| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8d7d8958-1a77-7c39-d008-fb6362e15d57@ispras.ru> Date: Fri, 5 Aug 2016 15:43:30 +0300 From: Pavel Andrianov <andrianov@...ras.ru> To: Tejun Heo <tj@...nel.org> Cc: linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org, Vaishali Thakkar <vaishali.thakkar@...cle.com> Subject: Potential race condition in drivers/ata/sata_mv.ko Hi! In drivers/ata/sata_mv.ko function mv_set_main_irq_mask is called several times. Twice with a spinlock, twice from init function and once without any protection. The call without protection rises to several handlers from ata_port_operations. The structure with the ata_port_operations is included into a structure 'host' in mv_platform_probe and in mv_pci_init_one. At the end of these functions ata_host operations are activated together with interrupt handler. The conclusion is: interrupt handler may be executed in parallel with handlers from ata_port_operations, or, more formally, it may interrupt its execution. In mv_set_main_irq_mask and in interrupt handler mv_interrupt the interrupt mask is modified, but, as I said, handlers from ata_port_operations do not acquire any lock. Thus, the interrupt mask may be set incorrectly if the are two conflicting modifications. -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andrianov@...ras.ru
Powered by blists - more mailing lists