is if the device can produce the
interrupts. Its registers are initialized in [3] and there are nothing like
"enabling interrupts". So, likely, they are activated. And if interrupts can
come, then this is a data race.
Best regards,
Pavel Andrianov
Linux Verification Center, ISPRAS
web:http://linuxt
Hi,
berlin2_adc_probe [1] registers two interrupt handlers: berlin2_adc_irq [2]
and berlin2_adc_tsen_irq [3]. The interrupt handlers operate with the
same data, for example, modify
priv->data with different masks:
priv->data &= BERLIN2_SM_ADC_MASK;
and
priv->data &= BERLIN2_SM_TSEN_MASK;
If
lead to an inconsistent state and memory
leaks.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Pavel Andrianov
---
drivers/net/ethernet/marvell/pxa168_eth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell
to_driver
-> usb_gadget_udc_start
-> m66592_udc_start
m66592->driver is set. In interrupt handler the data is used, thus if
interrupt comes before udc_start is executed, null pointer dereference
occurs.
Should the call of request_irq be after complete initialization?
to_driver
-> usb_gadget_udc_start
-> m66592_udc_start
m66592->driver is set. In interrupt handler the data is used, thus if
interrupt comes before udc_start is executed, null pointer dereference
occurs.
Should the call of request_irq be after complete initialization?
03.09.2016 19:38, Jonathan Cameron пишет:
On 31/08/16 11:23, Pavel Andrianov wrote:
Hi!
There is a bug in drivers/iio/light/opt3001.ko. Regard such case:
Thread 1 Thread 2
-> opt3001_read_raw
-> mutex_lock(>lock)
-> opt
03.09.2016 19:38, Jonathan Cameron пишет:
On 31/08/16 11:23, Pavel Andrianov wrote:
Hi!
There is a bug in drivers/iio/light/opt3001.ko. Regard such case:
Thread 1 Thread 2
-> opt3001_read_raw
-> mutex_lock(>lock)
-> opt
All operations with synth buffer should be protected,
as there are global pointers, which should be modified atomically.
Found by Linux Driver Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov <andria...@ispras.ru>
---
drivers/staging/speakup/kobjects.c | 3 +++
All operations with synth buffer should be protected,
as there are global pointers, which should be modified atomically.
Found by Linux Driver Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov
---
drivers/staging/speakup/kobjects.c | 3 +++
1 file changed, 3 insertions
05.09.2016 12:56, Samuel Thibault пишет:
Pavel Andrianov, on Mon 05 Sep 2016 12:54:10 +0300, wrote:
05.09.2016 12:43, Samuel Thibault пишет:
Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote:
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global
05.09.2016 12:56, Samuel Thibault пишет:
Pavel Andrianov, on Mon 05 Sep 2016 12:54:10 +0300, wrote:
05.09.2016 12:43, Samuel Thibault пишет:
Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote:
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global
05.09.2016 12:43, Samuel Thibault пишет:
Hello,
Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote:
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global pointers buff_in and buff_out are performed
without any locks. Thus, a simultaneous write (via
05.09.2016 12:43, Samuel Thibault пишет:
Hello,
Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote:
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global pointers buff_in and buff_out are performed
without any locks. Thus, a simultaneous write (via
out locks.
Should the same lock be used in these cases?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
out locks.
Should the same lock be used in these cases?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
lock be used here?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
lock be used here?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
executed.
Should the registration of net device be at the end of dwceqos_probe?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
executed.
Should the registration of net device be at the end of dwceqos_probe?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
->mlock, and vf610_write_raw does not. Thus updating the
structure 'info' may be performed simultaneously.
Should vf610_write_raw also acquire the same mutex indio_dev->mlock?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
->mlock, and vf610_write_raw does not. Thus updating the
structure 'info' may be performed simultaneously.
