| Message ID | 20250122023745.584995-1-2045gemini@gmail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [v2] atm/fore200e: Fix possible data race in fore200e_open() | expand |
On Wed, Jan 22, 2025 at 02:37:45AM +0000, Gui-Dong Han wrote: > Protect access to fore200e->available_cell_rate with rate_mtx lock to > prevent potential data race. > > In this case, since the update depends on a prior read, a data race > could lead to a wrong fore200e.available_cell_rate value. > > The field fore200e.available_cell_rate is generally protected by the lock > fore200e.rate_mtx when accessed. In all other read and write cases, this > field is consistently protected by the lock, except for this case and > during initialization. > > This potential bug was detected by our experimental static analysis tool, > which analyzes locking APIs and paired functions to identify data races > and atomicity violations. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable@vger.kernel.org > Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> > --- > v2: > * Added a description of the data race hazard in fore200e_open(), as > suggested by Jakub Kicinski and Simon Horman. Reviewed-by: Simon Horman <horms@kernel.org>
On Wed, 22 Jan 2025 02:37:45 +0000 Gui-Dong Han wrote: > Protect access to fore200e->available_cell_rate with rate_mtx lock to > prevent potential data race. > > In this case, since the update depends on a prior read, a data race > could lead to a wrong fore200e.available_cell_rate value. > > The field fore200e.available_cell_rate is generally protected by the lock > fore200e.rate_mtx when accessed. In all other read and write cases, this > field is consistently protected by the lock, except for this case and > during initialization. Please describe the call paths which interact to cause the race.
diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c index 4fea1149e003..f62e38571440 100644 --- a/drivers/atm/fore200e.c +++ b/drivers/atm/fore200e.c @@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc) vcc->dev_data = NULL; + mutex_lock(&fore200e->rate_mtx); fore200e->available_cell_rate += vcc->qos.txtp.max_pcr; + mutex_unlock(&fore200e->rate_mtx); kfree(fore200e_vcc); return -EINVAL;
Protect access to fore200e->available_cell_rate with rate_mtx lock to prevent potential data race. In this case, since the update depends on a prior read, a data race could lead to a wrong fore200e.available_cell_rate value. The field fore200e.available_cell_rate is generally protected by the lock fore200e.rate_mtx when accessed. In all other read and write cases, this field is consistently protected by the lock, except for this case and during initialization. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> --- v2: * Added a description of the data race hazard in fore200e_open(), as suggested by Jakub Kicinski and Simon Horman. --- drivers/atm/fore200e.c | 2 ++ 1 file changed, 2 insertions(+)