On Wed, Mar 18, 2020 at 09:43:03PM +0100, Thomas Gleixner wrote: > From: Logan Gunthorpe <logang@xxxxxxxxxxxx> > > The call to init_completion() in mrpc_queue_cmd() can theoretically > race with the call to poll_wait() in switchtec_dev_poll(). > > poll() write() > switchtec_dev_poll() switchtec_dev_write() > poll_wait(&s->comp.wait); mrpc_queue_cmd() > init_completion(&s->comp) > init_waitqueue_head(&s->comp.wait) > > To my knowledge, no one has hit this bug. > > Fix this by using reinit_completion() instead of init_completion() in > mrpc_queue_cmd(). > > Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver") > Reported-by: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> > Signed-off-by: Logan Gunthorpe <logang@xxxxxxxxxxxx> > Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Link: https://lkml.kernel.org/r/20200313183608.2646-1-logang@xxxxxxxxxxxx Acked-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx> Not because I understand and have reviewed this, but because I trust you to do the right thing and it belongs with the rest of the series. > --- > drivers/pci/switch/switchtec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c > index a823b4b8ef8a..81dc7ac01381 100644 > --- a/drivers/pci/switch/switchtec.c > +++ b/drivers/pci/switch/switchtec.c > @@ -175,7 +175,7 @@ static int mrpc_queue_cmd(struct switchtec_user *stuser) > kref_get(&stuser->kref); > stuser->read_len = sizeof(stuser->data); > stuser_set_state(stuser, MRPC_QUEUED); > - init_completion(&stuser->comp); > + reinit_completion(&stuser->comp); > list_add_tail(&stuser->list, &stdev->mrpc_queue); > > mrpc_cmd_submit(stdev); > -- > 2.20.1 > >
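Review bot: In the mrpc_queue_cmd() hunk, the switch to reinit_completion(&stuser->comp) is only correct if stuser->comp has already been set up once with init_completion() before the first command is queued, and neither the hunk nor the commit message shows where that happens. reinit_completion() resets only the done count and leaves the wait queue head untouched, which is what closes the race with poll_wait(&s->comp.wait), but it also means a completion that was never initialised would stay that way. Please name in the commit message the place where the one-time init_completion() is done for each switchtec_user, so a reader of this one-line change can confirm the first write() after open() does not operate on an uninitialised completion. It would also help to state what the race in the diagram leads to when it is hit, since the message currently shows only the interleaving and not the effect of init_waitqueue_head() running after poll_wait() has registered on the same wait queue.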