From: Runyu Xiao
To: suzuki.poulose@arm.com, alexander.shishkin@linux.intel.com
Cc: mike.leach@linaro.org, james.clark@linaro.org, mathieu.poirier@linaro.org, gregkh@linuxfoundation.org, coresight@lists.linaro.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, runyu.xiao@seu.edu.cn, jianhao.xu@seu.edu.cn, stable@vger.kernel.org
Subject: [PATCH] coresight: etb10: restore atomic_t for shared reading state
Date: Fri, 29 May 2026 00:52:01 +0800
Message-Id: <20260528165201.319452-1-runyu.xiao@seu.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
for userspace buffer access. etb_open() claims that gate with
local_cmpxchg(), and etb_release() clears it with local_set().

That gate is shared per-device state rather than CPU-local state. A
running system can reach it whenever /dev/ is opened, closed, and
reopened by different tasks while the device remains registered, so the
same drvdata->reading variable may be claimed on one CPU and later
cleared on another.

This code used to use atomic_t for the same gate, but commit
27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
changed it to local_t even though the access pattern remained cross-task
and cross-CPU.

Restore atomic_t together with atomic_cmpxchg() and atomic_set() so the
exclusivity gate again uses a primitive intended for shared state.

The issue was found on Linux v6.18.21 by our static analysis tool while
scanning surviving local_t-on-shared-state sites, and then manually
reviewed against the live etb10 file-op path. It was runtime-validated
with a reproducible QEMU no-device KCSAN PoC that kept the same
report-local contract:

1. use one shared struct etb_drvdata carrier and its drvdata->reading
   gate;
2. call etb_open() and etb_release() sequentially on that gate to
   confirm the original claim/clear path;
3. bind the open side to CPU0 and the release side to CPU1 for the same
   gate to show cross-CPU ownership;
4. run bound workers that repeatedly race etb_open() and etb_release()
   on the same gate until KCSAN reports a target hit.

The harness recorded:

  L1 passed open=1 release=1 reading_after_open=1 reading_after_release=0
  L2 passed open_cpu=0 release_cpu=1 cross_cpu_release=1 reading_after=0 open_ret=0

Representative KCSAN excerpt from the no-device validation run:

  BUG: KCSAN: data-race in etb_open.constprop.0.isra.0 [vuln_msv]

  write to 0xffffffffc0003810 of 4 bytes by task 216 on cpu 1:
   etb_open.constprop.0.isra.0+0x38/0x80 [vuln_msv]
   l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
   kthread+0x17e/0x1c0
   ret_from_fork+0x22/0x30

  read to 0xffffffffc0003810 of 4 bytes by task 215 on cpu 0:
   etb_open.constprop.0.isra.0+0x18/0x80 [vuln_msv]
   l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
   kthread+0x17e/0x1c0
   ret_from_fork+0x22/0x30

  value changed: 0x00000000 -> 0x00000001

  Reported by Kernel Concurrency Sanitizer on:
  CPU: 0 PID: 215 Comm: etb10_l3_a Tainted: G O 6.1.66 #2

This no-device harness is not a real ETB10 hardware end-to-end run, but
it preserves the same shared drvdata->reading gate and the same
etb_open()/etb_release() claim/clear contract. No real ETB10 hardware
was available for runtime testing.

Build-tested with:

  make olddefconfig
  make -j"$(nproc)" drivers/hwtracing/coresight/coresight-etb10.o

Fixes: 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao
Reviewed-by: James Clark
---
 drivers/hwtracing/coresight/coresight-etb10.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtrac= ing/coresight/coresight-etb10.c index 35db1b6093d1..98269ea6f7ae 100644 --- a/drivers/hwtracing/coresight/coresight-etb10.c +++ b/drivers/hwtracing/coresight/coresight-etb10.c @@ -85,7 +85,7 @@ struct etb_drvdata { struct coresight_device *csdev; struct miscdevice miscdev; raw_spinlock_t spinlock; - local_t reading; + atomic_t reading; pid_t pid; u8 *buf; u32 buffer_depth; 
@@ -603,7 +603,7 @@ static int etb_open(struct inode *inode, struct file *f= ile) struct etb_drvdata *drvdata =3D container_of(file->private_data, struct etb_drvdata, miscdev); =20 - if (local_cmpxchg(&drvdata->reading, 0, 1)) + if (atomic_cmpxchg(&drvdata->reading, 0, 1)) return -EBUSY; =20 dev_dbg(&drvdata->csdev->dev, "%s: successfully opened\n", __func__); @@ -641,7 +641,7 @@ static int etb_release(struct inode *inode, struct file= *file) { struct etb_drvdata *drvdata =3D container_of(file->private_data, struct etb_drvdata, miscdev); - local_set(&drvdata->reading, 0); + atomic_set(&drvdata->reading, 0); =20 dev_dbg(&drvdata->csdev->dev, "%s: released\n", __func__); return 0; --=20 2.34.1
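
Review bot: The include list is left untouched by the struct etb_drvdata hunk (-85,7), since the diffstat accounts for only the three substitutions shown. If reading was the last local_t user in coresight-etb10.c, drop the <asm/local.h> include in this patch and make sure <linux/atomic.h> is included directly rather than picked up transitively. A one-line comment on the field saying it is a per-device single-opener gate that any CPU may claim or clear would also help prevent a repeat of the 27b10da8fff2 conversion.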
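
Review bot: The claim in etb_open() (-603,7) has no comment tying it to the clear in etb_release(), which is the pairing the changelog relies on. Please add a short comment above the atomic_cmpxchg(&drvdata->reading, 0, 1) line stating that a non-zero old value means another opener holds the gate and that the matching clear may run on a different CPU. The fully ordered atomic_cmpxchg() is appropriate here; no extra barrier is needed on the claim side.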
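
Review bot: atomic_set() in the etb_release() hunk (-641,7) is an unordered store, so it does not order this reader's earlier buffer accesses before the next opener on another CPU sees the gate clear. Given that the changelog describes exactly this cross-CPU open/release pattern, consider atomic_set_release(&drvdata->reading, 0) to pair with the fully ordered atomic_cmpxchg() in etb_open(). If plain atomic_set() is kept because it restores the code as it was before 27b10da8fff2, say in the changelog why no release ordering is required.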