Patch "rcutorture: Fix rcu_torture_fwd_cb_cr() data race" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    rcutorture: Fix rcu_torture_fwd_cb_cr() data race

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rcutorture-fix-rcu_torture_fwd_cb_cr-data-race.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9a1aef52f6281d9f5bb74b3b86fabefdd807b4f6
Author: Paul E. McKenney <paulmck@xxxxxxxxxx>
Date:   Fri Apr 5 12:02:11 2024 -0700

    rcutorture: Fix rcu_torture_fwd_cb_cr() data race
    
    [ Upstream commit 6040072f4774a575fa67b912efe7722874be337b ]
    
    On powerpc systems, spinlock acquisition does not order prior stores
    against later loads.  This means that this statement:
    
            rfcp->rfc_next = NULL;
    
    Can be reordered to follow this statement:
    
            WRITE_ONCE(*rfcpp, rfcp);
    
    Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
    this statement:
    
            rfcpn = READ_ONCE(rfcp->rfc_next)
    
    KCSAN located this data race, which represents a real failure on powerpc.
    
    Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxx>
    Acked-by: Marco Elver <elver@xxxxxxxxxx>
    Cc: Andrey Konovalov <andreyknvl@xxxxxxxxx>
    Cc: <kasan-dev@xxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 9d8d1f233d7bd..a3bab6af4028f 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2186,7 +2186,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
 	spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
 	rfcpp = rfp->rcu_fwd_cb_tail;
 	rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
-	WRITE_ONCE(*rfcpp, rfcp);
+	smp_store_release(rfcpp, rfcp);
 	WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
 	i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
 	if (i >= ARRAY_SIZE(rfp->n_launders_hist))




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux