[CHECKER] Race condition in i2o

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [CHECKER] Race condition in i2o_core.c
@ 2004-04-02  1:46 Ken Ashcraft
  2004-04-02  2:08 ` Randy.Dunlap
  2004-04-02  9:19 ` Alan Cox
  0 siblings, 2 replies; 3+ messages in thread
From: Ken Ashcraft @ 2004-04-02  1:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: alan, mc

Looks like there is a race condition in i2o_core_reply involving the 
variable "evt_in".  Notice that the increment of evt_in is protected by the 
lock, but the reads are not protected.  It looks like "events" should also 
be protected by the lock.  If this is not a race condition, the increment 
should not be inside the critical section.

Feedback is appreciated.

thanks,
Ken Ashcraft
-----------------------------------
/home/kash/interface/linux-2.6.3/drivers/message/i2o/i2o_core.c:264:i2o_core_reply: 
ERROR:RACE: 264:264:Possible race condition on variable "evt_in", No locks 
held on read on line 264, Locks {&i2o_evt_lock } held on write on line 268 
[COUNTER=i2o_handler.reply] [fit=1] [fit_fn=1] [fn_ex=0] [fn_counter=1] 
[ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -4.35889894354067]

                 return;
         }

         if(m->function == I2O_CMD_UTIL_EVT_REGISTER)
         {

Error --->
                 memcpy(events[evt_in].msg, msg, (msg[0]>>16)<<2);
                 events[evt_in].iop = c;

                 spin_lock(&i2o_evt_lock);
                 MODINC(evt_in, I2O_EVT_Q_LEN);
                 if(evt_q_len == I2O_EVT_Q_LEN)
                         MODINC(evt_out, I2O_EVT_Q_LEN);
                 else
                         evt_q_len++;
                 spin_unlock(&i2o_evt_lock);

                 up(&evt_sem);
                 wake_up_interruptible(&evt_wait);
                 return;



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [CHECKER] Race condition in i2o_core.c
  2004-04-02  1:46 [CHECKER] Race condition in i2o_core.c Ken Ashcraft
@ 2004-04-02  2:08 ` Randy.Dunlap
  2004-04-02  9:19 ` Alan Cox
  1 sibling, 0 replies; 3+ messages in thread
From: Randy.Dunlap @ 2004-04-02  2:08 UTC (permalink / raw)
  To: Ken Ashcraft; +Cc: linux-kernel, alan, mc

On Thu, 01 Apr 2004 17:46:00 -0800 Ken Ashcraft wrote:

| Looks like there is a race condition in i2o_core_reply involving the 
| variable "evt_in".  Notice that the increment of evt_in is protected by the 
| lock, but the reads are not protected.  It looks like "events" should also 
| be protected by the lock.  If this is not a race condition, the increment 
| should not be inside the critical section.
| 
| Feedback is appreciated.
| 
| thanks,
| Ken Ashcraft
| -----------------------------------
| /home/kash/interface/linux-2.6.3/drivers/message/i2o/i2o_core.c:264:i2o_core_reply: 
| ERROR:RACE: 264:264:Possible race condition on variable "evt_in", No locks 
| held on read on line 264, Locks {&i2o_evt_lock } held on write on line 268 
| [COUNTER=i2o_handler.reply] [fit=1] [fit_fn=1] [fn_ex=0] [fn_counter=1] 
| [ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -4.35889894354067]
| 
|                  return;
|          }
| 
|          if(m->function == I2O_CMD_UTIL_EVT_REGISTER)
|          {
| 
| Error --->
|                  memcpy(events[evt_in].msg, msg, (msg[0]>>16)<<2);

static int evt_in;
Access to <int> is (considered to be) atomic.
However, the MODINC() macro is nowhere close to atomic.
Does that help?

|                  events[evt_in].iop = c;
| 
|                  spin_lock(&i2o_evt_lock);
|                  MODINC(evt_in, I2O_EVT_Q_LEN);
|                  if(evt_q_len == I2O_EVT_Q_LEN)
|                          MODINC(evt_out, I2O_EVT_Q_LEN);
|                  else
|                          evt_q_len++;
|                  spin_unlock(&i2o_evt_lock);
| 
|                  up(&evt_sem);
|                  wake_up_interruptible(&evt_wait);
|                  return;


--
~Randy
(Again.  Sometimes I think ln -s /usr/src/linux/.config .signature)

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [CHECKER] Race condition in i2o_core.c
  2004-04-02  1:46 [CHECKER] Race condition in i2o_core.c Ken Ashcraft
  2004-04-02  2:08 ` Randy.Dunlap
@ 2004-04-02  9:19 ` Alan Cox
  1 sibling, 0 replies; 3+ messages in thread
From: Alan Cox @ 2004-04-02  9:19 UTC (permalink / raw)
  To: Ken Ashcraft; +Cc: linux-kernel, alan, mc

On Thu, Apr 01, 2004 at 05:46:00PM -0800, Ken Ashcraft wrote:
> Looks like there is a race condition in i2o_core_reply involving the 
> variable "evt_in".  Notice that the increment of evt_in is protected by the 
> lock, but the reads are not protected.  It looks like "events" should also 
> be protected by the lock.  If this is not a race condition, the increment 
> should not be inside the critical section.
> 
> Feedback is appreciated.

Looks a fair catch to me.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2004-04-02  9:19 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-02  1:46 [CHECKER] Race condition in i2o_core.c Ken Ashcraft
2004-04-02  2:08 ` Randy.Dunlap
2004-04-02  9:19 ` Alan Cox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox