Bug 207913 - Potential data races in `settimeofday`
Summary: Potential data races in `settimeofday`
Status: NEW
Alias: None
Product: Timers
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: john stultz
: 207911 (view as bug list)
Depends on:
Reported: 2020-05-27 02:24 UTC by Yanze
Modified: 2020-05-27 03:25 UTC (History)
0 users

See Also:
Kernel Version: 5.7-rc7
Tree: Mainline
Regression: No

race_report_firsttime (130.19 KB, image/png)
2020-05-27 02:25 UTC, Yanze
race_report_persistent_clock_is_local (187.04 KB, image/png)
2020-05-27 02:25 UTC, Yanze
race_report_vdata (199.06 KB, image/png)
2020-05-27 02:26 UTC, Yanze

Description Yanze 2020-05-27 02:24:29 UTC
Hello, we are working on a static race detection tool and we tested it on the Linux kernel.

The races we found do not appear to be dangerous to the core functions of the kernel, but we thought it would be better to report it just in case it leads to undefined behavior.

The well-formatted reports are attached.

There are 3 races in total, all potentially happen when the system call `settimeofday` is called concurrently:

1. The race is on `firsttime` in `do_sys_settimeofday64()` in the `kernel/time/time.c`. The read of `firsttime` at line 188 and the write at line 189 are not protected by locks.

2. The race is on `persistent_clock_is_local` in `timekeeping_warp_clock()` in `kernel/time/timekeeping.c`. The write at line 1337 could potentially race with itself, if `settimeofday` is called concurrently

3. The race is on `vdata[CS_HRES_COARSE]` in `update_vsyscall_tz()` in `kernel/time/vsyscall.c`. The write at line 125 and 126 could potentially race with themselves, if `settimeofday` is called concurrently.
Comment 1 Yanze 2020-05-27 02:25:12 UTC
Created attachment 289323 [details]
Comment 2 Yanze 2020-05-27 02:25:47 UTC
Created attachment 289325 [details]
Comment 3 Yanze 2020-05-27 02:26:05 UTC
Created attachment 289327 [details]
Comment 4 Yanze 2020-05-27 02:31:57 UTC
*** Bug 207911 has been marked as a duplicate of this bug. ***
Comment 5 john stultz 2020-05-27 03:25:09 UTC
Yea. The timezone setting logic is pretty old and grungy. Mostly its assuming we're only calling it early in boot so its not likely to race with anything.

A possible solution might be in do_sys_settimeofday64() moving firsttime out to a static global, and adding a separate spinlock (say tz_lock) which is taken on line 185 before we set sys_tz and released after line 192.

I think doing that would resolve all the races in this issue.

Do you want to create and submit such a patch?

Note You need to log in before you can comment on or make changes to this bug.