Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3201939imm; Fri, 20 Jul 2018 11:57:15 -0700 (PDT) X-Google-Smtp-Source: AAOMgpckxsun87OCqy9qpAgPOuSknkpR8fka9BcpbGoIIdIIwua6F2cYnOZlgKY/FpA181ru8ACE X-Received: by 2002:a17:902:e18b:: with SMTP id cd11-v6mr3109422plb.305.1532113035625; Fri, 20 Jul 2018 11:57:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532113035; cv=none; d=google.com; s=arc-20160816; b=u7swto0jJE7q87+S0Yg6ZK9Yv1pn2jH5gSC345Sf36DdMyNunxfAX/T1iMJJDR2Q2N 8uscuKUG6XvwSZ+LLO4e2GiqSq5nhfdy1XjsswAQRnvQVy/ASweaZ4LtieGNT/1jK2s2 tPLgCr2t/BvKLvoEntErFhg5A+2F380jQJ56r1fZXGQWQGb2UV439MF/9MJUfFvEMfit ztogWae9ouLxd15a9PEJxIDfl/2HwxPKmgc3EzfHKSLnzBLNU+E8Yne3VhC146sGOfhZ gGjrCJU+mcS+sFfzGeIm8g056CZYRVkqsnYVzMTEPznJfsVRMKTjg8XUeEbC5AfWZtl3 JAjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id:arc-authentication-results; bh=2AT3mdZASNLv5XJLxVqjOLJ3VSF/UFHg9Q6rH/tBakI=; b=yuECxLvNnwRzwMUiDoZkCmYv5pAAVCmKqSZJdcxBgOl5NZgR+3nI4otV7aWmAazHfX biFFEkXbaf51Q1iMbTBz4aHIADu2tE4s6XD+j5nm8NaQYKMaHKuHP1VXBmcZNRwKkPFC euB5vxv6uzzs9xVsO4QsRtYBib2Kl7BBp7pOeXsdFZNvj8IjtRHCPstIX1IE0HRGXkD3 QuTusFTYTXKJTy7X+lxHsDKbekVRgx3fb4jIvP/MJmAZ2v06IA+GXoh9d720ITx+Fk1g ZNq20srQFtuk43d/3TzhpWj5nH2jLdvTtOeZ4siesMFiHWOR+vX99wON3YF+2xHuP7Bj uMyA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y6-v6si2426283pgr.684.2018.07.20.11.57.01; Fri, 20 Jul 2018 11:57:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388227AbeGTTqA (ORCPT + 99 others); Fri, 20 Jul 2018 15:46:00 -0400 Received: from imap1.codethink.co.uk ([176.9.8.82]:46023 "EHLO imap1.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388043AbeGTTqA (ORCPT ); Fri, 20 Jul 2018 15:46:00 -0400 Received: from [148.252.241.226] (helo=xylophone) by imap1.codethink.co.uk with esmtpsa (Exim 4.84_2 #1 (Debian)) id 1fgaZk-0001Cp-PI; Fri, 20 Jul 2018 19:56:24 +0100 Message-ID: <1532112984.21552.39.camel@codethink.co.uk> Subject: Re: [PATCH 4.4 089/105] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() From: Ben Hutchings To: Mauro Carvalho Chehab Cc: stable@vger.kernel.org, Greg Kroah-Hartman , LKML Date: Fri, 20 Jul 2018 19:56:24 +0100 In-Reply-To: <20180701153155.855633462@linuxfoundation.org> References: <20180701153149.382300170@linuxfoundation.org> <20180701153155.855633462@linuxfoundation.org> Organization: Codethink Ltd. Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6-1+deb9u1 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 2018-07-01 at 18:02 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch.  If anyone has any objections, please let me know. > > ------------------ > > From: Mauro Carvalho Chehab > > commit 76d81243a487c09619822ef8e7201a756e58a87d upstream. > > As warned by smatch: > drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'. >   Locked on:   line 288 >                line 295 >                line 306 >                line 314 >   Unlocked on: line 303 > > The lock implementation for get event is wrong, as, if an > interrupt occurs, down_interruptible() will fail, and the > routine will call up() twice when userspace calls the ioctl > again. > > The bad code is there since when Linux migrated to git, in > 2005. [...]  > --- a/drivers/media/dvb-core/dvb_frontend.c > +++ b/drivers/media/dvb-core/dvb_frontend.c [...] > +static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv, > +    struct dvb_fe_events *events) > +{ > + int ret; > + > + up(&fepriv->sem); > + ret = events->eventw != events->eventr; > + down(&fepriv->sem); > + > + return ret; > +} This is broken. You must not wait inside a wait condition. (It would be nice if this rule was explicitly documented.) Why not leave the condition as it was and only change the down_interruptible() to down()? Ben. >  static int dvb_frontend_get_event(struct dvb_frontend *fe, > -     struct dvb_frontend_event *event, int flags) > +           struct dvb_frontend_event *event, int flags) >  { >   struct dvb_frontend_private *fepriv = fe->frontend_priv; >   struct dvb_fe_events *events = &fepriv->events; > @@ -249,13 +261,8 @@ static int dvb_frontend_get_event(struct >   if (flags & O_NONBLOCK) >   return -EWOULDBLOCK; >   > - up(&fepriv->sem); > - > - ret = wait_event_interruptible (events->wait_queue, > - events->eventw != events->eventr); > - > - if (down_interruptible (&fepriv->sem)) > - return -ERESTARTSYS; > + ret = wait_event_interruptible(events->wait_queue, > +        dvb_frontend_test_event(fepriv, events)); >   >   if (ret < 0) >   return ret; > > > -- Ben Hutchings, Software Developer   Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom