lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 13 Jan 2010 13:45:45 -0200
From:	Thadeu Lima de Souza Cascardo <cascardo@...oscopio.com>
To:	Jean Delvare <khali@...ux-fr.org>
Cc:	linux-i2c@...r.kernel.org,
	"Ben Dooks (embedded platforms)" <ben-linux@...ff.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] i2c: do not use device name after device_unregister

On Wed, Jan 13, 2010 at 11:25:15AM +0100, Jean Delvare wrote:
> Hi Thadeu,
> 
> On Tue, 12 Jan 2010 19:36:43 -0200, Thadeu Lima de Souza Cascardo wrote:
> > dev_dbg outputs dev_name, which is released with device_unregister. This bug
> > resulted in output like this:
> > 
> > [ 7860.470713] i2c Xy2�0: adapter [SMBus I801 adapter at 1880] unregistered
> > 
> > The right output would be:
> > [   60.639233] i2c i2c-0: adapter [SMBus I801 adapter at 1880] unregistered
> 
> I can't reproduce this bug. Do you have a specific memory poisoning
> option enabled by any chance? And which kernel version are you running
> exactly?
> 

I'm not using any memory poisoning option that I'm aware of. However, I've been
using SLOB as an allocator, which may make a pretty difference, I guess.

I was running some of Linus' latest published git versions, something on top of
v2.6.33-rc3, commit 2c1f1895ef2aa8f0e5497893eff71304aef332e1.

> > 
> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...oscopio.com>
> > ---
> >  drivers/i2c/i2c-core.c |    5 +++--
> >  1 files changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
> > index 0ac2f90..d5db0f4 100644
> > --- a/drivers/i2c/i2c-core.c
> > +++ b/drivers/i2c/i2c-core.c
> > @@ -843,6 +843,9 @@ int i2c_del_adapter(struct i2c_adapter *adap)
> >  				 adap->dev.parent);
> >  #endif
> >  
> > +	/* device name is gone after device_unregister */
> > +	dev_dbg(&adap->dev, "adapter [%s] unregistered\n", adap->name);
> > +
> >  	/* clean up the sysfs representation */
> >  	init_completion(&adap->dev_released);
> >  	device_unregister(&adap->dev);
> > @@ -855,8 +858,6 @@ int i2c_del_adapter(struct i2c_adapter *adap)
> >  	idr_remove(&i2c_adapter_idr, adap->nr);
> >  	mutex_unlock(&core_lock);
> >  
> > -	dev_dbg(&adap->dev, "adapter [%s] unregistered\n", adap->name);
> > -
> >  	/* Clear the device structure in case this adapter is ever going to be
> >  	   added again */
> >  	memset(&adap->dev, 0, sizeof(adap->dev));
> 
> The device structure is embedded in struct i2c_adapter, so its memory
> can't be reused before the i2c_adapter itself is freed, which can't
> happen before the end of function i2c_del_adapter(). Until recently,
> the device name was embedded in the device structure so the code above
> was fine. But apparently this changed some 9 months ago...
> 

The device may not be reused, but it's name is in its kobject, which allocates
memory using kvasprintf, and releases it when device_del ends up calling
kobject_put. So, anyway, we should not access memory that has been released. I
guess trying some poisoning option or changing to SLOB may help you hit the
bug.

> -- 
> Jean Delvare

Best Regards,
Cascardo.

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