timers: Annotate possible non critical data race of next_expiry

Global timers could be expired remotely when the target CPU is idle. After
a remote timer expiry, the remote timer_base->next_expiry value is updated
while holding the timer_base->lock. When the formerly idle CPU becomes
active at the same time and checks whether timers need to expire, this
check is done lockless as it is on the local CPU. This could lead to a data
race, which was reported by sysbot:

  https://lore.kernel.org/r/000000000000916e55061f969e14@google.com

When the value is read lockless but changed by the remote CPU, only two non
critical scenarios could happen:

1) The already update value is read -> everything is perfect

2) The old value is read -> a superfluous timer soft interrupt is raised

The same situation could happen when enqueueing a new first pinned timer by
a remote CPU also with non critical scenarios:

1) The already update value is read -> everything is perfect

2) The old value is read -> when the CPU is idle, an IPI is executed
nevertheless and when the CPU isn't idle, the updated value will be visible
on the next tick and the timer might be late one jiffie.

As this is very unlikely to happen, the overhead of doing the check under
the lock is a way more effort, than a superfluous timer soft interrupt or a
possible 1 jiffie delay of the timer.

Document and annotate this non critical behavior in the code by using
READ/WRITE_ONCE() pair when accessing timer_base->next_expiry.

Reported-by: syzbot+bf285fcc0a048e028118@syzkaller.appspotmail.com
Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://lore.kernel.org/all/20240829154305.19259-1-anna-maria@linutronix.de
Closes: https://lore.kernel.org/lkml/000000000000916e55061f969e14@google.com

diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index d8eb368a5a5b2c03a4f7c80ad388128b6f32f94d..311ea459b976936e409a4cc522296cf1f77e53ed 100644 (file)
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -672,7 +672,7 @@ static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
                 * Set the next expiry time and kick the CPU so it
                 * can reevaluate the wheel:
                 */
-               base->next_expiry = bucket_expiry;
+               WRITE_ONCE(base->next_expiry, bucket_expiry);
                base->timers_pending = true;
                base->next_expiry_recalc = false;
                trigger_dyntick_cpu(base, timer);
@@ -1966,7 +1966,7 @@ static void next_expiry_recalc(struct timer_base *base)
                clk += adj;
        }
 
-       base->next_expiry = next;
+       WRITE_ONCE(base->next_expiry, next);
        base->next_expiry_recalc = false;
        base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA);
 }
@@ -2020,7 +2020,7 @@ static unsigned long next_timer_interrupt(struct timer_base *base,
         * easy comparable to find out which base holds the first pending timer.
         */
        if (!base->timers_pending)
-               base->next_expiry = basej + NEXT_TIMER_MAX_DELTA;
+               WRITE_ONCE(base->next_expiry, basej + NEXT_TIMER_MAX_DELTA);
 
        return base->next_expiry;
 }
@@ -2464,8 +2464,40 @@ static void run_local_timers(void)
        hrtimer_run_queues();
 
        for (int i = 0; i < NR_BASES; i++, base++) {
-               /* Raise the softirq only if required. */
-               if (time_after_eq(jiffies, base->next_expiry) ||
+               /*
+                * Raise the softirq only if required.
+                *
+                * timer_base::next_expiry can be written by a remote CPU while
+                * holding the lock. If this write happens at the same time than
+                * the lockless local read, sanity checker could complain about
+                * data corruption.
+                *
+                * There are two possible situations where
+                * timer_base::next_expiry is written by a remote CPU:
+                *
+                * 1. Remote CPU expires global timers of this CPU and updates
+                * timer_base::next_expiry of BASE_GLOBAL afterwards in
+                * next_timer_interrupt() or timer_recalc_next_expiry(). The
+                * worst outcome is a superfluous raise of the timer softirq
+                * when the not yet updated value is read.
+                *
+                * 2. A new first pinned timer is enqueued by a remote CPU
+                * and therefore timer_base::next_expiry of BASE_LOCAL is
+                * updated. When this update is missed, this isn't a
+                * problem, as an IPI is executed nevertheless when the CPU
+                * was idle before. When the CPU wasn't idle but the update
+                * is missed, then the timer would expire one jiffie late -
+                * bad luck.
+                *
+                * Those unlikely corner cases where the worst outcome is only a
+                * one jiffie delay or a superfluous raise of the softirq are
+                * not that expensive as doing the check always while holding
+                * the lock.
+                *
+                * Possible remote writers are using WRITE_ONCE(). Local reader
+                * uses therefore READ_ONCE().
+                */
+               if (time_after_eq(jiffies, READ_ONCE(base->next_expiry)) ||
                    (i == BASE_DEF && tmigr_requires_handle_remote())) {
                        raise_softirq(TIMER_SOFTIRQ);
                        return;