Re: [PATCH net v4] ptp: prevent possible ABBA deadlock in ptp_clock_freerun()
From: Vladimir Oltean
Date: Tue Jul 29 2025 - 11:48:34 EST
On Mon, Jul 28, 2025 at 03:26:49PM +0900, Jeongjun Park wrote:
> syzbot reported the following ABBA deadlock:
>
> CPU0 CPU1
> ---- ----
> n_vclocks_store()
> lock(&ptp->n_vclocks_mux) [1]
> (physical clock)
> pc_clock_adjtime()
> lock(&clk->rwsem) [2]
> (physical clock)
> ...
> ptp_clock_freerun()
> ptp_vclock_in_use()
> lock(&ptp->n_vclocks_mux) [3]
> (physical clock)
> ptp_clock_unregister()
> posix_clock_unregister()
> lock(&clk->rwsem) [4]
> (virtual clock)
>
> Since ptp virtual clock is registered only under ptp physical clock, both
> ptp_clock and posix_clock must be physical clocks for ptp_vclock_in_use()
> to lock &ptp->n_vclocks_mux and check ptp->n_vclocks.
>
> However, when unregistering vclocks in n_vclocks_store(), the locking
> ptp->n_vclocks_mux is a physical clock lock, but clk->rwsem of
> ptp_clock_unregister() called through device_for_each_child_reverse()
> is a virtual clock lock.
>
> Therefore, clk->rwsem used in CPU0 and clk->rwsem used in CPU1 are
> different locks, but in lockdep, a false positive occurs because the
> possibility of deadlock is determined through lock-class.
>
> To solve this, lock subclass annotation must be added to the posix_clock
> rwsem of the vclock.
>
> Reported-by: syzbot+7cfb66a237c4a5fb22ad@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=7cfb66a237c4a5fb22ad
> Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
> Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> v4: Remove unnecessary lock class annotation and CC "POSIX CLOCKS and TIMERS" maintainer
> - Link to v3: https://lore.kernel.org/all/20250719124022.1536524-1-aha310510@xxxxxxxxx/
> v3: Annotate lock subclass to prevent false positives of lockdep
> - Link to v2: https://lore.kernel.org/all/20250718114958.1473199-1-aha310510@xxxxxxxxx/
> v2: Add CC Vladimir
> - Link to v1: https://lore.kernel.org/all/20250705145031.140571-1-aha310510@xxxxxxxxx/
> ---
For the general idea:
Reviewed-by: Vladimir Oltean <vladimir.oltean@xxxxxxx>
> drivers/ptp/ptp_private.h | 5 +++++
> drivers/ptp/ptp_vclock.c | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
> index a6aad743c282..b352df4cd3f9 100644
> --- a/drivers/ptp/ptp_private.h
> +++ b/drivers/ptp/ptp_private.h
> @@ -24,6 +24,11 @@
> #define PTP_DEFAULT_MAX_VCLOCKS 20
> #define PTP_MAX_CHANNELS 2048
>
> +enum {
> + PTP_LOCK_PHYSICAL = 0,
> + PTP_LOCK_VIRTUAL,
> +};
> +
> struct timestamp_event_queue {
> struct ptp_extts_event buf[PTP_MAX_TIMESTAMPS];
> int head;
> diff --git a/drivers/ptp/ptp_vclock.c b/drivers/ptp/ptp_vclock.c
> index 7febfdcbde8b..8ed4b8598924 100644
> --- a/drivers/ptp/ptp_vclock.c
> +++ b/drivers/ptp/ptp_vclock.c
> @@ -154,6 +154,11 @@ static long ptp_vclock_refresh(struct ptp_clock_info *ptp)
> return PTP_VCLOCK_REFRESH_INTERVAL;
> }
>
> +static void ptp_vclock_set_subclass(struct ptp_clock *ptp)
> +{
> + lockdep_set_subclass(&ptp->clock.rwsem, PTP_LOCK_VIRTUAL);
Just not sure whether the PTP clock should be exposing this API, or the
POSIX clock, who actually owns the rwsem.
> +}
> +
> static const struct ptp_clock_info ptp_vclock_info = {
> .owner = THIS_MODULE,
> .name = "ptp virtual clock",
> @@ -213,6 +218,8 @@ struct ptp_vclock *ptp_vclock_register(struct ptp_clock *pclock)
> return NULL;
> }
>
> + ptp_vclock_set_subclass(vclock->clock);
> +
> timecounter_init(&vclock->tc, &vclock->cc, 0);
> ptp_schedule_worker(vclock->clock, PTP_VCLOCK_REFRESH_INTERVAL);
>
> --