1. Patchew
  2. linux
  3. [PATCH rcu 0/4] Torture-test updates for v6.11
  4. View patch

[PATCH rcu 2/4] rcutorture: Fix rcu_torture_fwd_cb_cr() data race

Paul E. McKenney posted 4 patches 1 year, 8 months ago
[PATCH rcu 2/4] rcutorture: Fix rcu_torture_fwd_cb_cr() data race
Posted by Paul E. McKenney 1 year, 8 months ago 
On powerpc systems, spinlock acquisition does not order prior stores
against later loads.  This means that this statement:

	rfcp->rfc_next = NULL;

Can be reordered to follow this statement:

	WRITE_ONCE(*rfcpp, rfcp);

Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
this statement:

	rfcpn = READ_ONCE(rfcp->rfc_next)

KCSAN located this data race, which represents a real failure on powerpc.

Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: <kasan-dev@googlegroups.com>
---
 kernel/rcu/rcutorture.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 44cc455e1b615..cafe047d046e8 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
 	spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
 	rfcpp = rfp->rcu_fwd_cb_tail;
 	rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
-	WRITE_ONCE(*rfcpp, rfcp);
+	smp_store_release(rfcpp, rfcp);
 	WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
 	i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
 	if (i >= ARRAY_SIZE(rfp->n_launders_hist))
-- 
2.40.1
Re: [PATCH rcu 2/4] rcutorture: Fix rcu_torture_fwd_cb_cr() data race
Posted by Marco Elver 1 year, 8 months ago 
On Wed, 5 Jun 2024 at 00:36, Paul E. McKenney <paulmck@kernel.org> wrote:
>
> On powerpc systems, spinlock acquisition does not order prior stores
> against later loads.  This means that this statement:
>
>         rfcp->rfc_next = NULL;
>
> Can be reordered to follow this statement:
>
>         WRITE_ONCE(*rfcpp, rfcp);
>
> Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
> this statement:
>
>         rfcpn = READ_ONCE(rfcp->rfc_next)
>
> KCSAN located this data race, which represents a real failure on powerpc.
>
> Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
> Cc: Marco Elver <elver@google.com>
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Cc: <kasan-dev@googlegroups.com>

Nice find - was this found by KCSAN's weak memory modeling, i.e. the
report showed you that a reordered access resulted in a data race?

Acked-by: Marco Elver <elver@google.com>

> ---
>  kernel/rcu/rcutorture.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
> index 44cc455e1b615..cafe047d046e8 100644
> --- a/kernel/rcu/rcutorture.c
> +++ b/kernel/rcu/rcutorture.c
> @@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
>         spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
>         rfcpp = rfp->rcu_fwd_cb_tail;
>         rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
> -       WRITE_ONCE(*rfcpp, rfcp);
> +       smp_store_release(rfcpp, rfcp);
>         WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
>         i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
>         if (i >= ARRAY_SIZE(rfp->n_launders_hist))
> --
> 2.40.1
>
Re: [PATCH rcu 2/4] rcutorture: Fix rcu_torture_fwd_cb_cr() data race
Posted by Paul E. McKenney 1 year, 8 months ago 
On Wed, Jun 05, 2024 at 09:56:41AM +0200, Marco Elver wrote:
> On Wed, 5 Jun 2024 at 00:36, Paul E. McKenney <paulmck@kernel.org> wrote:
> >
> > On powerpc systems, spinlock acquisition does not order prior stores
> > against later loads.  This means that this statement:
> >
> >         rfcp->rfc_next = NULL;
> >
> > Can be reordered to follow this statement:
> >
> >         WRITE_ONCE(*rfcpp, rfcp);
> >
> > Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
> > this statement:
> >
> >         rfcpn = READ_ONCE(rfcp->rfc_next)
> >
> > KCSAN located this data race, which represents a real failure on powerpc.
> >
> > Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
> > Cc: Marco Elver <elver@google.com>
> > Cc: Andrey Konovalov <andreyknvl@gmail.com>
> > Cc: <kasan-dev@googlegroups.com>
> 
> Nice find - was this found by KCSAN's weak memory modeling, i.e. the
> report showed you that a reordered access resulted in a data race?

If I remember correctly, yes.

Even on x86, the compiler is free to reorder that WRITE_ONCE() with
unmarked accesses, so one can argue that this bug is not specific
to powerpc.

> Acked-by: Marco Elver <elver@google.com>

I will apply on my next rebase, thank you!

							Thanx, Paul

> > ---
> >  kernel/rcu/rcutorture.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
> > index 44cc455e1b615..cafe047d046e8 100644
> > --- a/kernel/rcu/rcutorture.c
> > +++ b/kernel/rcu/rcutorture.c
> > @@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
> >         spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
> >         rfcpp = rfp->rcu_fwd_cb_tail;
> >         rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
> > -       WRITE_ONCE(*rfcpp, rfcp);
> > +       smp_store_release(rfcpp, rfcp);
> >         WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
> >         i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
> >         if (i >= ARRAY_SIZE(rfp->n_launders_hist))
> > --
> > 2.40.1
> >

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.