Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753141AbdHOSOm (ORCPT <rfc822;w@1wt.eu>);
        Tue, 15 Aug 2017 14:14:42 -0400
Received: from mail-pg0-f66.google.com ([74.125.83.66]:35329 "EHLO
        mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753014AbdHOSOj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Aug 2017 14:14:39 -0400
Date: Tue, 15 Aug 2017 11:14:35 -0700
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Anton Volkov <avolkov@ispras.ru>
Cc: marek.vasut@gmail.com, linux-input@vger.kernel.org,
        linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org,
        Alexey Khoroshilov <khoroshilov@ispras.ru>
Subject: Re: Possible race in ucb1400_ts.ko
Message-ID: <20170815181435.GA14966@dtor-ws>
References: <237b7e86-f8da-ae37-b56d-4786bbfaefc4@ispras.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <237b7e86-f8da-ae37-b56d-4786bbfaefc4@ispras.ru>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1425
Lines: 44

Hi Anton,

On Tue, Aug 15, 2017 at 04:46:25PM +0300, Anton Volkov wrote:
> Hello.
> 
> While searching for races in the Linux kernel I've come across
> "drivers/input/touchscreen/ucb1400_ts.ko" module. Here is a question
> that I came up with while analyzing results. Lines are given using
> the info from Linux v4.12.
> 
> Consider the following case:
> 
> Thread 1:                   Thread 2:
> ucb1400_suspend
> ->ucb1400_ts_start
>     ucb->stopped = false
>     enable_irq()
> 
> ucb1400_resume
> ->ucb1400_ts_stop           ucb1400_irq
>     ucb->stopped = true       while(!ucb->stopped && ...)
>     (ucb1400_ts.c: line 230)  (ucb1400_ts.c: line 202)
>     disable_irq()
> 
> The value of ucb->stopped may be changed in the midst of 'while'
> loop iterations or prevent all of them from happening. Is this
> feasible from your point of view? If so, is it a benign race or is
> it serious?

Well, I guess nobody is using that driver in mainline, or at least not
with platforms that do system suspend. The suspend is supposed to call
ucb1400_ts_stop(), not ucb1400_ts_start(), and resume is messed up as
well.

We need to fix it. Once it is done, then it should look better. The
ucb->stopped can change in the middle of while loop, and that should
cause the interrupt handler to stop running. The "stop" uses
disable_irq() and thus will wait for the interrupt handler to finish
before continuing.

Thanks.

-- 
Dmitry