From: Marco Elver <elver@google.com>
To: elver@google.com, Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
Waiman Long <longman@redhat.com>,
Boqun Feng <boqun.feng@gmail.com>
Cc: "Paul E. McKenney" <paulmck@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Mark Rutland <mark.rutland@arm.com>,
Dmitry Vyukov <dvyukov@google.com>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/5] kcsan, seqlock: Support seqcount_latch_t
Date: Mon, 4 Nov 2024 16:43:04 +0100 [thread overview]
Message-ID: <20241104161910.780003-1-elver@google.com> (raw)
While fuzzing an arm64 kernel, Alexander Potapenko reported:
| BUG: KCSAN: data-race in ktime_get_mono_fast_ns / timekeeping_update
|
| write to 0xffffffc082e74248 of 56 bytes by interrupt on cpu 0:
| update_fast_timekeeper kernel/time/timekeeping.c:430 [inline]
| timekeeping_update+0x1d8/0x2d8 kernel/time/timekeeping.c:768
| timekeeping_advance+0x9e8/0xb78 kernel/time/timekeeping.c:2344
| update_wall_time+0x18/0x38 kernel/time/timekeeping.c:2360
| [...]
|
| read to 0xffffffc082e74258 of 8 bytes by task 5260 on cpu 1:
| __ktime_get_fast_ns kernel/time/timekeeping.c:372 [inline]
| ktime_get_mono_fast_ns+0x88/0x174 kernel/time/timekeeping.c:489
| init_srcu_struct_fields+0x40c/0x530 kernel/rcu/srcutree.c:263
| init_srcu_struct+0x14/0x20 kernel/rcu/srcutree.c:311
| [...]
|
| value changed: 0x000002f875d33266 -> 0x000002f877416866
|
| Reported by Kernel Concurrency Sanitizer on:
| CPU: 1 UID: 0 PID: 5260 Comm: syz.2.7483 Not tainted 6.12.0-rc3-dirty #78
This is a false positive data race between a seqcount latch writer and a reader
accessing stale data. Since its introduction, KCSAN has never understood the
seqcount_latch interface (due to being unannotated).
Unlike the regular seqlock interface, the seqcount_latch interface for latch
writers never has had a well-defined critical section, making it difficult to
teach tooling where the critical section starts and ends.
This series introduces an instrumentable (non-raw) seqcount_latch interface,
with which we can clearly denote writer critical sections. This both helps
readability and tooling like KCSAN to understand when the writer is done
updating all latch copies.
Changelog
=========
v2:
* New interface, courtesy of Peter Zijlstra. This simplifies things and we
avoid instrumenting the raw interface which is now reserved for noinstr
functions.
* Fix for read_seqbegin/retry() found during testing of new changes.
v1: https://lkml.kernel.org/r/20241029083658.1096492-1-elver@google.com
Marco Elver (5):
time/sched_clock: Swap update_clock_read_data() latch writes
time/sched_clock: Broaden sched_clock()'s instrumentation coverage
kcsan, seqlock: Support seqcount_latch_t
seqlock, treewide: Switch to non-raw seqcount_latch interface
kcsan, seqlock: Fix incorrect assumption in read_seqbegin()
Documentation/locking/seqlock.rst | 2 +-
arch/x86/kernel/tsc.c | 5 +-
include/linux/rbtree_latch.h | 20 ++++---
include/linux/seqlock.h | 98 +++++++++++++++++++++++--------
kernel/printk/printk.c | 9 +--
kernel/time/sched_clock.c | 34 +++++++----
kernel/time/timekeeping.c | 12 ++--
7 files changed, 123 insertions(+), 57 deletions(-)
--
2.47.0.163.g1226f6d8fa-goog
next reply other threads:[~2024-11-04 16:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-04 15:43 Marco Elver [this message]
2024-11-04 15:43 ` [PATCH v2 1/5] time/sched_clock: Swap update_clock_read_data() latch writes Marco Elver
2024-11-06 10:47 ` [tip: locking/core] " tip-bot2 for Marco Elver
2024-11-04 15:43 ` [PATCH v2 2/5] time/sched_clock: Broaden sched_clock()'s instrumentation coverage Marco Elver
2024-11-05 9:22 ` Marco Elver
2024-11-05 9:35 ` Peter Zijlstra
2024-11-06 10:47 ` [tip: locking/core] " tip-bot2 for Marco Elver
2024-11-04 15:43 ` [PATCH v2 3/5] kcsan, seqlock: Support seqcount_latch_t Marco Elver
2024-11-06 10:47 ` [tip: locking/core] " tip-bot2 for Marco Elver
2024-11-04 15:43 ` [PATCH v2 4/5] seqlock, treewide: Switch to non-raw seqcount_latch interface Marco Elver
2024-11-06 10:47 ` [tip: locking/core] " tip-bot2 for Marco Elver
2024-11-04 15:43 ` [PATCH v2 5/5] kcsan, seqlock: Fix incorrect assumption in read_seqbegin() Marco Elver
2024-11-05 9:13 ` Peter Zijlstra
2024-11-05 9:28 ` Marco Elver
2024-11-05 9:34 ` Peter Zijlstra
2024-11-05 9:41 ` Peter Zijlstra
2024-11-05 9:50 ` Marco Elver
2024-11-06 10:47 ` [tip: locking/core] " tip-bot2 for Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241104161910.780003-1-elver@google.com \
--to=elver@google.com \
--cc=boqun.feng@gmail.com \
--cc=dvyukov@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox