From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752617AbbG2Lxd (ORCPT ); Wed, 29 Jul 2015 07:53:33 -0400 Received: from mail-wi0-f182.google.com ([209.85.212.182]:35752 "EHLO mail-wi0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751328AbbG2Lxa (ORCPT ); Wed, 29 Jul 2015 07:53:30 -0400 Date: Wed, 29 Jul 2015 13:53:26 +0200 From: Pali =?utf-8?B?Um9ow6Fy?= To: Andrey Konovalov Cc: Dmitry Torokhov , Hans de Goede , Mathias Gottschlag , Shailendra Verma , Rusty Russell , "Luis R. Rodriguez" , Thomas Hellstrom , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Vyukov , Kostya Serebryany , Alexander Potapenko , ktsan@googlegroups.com Subject: Re: Potential data race in psmouse_interrupt Message-ID: <20150729115326.GE13518@pali> References:

<20150723130844.GA29125@pali> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.23.1 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! This log looks like there can be race condition in initialization code, but not in receiving ALPS packets after initialization... On Thursday 23 July 2015 15:31:46 Andrey Konovalov wrote: > Hi Pali, > > There are a few reports in psmouse-base.c/alps.c code as well. > Here is a couple of them that are printed one right after another. > The second one tells about a race on ps2dev->cmdcnt. > > ================================================================== > ThreadSanitizer: data-race in ps2_handle_ack > > Write of size 8 by thread T6 (K6): > [] ps2_handle_ack+0xf3/0x180 drivers/input/serio/libps2.c:322 > [] psmouse_interrupt+0x207/0x690 > drivers/input/mouse/psmouse-base.c:317 > [] serio_interrupt+0x66/0xb0 drivers/input/serio/serio.c:1008 > [] i8042_interrupt+0x240/0x4d0 > drivers/input/serio/i8042.c:541 > [] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/handle.c:143 > [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192 > [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608 > [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_desc > include/linux/irqdesc.h:146 > [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81 > [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601 > [< inlined >] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350 > [] irq_exit+0x98/0xa0 kernel/softirq.c:391 > [< inlined >] smp_apic_timer_interrupt+0x63/0x80 exiting_irq > ./arch/x86/include/asm/apic.h:655 > [] smp_apic_timer_interrupt+0x63/0x80 > arch/x86/kernel/apic/apic.c:915 > [] apic_timer_interrupt+0x6b/0x70 > arch/x86/entry/entry_64.S:782 > [] _do_fork+0x133/0x500 kernel/fork.c:1719 > [] kernel_thread+0x3c/0x60 kernel/fork.c:1772 > [] __call_usermodehelper+0x5c/0x90 kernel/kmod.c:317 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > DBG: cpu = ffff88053fd9fe68 > DBG: cpu id = 3 > > Previous read of size 8 by thread T397 (K394): > [] ps2_sendbyte+0xe2/0x210 drivers/input/serio/libps2.c:45 > [] __ps2_command+0x159/0x660 drivers/input/serio/libps2.c:214 > [] ps2_command+0x35/0x60 drivers/input/serio/libps2.c:260 > [] alps_rpt_cmd+0x42/0xe0 > drivers/input/mouse/alps.c:1665 (discriminator 1) > [] alps_identify+0x36/0xc80 drivers/input/mouse/alps.c:2690 > [] alps_detect+0x28/0x150 drivers/input/mouse/alps.c:2960 > [< inlined >] psmouse_extensions+0x25e/0x4e0 psmouse_do_detect > drivers/input/mouse/psmouse-base.c:752 > [] psmouse_extensions+0x25e/0x4e0 > drivers/input/mouse/psmouse-base.c:870 > [] psmouse_switch_protocol+0x2ad/0x330 > drivers/input/mouse/psmouse-base.c:1467 > [] psmouse_connect+0x2e6/0x450 > drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > [< inlined >] serio_driver_probe+0x57/0x80 > serio_connect_driver drivers/input/serio/serio.c:65 > [] serio_driver_probe+0x57/0x80 > drivers/input/serio/serio.c:796 > [< inlined >] driver_probe_device+0x1da/0x460 really_probe > drivers/base/dd.c:308 > [] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414 > [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612 > [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314 > [] driver_attach+0x33/0x50 drivers/base/dd.c:631 > [< inlined >] serio_handle_event+0x2d3/0x3b0 > serio_attach_driver drivers/input/serio/serio.c:826 > [] serio_handle_event+0x2d3/0x3b0 > drivers/input/serio/serio.c:245 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > DBG: cpu = 0 > > DBG: addr: ffff88019a923a58 > DBG: first offset: 0, second offset: 0 > DBG: T6 clock: {T6: 2264295, T397: 174118} > DBG: T397 clock: {T397: 174122} > ================================================================== > ================================================================== > ThreadSanitizer: data-race in __ps2_command > > Read of size 1 by thread T397 (K394): > [] __ps2_command+0x270/0x660 > drivers/input/serio/libps2.c:230 (discriminator 21) > [] ps2_command+0x35/0x60 drivers/input/serio/libps2.c:260 > [] alps_rpt_cmd+0xae/0xe0 drivers/input/mouse/alps.c:1674 > [] alps_identify+0x36/0xc80 drivers/input/mouse/alps.c:2690 > [] alps_detect+0x28/0x150 drivers/input/mouse/alps.c:2960 > [< inlined >] psmouse_extensions+0x25e/0x4e0 psmouse_do_detect > drivers/input/mouse/psmouse-base.c:752 > [] psmouse_extensions+0x25e/0x4e0 > drivers/input/mouse/psmouse-base.c:870 > [] psmouse_switch_protocol+0x2ad/0x330 > drivers/input/mouse/psmouse-base.c:1467 > [] psmouse_connect+0x2e6/0x450 > drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > [< inlined >] serio_driver_probe+0x57/0x80 > serio_connect_driver drivers/input/serio/serio.c:65 > [] serio_driver_probe+0x57/0x80 > drivers/input/serio/serio.c:796 > [< inlined >] driver_probe_device+0x1da/0x460 really_probe > drivers/base/dd.c:308 > [] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414 > [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612 > [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314 > [] driver_attach+0x33/0x50 drivers/base/dd.c:631 > [< inlined >] serio_handle_event+0x2d3/0x3b0 > serio_attach_driver drivers/input/serio/serio.c:826 > [] serio_handle_event+0x2d3/0x3b0 > drivers/input/serio/serio.c:245 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > DBG: cpu = ffff88053fc9fe68 > DBG: cpu id = 1 > > Previous write of size 1 by thread T6 (K6): > [] ps2_handle_response+0x46/0x130 > drivers/input/serio/libps2.c:346 > [] psmouse_interrupt+0x4d4/0x690 > drivers/input/mouse/psmouse-base.c:321 > [] serio_interrupt+0x66/0xb0 drivers/input/serio/serio.c:1008 > [] i8042_interrupt+0x240/0x4d0 > drivers/input/serio/i8042.c:541 > [] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/handle.c:143 > [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192 > [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608 > [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_desc > include/linux/irqdesc.h:146 > [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81 > [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601 > [] apic_timer_interrupt+0x6b/0x70 > arch/x86/entry/entry_64.S:782 > [< inlined >] kvm_clock_get_cycles+0x3e/0x50 kvm_clock_read > arch/x86/kernel/kvmclock.c:85 > [] kvm_clock_get_cycles+0x3e/0x50 > arch/x86/kernel/kvmclock.c:92 > [< inlined >] ktime_get_with_offset+0x99/0x180 > timekeeping_get_delta kernel/time/timekeeping.c:210 > [< inlined >] ktime_get_with_offset+0x99/0x180 > timekeeping_get_ns kernel/time/timekeeping.c:306 > [] ktime_get_with_offset+0x99/0x180 > kernel/time/timekeeping.c:720 > [< inlined >] copy_process.part.44+0x773/0x2c40 > ktime_get_boottime include/linux/timekeeping.h:183 > [< inlined >] copy_process.part.44+0x773/0x2c40 > ktime_get_boot_ns include/linux/timekeeping.h:214 > [] copy_process.part.44+0x773/0x2c40 kernel/fork.c:1363 > [< inlined >] _do_fork+0x103/0x500 copy_process kernel/fork.c:1261 > [] _do_fork+0x103/0x500 kernel/fork.c:1709 > [] kernel_thread+0x3c/0x60 kernel/fork.c:1772 > [] __call_usermodehelper+0x5c/0x90 kernel/kmod.c:317 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > DBG: cpu = 0 > > DBG: addr: ffff88019a923a68 > DBG: first offset: 0, second offset: 0 > DBG: T397 clock: {T397: 175738, T6: 2266233} > DBG: T6 clock: {T6: 2266336} > ================================================================== > > On Thu, Jul 23, 2015 at 3:08 PM, Pali Rohár wrote: > > On Wednesday 22 July 2015 15:14:42 Andrey Konovalov wrote: > >> Hi! > >> > >> We are working on a dynamic data race detector for Linux kernel called > >> KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wiki). > >> > >> Here is a report we got while running ktsan (upstream revision > >> 21bdb584af8cca7c6df3c44cba268be050a234eb). > >> > >> ================================================================== > >> ThreadSanitizer: data-race in psmouse_interrupt > >> > >> Write of size 1 by thread T1 (K1): > >> [] psmouse_interrupt+0xd2/0x690 > >> drivers/input/mouse/psmouse-base.c:337 > >> [] serio_interrupt+0x66/0xb0 drivers/input/serio/serio.c:1008 > >> [] i8042_interrupt+0x240/0x4d0 > >> drivers/input/serio/i8042.c:541 > >> [] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/handle.c:143 > >> [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192 > >> [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608 > >> [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_desc > >> include/linux/irqdesc.h:146 > >> [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81 > >> [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > >> [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601 > >> [< inlined >] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350 > >> [] irq_exit+0x98/0xa0 kernel/softirq.c:391 > >> [< inlined >] smp_apic_timer_interrupt+0x63/0x80 exiting_irq > >> ./arch/x86/include/asm/apic.h:655 > >> [] smp_apic_timer_interrupt+0x63/0x80 > >> arch/x86/kernel/apic/apic.c:915 > >> [] apic_timer_interrupt+0x6b/0x70 > >> arch/x86/entry/entry_64.S:782 > >> [] kvasprintf+0x5d/0x90 lib/kasprintf.c:24 > >> [] kasprintf+0x4e/0x70 lib/kasprintf.c:40 > >> [< inlined >] module_add_driver+0x8f/0x180 make_driver_name > >> drivers/base/module.c:18 > >> [] module_add_driver+0x8f/0x180 drivers/base/module.c:63 > >> [] bus_add_driver+0x204/0x340 drivers/base/bus.c:713 > >> [] driver_register+0xdb/0x190 drivers/base/driver.c:168 > >> [] __hid_register_driver+0xb6/0x100 > >> drivers/hid/hid-core.c:2677 > >> [] apple_driver_init+0x24/0x31 drivers/hid/hid-apple.c:574 > >> [] do_one_initcall+0xb9/0x220 init/main.c:798 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 > >> do_initcall_level init/main.c:863 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 do_initcalls > >> init/main.c:871 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 do_basic_setup > >> init/main.c:890 > >> [] kernel_init_freeable+0x2ca/0x397 init/main.c:1013 > >> [] kernel_init+0x16/0x140 init/main.c:941 > >> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > >> DBG: cpu = ffff88053fd9fe68 > >> DBG: cpu id = 3 > >> > >> Previous read of size 1 by thread T509 (K506): > >> [< inlined >] cypress_send_ext_cmd+0x193/0x500 > >> cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123 > >> [] cypress_send_ext_cmd+0x193/0x500 > >> drivers/input/mouse/cypress_ps2.c:192 > >> [] cypress_detect+0x2a/0xb0 > >> drivers/input/mouse/cypress_ps2.c:208 > >> [] psmouse_extensions+0x1f6/0x4e0 > >> drivers/input/mouse/psmouse-base.c:849 (discriminator 1) > >> [] psmouse_switch_protocol+0x2ad/0x330 > >> drivers/input/mouse/psmouse-base.c:1467 > >> [] psmouse_connect+0x2e6/0x450 > >> drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > >> [< inlined >] serio_driver_probe+0x57/0x80 > >> serio_connect_driver drivers/input/serio/serio.c:65 > >> [] serio_driver_probe+0x57/0x80 > >> drivers/input/serio/serio.c:796 > >> [< inlined >] driver_probe_device+0x1da/0x460 really_probe > >> drivers/base/dd.c:308 > >> [] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414 > >> [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612 > >> [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314 > >> [] driver_attach+0x33/0x50 drivers/base/dd.c:631 > >> [< inlined >] serio_handle_event+0x2d3/0x3b0 > >> serio_attach_driver drivers/input/serio/serio.c:826 > >> [] serio_handle_event+0x2d3/0x3b0 > >> drivers/input/serio/serio.c:245 > >> [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036 > >> [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170 > >> [] kthread+0x15c/0x180 kernel/kthread.c:207 > >> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526 > >> DBG: cpu = 0 > >> > >> DBG: addr: ffff88019d703909 > >> DBG: first offset: 1, second offset: 1 > >> DBG: T1 clock: {T1: 17075020, T509: 142163} > >> DBG: T509 clock: {T509: 142167} > >> ================================================================== > >> > >> It seems that accessing 'psmouse->pktcnt' in > >> 'psmouse->packet[psmouse->pktcnt++] = data' in 'psmouse_interrupt()' > >> is racing with 'wait_event_timeout(ps2dev->wait, (psmouse->pktcnt >= > >> pktsize), msecs_to_jiffies(CYTP_CMD_TIMEOUT))' in > >> 'cypress_ps2_read_cmd_status()'. > >> If that's the case, it's possible that 'psmouse->pktcnt' is > >> incremented, but no data is written yet, so '(psmouse->pktcnt >= > >> pktsize)' will evaluate to true and the following 'memcpy' will access > >> invalid data. > >> > >> Could you confirm if this is a real data race? > >> > >> Thanks in advance! > >> > > > > Hi Andrey, > > > > I would like to ask you, did not you noticed some problem from Sanitizer > > with psmouse-base.c and alps.c code? > > > > There is unknown problem when alps.c receive invalid data from > > psmouse_interrupt/serio_interrupt/i8042_interrupt. > > > > And when I read your email with race condition & accesing invalid data > > in cypress driver. I'm thinking if there cannot be something like that. > > > > -- > > Pali Rohár > > pali.rohar@gmail.com -- Pali Rohár pali.rohar@gmail.com From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pali =?utf-8?B?Um9ow6Fy?= Subject: Re: Potential data race in psmouse_interrupt Date: Wed, 29 Jul 2015 13:53:26 +0200 Message-ID: <20150729115326.GE13518@pali> References:

