Patch "ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ring-buffer-fix-32-bit-rb_time_read-race-with-rb_tim.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9c8977245a32c9a32567b935df66321b6b043bbf
Author: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
Date:   Tue Dec 12 14:30:49 2023 -0500

    ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
    
    [ Upstream commit dec890089bf79a4954b61482715ee2d084364856 ]
    
    The following race can cause rb_time_read() to observe a corrupted time
    stamp:
    
    rb_time_cmpxchg()
    [...]
            if (!rb_time_read_cmpxchg(&t->msb, msb, msb2))
                    return false;
            if (!rb_time_read_cmpxchg(&t->top, top, top2))
                    return false;
    <interrupted before updating bottom>
    __rb_time_read()
    [...]
            do {
                    c = local_read(&t->cnt);
                    top = local_read(&t->top);
                    bottom = local_read(&t->bottom);
                    msb = local_read(&t->msb);
            } while (c != local_read(&t->cnt));
    
            *cnt = rb_time_cnt(top);
    
            /* If top and msb counts don't match, this interrupted a write */
            if (*cnt != rb_time_cnt(msb))
                    return false;
              ^ this check fails to catch that "bottom" is still not updated.
    
    So the old "bottom" value is returned, which is wrong.
    
    Fix this by checking that all three of msb, top, and bottom 2-bit cnt
    values match.
    
    The reason to favor checking all three fields over requiring a specific
    update order for both rb_time_set() and rb_time_cmpxchg() is because
    checking all three fields is more robust to handle partial failures of
    rb_time_cmpxchg() when interrupted by nested rb_time_set().
    
    Link: https://lore.kernel.org/lkml/20231211201324.652870-1-mathieu.desnoyers@xxxxxxxxxxxx/
    Link: https://lore.kernel.org/linux-trace-kernel/20231212193049.680122-1-mathieu.desnoyers@xxxxxxxxxxxx
    
    Fixes: f458a1453424e ("ring-buffer: Test last update in 32bit version of __rb_time_read()")
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
    Signed-off-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index af08a1a411e3d..070566baa0ca4 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -644,8 +644,8 @@ static inline bool __rb_time_read(rb_time_t *t, u64 *ret, unsigned long *cnt)
 
 	*cnt = rb_time_cnt(top);
 
-	/* If top and msb counts don't match, this interrupted a write */
-	if (*cnt != rb_time_cnt(msb))
+	/* If top, msb or bottom counts don't match, this interrupted a write */
+	if (*cnt != rb_time_cnt(msb) || *cnt != rb_time_cnt(bottom))
 		return false;
 
 	/* The shift to msb will lose its cnt bits */




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux