android_kernel_samsung_a7y1.../kernel
Eric Dumazet 928689182b hrtimer: Annotate lockless access to timer->state
commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.

syzbot reported various data-races caused by hrtimer_is_queued() reading
timer->state. A READ_ONCE() is required there to silence the warning.

Also add the corresponding WRITE_ONCE() when timer->state is set.

In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
loading timer->state twice.

KCSAN reported these cases:

BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check

write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
 __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
 __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
 __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
 hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
 smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
 tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
 tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
 tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
 tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
 tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
 tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 sk_backlog_rcv include/net/sock.h:945 [inline]
 __release_sock+0x135/0x1e0 net/core/sock.c:2435
 release_sock+0x61/0x160 net/core/sock.c:2951
 sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
 tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
 tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
 inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0x9f/0xc0 net/socket.c:657

BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check

write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
 __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
 __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
 __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
 hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830

read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
 __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
 tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
 tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 sk_backlog_rcv include/net/sock.h:945 [inline]
 __release_sock+0x135/0x1e0 net/core/sock.c:2435
 release_sock+0x61/0x160 net/core/sock.c:2951
 sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
 tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
 tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
 inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0x9f/0xc0 net/socket.c:657
 __sys_sendto+0x21f/0x320 net/socket.c:1952
 __do_sys_sendto net/socket.c:1964 [inline]
 __se_sys_sendto net/socket.c:1960 [inline]
 __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

[ tglx: Added comments ]

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-07 13:24:02 +02:00
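The pattern the commit above describes, as an added userspace sketch that is not the kernel's hrtimer code: READ_ONCE()/WRITE_ONCE() defined the way the kernel's compiler.h does for scalar sizes, a lockless hrtimer_is_queued()-style predicate that performs exactly one annotated load, and a remove path that open-codes the check so the same loaded byte is both tested and passed down instead of being reloaded. The struct toy_timer / struct toy_base types, the toy_* helpers and the scenario input are constructed for illustration; only the HRTIMER_STATE_* bit values follow the kernel.

```c
/* Added example, not kernel code: shows the READ_ONCE()/WRITE_ONCE()
 * annotation of a lockless flag and why the reader caches the loaded value. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same shape as the kernel's compiler.h macros for 1/2/4/8-byte scalars: the
 * volatile cast forces one load/store at this point and stops the compiler
 * from tearing, merging or re-loading the access. It is not a memory barrier
 * and does not replace the base lock on the writer side. */
#define READ_ONCE(x)      (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v)  (*(volatile __typeof__(x) *)&(x) = (v))

/* Bit values match the kernel's HRTIMER_STATE_* definitions. */
#define HRTIMER_STATE_INACTIVE  0x00
#define HRTIMER_STATE_ENQUEUED  0x01

struct toy_timer {                /* constructed stand-in for struct hrtimer */
	uint8_t state;            /* written under the base lock, read locklessly */
	unsigned long expires;
};

struct toy_base {                 /* constructed stand-in for the timerqueue */
	struct toy_timer *queue[8];
	size_t nr_queued;
};

/* Lockless reader: exactly one annotated load of timer->state. */
static inline bool toy_hrtimer_is_queued(const struct toy_timer *t)
{
	return !!(READ_ONCE(t->state) & HRTIMER_STATE_ENQUEUED);
}

/* Writer side (caller is assumed to hold the base lock). Every store to
 * ->state is annotated so a concurrent lockless reader observes either the
 * old or the new byte, never a torn or speculative intermediate. */
static void toy_enqueue(struct toy_base *b, struct toy_timer *t, unsigned long expires)
{
	t->expires = expires;
	b->queue[b->nr_queued++] = t;
	WRITE_ONCE(t->state, t->state | HRTIMER_STATE_ENQUEUED);
}

static void toy__remove(struct toy_base *b, struct toy_timer *t, uint8_t newstate)
{
	for (size_t i = 0; i < b->nr_queued; i++) {
		if (b->queue[i] == t) {
			b->queue[i] = b->queue[--b->nr_queued];
			break;
		}
	}
	WRITE_ONCE(t->state, newstate);
}

/* Open-coded check: load ->state once, test the bit on the local copy and
 * hand that same copy to the removal helper. Calling toy_hrtimer_is_queued()
 * and then reading t->state again would be two loads that need not agree.
 * Returns 1 if the timer was dequeued, 0 if it was not queued. */
static int toy_remove_hrtimer(struct toy_base *b, struct toy_timer *t)
{
	uint8_t state = READ_ONCE(t->state);

	if (state & HRTIMER_STATE_ENQUEUED) {
		toy__remove(b, t, HRTIMER_STATE_INACTIVE);
		return 1;
	}
	return 0;
}

/* Constructed scenario: enqueue two timers, remove one, and check that the
 * lockless predicate and the queue bookkeeping agree. Returns 0 on success. */
static int toy_scenario(void)
{
	struct toy_base base = { .nr_queued = 0 };
	struct toy_timer a = { .state = HRTIMER_STATE_INACTIVE };
	struct toy_timer c = { .state = HRTIMER_STATE_INACTIVE };

	toy_enqueue(&base, &a, 100);
	toy_enqueue(&base, &c, 200);
	if (!toy_hrtimer_is_queued(&a) || !toy_hrtimer_is_queued(&c) || base.nr_queued != 2)
		return -1;
	if (toy_remove_hrtimer(&base, &a) != 1 || toy_hrtimer_is_queued(&a))
		return -2;
	if (toy_remove_hrtimer(&base, &a) != 0)   /* second removal is a no-op */
		return -3;
	if (!toy_hrtimer_is_queued(&c) || base.nr_queued != 1)
		return -4;
	return 0;
}

int main(void)
{
	int rc = toy_scenario();

	printf("toy hrtimer scenario: %s\n", rc == 0 ? "ok" : "FAILED");
	return rc != 0;
}
```

Building this with a data-race sanitizer is where the annotation pays off: without READ_ONCE() in toy_hrtimer_is_queued() a concurrent toy__remove() on another CPU is exactly the write/read pair KCSAN flagged in the report above; with it, the access is declared intentional and a plain-load reordering or re-load by the compiler is ruled out.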
bpf bpf: silence warning messages in core 2020-04-06 19:54:55 +02:00
configs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
debug A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
events signal: Properly deliver SIGILL from uprobes 2020-04-07 12:27:23 +02:00
gcov A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
irq genirq: Prevent NULL pointer dereference in resend_irqs() 2020-04-06 21:35:35 +02:00
livepatch A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
locking locking/lockdep: Add debug_locks check in __lock_downgrade() 2020-04-07 07:36:48 +02:00
power PM / Hibernate: Call flush_icache_range() on pages restored in-place 2020-04-06 12:52:20 +02:00
printk printk: fix integer overflow in setup_log_buf() 2020-04-07 12:34:15 +02:00
rcu rcutorture: Fix cleanup path for invalid torture_type strings 2020-04-06 18:20:15 +02:00
sched sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision 2020-04-07 12:45:36 +02:00
time hrtimer: Annotate lockless access to timer->state 2020-04-07 13:24:02 +02:00
trace tracing: Initialize iter->seq after zeroing in tracing_read_pipe() 2020-04-07 09:27:54 +02:00
acct.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
async.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
audit_fsnotify.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
audit_tree.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
audit_watch.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
audit.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
audit.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
auditfilter.c audit: fix a memory leak bug 2020-04-06 18:18:45 +02:00
auditsc.c audit: print empty EXECVE args 2020-04-07 12:36:13 +02:00
backtracetest.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bounds.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
capability.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cgroup_freezer.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cgroup_pids.c cgroup: pids: use atomic64_t for pids->limit 2020-04-07 13:07:11 +02:00
cgroup.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
compat.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
configs.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
context_tracking.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cpu_pm.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cpu.c cpu/speculation: Warn on unsupported mitigations= parameter 2020-04-06 19:17:21 +02:00
cpuset.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
crash_dump.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cred.c access: avoid the RCU grace period for the temporary subjective credentials 2020-04-06 20:24:58 +02:00
delayacct.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dma.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
elfcore.c kernel/elfcore.c: include proper prototypes 2020-04-07 08:08:10 +02:00
exec_domain.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
exit.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
extable.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fork.c kernel/sysctl.c: do not override max_threads provided by userspace 2020-04-07 08:09:55 +02:00
freezer.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
futex_compat.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
futex.c futex: Fix futex lock the wrong page 2020-04-06 19:02:46 +02:00
groups.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hung_task.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
irq_work.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
jump_label.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kallsyms.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kaslr.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kcmp.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.freezer A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.hz A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.locks A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.preempt A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kcov.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kexec_core.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kexec_file.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kexec_internal.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kexec.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kmod.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kprobes.c kprobes: Don't call BUG_ON() if there is a kprobe in use on free list 2020-04-07 12:27:35 +02:00
ksysfs.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kthread.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
latencytop.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Makefile A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
membarrier.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memremap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
module_signing.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
module-internal.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
module.c kernel/module.c: wakeup processes in module_wq on module unload 2020-04-07 13:08:13 +02:00
notifier.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nsproxy.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
padata.c padata: use smp_mb in padata_reorder to avoid orphaned padata jobs 2020-04-06 20:04:27 +02:00
panic.c panic: ensure preemption is disabled during panic() 2020-04-07 08:08:25 +02:00
params.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
pid_namespace.c signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig 2020-04-06 19:54:23 +02:00
pid.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
profile.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ptrace.c ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME 2020-04-06 19:20:56 +02:00
range.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
reboot.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
relay.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
resource.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
seccomp.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
signal.c signal: Always ignore SIGKILL and SIGSTOP sent to the global init 2020-04-07 12:27:21 +02:00
smp.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
smpboot.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
smpboot.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
softirq.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
stacktrace.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
stop_machine.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sys_ni.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sys.c kernel/sys.c: prctl: fix false positive in validate_prctl_map() 2020-04-06 19:01:43 +02:00
sysctl_binary.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sysctl.c kernel: sysctl: make drop_caches write-only 2020-04-07 13:23:45 +02:00
task_work.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
taskstats.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
test_kprobes.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
torture.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tracepoint.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tsacct.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
uid16.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
up.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
user_namespace.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
user-return-notifier.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
user.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
utsname_sysctl.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
utsname.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
watchdog.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
workqueue_internal.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
workqueue.c workqueue: Fix missing kfree(rescuer) in destroy_workqueue() 2020-04-07 13:08:09 +02:00