Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp863078rdf;
        Fri, 3 Nov 2023 19:07:22 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGALPgV3PLyEifkly1izaa/2ifl90y6/YAXlufAe58iBP6ngJC4GSFFISNpBH6SnhsHiwH2
X-Received: by 2002:a05:6871:4984:b0:1ea:2e2c:e9e7 with SMTP id tx4-20020a056871498400b001ea2e2ce9e7mr20661983oab.59.1699063642107;
        Fri, 03 Nov 2023 19:07:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1699063642; cv=none;
        d=google.com; s=arc-20160816;
        b=rsWKeghEmbyzylqnow0rCgFnlDk7Ognn9q9JtF9l4J0yLlnqasQjmSt9ZRxFx2F4J8
         FXOawBFw77rW/o9PPh2lPvlYMx8QxR928l+HnsHlOPSx/rHc0idg/fsA3fksr+5cpyg2
         cbhWf551cfhv8dSRjFrCAtZgmwvxSK/swhirTJFCtWGWacqJZXvCwEErQYWptZmwDU7q
         OgGJsucEJzBjQ7prRuuLOT21T0XvKjqF2XP5ljqH951z71u1QDosSwodl5xLzswEjHpI
         xVcMoL28+EQBPPeFiPKRToTt0rjGqiLbCvnptaYNZL+ojpgqNmeOWxkpdkvyx6sQA6ka
         HQJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=Oxi0Gs7OIv7LWO/6I2/nImKNusdC/LABFouqVtsbWJs=;
        fh=kfJf1t2HIp1mvSYgL6hLdsiU+5UKJmbGqT5tKnOGL5A=;
        b=xdL0t+ZXs9WWrvN2CuKlaHgthxZYv3gYb3UP/yG1W6ACVE6P3HjGpAstzo6j7Evjea
         bxFO9+IabrAQyF2WE5yCP7MJaplplkCi6d8eyXYDL1DQC1vsiR3UMJYVGg/VVtE2Mer1
         Gozpd+2dwBDlHpOpl8xGYtjSL2irElMta7giDOgKOBRcVPX3qqndADjiNxTb7bvJCB+z
         NPUCD1+q2rG94WBmXy8VK09S/eB1egbiepUbibY0CKxO/0CPT1CSMPFoa/31QkY1C88e
         UxScHzvCjmqWto3oQ3VoDy98k/XuZn5JUZiOgAQ93cYljPzvH2ZXcJdiaN8BFk5Y+gT7
         /mHA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=DdnHURhl;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2])
        by mx.google.com with ESMTPS id a73-20020a63904c000000b0056f7f18bbfdsi2613834pge.632.2023.11.03.19.07.21
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 Nov 2023 19:07:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=DdnHURhl;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by agentk.vger.email (Postfix) with ESMTP id 6982B80F9C9A;
	Fri,  3 Nov 2023 19:07:19 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231209AbjKDCHM (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Fri, 3 Nov 2023 22:07:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33454 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229470AbjKDCHL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 3 Nov 2023 22:07:11 -0400
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 881F4D52;
        Fri,  3 Nov 2023 19:07:07 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-1cc41afd376so5226245ad.1;
        Fri, 03 Nov 2023 19:07:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1699063627; x=1699668427; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=Oxi0Gs7OIv7LWO/6I2/nImKNusdC/LABFouqVtsbWJs=;
        b=DdnHURhl8/4vtHrSPZVBJ+EatZDhBg21q5eJV4EtHcaTLzrTHoCIWruT1xSk/qlMPl
         z8hMld8+J5c8udJo0Ct4xvMKqJOBR8ba9+dIXJWJH8l1px7kbKL8KTni0aE1zWIJdyDs
         8fgZMA4IaQ77V3lYL1GLP61F2uS9K357Wz9G0SlOcWxCxqnZuRM9tAoso7qbg3t1JTyF
         eMenA1awprbqcampnyyHMYmbmDCTn2SDaHeflEQwuT4nZgdnUv1yLQZDLq8KWII5n0zi
         ZS3n8k6Dza0LjGeAeF899J1PitrhJmByali39hmcGwXRNcf3e43E1rLn+XM0/RrtlDpU
         oFxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1699063627; x=1699668427;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Oxi0Gs7OIv7LWO/6I2/nImKNusdC/LABFouqVtsbWJs=;
        b=jvqsSLKPoMulpV0gwAIr4hWot0sFE0gNwA0JozAXc4yS1MZp3AKx7xOCSBn0c6q+Kf
         zd8MqsIBNF+J4zHm5n3eq9BWGyOi+8C5tyJTpUOwTdgHndg4BIYiLHhoqA3EFWyHuNRR
         PPu4DxivYS/TUmYKrKhhs8d9XqtzEjKeM+jntZFG+5aARi9+ZRf5jc+se/XWGFKioALW
         UmSUrcM7Vx3Z4o7pe4Egel+4zA6Uff7Vs3QdPZ8699HaIi7meAW6LR4HX93E2P2tlLkk
         9P2aFExAQmxinBuleFO/MaGHi5DEesSn/UMXEjaIh8h7meZOZEszrwrZ4vS7m6Mu62Xa
         Cqjg==
X-Gm-Message-State: AOJu0Yxf3/ii+eeekZzxT/VwzFtLJUYw2mGdsBMIBk/jXUZhksBPCopD
        8AtvynbelR0bhwhfeBJcsUE=
X-Received: by 2002:a05:6a20:5483:b0:17a:d292:25d1 with SMTP id i3-20020a056a20548300b0017ad29225d1mr29991031pzk.6.1699063626928;
        Fri, 03 Nov 2023 19:07:06 -0700 (PDT)
Received: from hoboy.vegasvil.org ([2601:640:8000:54:e2d5:5eff:fea5:802f])
        by smtp.gmail.com with ESMTPSA id 10-20020a17090a0cca00b0026b46ad94c9sm2105077pjt.24.2023.11.03.19.07.05
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 Nov 2023 19:07:05 -0700 (PDT)
Date:   Fri, 3 Nov 2023 19:07:03 -0700
From:   Richard Cochran <richardcochran@gmail.com>
To:     Edward Adam Davis <eadavis@qq.com>
Cc:     jeremy@jcline.org, davem@davemloft.net, habetsm.xilinx@gmail.com,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        reibax@gmail.com,
        syzbot+df3f3ef31f60781fa911@syzkaller.appspotmail.com
Subject: Re: [PATCH net-next V3] ptp: fix corrupted list in ptp_open
Message-ID: <ZUWnR6T6RZfc6LeF@hoboy.vegasvil.org>
References: <tencent_97D1BA12BBF933129EC01B1D4BB71BE92508@qq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <tencent_97D1BA12BBF933129EC01B1D4BB71BE92508@qq.com>
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Fri, 03 Nov 2023 19:07:19 -0700 (PDT)

