Discussion:
A potential race in drivers/staging/speakup/speakup.ko
Samuel Thibault
2016-09-05 09:43:17 UTC
Hello,
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global pointers buff_in and buff_out are performed
without any locks. Thus, a simultaneous write (via synth_buffer_clear or
synth_buffer_add) to the pointers may lead to inconsistent data.
Should a local lock be used here?
AIUI, all callers of these functions have speakup_info.spinlock held.

Samuel
Samuel Thibault
2016-09-05 09:56:38 UTC
Post by Samuel Thibault
There is a potential race in drivers/staging/speakup/speakup.ko.
All operations with global pointers buff_in and buff_out are performed
without any locks. Thus, a simultaneous write (via synth_buffer_clear or
synth_buffer_add) to the pointers may lead to inconsistent data.
Should a local lock be used here?
AIUI, all callers of these functions have speakup_info.spinlock held.
Regard a call stack
-> synth_direct_store
-> synth_printf
-> synth_buffer_add
The functions have not held speakup_info.spinlock.
Apparently there is currently no caller of synth_direct_store and
synth_store. But taking the lock here would be needed indeed.

Samuel
Samuel Thibault
2016-09-05 10:38:01 UTC
synth_direct_store may be called via device_attributes interface.
Ah, right.
In which function should the lock be added?
That'd be synth_direct_store then, around the while loop.

Samuel
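
The locking arrangement discussed in this thread, as an added userspace model in C (not the speakup driver's code and not written by anyone in the thread): the buffer helper relies on its caller holding the lock, the store path takes the lock around its while loop, and the helper counts any call made without the lock, similar in spirit to the kernel's lockdep_assert_held(). All `model_*` names, the buffer size, and the `atomic_flag` standing in for speakup_info.spinlock are assumptions.

```c
#include <stdatomic.h>
#include <stddef.h>

#define SYNTH_BUF_SIZE 64	/* constructed size, not the driver's */

static atomic_flag buf_lock = ATOMIC_FLAG_INIT;	/* stands in for speakup_info.spinlock */
static int lock_held;		/* owner flag; sufficient for this single-threaded model */
static int unlocked_calls;	/* helper calls made without the lock */

static char synth_buffer[SYNTH_BUF_SIZE];
static char *buff_in = synth_buffer;	/* next write position */
static char *buff_out = synth_buffer;	/* next read position */

static void model_lock(void)
{
	while (atomic_flag_test_and_set_explicit(&buf_lock, memory_order_acquire))
		;	/* spin until the flag is free */
	lock_held = 1;
}

static void model_unlock(void)
{
	lock_held = 0;
	atomic_flag_clear_explicit(&buf_lock, memory_order_release);
}

/* Helper does no locking of its own; record any caller that forgot the lock. */
static void model_buffer_add(char ch)
{
	if (!lock_held)
		unlocked_calls++;
	*buff_in++ = ch;
	if (buff_in == synth_buffer + SYNTH_BUF_SIZE)
		buff_in = synth_buffer;	/* wrap around */
}

/* Store path: the lock covers the whole while loop, not each byte. */
static size_t model_direct_store(const char *buf, size_t count)
{
	size_t left = count;

	model_lock();
	while (left--)
		model_buffer_add(*buf++);
	model_unlock();
	return count;
}

/* Bytes queued between buff_out and buff_in. */
static size_t model_buffer_used(void)
{
	return (size_t)(buff_in - buff_out + SYNTH_BUF_SIZE) % SYNTH_BUF_SIZE;
}
```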