Potential race condition in drivers/ata/sata_mv.ko

From: Pavel Andrianov
Date: Fri Aug 05 2016 - 08:44:46 EST

Next message: Vladimir Zapolskiy: "Re: [RFC][PATCH 0/4] SRAM based reboot reason driver for HiKey"
Previous message: Lee Jones: "Re: [PATCH 1/1] mfd: Use gpio-ich driver for 8-series and 9-series Intel PCH devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

In drivers/ata/sata_mv.ko function mv_set_main_irq_mask is called several times. Twice with a spinlock, twice from init function and once without any protection. The call without protection rises to several handlers from ata_port_operations. The structure with the ata_port_operations is included into a structure 'host' in mv_platform_probe and in mv_pci_init_one. At the end of these functions ata_host operations are activated together with interrupt handler. The conclusion is: interrupt handler may be executed in parallel with handlers from ata_port_operations, or, more formally, it may interrupt its execution.

In mv_set_main_irq_mask and in interrupt handler mv_interrupt the interrupt mask is modified, but, as I said, handlers from ata_port_operations do not acquire any lock. Thus, the interrupt mask may be set incorrectly if the are two conflicting modifications.

--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@xxxxxxxxx

Next message: Vladimir Zapolskiy: "Re: [RFC][PATCH 0/4] SRAM based reboot reason driver for HiKey"
Previous message: Lee Jones: "Re: [PATCH 1/1] mfd: Use gpio-ich driver for 8-series and 9-series Intel PCH devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]