<20150723130844.GA29125@pali> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: Received: from mail-wi0-f182.google.com ([209.85.212.182]:35752 "EHLO mail-wi0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751328AbbG2Lxa (ORCPT ); Wed, 29 Jul 2015 07:53:30 -0400 Content-Disposition: inline In-Reply-To: Sender: linux-input-owner@vger.kernel.org List-Id: linux-input@vger.kernel.org To: Andrey Konovalov Cc: Dmitry Torokhov , Hans de Goede , Mathias Gottschlag , Shailendra Verma , Rusty Russell , "Luis R. Rodriguez" , Thomas Hellstrom , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Vyukov , Kostya Serebryany , Alexander Potapenko , ktsan@googlegroups.com Hi! This log looks like there can be race condition in initialization code, but not in receiving ALPS packets after initialization... On Thursday 23 July 2015 15:31:46 Andrey Konovalov wrote: > Hi Pali, >=20 > There are a few reports in psmouse-base.c/alps.c code as well. > Here is a couple of them that are printed one right after another. > The second one tells about a race on ps2dev->cmdcnt. >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > ThreadSanitizer: data-race in ps2_handle_ack >=20 > Write of size 8 by thread T6 (K6): > [] ps2_handle_ack+0xf3/0x180 drivers/input/serio/l= ibps2.c:322 > [] psmouse_interrupt+0x207/0x690 > drivers/input/mouse/psmouse-base.c:317 > [] serio_interrupt+0x66/0xb0 drivers/input/serio/s= erio.c:1008 > [] i8042_interrupt+0x240/0x4d0 > drivers/input/serio/i8042.c:541 > [] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/h= andle.c:143 > [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:= 192 > [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:6= 08 > [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_desc > include/linux/irqdesc.h:146 > [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:= 81 > [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.= S:601 > [< inlined >] irq_exit+0x98/0xa0 invoke_softirq kernel/softir= q.c:350 > [] irq_exit+0x98/0xa0 kernel/softirq.c:391 > [< inlined >] smp_apic_timer_interrupt+0x63/0x80 exiting_irq > ./arch/x86/include/asm/apic.h:655 > [] smp_apic_timer_interrupt+0x63/0x80 > arch/x86/kernel/apic/apic.c:915 > [] apic_timer_interrupt+0x6b/0x70 > arch/x86/entry/entry_64.S:782 > [] _do_fork+0x133/0x500 kernel/fork.c:1719 > [] kernel_thread+0x3c/0x60 kernel/fork.c:1772 > [] __call_usermodehelper+0x5c/0x90 kernel/kmod.c:3= 17 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c= :2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:217= 0 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64= =2ES:526 > DBG: cpu =3D ffff88053fd9fe68 > DBG: cpu id =3D 3 >=20 > Previous read of size 8 by thread T397 (K394): > [] ps2_sendbyte+0xe2/0x210 drivers/input/serio/lib= ps2.c:45 > [] __ps2_command+0x159/0x660 drivers/input/serio/l= ibps2.c:214 > [] ps2_command+0x35/0x60 drivers/input/serio/libps= 2.c:260 > [] alps_rpt_cmd+0x42/0xe0 > drivers/input/mouse/alps.c:1665 (discriminator 1) > [] alps_identify+0x36/0xc80 drivers/input/mouse/al= ps.c:2690 > [] alps_detect+0x28/0x150 drivers/input/mouse/alps= =2Ec:2960 > [< inlined >] psmouse_extensions+0x25e/0x4e0 psmouse_do_detec= t > drivers/input/mouse/psmouse-base.c:752 > [] psmouse_extensions+0x25e/0x4e0 > drivers/input/mouse/psmouse-base.c:870 > [] psmouse_switch_protocol+0x2ad/0x330 > drivers/input/mouse/psmouse-base.c:1467 > [] psmouse_connect+0x2e6/0x450 > drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > [< inlined >] serio_driver_probe+0x57/0x80 > serio_connect_driver drivers/input/serio/serio.c:65 > [] serio_driver_probe+0x57/0x80 > drivers/input/serio/serio.c:796 > [< inlined >] driver_probe_device+0x1da/0x460 really_probe > drivers/base/dd.c:308 > [] driver_probe_device+0x1da/0x460 drivers/base/dd= =2Ec:414 > [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612 > [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:3= 14 > [] driver_attach+0x33/0x50 drivers/base/dd.c:631 > [< inlined >] serio_handle_event+0x2d3/0x3b0 > serio_attach_driver drivers/input/serio/serio.c:826 > [] serio_handle_event+0x2d3/0x3b0 > drivers/input/serio/serio.c:245 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c= :2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:217= 0 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64= =2ES:526 > DBG: cpu =3D 0 >=20 > DBG: addr: ffff88019a923a58 > DBG: first offset: 0, second offset: 0 > DBG: T6 clock: {T6: 2264295, T397: 174118} > DBG: T397 clock: {T397: 174122} > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > ThreadSanitizer: data-race in __ps2_command >=20 > Read of size 1 by thread T397 (K394): > [] __ps2_command+0x270/0x660 > drivers/input/serio/libps2.c:230 (discriminator 21) > [] ps2_command+0x35/0x60 drivers/input/serio/libps= 2.c:260 > [] alps_rpt_cmd+0xae/0xe0 drivers/input/mouse/alps= =2Ec:1674 > [] alps_identify+0x36/0xc80 drivers/input/mouse/al= ps.c:2690 > [] alps_detect+0x28/0x150 drivers/input/mouse/alps= =2Ec:2960 > [< inlined >] psmouse_extensions+0x25e/0x4e0 psmouse_do_detec= t > drivers/input/mouse/psmouse-base.c:752 > [] psmouse_extensions+0x25e/0x4e0 > drivers/input/mouse/psmouse-base.c:870 > [] psmouse_switch_protocol+0x2ad/0x330 > drivers/input/mouse/psmouse-base.c:1467 > [] psmouse_connect+0x2e6/0x450 > drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > [< inlined >] serio_driver_probe+0x57/0x80 > serio_connect_driver drivers/input/serio/serio.c:65 > [] serio_driver_probe+0x57/0x80 > drivers/input/serio/serio.c:796 > [< inlined >] driver_probe_device+0x1da/0x460 really_probe > drivers/base/dd.c:308 > [] driver_probe_device+0x1da/0x460 drivers/base/dd= =2Ec:414 > [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612 > [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:3= 14 > [] driver_attach+0x33/0x50 drivers/base/dd.c:631 > [< inlined >] serio_handle_event+0x2d3/0x3b0 > serio_attach_driver drivers/input/serio/serio.c:826 > [] serio_handle_event+0x2d3/0x3b0 > drivers/input/serio/serio.c:245 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c= :2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:217= 0 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64= =2ES:526 > DBG: cpu =3D ffff88053fc9fe68 > DBG: cpu id =3D 1 >=20 > Previous write of size 1 by thread T6 (K6): > [] ps2_handle_response+0x46/0x130 > drivers/input/serio/libps2.c:346 > [] psmouse_interrupt+0x4d4/0x690 > drivers/input/mouse/psmouse-base.c:321 > [] serio_interrupt+0x66/0xb0 drivers/input/serio/s= erio.c:1008 > [] i8042_interrupt+0x240/0x4d0 > drivers/input/serio/i8042.c:541 > [] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/h= andle.c:143 > [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:= 192 > [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:6= 08 > [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_desc > include/linux/irqdesc.h:146 > [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:= 81 > [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.