID)
  posix_cpu_timer_set()
    arm_timer(timer, p);

timer interrupt handler
  run_posix_cpu_timers()
    handle_posix_cpu_timers()
      lock_task_sighand()
      check_process_timers()
        collect_posix_cpu_timers()         do_timer_settime(CLOCK_PROCESS_CPUTIME_ID)
          ctmr->firing = 1; - (1)            posix_cpu_timer_set()
      unlock_task_sighand() - (2)
                                               lock_task_sighand() // can acquire the sighand
                                                                   // lock because of (2)
                                               if (timer->it.cpu.firing) // true because of (1) and (3)
                                                 ret = TIMER_RETRY;
                                                 ..
                                                 return ret;
                                             timer_wait_running()
                                               WARN_ON(!kc->timer_was_running);
                                               // kc->timer_was_running is NULL in clock_posix_cpu
      timer->it.cpu.firing = 0; - (3)


But regardless of the scenario, I wonder if the commit ec8f954a40d
("posix-timers: Use a callback for cancel synchronization on
PREEMPT_RT") missed the initialization of the timer_was_running field in
clock_posix_cpu. I can see that the commit initialized the
timer_was_running field of all other clocks but clock_posix_cpu. So I
think the warning does not occur if the timer_was_running field of
clock_posix_cpu is initialized to, for example,
common_timer_wait_running. Could you please check this?

Thank you in advance.


Best regards,
Dae R. Jeong

-----
- Kernel version:
  6.2.0-rc7

- Report:
WARNING: CPU: 1 PID: 13389 at kernel/time/posix-timers.c:849 do_timer_settime+0x193/0x200 kernel/time/posix-timers.c:929
Modules linked in:
CPU: 1 PID: 13389 Comm: syz-executor.0 Not tainted 6.2.0-rc7-32171-g7f09e8f6ebfb #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
<- omitting registers ->
Call Trace:
 <TASK>
 __do_sys_timer_settime kernel/time/posix-timers.c:952 [inline]
 __se_sys_timer_settime kernel/time/posix-timers.c:938 [inline]
 __x64_sys_timer_settime+0xa3/0x110 kernel/time/posix-timers.c:938
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
<- omitting registers ->
 </TASK>
---[ end trace 0000000000000000 ]---
