Possible race in ibmasm.ko

From: Anton Volkov
Date: Fri Aug 18 2017 - 10:16:06 EST

Next message: Edward Cree: "Re: [PATCH v3 net-next] bpf/verifier: track liveness for pruning"
Previous message: Ben Hutchings: "[PATCH 3.2 33/59] [media] dw2102: Don't use dynamic static allocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

While searching for races in the Linux kernel I've come across
"drivers/misc/ibmasm/ibmasm.ko" module. Here is a question that I came up with while analyzing results. Lines are given using the info from Linux v4.12.

Consider the following case:

Thread 1: Thread 2:
ibmasm_interrupt_handler
->ibmasm_receive_message
->ibmasm_receive_event event_file_open
buffer = sp->event_buffer ->ibmasm_event_reader_register
buffer->next_serial_number++ sp->event_buffer->next_serial_number
(event.c: line 73) (event.c: line 133)

There is a possibility of event serial_number clash if in ibmasm_event_reader_register value of next_serial_number field is read before the assignment happens. This is possible only if the readers can dynamically subscribe to an event. Is this case feasible from your point of view?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@xxxxxxxxx

Next message: Edward Cree: "Re: [PATCH v3 net-next] bpf/verifier: track liveness for pruning"
Previous message: Ben Hutchings: "[PATCH 3.2 33/59] [media] dw2102: Don't use dynamic static allocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]