= S:601 > [] apic_timer_interrupt+0x6b/0x70 > arch/x86/entry/entry_64.S:782 > [< inlined >] kvm_clock_get_cycles+0x3e/0x50 kvm_clock_read > arch/x86/kernel/kvmclock.c:85 > [] kvm_clock_get_cycles+0x3e/0x50 > arch/x86/kernel/kvmclock.c:92 > [< inlined >] ktime_get_with_offset+0x99/0x180 > timekeeping_get_delta kernel/time/timekeeping.c:210 > [< inlined >] ktime_get_with_offset+0x99/0x180 > timekeeping_get_ns kernel/time/timekeeping.c:306 > [] ktime_get_with_offset+0x99/0x180 > kernel/time/timekeeping.c:720 > [< inlined >] copy_process.part.44+0x773/0x2c40 > ktime_get_boottime include/linux/timekeeping.h:183 > [< inlined >] copy_process.part.44+0x773/0x2c40 > ktime_get_boot_ns include/linux/timekeeping.h:214 > [] copy_process.part.44+0x773/0x2c40 kernel/fork.c= :1363 > [< inlined >] _do_fork+0x103/0x500 copy_process kernel/fork.c= :1261 > [] _do_fork+0x103/0x500 kernel/fork.c:1709 > [] kernel_thread+0x3c/0x60 kernel/fork.c:1772 > [] __call_usermodehelper+0x5c/0x90 kernel/kmod.c:3= 17 > [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c= :2036 > [] worker_thread+0xbf/0x710 kernel/workqueue.c:217= 0 > [] kthread+0x15c/0x180 kernel/kthread.c:207 > [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64= =2ES:526 > DBG: cpu =3D 0 >=20 > DBG: addr: ffff88019a923a68 > DBG: first offset: 0, second offset: 0 > DBG: T397 clock: {T397: 175738, T6: 2266233} > DBG: T6 clock: {T6: 2266336} > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > On Thu, Jul 23, 2015 at 3:08 PM, Pali Roh=C3=A1r wrote: > > On Wednesday 22 July 2015 15:14:42 Andrey Konovalov wrote: > >> Hi! > >> > >> We are working on a dynamic data race detector for Linux kernel ca= lled > >> KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wik= i). > >> > >> Here is a report we got while running ktsan (upstream revision > >> 21bdb584af8cca7c6df3c44cba268be050a234eb). > >> > >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > >> ThreadSanitizer: data-race in psmouse_interrupt > >> > >> Write of size 1 by thread T1 (K1): > >> [] psmouse_interrupt+0xd2/0x690 > >> drivers/input/mouse/psmouse-base.c:337 > >> [] serio_interrupt+0x66/0xb0 drivers/input/seri= o/serio.c:1008 > >> [] i8042_interrupt+0x240/0x4d0 > >> drivers/input/serio/i8042.c:541 > >> [] handle_irq_event_percpu+0x62/0x2a0 kernel/ir= q/handle.c:143 > >> [] handle_irq_event+0xa2/0xf0 kernel/irq/handle= =2Ec:192 > >> [] handle_edge_irq+0x104/0x380 kernel/irq/chip.= c:608 > >> [< inlined >] handle_irq+0xf6/0x220 generic_handle_irq_des= c > >> include/linux/irqdesc.h:146 > >> [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64= =2Ec:81 > >> [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223 > >> [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_= 64.S:601 > >> [< inlined >] irq_exit+0x98/0xa0 invoke_softirq kernel/sof= tirq.c:350 > >> [] irq_exit+0x98/0xa0 kernel/softirq.c:391 > >> [< inlined >] smp_apic_timer_interrupt+0x63/0x80 exiting_i= rq > >> ./arch/x86/include/asm/apic.h:655 > >> [] smp_apic_timer_interrupt+0x63/0x80 > >> arch/x86/kernel/apic/apic.c:915 > >> [] apic_timer_interrupt+0x6b/0x70 > >> arch/x86/entry/entry_64.S:782 > >> [] kvasprintf+0x5d/0x90 lib/kasprintf.c:24 > >> [] kasprintf+0x4e/0x70 lib/kasprintf.c:40 > >> [< inlined >] module_add_driver+0x8f/0x180 make_driver_nam= e > >> drivers/base/module.c:18 > >> [] module_add_driver+0x8f/0x180 drivers/base/mo= dule.c:63 > >> [] bus_add_driver+0x204/0x340 drivers/base/bus.