On Fri, Nov 03, 2023 at 09:15:03PM +0800, Edward Adam Davis wrote:
> There is no lock protection when writing ptp->tsevqs in ptp_open(),
> ptp_release(), which can cause data corruption, use mutex lock to avoid this
> issue.
> 
> Moreover, ptp_release() should not be used to release the queue in ptp_read(),
> and it should be deleted together.

Oh, now I see what you are fixing...

> @@ -138,14 +143,19 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
>  int ptp_release(struct posix_clock_context *pccontext)
>  {
>  	struct timestamp_event_queue *queue = pccontext->private_clkdata;
> +	struct ptp_clock *ptp =
> +		container_of(pccontext->clk, struct ptp_clock, clock);
>  	unsigned long flags;
>  
>  	if (queue) {
> +		if (mutex_lock_interruptible(&ptp->tsevq_mux)) 
> +			return -ERESTARTSYS;

I don't think it is a good idea to return ERESTARTSYS on signal here.
The release method needs to succeed.

>  		debugfs_remove(queue->debugfs_instance);
>  		pccontext->private_clkdata = NULL;
>  		spin_lock_irqsave(&queue->lock, flags);

This spin lock is wrong.  The spin lock protects the queue, not the
list of queues.

The spin lock/unlock needs to be replaced with mutex lock/unlock.

>  		list_del(&queue->qlist);
>  		spin_unlock_irqrestore(&queue->lock, flags);
> +		mutex_unlock(&ptp->tsevq_mux);
>  		bitmap_free(queue->mask);
>  		kfree(queue);
>  	}

> diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
> index 52f87e394aa6..1525bd2059ba 100644
> --- a/drivers/ptp/ptp_private.h
> +++ b/drivers/ptp/ptp_private.h
> @@ -44,6 +44,7 @@ struct ptp_clock {
>  	struct pps_device *pps_source;
>  	long dialed_frequency; /* remembers the frequency adjustment */
>  	struct list_head tsevqs; /* timestamp fifo list */
> +	struct mutex tsevq_mux; /* one process at a time reading the fifo */

This comment is very misleading.  The mutex does not protect the
fifo.  It protects 'tsevqs' from concurrent access.

Thanks,
Richard