A potential data race in drivers/media/platform/s5p-mfc/

is if the device can produce the interrupts. Its registers are initialized in [3] and there are nothing like "enabling interrupts". So, likely, they are activated. And if interrupts can come, then this is a data race. Best regards, Pavel Andrianov Linux Verification Center, ISPRAS web:http://linuxt

A potential data race in drivers/iio/adc/berlin2-adc.ko

Hi, berlin2_adc_probe [1] registers two interrupt handlers: berlin2_adc_irq [2] and berlin2_adc_tsen_irq [3]. The interrupt handlers operate with the same data, for example, modify priv->data with different masks: priv->data &= BERLIN2_SM_ADC_MASK; and priv->data &= BERLIN2_SM_TSEN_MASK; If

[PATCH] net: pxa168_eth: Fix a potential data race in pxa168_eth_remove

lead to an inconsistent state and memory leaks. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Pavel Andrianov --- drivers/net/ethernet/marvell/pxa168_eth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/marvell

A potential bug in drivers/usb/gadget/udc/m66592-udc.ko

to_driver -> usb_gadget_udc_start -> m66592_udc_start m66592->driver is set. In interrupt handler the data is used, thus if interrupt comes before udc_start is executed, null pointer dereference occurs. Should the call of request_irq be after complete initialization?

A potential bug in drivers/usb/gadget/udc/m66592-udc.ko

to_driver -> usb_gadget_udc_start -> m66592_udc_start m66592->driver is set. In interrupt handler the data is used, thus if interrupt comes before udc_start is executed, null pointer dereference occurs. Should the call of request_irq be after complete initialization?

Re: A potential bug in drivers/iio/light/opt3001.ko

03.09.2016 19:38, Jonathan Cameron пишет: On 31/08/16 11:23, Pavel Andrianov wrote: Hi! There is a bug in drivers/iio/light/opt3001.ko. Regard such case: Thread 1 Thread 2 -> opt3001_read_raw -> mutex_lock(>lock) -> opt

Re: A potential bug in drivers/iio/light/opt3001.ko

03.09.2016 19:38, Jonathan Cameron пишет: On 31/08/16 11:23, Pavel Andrianov wrote: Hi! There is a bug in drivers/iio/light/opt3001.ko. Regard such case: Thread 1 Thread 2 -> opt3001_read_raw -> mutex_lock(>lock) -> opt

[PATCH] speakup: Add spinlock in synth_direct_store

All operations with synth buffer should be protected, as there are global pointers, which should be modified atomically. Found by Linux Driver Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov <andria...@ispras.ru> --- drivers/staging/speakup/kobjects.c | 3 +++

[PATCH] speakup: Add spinlock in synth_direct_store

All operations with synth buffer should be protected, as there are global pointers, which should be modified atomically. Found by Linux Driver Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov --- drivers/staging/speakup/kobjects.c | 3 +++ 1 file changed, 3 insertions

Re: A potential race in drivers/staging/speakup/speakup.ko

05.09.2016 12:56, Samuel Thibault пишет: Pavel Andrianov, on Mon 05 Sep 2016 12:54:10 +0300, wrote: 05.09.2016 12:43, Samuel Thibault пишет: Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote: There is a potential race in drivers/staging/speakup/speakup.ko. All operations with global

Re: A potential race in drivers/staging/speakup/speakup.ko

05.09.2016 12:56, Samuel Thibault пишет: Pavel Andrianov, on Mon 05 Sep 2016 12:54:10 +0300, wrote: 05.09.2016 12:43, Samuel Thibault пишет: Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote: There is a potential race in drivers/staging/speakup/speakup.ko. All operations with global

Re: A potential race in drivers/staging/speakup/speakup.ko

05.09.2016 12:43, Samuel Thibault пишет: Hello, Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote: There is a potential race in drivers/staging/speakup/speakup.ko. All operations with global pointers buff_in and buff_out are performed without any locks. Thus, a simultaneous write (via

