From: Tuo Li
To: dtwlin@gmail.com, johan@kernel.org, elder@kernel.org, gregkh@linuxfoundation.org
Cc: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@outlook.com, Tuo Li, BassCheck
Subject: [PATCH] staging: greybus: fix a possible data-inconsistency due to data race in get_serial_info()
Date: Mon, 26 Jun 2023 16:43:39 +0800
Message-Id: <20230626084339.998784-1-islituo@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The variables gb_tty->port.close_delay and gb_tty->port.closing_wait are
often accessed together while holding the lock gb_tty->port.mutex. Here is
an example in set_serial_info():

  mutex_lock(&gb_tty->port.mutex);
  ...
  gb_tty->port.close_delay = close_delay;
  gb_tty->port.closing_wait = closing_wait;
  ...
  mutex_unlock(&gb_tty->port.mutex);

However, they are accessed without holding the lock gb_tty->port.mutex when
accessed in get_serial_info():

  ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10;
  ss->closing_wait =
    gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
    ASYNC_CLOSING_WAIT_NONE :
    jiffies_to_msecs(gb_tty->port.closing_wait) / 10;

In my opinion, this may be a harmful race, because ss->close_delay can be
inconsistent with ss->closing_wait if gb_tty->port.close_delay and
gb_tty->port.closing_wait are updated by another thread after the
assignment to ss->close_delay. Besides, the select operator may return a
wrong value if gb_tty->port.closing_wait is updated right after the
condition is calculated.

To fix this possible data-inconsistency caused by data race, a lock and unlock pair is added when accessing different fields of gb_tty->port. Reported-by: BassCheck Signed-off-by: Tuo Li --- drivers/staging/greybus/uart.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c index 20a34599859f..b8875517ea6a 100644 --- a/drivers/staging/greybus/uart.c +++ b/drivers/staging/greybus/uart.c @@ -596,12 +596,14 @@ static int get_serial_info(struct tty_struct *tty, { struct gb_tty *gb_tty = tty->driver_data; + mutex_lock(&gb_tty->port.mutex); ss->line = gb_tty->minor; ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10; ss->closing_wait = gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? ASYNC_CLOSING_WAIT_NONE : jiffies_to_msecs(gb_tty->port.closing_wait) / 10; + mutex_unlock(&gb_tty->port.mutex); return 0; } -- 2.34.1
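
Review bot: in get_serial_info(), the added mutex_lock(&gb_tty->port.mutex) sits above "ss->line = gb_tty->minor;", but the changelog only argues that port.close_delay and port.closing_wait need the lock, and minor is not a field of gb_tty->port. Either move the mutex_lock() call down to just before the ss->close_delay assignment so the critical section covers only the two port fields, or say in the changelog why minor is read under the lock as well. The changelog also describes the race as "possible" and carries only a Reported-by: BassCheck tag; it would help reviewers to state whether the inconsistency was observed at run time or only flagged by the tool, and to confirm that set_serial_info() is the only writer of these two fields, since the quoted fragment elides the surrounding code with "...".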