rtc: add data_race() in rtc_dev_poll()

The unlocked read of rtc->irq_data in rtc_dev_poll() can race with
the write in rtc_handle_legacy_irq() and also, theoretically, with
the write in rtc_dev_read().

These races should be safe (see inline comment), thus annotate the
read with data_race() for KCSAN.

Reported-by: syzbot+2d4127acca35ed7b31ad@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=2d4127acca35ed7b31ad
Signed-off-by: Mauricio Faria de Oliveira <mfo@igalia.com>
Link: https://patch.msgid.link/20260317-irq_data-v1-1-a2741002be60@igalia.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c
index baf1a8ca8b2b1ea806c56b06926a03975b3636a8..8ba7c25d2565ef4139594976881aaee18e16a048 100644 (file)
--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -195,7 +195,16 @@ static __poll_t rtc_dev_poll(struct file *file, poll_table *wait)
 
        poll_wait(file, &rtc->irq_queue, wait);
 
-       data = rtc->irq_data;
+       /*
+        * This read can race with the write in rtc_handle_legacy_irq().
+        *
+        * - If this check misses a zero to non-zero transition the next check
+        *   will pick it up (rtc_handle_legacy_irq() wakes up rtc->irq_queue).
+        * - Non-zero to non-zero transition misses do not change return value.
+        * - And a non-zero to zero transition is unlikely to be missed, since
+        *   it occurs on rtc_dev_read(), during which polling is not expected.
+        */
+       data = data_race(rtc->irq_data);
 
        return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0;
 }