RE: [PATCH] cdx: Fix atomicity violation in cdx_bus_match() and cdx_probe()

> From: Qiu-ji Chen <chenqiuji666@xxxxxxxxx>
> 
> An atomicity violation occurs during consecutive reads of the variable
> cdx_dev->driver_override. Imagine a scenario: while evaluating the statement
> if (cdx_dev->driver_override && strcmp(cdx_dev->driver_override, drv->name)),
> the value of cdx_dev->driver_override changes, leading to an inconsistency
> where the value of cdx_dev->driver_override is the old value when passing the
> non-null check, but the new value when evaluated by strcmp(). This causes an
> inconsistency.
> 
> The second error occurs during the validation of cdx_dev->driver_override.
> The logic of this error is similar to the first one, as the entire process is not protected
> by a lock, leading to an inconsistency in the values of cdx_dev->driver_override
> before and after the reads.
> 
> The third error occurs in driver_override_show() when executing the statement
> return sysfs_emit(buf, "%s\n", cdx_dev->driver_override);.
> Since the string changes byte by byte, it is possible for a partially modified
> cdx_dev->driver_override value to be used in this statement, leading to an
> incorrect return value from the program.
> 
> To fix these issues, for the first and second problems, since we need to protect the
> entire process of reading the variable cdx_dev->driver_override with a lock, we
> introduced a variable ret and an out block. For each branch in this section, we
> replaced the return statements with assignments to the variable ret, and then used a
> goto statement to directly execute the out block, making the code overall more
> concise.
> 
> For the third problem, we adopted a similar approach to the one used in the
> modalias_show() function, protecting the process of reading
> cdx_dev->driver_override with a lock, ensuring that the program runs correctly.
> 
> This possible bug is found by an experimental static analysis tool developed by our
> team. This tool analyzes the locking APIs to extract function pairs that can be
> concurrently executed, and then analyzes the instructions in the paired functions to
> identify possible concurrency bugs including data races and atomicity violations.
> 
> Fixes: 2959ab247061 ("cdx: add the cdx bus driver")
> Fixes: 48a6c7bced2a ("cdx: add device attributes")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Qiu-ji Chen <chenqiuji666@xxxxxxxxx>
Acked-by: Nikhil Agarwal <nikhil.agarwal@xxxxxxx>
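The check-then-use race described in the commit message, and the shape of the fix (one critical section around both reads, with the ret/out exit path, and a show() that copies the string out while the lock is held), as an added user-space illustration that is not part of the patch or of the cdx driver. All names here (sim_dev, sim_lock, override_store, match_unlocked, match_locked, override_show_locked, and the match_res values) are hypothetical stand-ins; the C11 atomic_flag spinlock stands in for the kernel lock the patch takes, and the `interleave` hook deterministically plays the concurrent sysfs writer that would otherwise need a second thread.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal C11 spinlock standing in for the lock taken around the reads. */
typedef struct { atomic_flag held; } sim_lock_t;
static void sim_lock(sim_lock_t *l)
{
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        ;
}
static void sim_unlock(sim_lock_t *l)
{
    atomic_flag_clear_explicit(&l->held, memory_order_release);
}

/* Hypothetical stand-in for the two fields the patch is about. */
struct sim_dev {
    sim_lock_t lock;
    char *driver_override;      /* NULL, or a heap string written via sysfs */
};
static void sim_dev_init(struct sim_dev *dev)
{
    atomic_flag_clear(&dev->lock.held);
    dev->driver_override = NULL;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Writer: swap the pointer under the lock; free the old copy only afterwards. */
void override_store(struct sim_dev *dev, const char *val)
{
    char *repl = val ? dup_str(val) : NULL, *old;
    sim_lock(&dev->lock);
    old = dev->driver_override;
    dev->driver_override = repl;
    sim_unlock(&dev->lock);
    free(old);                  /* a reader still holding the old pointer now dangles */
}

enum match_res { MATCH_CONTINUE = 0, MATCH_REJECT = 1, MATCH_CRASHED = -1 };

/* BEFORE (racy): the NULL check and strcmp() read driver_override separately,
 * with no lock held.  `interleave` models a sysfs write landing in between. */
enum match_res match_unlocked(struct sim_dev *dev, const char *drv_name,
                              void (*interleave)(struct sim_dev *))
{
    if (dev->driver_override) {
        if (interleave)
            interleave(dev);
        if (!dev->driver_override)      /* second read sees a different value */
            return MATCH_CRASHED;       /* the real code would dereference NULL */
        return strcmp(dev->driver_override, drv_name) ? MATCH_REJECT : MATCH_CONTINUE;
    }
    return MATCH_CONTINUE;
}

/* AFTER: one critical section covers both reads; all exits go through `out`. */
enum match_res match_locked(struct sim_dev *dev, const char *drv_name)
{
    enum match_res ret;

    sim_lock(&dev->lock);
    if (dev->driver_override && strcmp(dev->driver_override, drv_name)) {
        ret = MATCH_REJECT;
        goto out;
    }
    ret = MATCH_CONTINUE;
out:
    sim_unlock(&dev->lock);
    return ret;
}

/* show(): format the string into the caller's buffer while the lock is held,
 * so a concurrent store cannot expose a half-written value. */
int override_show_locked(struct sim_dev *dev, char *buf, size_t len)
{
    int n;
    sim_lock(&dev->lock);
    n = snprintf(buf, len, "%s\n", dev->driver_override ? dev->driver_override : "");
    sim_unlock(&dev->lock);
    return n;
}

/* Test hook: the concurrent writer clearing the override. */
void clear_override(struct sim_dev *dev) { override_store(dev, NULL); }

/* Constructed scenario: override "foo" set, driver "bar" probes, write clears. */
enum match_res scenario_unlocked(void)
{
    struct sim_dev dev; sim_dev_init(&dev);
    override_store(&dev, "foo");
    enum match_res r = match_unlocked(&dev, "bar", clear_override);
    override_store(&dev, NULL);
    return r;                   /* MATCH_CRASHED: check saw "foo", strcmp saw NULL */
}
/* With the lock, the write lands entirely before or entirely after the check. */
enum match_res scenario_locked(bool write_lands_first)
{
    struct sim_dev dev; sim_dev_init(&dev);
    override_store(&dev, "foo");
    if (write_lands_first) clear_override(&dev);
    enum match_res r = match_locked(&dev, "bar");
    override_store(&dev, NULL);
    return r;                   /* MATCH_CONTINUE or MATCH_REJECT, never CRASHED */
}
bool show_example_ok(void)
{
    struct sim_dev dev; char buf[16]; sim_dev_init(&dev);
    override_store(&dev, "foo");
    int n = override_show_locked(&dev, buf, sizeof buf);
    override_store(&dev, NULL);
    return n == 4 && strcmp(buf, "foo\n") == 0;
}

int main(void)
{
    printf("unlocked: %d  locked(write first): %d  locked(write after): %d  show ok: %d\n",
           scenario_unlocked(), scenario_locked(true), scenario_locked(false),
           show_example_ok());
    return 0;
}
```

The unlocked path returns MATCH_CRASHED because the NULL check passed on the old pointer while strcmp() would have run on the replaced one; with the lock held across both reads there are only two possible outcomes, both consistent with a single value of driver_override.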