ptp: annotate data-race around q->head and q->tail

Hangbin Liu · Hangbin Liu · commit b29d145a3949 · 2024-05-27T11:49:14.000+08:00
JIRA: https://issues.redhat.com/browse/RHEL-38600 Upstream Status: net.git commit 73bde5a commit 73bde5a Author: Eric Dumazet <edumazet@google.com> Date: Thu Nov 9 17:48:59 2023 +0000 ptp: annotate data-race around q->head and q->tail As I was working on a syzbot report, I found that KCSAN would probably complain that reading q->head or q->tail without barriers could lead to invalid results. Add corresponding READ_ONCE() and WRITE_ONCE() to avoid load-store tearing. Fixes: d94ba80 ("ptp: Added a brand new class driver for ptp clocks.") Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Richard Cochran <richardcochran@gmail.com> Link: https://lore.kernel.org/r/20231109174859.3995880-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Hangbin Liu <haliu@redhat.com>
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
@@ -490,7 +490,8 @@ ssize_t ptp_read(struct posix_clock *pc,
 
 	for (i = 0; i < cnt; i++) {
 		event[i] = queue->buf[queue->head];
-		queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
+		/* Paired with READ_ONCE() in queue_cnt() */
+		WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
 	}
 
 	spin_unlock_irqrestore(&queue->lock, flags);
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
@@ -56,10 +56,11 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
 	dst->t.sec = seconds;
 	dst->t.nsec = remainder;
 
+	/* Both WRITE_ONCE() are paired with READ_ONCE() in queue_cnt() */
 	if (!queue_free(queue))
-		queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
+		WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
 
-	queue->tail = (queue->tail + 1) % PTP_MAX_TIMESTAMPS;
+	WRITE_ONCE(queue->tail, (queue->tail + 1) % PTP_MAX_TIMESTAMPS);
 
 	spin_unlock_irqrestore(&queue->lock, flags);
 }
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
@@ -76,9 +76,13 @@ struct ptp_vclock {
  * that a writer might concurrently increment the tail does not
  * matter, since the queue remains nonempty nonetheless.
  */
-static inline int queue_cnt(struct timestamp_event_queue *q)
+static inline int queue_cnt(const struct timestamp_event_queue *q)
 {
-	int cnt = q->tail - q->head;
+	/*
+	 * Paired with WRITE_ONCE() in enqueue_external_timestamp(),
+	 * ptp_read(), extts_fifo_show().
+	 */
+	int cnt = READ_ONCE(q->tail) - READ_ONCE(q->head);
 	return cnt < 0 ? PTP_MAX_TIMESTAMPS + cnt : cnt;
 }
 
diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
@@ -90,7 +90,8 @@ static ssize_t extts_fifo_show(struct device *dev,
 	qcnt = queue_cnt(queue);
 	if (qcnt) {
 		event = queue->buf[queue->head];
-		queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
+		/* Paired with READ_ONCE() in queue_cnt() */
+		WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
 	}
 	spin_unlock_irqrestore(&queue->lock, flags);
 

Original file line number	Diff line number	Diff line change
`@@ -490,7 +490,8 @@ ssize_t ptp_read(struct posix_clock *pc,`
`490`	`490`
`491`	`491`	`for (i = 0; i < cnt; i++) {`
`492`	`492`	`event[i] = queue->buf[queue->head];`
`493`		`- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;`
	`493`	`+ /* Paired with READ_ONCE() in queue_cnt() */`
	`494`	`+ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);`
`494`	`495`	`}`
`495`	`496`
`496`	`497`	`spin_unlock_irqrestore(&queue->lock, flags);`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,8 @@ static ssize_t extts_fifo_show(struct device *dev,`
`90`	`90`	`qcnt = queue_cnt(queue);`
`91`	`91`	`if (qcnt) {`
`92`	`92`	`event = queue->buf[queue->head];`
`93`		`- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;`
	`93`	`+ /* Paired with READ_ONCE() in queue_cnt() */`
	`94`	`+ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);`
`94`	`95`	`}`
`95`	`96`	`spin_unlock_irqrestore(&queue->lock, flags);`
`96`	`97`