Date:	Wed, 9 Feb 2011 16:10:55 -0800
From:	"Ira W. Snyder" <iws@...o.caltech.edu>
To:	Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:	linuxppc-dev@...ts.ozlabs.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] misc: add CARMA DATA-FPGA Access Driver

On Wed, Feb 09, 2011 at 03:42:31PM -0800, Dmitry Torokhov wrote:
> On Wed, Feb 09, 2011 at 03:35:45PM -0800, Ira W. Snyder wrote:
> > On Wed, Feb 09, 2011 at 10:27:40AM -0800, Dmitry Torokhov wrote:
> > 
> > [ snip stuff I've already fixed in the next version ]
> > 
> > > > 
> > > > The requirement is that the device stay open during reconfiguration.
> > > > This provides for that. Readers just block for as long as the device is
> > > > not producing data.
> > > 
> > > OK, you still need to make sure you do not touch free/used buffer while
> > > device is disabled. Also, you need to kick readers if you unbind the
> > > driver, so maybe a new flag priv->exists should be introduced and
> > > checked.
> > > 
> > 
> > I don't understand what you mean by "kick readers if you unbind the
> > driver". The kernel automatically increases the refcount on a module
> > when a process is using the module. This shows up in the "Used by"
> > column of lsmod's output.
> > 
> > The kernel will not let you rmmod a module with a non-zero refcount. You
> > cannot get into the situation where you have rmmod'ed the module and a
> > reader is still blocking in read()/poll().
> 
> However you can still unbind the driver from the device by writing into
> driver's sysfs 'unbind' attribute.
> 
> See drivers/base/bus.c::driver_unbind().
> 

I was completely unaware of that "feature". I have a hunch that many drivers
are incapable of dealing with an unbind while they are still open.

Matter of fact, I don't see how this can EVER be safe. The driver core
automatically calls the data_of_remove() routine while there are still
blocked readers. This kfree()s the private data structure, which
contains the suggested priv->exists flag. What happens if the memory
allocator re-allocates that memory to a different driver before the
reader process is woken up to check the priv->exists flag?

The only way to solve this is to count the number of open()s and
close()s, and block the unbind until all users have close()d the device.

Thanks,
Ira
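The lifetime hazard discussed above (remove() freeing priv while a reader is still sleeping on it) is usually handled by tying the allocation's lifetime to the open/close count rather than to the bound device. The following userspace C model is an added example, not code from the CARMA driver or from this thread; the `fpga_priv` struct, the `data_of_*` bodies and the `refcount`/`exists` fields are assumptions chosen to mirror the names used in the discussion. It counts one reference for the bound device plus one per open file, so remove() can clear `exists` and wake readers, and the memory is only released when the last reference (device or file) is dropped.

```c
/* Userspace model (added example): refcounted private data for a char
 * device so that unbind/remove cannot free it underneath a blocked reader.
 * The struct and function names mirror the thread (fpga_priv, data_of_*)
 * but the bodies are hypothetical, not the CARMA driver's code. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct fpga_priv {
    int refcount;     /* 1 for the bound device + 1 per open file */
    bool exists;      /* cleared by remove(); sleeping readers recheck it */
    int bytes_ready;  /* data available to read() */
};

/* Model bookkeeping only: how many priv objects have actually been freed. */
static int freed_objects;

static void priv_get(struct fpga_priv *p) { p->refcount++; }

/* Drop one reference; whoever drops the LAST one frees the object. */
static void priv_put(struct fpga_priv *p)
{
    if (--p->refcount == 0) {
        free(p);
        freed_objects++;
    }
}

/* probe(): allocate priv and take the device's own reference. */
static struct fpga_priv *data_of_probe(void)
{
    struct fpga_priv *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->refcount = 1;
    p->exists = true;
    return p;
}

/* open(): refuse if the device is already gone, otherwise pin priv. */
static int data_of_open(struct fpga_priv *p)
{
    if (!p->exists)
        return -ENXIO;
    priv_get(p);
    return 0;
}

/* read(): in the kernel the caller would sleep in wait_event_interruptible()
 * until (bytes_ready > 0 || !exists); here we just evaluate that condition. */
static int data_of_read(struct fpga_priv *p)
{
    if (!p->exists)
        return -ENODEV;       /* device was unbound while we were waiting */
    if (p->bytes_ready == 0)
        return -EAGAIN;       /* model of "would block" */
    int n = p->bytes_ready;
    p->bytes_ready = 0;
    return n;
}

/* release(): drop the file's reference; this may be the last one. */
static void data_of_release(struct fpga_priv *p) { priv_put(p); }

/* remove(): mark the device gone, wake readers, drop the device's
 * reference. priv is freed only once the last open file is released. */
static void data_of_remove(struct fpga_priv *p)
{
    p->exists = false;
    /* wake_up_interruptible(&p->wait) would go here in a real driver */
    priv_put(p);
}

/* Scenario from the thread: sysfs unbind while a reader is blocked.
 * Returns 1 if priv was still valid when the reader rechecked the flag,
 * the reader got -ENODEV, and priv was freed exactly once, after release(). */
int scenario_unbind_with_blocked_reader(void)
{
    freed_objects = 0;
    struct fpga_priv *p = data_of_probe();
    if (!p || data_of_open(p) != 0)
        return 0;
    if (data_of_read(p) != -EAGAIN)      /* no data yet: reader would sleep */
        return 0;
    data_of_remove(p);                   /* the 'unbind' write lands here */
    int alive_after_remove = (freed_objects == 0);
    int rc = data_of_read(p);            /* woken reader rechecks exists */
    data_of_release(p);                  /* last reference: freed now */
    return alive_after_remove && rc == -ENODEV && freed_objects == 1;
}

/* Control case: with no open files, remove() frees immediately. */
int scenario_remove_without_readers(void)
{
    freed_objects = 0;
    struct fpga_priv *p = data_of_probe();
    if (!p)
        return 0;
    data_of_remove(p);
    return freed_objects == 1;
}
```

The point of the model is ownership: the `exists` flag is only safe to check from a woken reader if the memory holding it is guaranteed to outlive that reader, and counting opens and closes in `refcount` is what provides that guarantee. In a real driver the counter would be a `kref` or `atomic_t` and the wake-up a wait queue, but the ordering (clear the flag, wake, then drop the device's reference) is the same.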