From patchwork Tue Dec 12 16:53:01 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steven Rostedt <rostedt@goodmis.org>
X-Patchwork-Id: 177469
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp7854607vqy;
        Tue, 12 Dec 2023 08:52:45 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IG/dbNvnrnPS77Z4v3VqU+i2xgVyh4EykjGF3engd7e4aK3xoqYubE45nHanR+ylYQAi+Z+
X-Received: by 2002:a05:6358:722:b0:170:c2d0:7225 with SMTP id
 e34-20020a056358072200b00170c2d07225mr4182682rwj.7.1702399964937;
        Tue, 12 Dec 2023 08:52:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702399964; cv=none;
        d=google.com; s=arc-20160816;
        b=Q3ZEjj0Hry9B+e4IaQHpfjfYIwcjqPdaZkgrWBi+88wJu3jXfPFLs8+Ay1R8NzHc+1
         6K7NhKWLdqq3ql2QUXZ6IpcSLq4tSlu/EKaat8mnOMqB/rFUcdEAqSyj6xZtrjsYF7cX
         Q8VQIZb8BaMubbTDO7UPNjxPsh3Cix1ZiFQCgO5o1AaOj6BNXVM5H3dItUPtT0ZVLVuT
         7S/2ar8u/HCa/ih6zOKBd4s+0kz9jwCZuOfF0xr0TUdojyzeH2Eoa8CQNNBEqvDqAxdM
         1XY2fOIQe7dQWFNMiDlobumgDsHZzP0w+OzDaMIDfkQZxSLrXQam1gYR5YMt28iBwZWb
         SFxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:subject:cc:to:from:date;
        bh=FGhE7ZtFJN4h+448i1LBMns4EjG9ZgdThbPt4UbmACo=;
        fh=R8JZsVKDlS7lXIAvTNV55bsjlDBI0i4sqiOYXO4tZQA=;
        b=hJy6Aoapof+wdQ4MWGnqeh65V3yLl3yd3DarNxxsei9YH7aR/pBG4pP7nacZ6HcyQH
         H3ANsJn5opsmfaAkhPP5nXaTqyy5hl0TlXFSwSoaNgx/SbJiD7cQhnewxWg/w7S9Ivgd
         C/ODQSbdn3SISD5TbxTUzzQUw/M3YImG3NkWOlY0QAzyTCMjn+Yn3Sa1FZmbDhr3kDnP
         SNUyNw+gshMsglHllCx99N95sGzT0TG8tOIy5wo3uI2FDh5dZrN3I3Bp9T1jDFwQyLxK
         Ongk2BklvGxDeyaUjZZ996Lxd8ycnr2iFyBN4AFgXu//ICKSiHpbm8Jquy9R6VqI+CbQ
         v2lA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id
 u17-20020a631411000000b005c679836faesi7979685pgl.785.2023.12.12.08.52.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 12 Dec 2023 08:52:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id AD06680AE803;
	Tue, 12 Dec 2023 08:52:40 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233022AbjLLQwU (ORCPT <rfc822;dexuan.linux@gmail.com>
        + 99 others); Tue, 12 Dec 2023 11:52:20 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51348 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232570AbjLLQwO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Dec 2023 11:52:14 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC6F0B7
        for <linux-kernel@vger.kernel.org>;
 Tue, 12 Dec 2023 08:52:20 -0800 (PST)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D996AC433CA;
        Tue, 12 Dec 2023 16:52:19 +0000 (UTC)
Date: Tue, 12 Dec 2023 11:53:01 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: LKML <linux-kernel@vger.kernel.org>,
        Linux Trace Kernel <linux-trace-kernel@vger.kernel.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Subject: [PATCH] ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit
 archs
Message-ID: <20231212115301.7a9c9a64@gandalf.local.home>
X-Mailer: Claws Mail 3.19.1 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Spam-Status: No,
 score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
 Tue, 12 Dec 2023 08:52:40 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1785095745567076957
X-GMAIL-MSGID: 1785095745567076957

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

Mathieu Desnoyers pointed out an issue in the rb_time_cmpxchg() for 32 bit
architectures. That is:

 static bool rb_time_cmpxchg(rb_time_t *t, u64 expect, u64 set)
 {
	unsigned long cnt, top, bottom, msb;
	unsigned long cnt2, top2, bottom2, msb2;
	u64 val;

	/* The cmpxchg always fails if it interrupted an update */
	 if (!__rb_time_read(t, &val, &cnt2))
		 return false;

	 if (val != expect)
		 return false;

<<<< interrupted here!

	 cnt = local_read(&t->cnt);

The problem is that the synchronization counter in the rb_time_t is read
*after* the value of the timestamp is read. That means if an interrupt
were to come in between the value being read and the counter being read,
it can change the value and the counter and the interrupted process would
be clueless about it!

The counter needs to be read first and then the value. That way it is easy
to tell if the value is stale or not. If the counter hasn't been updated,
then the value is still good.

Link: https://lore.kernel.org/linux-trace-kernel/20231211201324.652870-1-mathieu.desnoyers@efficios.com/

Cc: stable@vger.kernel.org
Fixes: 10464b4aa605e ("ring-buffer: Add rb_time_t 64 bit operations for speeding up 32 bit")
Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
 kernel/trace/ring_buffer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 1d9caee7f542..e110cde685ea 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -706,6 +706,9 @@ static bool rb_time_cmpxchg(rb_time_t *t, u64 expect, u64 set)
 	unsigned long cnt2, top2, bottom2, msb2;
 	u64 val;
 
+	/* Any interruptions in this function should cause a failure */
+	cnt = local_read(&t->cnt);
+
 	/* The cmpxchg always fails if it interrupted an update */
 	 if (!__rb_time_read(t, &val, &cnt2))
 		 return false;
@@ -713,7 +716,6 @@ static bool rb_time_cmpxchg(rb_time_t *t, u64 expect, u64 set)
 	 if (val != expect)
 		 return false;
 
-	 cnt = local_read(&t->cnt);
 	 if ((cnt & 3) != cnt2)
 		 return false;