Date: Fri, 25 Aug 2017 09:48:47 -0700
From: Jean Tourrilhes
To: Anton Volkov
Cc: dagb@cs.uit.no, samuel@sortiz.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org, Alexey Khoroshilov
Subject: Re: Possible race in nsc-ircc.ko
Message-ID: <20170825164847.GA18854@labs.hpe.com>
In-Reply-To: <4a33a281-f8bd-305b-e580-0e594feea799@ispras.ru>
Organisation: HP Labs Palo Alto

On Fri, Aug 25, 2017 at 05:05:25PM +0300, Anton Volkov wrote:
> Hello.
>
> While searching for races in the Linux kernel I've come across the
> "drivers/net/irda/nsc-ircc.ko" module. Here is a question that I came up
> with while analyzing results. Lines are given using the info from Linux
> v4.12.
>
> Consider the following case:
>
> Thread 1:                              Thread 2:
> nsc_ircc_init
> ->nsc_ircc_open
>     self = netdev_priv(dev)
>     register_netdev(dev)
>                                        nsc_ircc_net_ioctl
>                                        ->nsc_ircc_change_speed
>     self->dongle_id = ...                  <... self->io.dongle_id>
>     (nsc-ircc.c: line 485)                 (nsc-ircc.c: line 1318)
> platform_device_register_simple
>
> Before the initialization of self->dongle_id in nsc_ircc_open() its value is
> 0. Thus if read access to its value in nsc_ircc_change_speed occurs before
> the initialization there will be an attempt to change the speed of a dongle
> with an undesired id (if the dongle with id 0 exists). Is this case feasible
> from your point of view?
>
> Thank you for your time.
>
> -- Anton Volkov

At first glance, that seems like a valid race. I'm not sure if there is a
netdev lock/status to protect the driver, because it looks like doing any
operation on a device before "open" has completed would be dangerous for
most drivers. I don't have time to check the code paths, as I have not
looked at that code in ages.

Good luck!

Jean
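The ordering question in the report, as an added example that is not from the thread or the driver: a small interleaving checker that models the open path as two steps (publishing the device via register_netdev, and initializing self->dongle_id) and the ioctl path as one read of dongle_id that is only reachable once the device is published. Step names, the sample dongle id and the model itself are assumptions made for the illustration; it enumerates every schedule and reports whether any of them reads the zero-initialized value, for the reported order and for the order with initialization done before registration.

```c
/* Added example (not from the thread): interleaving checker for the ordering
 * Anton describes. Open path: PUBLISH (register_netdev makes the device
 * reachable) and INIT (self->dongle_id is set). Ioctl path: one read of
 * dongle_id, possible only once the device is reachable. */
#include <stdbool.h>
#define DONGLE_ID_VALID 3   /* constructed sample value, not the driver's */

struct model {
    int dongle_id;    /* models self->dongle_id, zero until initialized */
    bool published;   /* models the device having been registered */
    bool read_bad;    /* ioctl path observed dongle_id == 0 */
};
enum step { PUBLISH, INIT, IOCTL_READ };

static void run_step(struct model *m, enum step s)
{
    switch (s) {
    case PUBLISH:    m->published = true;            break;
    case INIT:       m->dongle_id = DONGLE_ID_VALID; break;
    case IOCTL_READ: if (m->published && m->dongle_id == 0) m->read_bad = true; break;
    }
}

/* Explore every interleaving of the open steps (kept in program order) with
 * the single ioctl read; true if some schedule reads an uninitialized id. */
static bool explore(struct model m, const enum step *open, int n, int i, bool done)
{
    if (i == n && done)
        return m.read_bad;
    bool bad = false; struct model c;
    if (i < n) {                     /* open path takes its next step */
        c = m; run_step(&c, open[i]);
        bad |= explore(c, open, n, i + 1, done);
    }
    if (!done) {                     /* ioctl path runs now */
        c = m; run_step(&c, IOCTL_READ);
        bad |= explore(c, open, n, i, true);
    }
    return bad;
}

bool race_possible(const enum step *open_order, int n)
{
    struct model m = { 0, false, false };
    return explore(m, open_order, n, 0, false);
}

/* Open path as reported: register_netdev first, dongle_id set afterwards. */
const enum step register_then_init[] = { PUBLISH, INIT };
/* Open path with private state fully initialized before register_netdev. */
const enum step init_then_register[] = { INIT, PUBLISH };
```

The first order yields the schedule PUBLISH, IOCTL_READ, INIT and is flagged; the second is never flagged, because every read after publication sees an initialized id.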