| Message ID | 20240604223633.2371664-2-paulmck@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 6040072f4774a575fa67b912efe7722874be337b |
| Headers | show |
| Series | Torture-test updates for v6.11 | expand |
On Wed, 5 Jun 2024 at 00:36, Paul E. McKenney <paulmck@kernel.org> wrote: > > On powerpc systems, spinlock acquisition does not order prior stores > against later loads. This means that this statement: > > rfcp->rfc_next = NULL; > > Can be reordered to follow this statement: > > WRITE_ONCE(*rfcpp, rfcp); > > Which is then a data race with rcu_torture_fwd_prog_cr(), specifically, > this statement: > > rfcpn = READ_ONCE(rfcp->rfc_next) > > KCSAN located this data race, which represents a real failure on powerpc. > > Signed-off-by: Paul E. McKenney <paulmck@kernel.org> > Cc: Marco Elver <elver@google.com> > Cc: Andrey Konovalov <andreyknvl@gmail.com> > Cc: <kasan-dev@googlegroups.com> Nice find - was this found by KCSAN's weak memory modeling, i.e. the report showed you that a reordered access resulted in a data race? Acked-by: Marco Elver <elver@google.com> > --- > kernel/rcu/rcutorture.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c > index 44cc455e1b615..cafe047d046e8 100644 > --- a/kernel/rcu/rcutorture.c > +++ b/kernel/rcu/rcutorture.c > @@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp) > spin_lock_irqsave(&rfp->rcu_fwd_lock, flags); > rfcpp = rfp->rcu_fwd_cb_tail; > rfp->rcu_fwd_cb_tail = &rfcp->rfc_next; > - WRITE_ONCE(*rfcpp, rfcp); > + smp_store_release(rfcpp, rfcp); > WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1); > i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV)); > if (i >= ARRAY_SIZE(rfp->n_launders_hist)) > -- > 2.40.1 >
On Wed, Jun 05, 2024 at 09:56:41AM +0200, Marco Elver wrote: > On Wed, 5 Jun 2024 at 00:36, Paul E. McKenney <paulmck@kernel.org> wrote: > > > > On powerpc systems, spinlock acquisition does not order prior stores > > against later loads. This means that this statement: > > > > rfcp->rfc_next = NULL; > > > > Can be reordered to follow this statement: > > > > WRITE_ONCE(*rfcpp, rfcp); > > > > Which is then a data race with rcu_torture_fwd_prog_cr(), specifically, > > this statement: > > > > rfcpn = READ_ONCE(rfcp->rfc_next) > > > > KCSAN located this data race, which represents a real failure on powerpc. > > > > Signed-off-by: Paul E. McKenney <paulmck@kernel.org> > > Cc: Marco Elver <elver@google.com> > > Cc: Andrey Konovalov <andreyknvl@gmail.com> > > Cc: <kasan-dev@googlegroups.com> > > Nice find - was this found by KCSAN's weak memory modeling, i.e. the > report showed you that a reordered access resulted in a data race? If I remember correctly, yes. Even on x86, the compiler is free to reorder that WRITE_ONCE() with unmarked accesses, so one can argue that this bug is not specific to powerpc. > Acked-by: Marco Elver <elver@google.com> I will apply on my next rebase, thank you! Thanx, Paul > > --- > > kernel/rcu/rcutorture.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c > > index 44cc455e1b615..cafe047d046e8 100644 > > --- a/kernel/rcu/rcutorture.c > > +++ b/kernel/rcu/rcutorture.c > > @@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp) > > spin_lock_irqsave(&rfp->rcu_fwd_lock, flags); > > rfcpp = rfp->rcu_fwd_cb_tail; > > rfp->rcu_fwd_cb_tail = &rfcp->rfc_next; > > - WRITE_ONCE(*rfcpp, rfcp); > > + smp_store_release(rfcpp, rfcp); > > WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1); > > i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV)); > > if (i >= ARRAY_SIZE(rfp->n_launders_hist)) > > -- > > 2.40.1 > >
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 44cc455e1b615..cafe047d046e8 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp) spin_lock_irqsave(&rfp->rcu_fwd_lock, flags); rfcpp = rfp->rcu_fwd_cb_tail; rfp->rcu_fwd_cb_tail = &rfcp->rfc_next; - WRITE_ONCE(*rfcpp, rfcp); + smp_store_release(rfcpp, rfcp); WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1); i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV)); if (i >= ARRAY_SIZE(rfp->n_launders_hist))
On powerpc systems, spinlock acquisition does not order prior stores against later loads. This means that this statement: rfcp->rfc_next = NULL; Can be reordered to follow this statement: WRITE_ONCE(*rfcpp, rfcp); Which is then a data race with rcu_torture_fwd_prog_cr(), specifically, this statement: rfcpn = READ_ONCE(rfcp->rfc_next) KCSAN located this data race, which represents a real failure on powerpc. Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Cc: Marco Elver <elver@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: <kasan-dev@googlegroups.com> --- kernel/rcu/rcutorture.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)