From: Qiu-ji Chen <chenqiuji666@gmail.com>
An atomicity violation occurs during consecutive reads of the variable cdx_dev->driver_override. Imagine a scenario: while evaluating the statement if (cdx_dev->driver_override && strcmp(cdx_dev->driver_override, drv->name)), the value of cdx_dev->driver_override changes, leading to an inconsistency where the value of cdx_dev->driver_override is the old value when passing the non-null check, but the new value when evaluated by strcmp(). This causes an inconsistency.
The second error occurs during the validation of cdx_dev->driver_override. The logic of this error is similar to the first one, as the entire process is not protected by a lock, leading to an inconsistency in the values of cdx_dev->driver_override before and after the reads.
The third error occurs in driver_override_show() when executing the statement return sysfs_emit(buf, "%s\n", cdx_dev->driver_override);. Since the string changes byte by byte, it is possible for a partially modified cdx_dev->driver_override value to be used in this statement, leading to an incorrect return value from the program.
To fix these issues, for the first and second problems, since we need to protect the entire process of reading the variable cdx_dev->driver_override with a lock, we introduced a variable ret and an out block. For each branch in this section, we replaced the return statements with assignments to the variable ret, and then used a goto statement to directly execute the out block, making the code overall more concise.
For the third problem, we adopted a similar approach to the one used in the modalias_show() function, protecting the process of reading cdx_dev->driver_override with a lock, ensuring that the program runs correctly.
This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations.
Fixes: 2959ab247061 ("cdx: add the cdx bus driver")
Fixes: 48a6c7bced2a ("cdx: add device attributes")
Cc: stable@vger.kernel.org
Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
Acked-by: Nikhil Agarwal <nikhil.agarwal@amd.com>
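
Added example, not part of the original commit or the kernel source: a userspace C analog of the locking pattern the commit message describes (non-null check and strcmp() under one lock, a ret variable with a single out label, and a locked read on the show path). A pthread mutex stands in for the kernel lock; struct demo_dev and the demo_* functions are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical userspace stand-in for the device; not the kernel struct. */
struct demo_dev {
    pthread_mutex_t lock;
    char *driver_override;   /* NULL means no override is set */
};

/* Writer: swap the pointer under the lock so readers never see a half-update. */
static int demo_set_override(struct demo_dev *d, const char *name)
{
    char *fresh = name ? strdup(name) : NULL, *old;
    if (name && !fresh)
        return -1;
    pthread_mutex_lock(&d->lock);
    old = d->driver_override;
    d->driver_override = fresh;
    pthread_mutex_unlock(&d->lock);
    free(old);
    return 0;
}

/* Reader: the NULL check and strcmp() see the same value; one unlock at out. */
static int demo_match(struct demo_dev *d, const char *drv_name)
{
    int ret = 1;
    pthread_mutex_lock(&d->lock);
    if (d->driver_override && strcmp(d->driver_override, drv_name)) {
        ret = 0;
        goto out;
    }
    /* Further match checks would go here, each setting ret and jumping to out. */
out:
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* Show path: format the string while holding the lock, then release it. */
static int demo_show(struct demo_dev *d, char *buf, size_t len)
{
    int n;
    pthread_mutex_lock(&d->lock);
    n = snprintf(buf, len, "%s\n", d->driver_override ? d->driver_override : "(null)");
    pthread_mutex_unlock(&d->lock);
    return n;
}
```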