Should vf610_write_raw also acquire the same mutex indio_dev->mlock?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
opt->result_ready = true
wake_up()
opt->result_ready = false;
wait_event_timeout()
In this case the first thread misses the result and waits until timeout
expires.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
opt->result_ready = true
wake_up()
opt->result_ready = false;
wait_event_timeout()
In this case the first thread misses the result and waits until timeout
expires.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
smc_reset may be executed in parallel with timer function media_check.
To avoid data race in smc_set_xcvr a spinlock was added.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Pavel Andrianov <andria...@ispras.ru>
---
drivers/net/ethernet/smsc/smc91c92_cs
smc_reset may be executed in parallel with timer function media_check.
To avoid data race in smc_set_xcvr a spinlock was added.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Pavel Andrianov
---
drivers/net/ethernet/smsc/smc91c92_cs.c | 3 +++
1 file changed, 3
are registered in divas_maint_register_chrdev, which is called
(divamnt.c: line 206) before initialization (divamnt.c: line 211). Thus,
there may occur a situation when the handlers of divas_main_fops occur
to uninitialized resources.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web
are registered in divas_maint_register_chrdev, which is called
(divamnt.c: line 206) before initialization (divamnt.c: line 211). Thus,
there may occur a situation when the handlers of divas_main_fops occur
to uninitialized resources.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web
free_skb(skb)
In this case the skb is freed twice. Likely, in the interrupt handler
the same spinlock should be acquired as in
sis190_tx_timeout.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
free_skb(skb)
In this case the skb is freed twice. Likely, in the interrupt handler
the same spinlock should be acquired as in
sis190_tx_timeout.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
-> mvumi_handshake
-> mvumi_hs_build_page
In this case the same data mhba->handshake_page is modified from two
threads. Likely the first thread should acquire the same spinlock
mhba->shost->host_lock as the second thread.
--
Pavel Andrianov
Linux Verification Center
-> mvumi_handshake
-> mvumi_hs_build_page
In this case the same data mhba->handshake_page is modified from two
threads. Likely the first thread should acquire the same spinlock
mhba->shost->host_lock as the second thread.
--
Pavel Andrianov
Linux Verification Center
e same
spinlock adapter->lock as the second one.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
e same
spinlock adapter->lock as the second one.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
t; smc_reset ->media_check - timer function
-> smc_set_xcvr->smc_set_xcvr
In this case the struct 'smc' is modified from two threads
simultaneously. Likely, the first thread should acquire the same
spinlock smc->lock as the second thread in
t; smc_reset ->media_check - timer function
-> smc_set_xcvr->smc_set_xcvr
In this case the struct 'smc' is modified from two threads
simultaneously. Likely, the first thread should acquire the same
spinlock smc->lock as the second thread in
ext can
not be acquired there. The comment may be wrong and eh_context is
acquired somewhere before, but I also can not find it. Do you know where
is the initial acquire of eh_context in this case?
10.08.2016 06:51, Tejun Heo пишет:
Hello,
On Fri, Aug 05, 2016 at 03:43:30PM +0300, Pavel Andriano
ext can
not be acquired there. The comment may be wrong and eh_context is
acquired somewhere before, but I also can not find it. Do you know where
is the initial acquire of eh_context in this case?
10.08.2016 06:51, Tejun Heo пишет:
Hello,
On Fri, Aug 05, 2016 at 03:43:30PM +0300, Pavel Andriano
. Thus, the interrupt may occur while initialization is not
finishing and the new value of events will be lost. Moreover, the
spinlock, which is used in the interrupt handler, is also initialized
(line 1842) after request_irq (line 1813).
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web
. Thus, the interrupt may occur while initialization is not
finishing and the new value of events will be lost. Moreover, the
spinlock, which is used in the interrupt handler, is also initialized
(line 1842) after request_irq (line 1813).
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web
.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov <andria...@ispras.ru>
---
drivers/net/wireless/wl3501_cs.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 13fd734..1
Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov
---
drivers/net/wireless/wl3501_cs.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 13fd734..196f13c 100644
--- a/drivers
Hi!
