drivers/hwtracing/coresight/coresight-etb10.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
for userspace buffer access. etb_open() claims that gate with
local_cmpxchg(), and etb_release() clears it with local_set().
That gate is shared per-device state rather than CPU-local state. A
running system can reach it whenever /dev/<etb> is opened, closed, and
reopened by different tasks while the device remains registered, so the
same drvdata->reading variable may be claimed on one CPU and later
cleared on another.
This code used to use atomic_t for the same gate, but commit
27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
changed it to local_t even though the access pattern remained cross-task
and cross-CPU. Restore atomic_t together with atomic_cmpxchg() and
atomic_set() so the exclusivity gate again uses a primitive intended
for shared state.
The issue was found on Linux v6.18.21 by our static analysis tool while
scanning surviving local_t-on-shared-state sites, and then manually
reviewed against the live etb10 file-op path.
It was runtime-validated with a reproducible QEMU no-device KCSAN PoC
that kept the same report-local contract:
1. use one shared struct etb_drvdata carrier and its
drvdata->reading gate;
2. call etb_open() and etb_release() sequentially on that gate to
confirm the original claim/clear path;
3. bind the open side to CPU0 and the release side to CPU1 for the
same gate to show cross-CPU ownership;
4. run bound workers that repeatedly race etb_open() and
etb_release() on the same gate until KCSAN reports a target hit.
The harness recorded:
L1 passed open=1 release=1
reading_after_open=1 reading_after_release=0
L2 passed open_cpu=0 release_cpu=1
cross_cpu_release=1 reading_after=0 open_ret=0
Representative KCSAN excerpt from the no-device validation run:
BUG: KCSAN: data-race in etb_open.constprop.0.isra.0 [vuln_msv]
write to 0xffffffffc0003810 of 4 bytes by task 216 on cpu 1:
etb_open.constprop.0.isra.0+0x38/0x80 [vuln_msv]
l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
kthread+0x17e/0x1c0
ret_from_fork+0x22/0x30
read to 0xffffffffc0003810 of 4 bytes by task 215 on cpu 0:
etb_open.constprop.0.isra.0+0x18/0x80 [vuln_msv]
l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
kthread+0x17e/0x1c0
ret_from_fork+0x22/0x30
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 215 Comm: etb10_l3_a Tainted: G O 6.1.66 #2
This no-device harness is not a real ETB10 hardware end-to-end run, but
it preserves the same shared drvdata->reading gate and the same
etb_open()/etb_release() claim/clear contract. No real ETB10 hardware
was available for runtime testing.
Build-tested with:
make olddefconfig
make -j"$(nproc)" drivers/hwtracing/coresight/coresight-etb10.o
Fixes: 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
drivers/hwtracing/coresight/coresight-etb10.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
index 35db1b6093d1..98269ea6f7ae 100644
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -85,7 +85,7 @@ struct etb_drvdata {
struct coresight_device *csdev;
struct miscdevice miscdev;
raw_spinlock_t spinlock;
- local_t reading;
+ atomic_t reading;
pid_t pid;
u8 *buf;
u32 buffer_depth;
@@ -603,7 +603,7 @@ static int etb_open(struct inode *inode, struct file *file)
struct etb_drvdata *drvdata = container_of(file->private_data,
struct etb_drvdata, miscdev);
- if (local_cmpxchg(&drvdata->reading, 0, 1))
+ if (atomic_cmpxchg(&drvdata->reading, 0, 1))
return -EBUSY;
dev_dbg(&drvdata->csdev->dev, "%s: successfully opened\n", __func__);
@@ -641,7 +641,7 @@ static int etb_release(struct inode *inode, struct file *file)
{
struct etb_drvdata *drvdata = container_of(file->private_data,
struct etb_drvdata, miscdev);
- local_set(&drvdata->reading, 0);
+ atomic_set(&drvdata->reading, 0);
dev_dbg(&drvdata->csdev->dev, "%s: released\n", __func__);
return 0;
--
2.34.1
On Fri, 29 May 2026 00:52:01 +0800, Runyu Xiao wrote:
> The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
> for userspace buffer access. etb_open() claims that gate with
> local_cmpxchg(), and etb_release() clears it with local_set().
>
> That gate is shared per-device state rather than CPU-local state. A
> running system can reach it whenever /dev/<etb> is opened, closed, and
> reopened by different tasks while the device remains registered, so the
> same drvdata->reading variable may be claimed on one CPU and later
> cleared on another.
>
> [...]
Applied, thanks!
[1/1] coresight: etb10: restore atomic_t for shared reading state
https://git.kernel.org/coresight/c/fa09f08ede3d
Best regards,
--
Suzuki K Poulose <suzuki.poulose@arm.com>
On 28/05/2026 5:52 pm, Runyu Xiao wrote:
> The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
> for userspace buffer access. etb_open() claims that gate with
> local_cmpxchg(), and etb_release() clears it with local_set().
