Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Subject: Re: [PATCH] rapidio: Avoid data race between file operation callbacks
 and mport_cdev_add().
To:     madhuparnabhowmik10@gmail.com, mporter@kernel.crashing.org,
        akpm@linux-foundation.org, dan.carpenter@oracle.com,
        hubcap@omnibond.com, tglx@linutronix.de, ira.weiny@intel.com,
        allison@lohutok.net
Cc:     linux-kernel@vger.kernel.org, andrianov@ispras.ru,
        ldv-project@linuxtesting.org
References: <20200426112950.1803-1-madhuparnabhowmik10@gmail.com>
From:   "alex.b" <alex.bou9@gmail.com>
Message-ID: <2a0d3c96-c332-2c95-db10-ffba78f9c9a3@gmail.com>
Date:   Sun, 26 Apr 2020 11:19:51 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <20200426112950.1803-1-madhuparnabhowmik10@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 2020-04-26 7:29 a.m., madhuparnabhowmik10@gmail.com wrote:
> From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
>
> Fields of md(mport_dev) are set after cdev_device_add().
> However, the file operation callbacks can be called after
> cdev_device_add() and therefore accesses to fields of md in the
> callbacks can race with the rest of the mport_cdev_add() function.
>
> One such example is INIT_LIST_HEAD(&md->portwrites) in
> mport_cdev_add(), the list is initialised after cdev_device_add().
> This can race with list_add_tail(&pw_filter->md_node,&md->portwrites)
> in rio_mport_add_pw_filter() which is called by unlocked_ioctl.
>
> To avoid such data races use cdev_device_add() after initializing md.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> ---
>   drivers/rapidio/devices/rio_mport_cdev.c | 14 +++++++-------
>   1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 8155f59ece38..40296378e5ee 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -2379,13 +2379,6 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport)
>   	cdev_init(&md->cdev, &mport_fops);
>   	md->cdev.owner = THIS_MODULE;
>   
> -	ret = cdev_device_add(&md->cdev, &md->dev);
> -	if (ret) {
> -		rmcd_error("Failed to register mport %d (err=%d)",
> -		       mport->id, ret);
> -		goto err_cdev;
> -	}
> -
>   	INIT_LIST_HEAD(&md->doorbells);
>   	spin_lock_init(&md->db_lock);
>   	INIT_LIST_HEAD(&md->portwrites);
> @@ -2405,6 +2398,13 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport)
>   #else
>   	md->properties.transfer_mode |= RIO_TRANSFER_MODE_TRANSFER;
>   #endif
> +
> +	ret = cdev_device_add(&md->cdev, &md->dev);
> +	if (ret) {
> +		rmcd_error("Failed to register mport %d (err=%d)",
> +		       mport->id, ret);
> +		goto err_cdev;
> +	}
>   	ret = rio_query_mport(mport, &attr);
>   	if (!ret) {
>   		md->properties.flags = attr.flags;

Acked-by: Alexandre Bounine <alex.bou9@gmail.com>