From: "Leonid Shatz" <leonid.shatz@ravellosystems.com>
To: "'Thomas Gleixner'" <tglx@linutronix.de>,
"'Izik Eidus'" <izik.eidus@ravellosystems.com>
Cc: "'Andrea Arcangeli'" <aarcange@redhat.com>,
<linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] fix hrtimer_enqueue_reprogram race
Date: Tue, 5 Feb 2013 12:55:17 +0200 [thread overview]
Message-ID: <03b201ce038f$4a2db840$de8928c0$@ravellosystems.com> (raw)
In-Reply-To: <alpine.LFD.2.02.1302051138370.11905@ionos>
The explanation were submitted as possible scenario which could explain how
the bug in kernel could happen and it does not mean that serious designer
could do exactly that. As I said before, it's also possible that a race
between hrtimer_cancel and hrtimer_start can trigger the bug. The idea is to
have kernel more robust. There are already locks used inside hrtimer code,
so why should users of the hrtimer add another layer of locks and get
involved in the intricacy of which cases are protected by internal hrtimer
lock and which are not?
Leonid Shatz
> -----Original Message-----
> From: Thomas Gleixner [mailto:tglx@linutronix.de]
> Sent: Tuesday, February 05, 2013 12:44 PM
> To: Izik Eidus
> Cc: Andrea Arcangeli; linux-kernel@vger.kernel.org; leonid Shatz
> Subject: Re: [PATCH] fix hrtimer_enqueue_reprogram race
>
> On Mon, 4 Feb 2013, Izik Eidus wrote:
>
> > From: leonid Shatz <leonid.shatz@ravellosystems.com>
> >
> > it seems like hrtimer_enqueue_reprogram contain a race which could
> > result in timer.base switch during unlock/lock sequence.
> >
> > See the code at __hrtimer_start_range_ns where it calls
> > hrtimer_enqueue_reprogram. The later is releasing lock protecting the
> > timer base for a short time and timer base switch can occur from a
> > different CPU thread. Later when __hrtimer_start_range_ns calls
> > unlock_hrtimer_base, a base switch could have happened and this causes
> > the bug
> >
> > Try to start the same hrtimer from two different threads in kernel
> > running each one on a different CPU. Eventually one of the calls will
> > cause timer base switch while another thread is not expecting it.
>
> Aside of the bug in the hrtimer code being a real one, writing code which
> fiddles with the same resource (hrtimer) unserialized is broken on its
own.
>
> > This can happen in virtualized environment where one thread can be
> > delayed by lower hypervisor, and due to time delay a different CPU is
> > taking care of missed timer start and runs the timer start logic on its
own.
>
> Without noticing that something else already takes care of it? So you're
> saying that the code in question relies on magic serialization in the
hrtimer
> code. Doesn't look like a brilliant design.
>
> Thanks,
>
> tglx
next prev parent reply other threads:[~2013-02-05 10:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-04 12:33 [PATCH] fix hrtimer_enqueue_reprogram race Izik Eidus
2013-02-05 10:44 ` Thomas Gleixner
2013-02-05 10:55 ` Leonid Shatz [this message]
2013-02-05 11:15 ` Thomas Gleixner
2013-02-05 12:36 ` Leonid Shatz
2013-02-05 11:02 ` [tip:timers/core] hrtimer: Prevent " tip-bot for Leonid Shatz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='03b201ce038f$4a2db840$de8928c0$@ravellosystems.com' \
--to=leonid.shatz@ravellosystems.com \
--cc=aarcange@redhat.com \
--cc=izik.eidus@ravellosystems.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox