[Bug Report] Potential atomicity violation bug in drivers/misc/sgi-xp/xpc_uv.c, between 'xpc_send_activate_IRQ_uv()' and 'xpc_teardown_partitions_uv()'
From: Ginger
Date: Thu Apr 23 2026 - 00:44:43 EST

Dear Linux kernel maintainers,

My research-based static analyzer found a potential atomicity bug
within the 'drivers/misc/sgi-xp' subsystem, more specifically, in
'drivers/misc/sgi-xp/xpc_uv.c'.

Kernel version: long-term kernel v6.18.9

Potential concurrent triggering executions:

T0:
  xpc_send_activate_IRQ_uv
    --> read part_uv->flags & XPC_P_CACHED_ACTIVATE_GRU_MQ_DESC_UV
    --> access part_uv->cached_activate_gru_mq_desc

T1:
  xpc_teardown_partitions_uv
    --> spin_lock_irqsave(&part_uv->flags_lock, irq_flags)
    --> part_uv->flags &= ~XPC_P_CACHED_ACTIVATE_GRU_MQ_DESC_UV;
    --> spin_unlock_irqrestore(&part_uv->flags_lock, irq_flags);

In T0, the read to part_uv->flags is not protected by the flags_lock,
causing potential partial reads and data race scenarios.

Please kindly check at your convenience. Thank you for your time and
consideration.

Best regards,
Ginger
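
A userspace model of the T0/T1 interleaving listed in the report, added here as an example; it is not part of the original message and is not kernel code. The struct, the function names, the pthread mutex standing in for flags_lock, and the teardown step that drops the pointer are assumptions of the model; T1 is injected into T0's check-to-use window through a callback so the replay is deterministic.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

#define FLAG_CACHED 0x1u /* stands in for XPC_P_CACHED_ACTIVATE_GRU_MQ_DESC_UV */

struct part_model {             /* hypothetical stand-in for part_uv */
    pthread_mutex_t flags_lock; /* models the flags_lock spinlock */
    unsigned int flags;
    int *cached_desc;           /* models cached_activate_gru_mq_desc */
};
typedef void (*interleave_fn)(struct part_model *);

/* T1: clear the flag under flags_lock. Dropping the pointer in the same
 * section is an assumption of this model, so a stale use is observable. */
static void teardown(struct part_model *p) {
    pthread_mutex_lock(&p->flags_lock);
    p->flags &= ~FLAG_CACHED;
    p->cached_desc = NULL;
    pthread_mutex_unlock(&p->flags_lock);
}

/* T0 as reported: flag tested without the lock, descriptor accessed later.
 * Returns 1 when the flag said "cached" but the descriptor was gone at use. */
static int send_unlocked(struct part_model *p, interleave_fn window) {
    int cached = (p->flags & FLAG_CACHED) != 0; /* check, no lock held */
    if (window)
        window(p);                              /* T1 lands in the gap */
    return cached && p->cached_desc == NULL;    /* use: decision is stale */
}

/* Check and access in one critical section: T1 can only run before or
 * after it, so the flag and the pointer are read as a consistent pair. */
static int send_locked(struct part_model *p, interleave_fn window) {
    pthread_mutex_lock(&p->flags_lock);
    int cached = (p->flags & FLAG_CACHED) != 0;
    int *desc = p->cached_desc;
    pthread_mutex_unlock(&p->flags_lock);
    if (window)
        window(p);                              /* T1 is excluded until here */
    return cached && desc == NULL;
}

/* Replay T0 with T1 injected; 1 means T0 acted on a stale flag value. */
static int replay(int use_lock) {
    int desc = 42; /* constructed sample descriptor */
    struct part_model p = { PTHREAD_MUTEX_INITIALIZER, FLAG_CACHED, &desc };
    return use_lock ? send_locked(&p, teardown) : send_unlocked(&p, teardown);
}

int main(void) {
    printf("unlocked stale=%d locked stale=%d\n", replay(0), replay(1));
    return 0;
}
```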