rtc: add data_race() in rtc_dev_poll() · tjh.dev/kernel@b47bcab

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

rtc: add data_race() in rtc_dev_poll()

The unlocked read of rtc->irq_data in rtc_dev_poll() can race with
the write in rtc_handle_legacy_irq() and also, theoretically, with
the write in rtc_dev_read().

These races should be safe (see inline comment), thus annotate the
read with data_race() for KCSAN.

Reported-by: syzbot+2d4127acca35ed7b31ad@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=2d4127acca35ed7b31ad
Signed-off-by: Mauricio Faria de Oliveira <mfo@igalia.com>
Link: https://patch.msgid.link/20260317-irq_data-v1-1-a2741002be60@igalia.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

authored by

Mauricio Faria de Oliveira and committed by

Alexandre Belloni 1 month ago b47bcab6 5827fe59

+10 -1

1 changed file

expand all

drivers

rtc

dev.c

+10 -1

drivers/rtc/dev.c

··· 195 195 196 196 poll_wait(file, &rtc->irq_queue, wait); 197 197 198 - data = rtc->irq_data; 198 + /* 199 + * This read can race with the write in rtc_handle_legacy_irq(). 200 + * 201 + * - If this check misses a zero to non-zero transition the next check 202 + * will pick it up (rtc_handle_legacy_irq() wakes up rtc->irq_queue). 203 + * - Non-zero to non-zero transition misses do not change return value. 204 + * - And a non-zero to zero transition is unlikely to be missed, since 205 + * it occurs on rtc_dev_read(), during which polling is not expected. 206 + */ 207 + data = data_race(rtc->irq_data); 199 208 200 209 return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0; 201 210 }

Configure Feed

Configure Feed