From: Mauricio Faria de Oliveira <mfo@igalia.com>
Date: Tue, 17 Mar 2026 23:22:16 +0000 (-0300)
Subject: rtc: add data_race() in rtc_dev_poll()
X-Git-Tag: v7.1-rc1~5^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b47bcab6ee92d5ca6ba55c06b9a503e2663e942f;p=thirdparty%2Fkernel%2Fstable.git

rtc: add data_race() in rtc_dev_poll()

The unlocked read of rtc->irq_data in rtc_dev_poll() can race with
the write in rtc_handle_legacy_irq() and also, theoretically, with
the write in rtc_dev_read().

These races should be safe (see inline comment), thus annotate the
read with data_race() for KCSAN.

Reported-by: syzbot+2d4127acca35ed7b31ad@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=2d4127acca35ed7b31ad
Signed-off-by: Mauricio Faria de Oliveira <mfo@igalia.com>
Link: https://patch.msgid.link/20260317-irq_data-v1-1-a2741002be60@igalia.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
---

diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c
index baf1a8ca8b2b1..8ba7c25d2565e 100644
--- a/drivers/rtc/dev.c
+++ b/drivers/rtc/dev.c
@@ -195,7 +195,16 @@ static __poll_t rtc_dev_poll(struct file *file, poll_table *wait)
 
 	poll_wait(file, &rtc->irq_queue, wait);
 
-	data = rtc->irq_data;
+	/*
+	 * This read can race with the write in rtc_handle_legacy_irq().
+	 *
+	 * - If this check misses a zero to non-zero transition the next check
+	 *   will pick it up (rtc_handle_legacy_irq() wakes up rtc->irq_queue).
+	 * - Non-zero to non-zero transition misses do not change return value.
+	 * - And a non-zero to zero transition is unlikely to be missed, since
+	 *   it occurs on rtc_dev_read(), during which polling is not expected.
+	 */
+	data = data_race(rtc->irq_data);
 
 	return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0;
 }