Re: A potential race in drivers/staging/speakup/speakup.ko

05.09.2016 12:43, Samuel Thibault пишет: Hello, Pavel Andrianov, on Mon 05 Sep 2016 11:51:50 +0300, wrote: There is a potential race in drivers/staging/speakup/speakup.ko. All operations with global pointers buff_in and buff_out are performed without any locks. Thus, a simultaneous write (via

A potential bug in drivers/tty/serial/jsm/jsm.ko

out locks. Should the same lock be used in these cases? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential bug in drivers/tty/serial/jsm/jsm.ko

out locks. Should the same lock be used in these cases? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential race in drivers/staging/speakup/speakup.ko

lock be used here? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential race in drivers/staging/speakup/speakup.ko

lock be used here? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential bug in drivers/net/ethernet/synopsys/dwc_eth_qos.ko

executed. Should the registration of net device be at the end of dwceqos_probe? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential bug in drivers/net/ethernet/synopsys/dwc_eth_qos.ko

executed. Should the registration of net device be at the end of dwceqos_probe? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential race in drivers/iio/adc/vf610_adc.ko

->mlock, and vf610_write_raw does not. Thus updating the structure 'info' may be performed simultaneously. Should vf610_write_raw also acquire the same mutex indio_dev->mlock? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential race in drivers/iio/adc/vf610_adc.ko

->mlock, and vf610_write_raw does not. Thus updating the structure 'info' may be performed simultaneously. Should vf610_write_raw also acquire the same mutex indio_dev->mlock? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential bug in drivers/iio/light/opt3001.ko

opt->result_ready = true wake_up() opt->result_ready = false; wait_event_timeout() In this case the first thread misses the result and waits until timeout expires. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential bug in drivers/iio/light/opt3001.ko

opt->result_ready = true wake_up() opt->result_ready = false; wait_event_timeout() In this case the first thread misses the result and waits until timeout expires. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[PATCH] smc91c92_cs : add a spinlock to avoid race condition

smc_reset may be executed in parallel with timer function media_check. To avoid data race in smc_set_xcvr a spinlock was added. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Pavel Andrianov <andria...@ispras.ru> --- drivers/net/ethernet/smsc/smc91c92_cs

[PATCH] smc91c92_cs : add a spinlock to avoid race condition

smc_reset may be executed in parallel with timer function media_check. To avoid data race in smc_set_xcvr a spinlock was added. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Pavel Andrianov --- drivers/net/ethernet/smsc/smc91c92_cs.c | 3 +++ 1 file changed, 3

A potential data race in drivers/isdn/hardware/eicon/diva_mnt.ko

are registered in divas_maint_register_chrdev, which is called (divamnt.c: line 206) before initialization (divamnt.c: line 211). Thus, there may occur a situation when the handlers of divas_main_fops occur to uninitialized resources. -- Pavel Andrianov Linux Verification Center, ISPRAS web

A potential data race in drivers/isdn/hardware/eicon/diva_mnt.ko

are registered in divas_maint_register_chrdev, which is called (divamnt.c: line 206) before initialization (divamnt.c: line 211). Thus, there may occur a situation when the handlers of divas_main_fops occur to uninitialized resources. -- Pavel Andrianov Linux Verification Center, ISPRAS web

Potential data race in drivers/net/ethernet/sis/sis190.ko

free_skb(skb) In this case the skb is freed twice. Likely, in the interrupt handler the same spinlock should be acquired as in sis190_tx_timeout. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

Potential data race in drivers/net/ethernet/sis/sis190.ko

free_skb(skb) In this case the skb is freed twice. Likely, in the interrupt handler the same spinlock should be acquired as in sis190_tx_timeout. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential data race in drivers/scsi/mvumi.ko

