rcutorture: Fix rcu_torture_fwd_cb_cr() data race

On powerpc systems, spinlock acquisition does not order prior stores
against later loads.  This means that this statement:

	rfcp->rfc_next = NULL;

Can be reordered to follow this statement:

	WRITE_ONCE(*rfcpp, rfcp);

Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
this statement:

	rfcpn = READ_ONCE(rfcp->rfc_next)

KCSAN located this data race, which represents a real failure on powerpc.

Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: <kasan-dev@googlegroups.com>

diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 44cc455e1b615dc34a2f89931a51c8152bb4babd..cafe047d046e84da9262d3a19e55cfa6637bd330 100644 (file)
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2630,7 +2630,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
        spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
        rfcpp = rfp->rcu_fwd_cb_tail;
        rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
-       WRITE_ONCE(*rfcpp, rfcp);
+       smp_store_release(rfcpp, rfcp);
        WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
        i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
        if (i >= ARRAY_SIZE(rfp->n_launders_hist))