We have no hardware to test possible fixes. If somebody has it and
agrees to check our patches, we will prepare them.
Best regards,
Pavel
01.07.2016 20:17, Hans Verkuil пишет:
On 07/01/2016 05:02 PM, Pavel Andrianov wrote:
01.07.2016 19:53, Hans Verkuil пишет:
On 07/01/2016 04:39 PM
Hi!
We have no hardware to test possible fixes. If somebody has it and
agrees to check our patches, we will prepare them.
Best regards,
Pavel
01.07.2016 20:17, Hans Verkuil пишет:
On 07/01/2016 05:02 PM, Pavel Andrianov wrote:
01.07.2016 19:53, Hans Verkuil пишет:
On 07/01/2016 04:39 PM
01.07.2016 19:53, Hans Verkuil пишет:
On 07/01/2016 04:39 PM, Pavel Andrianov wrote:
Hi!
There is a potential race condition between usbvision_v4l2_close and
usbvision_disconnect. The possible scenario may be the following.
usbvision_disconnect starts execution, assigns usbvision
01.07.2016 19:53, Hans Verkuil пишет:
On 07/01/2016 04:39 PM, Pavel Andrianov wrote:
Hi!
There is a potential race condition between usbvision_v4l2_close and
usbvision_disconnect. The possible scenario may be the following.
usbvision_disconnect starts execution, assigns usbvision
lbs_mac_event_disconnected may free priv->currenttxskb
while lbs_hard_start_xmit accesses to it.
The patch adds a spinlock for mutual exclusion.
Tested on OLPC XO-1 (usb8388) and XO-1.5 (sd8686) with v4.7-rc3.
Confirmed that lbs_mac_event_disconnected is being called on the
station when hostapd
lbs_mac_event_disconnected may free priv->currenttxskb
while lbs_hard_start_xmit accesses to it.
The patch adds a spinlock for mutual exclusion.
Tested on OLPC XO-1 (usb8388) and XO-1.5 (sd8686) with v4.7-rc3.
Confirmed that lbs_mac_event_disconnected is being called on the
station when hostapd
a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
08.06.2016 02:51, James Cameron пишет:
On Tue, Jun 07, 2016 at 09:39:55AM -0500, Dan Williams wrote:
On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote:
Hi!
There is a potential race condition in
drivers/net/wireless/libertas/libertas.ko.
In the function lbs_hard_start_xmit(..), line
08.06.2016 02:51, James Cameron пишет:
On Tue, Jun 07, 2016 at 09:39:55AM -0500, Dan Williams wrote:
On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote:
Hi!
There is a potential race condition in
drivers/net/wireless/libertas/libertas.ko.
In the function lbs_hard_start_xmit(..), line
affect the rtl88e_dm_watchdog as in
the previous case.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
affect the rtl88e_dm_watchdog as in
the previous case.
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
07.06.2016 18:39, Dan Williams пишет:
On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote:
Hi!
There is a potential race condition in
drivers/net/wireless/libertas/libertas.ko.
In the function lbs_hard_start_xmit(..), line 159, a socket buffer
is
written to priv->current_
07.06.2016 18:39, Dan Williams пишет:
On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote:
Hi!
There is a potential race condition in
drivers/net/wireless/libertas/libertas.ko.
In the function lbs_hard_start_xmit(..), line 159, a socket buffer
is
written to priv->current_
mit.
Is it a real race or I have missed something?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
mit.
Is it a real race or I have missed something?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andria...@ispras.ru
to
megaraid_abort().
Found by Linux Driver Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov
---
drivers/scsi/megaraid.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 4d39a9f..7572d86 100644
to
megaraid_abort().
Found by Linux Driver Verification project (linuxtesting.org)
Signed-off-by: Pavel Andrianov andria...@ispras.ru
---
drivers/scsi/megaraid.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 4d39a9f
61 matches
Mail list logo