-> mvumi_handshake -> mvumi_hs_build_page In this case the same data mhba->handshake_page is modified from two threads. Likely the first thread should acquire the same spinlock mhba->shost->host_lock as the second thread. -- Pavel Andrianov Linux Verification Center

A potential data race in drivers/scsi/mvumi.ko

-> mvumi_handshake -> mvumi_hs_build_page In this case the same data mhba->handshake_page is modified from two threads. Likely the first thread should acquire the same spinlock mhba->shost->host_lock as the second thread. -- Pavel Andrianov Linux Verification Center

A potential race in drivers/scsi/megaraid.ko

e same spinlock adapter->lock as the second one. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential race in drivers/scsi/megaraid.ko

e same spinlock adapter->lock as the second one. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

A potential data race in drivers/net/ethernet/smsc/smc91c92_cs.ko

t; smc_reset ->media_check - timer function -> smc_set_xcvr->smc_set_xcvr In this case the struct 'smc' is modified from two threads simultaneously. Likely, the first thread should acquire the same spinlock smc->lock as the second thread in

A potential data race in drivers/net/ethernet/smsc/smc91c92_cs.ko

t; smc_reset ->media_check - timer function -> smc_set_xcvr->smc_set_xcvr In this case the struct 'smc' is modified from two threads simultaneously. Likely, the first thread should acquire the same spinlock smc->lock as the second thread in

Re: Potential race condition in drivers/ata/sata_mv.ko

ext can not be acquired there. The comment may be wrong and eh_context is acquired somewhere before, but I also can not find it. Do you know where is the initial acquire of eh_context in this case? 10.08.2016 06:51, Tejun Heo пишет: Hello, On Fri, Aug 05, 2016 at 03:43:30PM +0300, Pavel Andriano

Re: Potential race condition in drivers/ata/sata_mv.ko

ext can not be acquired there. The comment may be wrong and eh_context is acquired somewhere before, but I also can not find it. Do you know where is the initial acquire of eh_context in this case? 10.08.2016 06:51, Tejun Heo пишет: Hello, On Fri, Aug 05, 2016 at 03:43:30PM +0300, Pavel Andriano

A potential race in drivers/atm/eni.ko

. Thus, the interrupt may occur while initialization is not finishing and the new value of events will be lost. Moreover, the spinlock, which is used in the interrupt handler, is also initialized (line 1842) after request_irq (line 1813). -- Pavel Andrianov Linux Verification Center, ISPRAS web

A potential race in drivers/atm/eni.ko

. Thus, the interrupt may occur while initialization is not finishing and the new value of events will be lost. Moreover, the spinlock, which is used in the interrupt handler, is also initialized (line 1842) after request_irq (line 1813). -- Pavel Andrianov Linux Verification Center, ISPRAS web

Potential race condition in drivers/ata/sata_mv.ko

. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

Potential race condition in drivers/ata/sata_mv.ko

. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[PATCH] wl3501_cs: Add spinlock to wl3501_reset

Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov <andria...@ispras.ru> --- drivers/net/wireless/wl3501_cs.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c index 13fd734..1

[PATCH] wl3501_cs: Add spinlock to wl3501_reset

Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov --- drivers/net/wireless/wl3501_cs.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c index 13fd734..196f13c 100644 --- a/drivers

Re: A potential race

Hi! We have no hardware to test possible fixes. If somebody has it and agrees to check our patches, we will prepare them. Best regards, Pavel 01.07.2016 20:17, Hans Verkuil пишет: On 07/01/2016 05:02 PM, Pavel Andrianov wrote: 01.07.2016 19:53, Hans Verkuil пишет: On 07/01/2016 04:39 PM

Re: A potential race

Hi! We have no hardware to test possible fixes. If somebody has it and agrees to check our patches, we will prepare them. Best regards, Pavel 01.07.2016 20:17, Hans Verkuil пишет: On 07/01/2016 05:02 PM, Pavel Andrianov wrote: 01.07.2016 19:53, Hans Verkuil пишет: On 07/01/2016 04:39 PM