>
> That gate is shared per-device state rather than CPU-local state. A
> running system can reach it whenever /dev/<etb> is opened, closed, and
> reopened by different tasks while the device remains registered, so the
> same drvdata->reading variable may be claimed on one CPU and later
> cleared on another.
>
> This code used to use atomic_t for the same gate, but commit
> 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
> changed it to local_t even though the access pattern remained cross-task
> and cross-CPU. Restore atomic_t together with atomic_cmpxchg() and
> atomic_set() so the exclusivity gate again uses a primitive intended
> for shared state.
>
> The issue was found on Linux v6.18.21 by our static analysis tool while
> scanning surviving local_t-on-shared-state sites, and then manually
> reviewed against the live etb10 file-op path.
>
> It was runtime-validated with a reproducible QEMU no-device KCSAN PoC
> that kept the same report-local contract:
>
> 1. use one shared struct etb_drvdata carrier and its
> drvdata->reading gate;
> 2. call etb_open() and etb_release() sequentially on that gate to
> confirm the original claim/clear path;
> 3. bind the open side to CPU0 and the release side to CPU1 for the
> same gate to show cross-CPU ownership;
> 4. run bound workers that repeatedly race etb_open() and
> etb_release() on the same gate until KCSAN reports a target hit.
>
> The harness recorded:
>
> L1 passed open=1 release=1
> reading_after_open=1 reading_after_release=0
> L2 passed open_cpu=0 release_cpu=1
> cross_cpu_release=1 reading_after=0 open_ret=0
>
> Representative KCSAN excerpt from the no-device validation run:
>
> BUG: KCSAN: data-race in etb_open.constprop.0.isra.0 [vuln_msv]
>
> write to 0xffffffffc0003810 of 4 bytes by task 216 on cpu 1:
> etb_open.constprop.0.isra.0+0x38/0x80 [vuln_msv]
> l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
> kthread+0x17e/0x1c0
> ret_from_fork+0x22/0x30
>
> read to 0xffffffffc0003810 of 4 bytes by task 215 on cpu 0:
> etb_open.constprop.0.isra.0+0x18/0x80 [vuln_msv]
> l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
> kthread+0x17e/0x1c0
> ret_from_fork+0x22/0x30
>
> value changed: 0x00000000 -> 0x00000001
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 0 PID: 215 Comm: etb10_l3_a Tainted: G O 6.1.66 #2
>
> This no-device harness is not a real ETB10 hardware end-to-end run, but
> it preserves the same shared drvdata->reading gate and the same
> etb_open()/etb_release() claim/clear contract. No real ETB10 hardware
> was available for runtime testing.
>
> Build-tested with:
> make olddefconfig
> make -j"$(nproc)" drivers/hwtracing/coresight/coresight-etb10.o
>
> Fixes: 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
> Cc: stable@vger.kernel.org
> Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
> ---
> drivers/hwtracing/coresight/coresight-etb10.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
> index 35db1b6093d1..98269ea6f7ae 100644
> --- a/drivers/hwtracing/coresight/coresight-etb10.c
> +++ b/drivers/hwtracing/coresight/coresight-etb10.c
> @@ -85,7 +85,7 @@ struct etb_drvdata {
> struct coresight_device *csdev;
> struct miscdevice miscdev;
> raw_spinlock_t spinlock;
> - local_t reading;
> + atomic_t reading;
> pid_t pid;
> u8 *buf;
> u32 buffer_depth;
> @@ -603,7 +603,7 @@ static int etb_open(struct inode *inode, struct file *file)
> struct etb_drvdata *drvdata = container_of(file->private_data,
> struct etb_drvdata, miscdev);
>
> - if (local_cmpxchg(&drvdata->reading, 0, 1))
> + if (atomic_cmpxchg(&drvdata->reading, 0, 1))
> return -EBUSY;
>
> dev_dbg(&drvdata->csdev->dev, "%s: successfully opened\n", __func__);
> @@ -641,7 +641,7 @@ static int etb_release(struct inode *inode, struct file *file)
> {
> struct etb_drvdata *drvdata = container_of(file->private_data,
> struct etb_drvdata, miscdev);
> - local_set(&drvdata->reading, 0);
> + atomic_set(&drvdata->reading, 0);
>
> dev_dbg(&drvdata->csdev->dev, "%s: released\n", __func__);
> return 0;
Reviewed-by: James Clark <james.clark@linaro.org>
Semi-related to this change, etb_read() doesn't have any lock when
reading drvdata->buffer_dept or drvdata->buf. It locks in etb_dump(),
but then unlocks before actually calling copy_to_user().
Seems like concurrent calls to etb_read() might end up with corrupt
data, although I'm not sure if that would ever happen in practice
because it only allows one open file handle.
© 2016 - 2026 Red Hat, Inc.