[PATCH] rtc: add data_race() in rtc_dev_poll()

From: Mauricio Faria de Oliveira

Date: Tue Mar 17 2026 - 19:27:19 EST


The unlocked read of rtc->irq_data in rtc_dev_poll() can race with
the write in rtc_handle_legacy_irq() and also, theoretically, with
the write in rtc_dev_read().

These races should be safe (see inline comment), thus annotate the
read with data_race() for KCSAN.

Reported-by: syzbot+2d4127acca35ed7b31ad@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzbot.org/bug?extid=2d4127acca35ed7b31ad
Signed-off-by: Mauricio Faria de Oliveira <mfo@xxxxxxxxxx>
---
Compile-tested on next-20260317.
---
drivers/rtc/dev.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c
index baf1a8ca8b2b1ea806c56b06926a03975b3636a8..8ba7c25d2565ef4139594976881aaee18e16a048 100644
--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -195,7 +195,16 @@ static __poll_t rtc_dev_poll(struct file *file, poll_table *wait)

poll_wait(file, &rtc->irq_queue, wait);

- data = rtc->irq_data;
+ /*
+ * This read can race with the write in rtc_handle_legacy_irq().
+ *
+ * - If this check misses a zero to non-zero transition the next check
+ * will pick it up (rtc_handle_legacy_irq() wakes up rtc->irq_queue).
+ * - Non-zero to non-zero transition misses do not change return value.
+ * - And a non-zero to zero transition is unlikely to be missed, since
+ * it occurs on rtc_dev_read(), during which polling is not expected.
+ */
+ data = data_race(rtc->irq_data);

return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0;
}
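
Review bot: The third bullet of the new comment justifies the non-zero to zero case only as "unlikely to be missed" and does not say what happens when it is missed. Going by the return expression at the end of the hunk, a stale non-zero value makes rtc_dev_poll() report EPOLLIN | EPOLLRDNORM after rtc_dev_read() has already cleared irq_data. The comment should state that outcome and why it is acceptable, as the first two bullets do for their cases. The comment's opening sentence also names only the write in rtc_handle_legacy_irq(), while the commit message and the third bullet both cite the write in rtc_dev_read(); naming both writers there would keep the justification for data_race() complete.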

---
base-commit: 8e5a478b6d6a5bb0a3d52147862b15e4d826af19
change-id: 20260317-irq_data-e0fcd79d533c

Best regards,
--
Mauricio Faria de Oliveira <mfo@xxxxxxxxxx>