From: Henry Zhang
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, tglx@linutronix.de, mingo@kernel.org, syzbot+c6e7bcea7ffb7ff46acb@syzkaller.appspotmail.com, Henry Zhang
Subject: [PATCH net] mISDN: Fix data race in timer handling
Date: Tue, 27 Jan 2026 02:19:27 -0500
Message-Id: <20260127071927.1520272-1-zeri@umich.edu>

KCSAN reported a data race where misdn_add_timer() writes dev->work while
mISDN_read() reads it without holding the spinlock:

  write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
   misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
   ...
  read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
   mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
   ...

dev->work is read locklessly in wait_event_interruptible() and
mISDN_poll(). In mISDN_read(), the result is rechecked under dev->lock.
In mISDN_poll(), a stale value may cause a spurious EPOLLIN or a missed
wake, but wake_up_interruptible() will correct this. In both cases, the
race is benign, so we can annotate these with READ_ONCE/WRITE_ONCE.

Reported-by: syzbot+c6e7bcea7ffb7ff46acb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c6e7bcea7ffb7ff46acb
Signed-off-by: Henry Zhang
--- drivers/isdn/mISDN/timerdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c index df98144a9539..f98f2e0cfb9f 100644 --- a/drivers/isdn/mISDN/timerdev.c +++ b/drivers/isdn/mISDN/timerdev.c
@@ -109,7 +109,7 @@ mISDN_read(struct file *filep, char __user *buf, size_t= count, loff_t *off) spin_unlock_irq(&dev->lock); if (filep->f_flags & O_NONBLOCK) return -EAGAIN; - wait_event_interruptible(dev->wait, (dev->work || + wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || !list_empty(list))); if (signal_pending(current)) return -ERESTARTSYS; @@ -143,11 +143,11 @@ mISDN_poll(struct file *filep, poll_table *wait) if (dev) { poll_wait(filep, &dev->wait, wait); mask =3D 0; - if (dev->work || !list_empty(&dev->expired)) + if (READ_ONCE(dev->work) || !list_empty(&dev->expired)) mask |=3D (EPOLLIN | EPOLLRDNORM); if (*debug & DEBUG_TIMER) printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, - dev->work, list_empty(&dev->expired)); + READ_ONCE(dev->work), list_empty(&dev->expired)); } return mask; } @@ -172,7 +172,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) struct mISDNtimer *timer; =20 if (!timeout) { - dev->work =3D 1; + WRITE_ONCE(dev->work, 1); wake_up_interruptible(&dev->wait); id =3D 0; } else { --=20 2.34.1
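
Review bot: In the mISDN_read() hunk (@@ -109,7), the READ_ONCE(dev->work) inside the wait_event_interruptible() condition has no comment saying why the lockless read is safe. The commit message states that the result is rechecked under dev->lock; a one-line comment above the wait saying so, and naming the WRITE_ONCE() in misdn_add_timer() as the paired store, would keep that reasoning next to the code.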
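
Review bot: In the mISDN_poll() hunk (@@ -143,11), dev->work is now loaded twice with READ_ONCE(), once for the mask test and once for the DEBUG_TIMER printk, so the value logged can differ from the value that decided EPOLLIN. Load it once into a local, for example "int work = READ_ONCE(dev->work);", and use that local in both the if condition and the printk argument.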
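
Review bot: In the misdn_add_timer() hunk (@@ -172,7), only the store of 1 is converted to WRITE_ONCE(), and the diffstat shows no other store to dev->work being touched. If dev->work is reset anywhere else while the lockless readers in mISDN_read() and mISDN_poll() can run, that store pairs with the same READ_ONCE() calls and should be annotated too, or the commit message should say why it does not need to be.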