Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753409AbbFCW2Q (ORCPT <rfc822;w@1wt.eu>);
	Wed, 3 Jun 2015 18:28:16 -0400
Received: from mail.ispras.ru ([83.149.199.45]:41855 "EHLO mail.ispras.ru"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751558AbbFCW2H (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 3 Jun 2015 18:28:07 -0400
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
To: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>,
        linux1394-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: [PATCH] firewire: cdev: fix potential data race in dequeue_event()
Date: Thu,  4 Jun 2015 01:27:55 +0300
Message-Id: <1433370475-15027-1-git-send-email-khoroshilov@ispras.ru>
X-Mailer: git-send-email 1.9.1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1772
Lines: 52

When wait_event happens in dequeue_event(), it checks if event_list is empty
without acquiring client->lock. A potential race can happen as follows:
     T1                   T2                   T3
  sleep in             sleep in
dequeue_event()      dequeue_event()
                                          enque_event()
  wake up, check
if event_list is empty
and is preempted
                                        device is shut down
                      wake up and
                       list_del()
try to dequeue event
 from empty list

The patch moves acquiring client->lock before checking the event_list.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/firewire/core-cdev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 2a3973a7c441..7010dc2f02f2 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -314,11 +314,13 @@ static int dequeue_event(struct client *client,
 	if (ret < 0)
 		return ret;
 
+	spin_lock_irq(&client->lock);
 	if (list_empty(&client->event_list) &&
-		       fw_device_is_shutdown(client->device))
+		       fw_device_is_shutdown(client->device)) {
+		spin_unlock_irq(&client->lock);
 		return -ENODEV;
+	}
 
-	spin_lock_irq(&client->lock);
 	event = list_first_entry(&client->event_list, struct event, link);
 	list_del(&event->link);
 	spin_unlock_irq(&client->lock);
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/