Message-ID: <20250510150945.18387-1-aha310510@gmail.com>
Date: Sun, 11 May 2025 00:09:44 +0900
From: Jeongjun Park <aha310510@...il.com>
To: alexandre.belloni@...tlin.com
Cc: gregkh@...uxfoundation.org,
	akpm@...ux-foundation.org,
	linux-rtc@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	stable@...r.kernel.org,
	Jeongjun Park <aha310510@...il.com>
Subject: [PATCH] rtc: fix data race in rtc_dev_poll()

I found a data-race in my fuzzer:

==================================================================
BUG: KCSAN: data-race in rtc_dev_poll / rtc_handle_legacy_irq

write to 0xffff88800b307380 of 8 bytes by interrupt on cpu 1:
 rtc_handle_legacy_irq+0x58/0xb0 drivers/rtc/interface.c:624
 rtc_pie_update_irq+0x75/0x90 drivers/rtc/interface.c:672
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x2c4/0x5d0 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x214/0x4a0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
....

read to 0xffff88800b307380 of 8 bytes by task 11566 on cpu 0:
 rtc_dev_poll+0x6c/0xa0 drivers/rtc/dev.c:198
 vfs_poll include/linux/poll.h:82 [inline]
 select_poll_one fs/select.c:480 [inline]
 do_select+0x95f/0x1030 fs/select.c:536
 core_sys_select+0x284/0x6d0 fs/select.c:677
 do_pselect.constprop.0+0x118/0x150 fs/select.c:759
....

value changed: 0x00000000000801c0 -> 0x00000000000802c0
==================================================================

rtc_dev_poll() is reading rtc->irq_data without a spinlock for some
unknown reason. This causes a data-race, so we need to add a spinlock
to fix it.

Cc: <stable@...r.kernel.org>
Fixes: e824290e5dcf ("[PATCH] RTC subsystem: dev interface")
Signed-off-by: Jeongjun Park <aha310510@...il.com>
---
 drivers/rtc/dev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c
index 0eeae5bcc3aa..a6570a5a938a 100644
--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -195,7 +195,9 @@ static __poll_t rtc_dev_poll(struct file *file, poll_table *wait)
 
 	poll_wait(file, &rtc->irq_queue, wait);
 
+	spin_lock_irq(&rtc->irq_lock);
 	data = rtc->irq_data;
+	spin_unlock_irq(&rtc->irq_lock);
 
 	return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0;
 }
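Review bot: the lock added around `data = rtc->irq_data;` protects only a single 8-byte load, and `data` is compared with zero after `spin_unlock_irq()`, so the poll result can be just as stale as before. The commit message should state what incorrect behaviour the unlocked read can cause rather than "for some unknown reason". If the goal is only to mark the access for KCSAN, `data = READ_ONCE(rtc->irq_data);` would avoid disabling interrupts on every poll call, with the write in rtc_handle_legacy_irq() annotated to match if it is not already. If the lock is kept, a one-line comment above it saying which writer it serialises against would help later readers.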
--
