[PATCH openEuler-1.0-LTS 3/6] rcu: Use *_ONCE() to protect lockless ->expmask accesses

27 May 2023

From: "Paul E. McKenney" paulmck@kernel.org
mainline inclusion
from mainline-v5.6-rc1
commit 15c7c972cd26d89a26788e609c53b5a465324a6c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I70RD3
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The rcu_node structure's ->expmask field is accessed locklessly when
starting a new expedited grace period and when reporting an expedited
RCU CPU stall warning.  This commit therefore handles the former by
taking a snapshot of ->expmask while the lock is held and the latter
by applying READ_ONCE() to lockless reads and WRITE_ONCE() to the
corresponding updates.
Link: https://lore.kernel.org/lkml/CANpmjNNmSOagbTpffHr4=Yedckx9Rm2NuGqC9UqE+AOz5f...
Reported-by: syzbot+134336b86f728d6e55a0@syzkaller.appspotmail.com
Signed-off-by: Paul E. McKenney paulmck@kernel.org
Acked-by: Marco Elver elver@google.com
Conflicts:
    kernel/rcu/tree_exp.h
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
Reviewed-by: Wei Li liwei391@huawei.com
Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com
---
 kernel/rcu/tree_exp.h | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
index 72770a551c24..7f8cb91aaea6 100644
--- a/kernel/rcu/tree_exp.h
+++ b/kernel/rcu/tree_exp.h
@@ -144,7 +144,7 @@ static void __maybe_unused sync_exp_reset_tree(struct rcu_state *rsp)
    rcu_for_each_node_breadth_first(rsp, rnp) {
    	raw_spin_lock_irqsave_rcu_node(rnp, flags);
    	WARN_ON_ONCE(rnp->expmask);
-		rnp->expmask = rnp->expmaskinit;
+		WRITE_ONCE(rnp->expmask, rnp->expmaskinit);
    	raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
    }
 }
@@ -221,7 +221,7 @@ static void __rcu_report_exp_rnp(struct rcu_state *rsp, struct rcu_node *rnp,
    	rnp = rnp->parent;
    	raw_spin_lock_rcu_node(rnp); /* irqs already disabled */
    	WARN_ON_ONCE(!(rnp->expmask & mask));
-		rnp->expmask &= ~mask;
+		WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
    }
 }
@@ -252,7 +252,7 @@ static void rcu_report_exp_cpu_mult(struct rcu_state *rsp, struct rcu_node *rnp,
    	raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
    	return;
    }
-	rnp->expmask &= ~mask;
+	WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
    __rcu_report_exp_rnp(rsp, rnp, wake, flags); /* Releases rnp->lock. */
 }
@@ -427,12 +427,10 @@ static void sync_rcu_exp_select_node_cpus(struct work_struct *wp)
    raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
/* IPI the remaining CPUs for expedited quiescent state. */
-	for_each_leaf_node_cpu_mask(rnp, cpu, rnp->expmask) {
+	for_each_leaf_node_cpu_mask(rnp, cpu, mask_ofl_ipi) {
    	unsigned long mask = leaf_node_cpu_bit(rnp, cpu);
    	struct rcu_data *rdp = per_cpu_ptr(rsp->rda, cpu);
-		if (!(mask_ofl_ipi & mask))
-			continue;
 retry_ipi:
    	if (rcu_dynticks_in_eqs_since(rdp->dynticks,
    				      rdp->exp_dynticks_snap)) {
@@ -545,7 +543,7 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp)
    			struct rcu_data *rdp;
mask = leaf_node_cpu_bit(rnp, cpu);
-				if (!(rnp->expmask & mask))
+				if (!(READ_ONCE(rnp->expmask) & mask))
    				continue;
    			ndetected++;
    			rdp = per_cpu_ptr(rsp->rda, cpu);
@@ -557,7 +555,8 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp)
    	}
    	pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n",
    		jiffies - jiffies_start, rsp->expedited_sequence,
-			rnp_root->expmask, ".T"[!!rnp_root->exp_tasks]);
+			READ_ONCE(rnp_root->expmask),
+			".T"[!!rnp_root->exp_tasks]);
    	if (ndetected) {
    		pr_err("blocking rcu_node structures:");
    		rcu_for_each_node_breadth_first(rsp, rnp) {
@@ -567,7 +566,7 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp)
    				continue;
    			pr_cont(" l=%u:%d-%d:%#lx/%c",
    				rnp->level, rnp->grplo, rnp->grphi,
-					rnp->expmask,
+					READ_ONCE(rnp->expmask),
    				".T"[!!rnp->exp_tasks]);
    		}
    		pr_cont("\n");
@@ -575,7 +574,7 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp)
    	rcu_for_each_leaf_node(rsp, rnp) {
    		for_each_leaf_node_possible_cpu(rnp, cpu) {
    			mask = leaf_node_cpu_bit(rnp, cpu);
-				if (!(rnp->expmask & mask))
+				if (!(READ_ONCE(rnp->expmask) & mask))
    				continue;
    			dump_cpu_task(cpu);
    		}
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS 3/6] rcu: Use *_ONCE() to protect lockless ->expmask accesses