[PATCH -next] power/qos: fix a data race in pm_qos_*_value

From: Qian Cai
Date: Fri Feb 21 2020 - 16:09:21 EST

Next message: Nick Desaulniers: "Re: [PATCH] ARM: kexec: drop invalid assembly argument"
Previous message: Stephen Kitt: "[PATCH] docs: remove MPX from the x86 toc"
Next in thread: Rafael J. Wysocki: "Re: [PATCH -next] power/qos: fix a data race in pm_qos_*_value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

cpu_latency_constraints.target_value could be accessed concurrently as
noticed by KCSAN,

LTP: starting ppoll01
BUG: KCSAN: data-race in cpu_latency_qos_limit / pm_qos_update_target

write to 0xffffffff99081470 of 4 bytes by task 27532 on cpu 2:
pm_qos_update_target+0xa4/0x370
pm_qos_set_value at kernel/power/qos.c:78
cpu_latency_qos_apply+0x3b/0x50
cpu_latency_qos_remove_request+0xea/0x270
cpu_latency_qos_release+0x4b/0x70
__fput+0x187/0x3d0
____fput+0x1e/0x30
task_work_run+0xbf/0x130
do_exit+0xa78/0xfd0
do_group_exit+0x8b/0x180
__x64_sys_exit_group+0x2e/0x30
do_syscall_64+0x91/0xb05
entry_SYSCALL_64_after_hwframe+0x49/0xbe

read to 0xffffffff99081470 of 4 bytes by task 0 on cpu 41:
cpu_latency_qos_limit+0x1f/0x30
pm_qos_read_value at kernel/power/qos.c:55
cpuidle_governor_latency_req+0x4f/0x80
cpuidle_governor_latency_req at drivers/cpuidle/governor.c:114
menu_select+0x6b/0xc29
cpuidle_select+0x50/0x70
do_idle+0x214/0x280
cpu_startup_entry+0x1d/0x1f
start_secondary+0x1b2/0x230
secondary_startup_64+0xb6/0xc0

Reported by Kernel Concurrency Sanitizer on:
CPU: 41 PID: 0 Comm: swapper/41 Tainted: G L 5.6.0-rc2-next-20200221+ #7
Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019

The read is outside pm_qos_lock critical section which results in a data
race. Fix it by adding a pair of READ|WRITE_ONCE().

Signed-off-by: Qian Cai <cai@xxxxxx>
---
kernel/power/qos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/power/qos.c b/kernel/power/qos.c
index 32927682bcc4..db0bed2cae26 100644
--- a/kernel/power/qos.c
+++ b/kernel/power/qos.c
@@ -52,7 +52,7 @@
*/
s32 pm_qos_read_value(struct pm_qos_constraints *c)
{
- return c->target_value;
+ return READ_ONCE(c->target_value);
}

static int pm_qos_get_value(struct pm_qos_constraints *c)
@@ -75,7 +75,7 @@ static int pm_qos_get_value(struct pm_qos_constraints *c)

static void pm_qos_set_value(struct pm_qos_constraints *c, s32 value)
{
- c->target_value = value;
+ WRITE_ONCE(c->target_value, value);
}

/**
--
1.8.3.1

Next message: Nick Desaulniers: "Re: [PATCH] ARM: kexec: drop invalid assembly argument"
Previous message: Stephen Kitt: "[PATCH] docs: remove MPX from the x86 toc"
Next in thread: Rafael J. Wysocki: "Re: [PATCH -next] power/qos: fix a data race in pm_qos_*_value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]