Re: A potential race

01.07.2016 19:53, Hans Verkuil пишет: On 07/01/2016 04:39 PM, Pavel Andrianov wrote: Hi! There is a potential race condition between usbvision_v4l2_close and usbvision_disconnect. The possible scenario may be the following. usbvision_disconnect starts execution, assigns usbvision

Re: A potential race

01.07.2016 19:53, Hans Verkuil пишет: On 07/01/2016 04:39 PM, Pavel Andrianov wrote: Hi! There is a potential race condition between usbvision_v4l2_close and usbvision_disconnect. The possible scenario may be the following. usbvision_disconnect starts execution, assigns usbvision

[PATCH] libertas: Add spinlock to avoid race condition

lbs_mac_event_disconnected may free priv->currenttxskb while lbs_hard_start_xmit accesses to it. The patch adds a spinlock for mutual exclusion. Tested on OLPC XO-1 (usb8388) and XO-1.5 (sd8686) with v4.7-rc3. Confirmed that lbs_mac_event_disconnected is being called on the station when hostapd

[PATCH] libertas: Add spinlock to avoid race condition

lbs_mac_event_disconnected may free priv->currenttxskb while lbs_hard_start_xmit accesses to it. The patch adds a spinlock for mutual exclusion. Tested on OLPC XO-1 (usb8388) and XO-1.5 (sd8686) with v4.7-rc3. Confirmed that lbs_mac_event_disconnected is being called on the station when hostapd

[ldv-project] [net] wcn36xx: potential race condition

a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[ldv-project] [net] wcn36xx: potential race condition

a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

Re: [ldv-project] [net] libertas: potential race condition

08.06.2016 02:51, James Cameron пишет: On Tue, Jun 07, 2016 at 09:39:55AM -0500, Dan Williams wrote: On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote: Hi! There is a potential race condition in drivers/net/wireless/libertas/libertas.ko. In the function lbs_hard_start_xmit(..), line

Re: [ldv-project] [net] libertas: potential race condition

08.06.2016 02:51, James Cameron пишет: On Tue, Jun 07, 2016 at 09:39:55AM -0500, Dan Williams wrote: On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote: Hi! There is a potential race condition in drivers/net/wireless/libertas/libertas.ko. In the function lbs_hard_start_xmit(..), line

[ldv-project] [net] rtl8188ee: a potential race condition

affect the rtl88e_dm_watchdog as in the previous case. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[ldv-project] [net] rtl8188ee: a potential race condition

affect the rtl88e_dm_watchdog as in the previous case. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

Re: [ldv-project] [net] libertas: potential race condition

07.06.2016 18:39, Dan Williams пишет: On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote: Hi! There is a potential race condition in drivers/net/wireless/libertas/libertas.ko. In the function lbs_hard_start_xmit(..), line 159, a socket buffer is written to priv->current_

Re: [ldv-project] [net] libertas: potential race condition

07.06.2016 18:39, Dan Williams пишет: On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote: Hi! There is a potential race condition in drivers/net/wireless/libertas/libertas.ko. In the function lbs_hard_start_xmit(..), line 159, a socket buffer is written to priv->current_

[ldv-project] [net] libertas: potential race condition

mit. Is it a real race or I have missed something? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[ldv-project] [net] libertas: potential race condition

mit. Is it a real race or I have missed something? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andria...@ispras.ru

[PATCH] scsi_megaraid: addition spin_lock in megaraid_abort()

to megaraid_abort(). Found by Linux Driver Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov --- drivers/scsi/megaraid.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 4d39a9f..7572d86 100644

[PATCH] scsi_megaraid: addition spin_lock in megaraid_abort()

to megaraid_abort(). Found by Linux Driver Verification project (linuxtesting.org) Signed-off-by: Pavel Andrianov andria...@ispras.ru --- drivers/scsi/megaraid.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 4d39a9f