= c:713 > >> [] driver_register+0xdb/0x190 drivers/base/driv= er.c:168 > >> [] __hid_register_driver+0xb6/0x100 > >> drivers/hid/hid-core.c:2677 > >> [] apple_driver_init+0x24/0x31 drivers/hid/hid-= apple.c:574 > >> [] do_one_initcall+0xb9/0x220 init/main.c:798 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 > >> do_initcall_level init/main.c:863 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 do_initcall= s > >> init/main.c:871 > >> [< inlined >] kernel_init_freeable+0x2ca/0x397 do_basic_se= tup > >> init/main.c:890 > >> [] kernel_init_freeable+0x2ca/0x397 init/main.c= :1013 > >> [] kernel_init+0x16/0x140 init/main.c:941 > >> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry= _64.S:526 > >> DBG: cpu =3D ffff88053fd9fe68 > >> DBG: cpu id =3D 3 > >> > >> Previous read of size 1 by thread T509 (K506): > >> [< inlined >] cypress_send_ext_cmd+0x193/0x500 > >> cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123 > >> [] cypress_send_ext_cmd+0x193/0x500 > >> drivers/input/mouse/cypress_ps2.c:192 > >> [] cypress_detect+0x2a/0xb0 > >> drivers/input/mouse/cypress_ps2.c:208 > >> [] psmouse_extensions+0x1f6/0x4e0 > >> drivers/input/mouse/psmouse-base.c:849 (discriminator 1) > >> [] psmouse_switch_protocol+0x2ad/0x330 > >> drivers/input/mouse/psmouse-base.c:1467 > >> [] psmouse_connect+0x2e6/0x450 > >> drivers/input/mouse/psmouse-base.c:1554 (discriminator 4) > >> [< inlined >] serio_driver_probe+0x57/0x80 > >> serio_connect_driver drivers/input/serio/serio.c:65 > >> [] serio_driver_probe+0x57/0x80 > >> drivers/input/serio/serio.c:796 > >> [< inlined >] driver_probe_device+0x1da/0x460 really_probe > >> drivers/base/dd.c:308 > >> [] driver_probe_device+0x1da/0x460 drivers/base= /dd.c:414 > >> [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:= 612 > >> [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.= c:314 > >> [] driver_attach+0x33/0x50 drivers/base/dd.c:63= 1 > >> [< inlined >] serio_handle_event+0x2d3/0x3b0 > >> serio_attach_driver drivers/input/serio/serio.c:826 > >> [] serio_handle_event+0x2d3/0x3b0 > >> drivers/input/serio/serio.c:245 > >> [] process_one_work+0x2a9/0x6d0 kernel/workqueu= e.c:2036 > >> [] worker_thread+0xbf/0x710 kernel/workqueue.c:= 2170 > >> [] kthread+0x15c/0x180 kernel/kthread.c:207 > >> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry= _64.S:526 > >> DBG: cpu =3D 0 > >> > >> DBG: addr: ffff88019d703909 > >> DBG: first offset: 1, second offset: 1 > >> DBG: T1 clock: {T1: 17075020, T509: 142163} > >> DBG: T509 clock: {T509: 142167} > >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > >> > >> It seems that accessing 'psmouse->pktcnt' in > >> 'psmouse->packet[psmouse->pktcnt++] =3D data' in 'psmouse_interrup= t()' > >> is racing with 'wait_event_timeout(ps2dev->wait, (psmouse->pktcnt = >=3D > >> pktsize), msecs_to_jiffies(CYTP_CMD_TIMEOUT))' in > >> 'cypress_ps2_read_cmd_status()'. > >> If that's the case, it's possible that 'psmouse->pktcnt' is > >> incremented, but no data is written yet, so '(psmouse->pktcnt >=3D > >> pktsize)' will evaluate to true and the following 'memcpy' will ac= cess > >> invalid data. > >> > >> Could you confirm if this is a real data race? > >> > >> Thanks in advance! > >> > > > > Hi Andrey, > > > > I would like to ask you, did not you noticed some problem from Sani= tizer > > with psmouse-base.c and alps.c code? > > > > There is unknown problem when alps.c receive invalid data from > > psmouse_interrupt/serio_interrupt/i8042_interrupt. > > > > And when I read your email with race condition & accesing invalid d= ata > > in cypress driver. I'm thinking if there cannot be something like t= hat. > > > > -- > > Pali Roh=C3=A1r > > pali.rohar@gmail.com --=20 Pali Roh=C3=A1r pali.rohar@gmail.com -- To unsubscribe from this list: send the line "unsubscribe linux-input" = in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html