hrtimer: Protect lockless access to timer->base

Julien Grall · KAGA-KOKO · commit dd2261ed45aa · 2019-08-21T16:10:01.000+02:00
The update to timer->base is protected by the base->cpu_base->lock(). However, hrtimer_cancel_wait_running() does access it lockless. So the compiler is allowed to refetch timer->base which can cause havoc when the timer base is changed concurrently. Use READ_ONCE() to prevent this. [ tglx: Adapted from a RT patch ] Signed-off-by: Julien Grall <julien.grall@arm.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20190821092409.13225-2-julien.grall@arm.com
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
@@ -1214,7 +1214,8 @@ static void hrtimer_sync_wait_running(struct hrtimer_cpu_base *cpu_base,
  */
 void hrtimer_cancel_wait_running(const struct hrtimer *timer)
 {
-	struct hrtimer_clock_base *base = timer->base;
+	/* Lockless read. Prevent the compiler from reloading it below */
+	struct hrtimer_clock_base *base = READ_ONCE(timer->base);
 
 	if (!timer->is_soft || !base || !base->cpu_base) {
 		cpu_relax();

Original file line number	Diff line number	Diff line change
`@@ -1214,7 +1214,8 @@ static void hrtimer_sync_wait_running(struct hrtimer_cpu_base *cpu_base,`
`1214`	`1214`	`*/`
`1215`	`1215`	`void hrtimer_cancel_wait_running(const struct hrtimer *timer)`
`1216`	`1216`	`{`
`1217`		`- struct hrtimer_clock_base *base = timer->base;`
	`1217`	`+ /* Lockless read. Prevent the compiler from reloading it below */`
	`1218`	`+ struct hrtimer_clock_base *base = READ_ONCE(timer->base);`
`1218`	`1219`
`1219`	`1220`	`if (!timer->is_soft \|\| !base \|\| !base->cpu_base) {`
`1220`	`1221`	`cpu_relax();`