| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 May 2011 16:09:29 +0200 From: Tim Gardner <tim.gardner@...onical.com> To: Bruno Prémont <bonbons@...ux-vserver.org> CC: linux-fbdev@...r.kernel.org, lethal@...ux-sh.org, linux-kernel@...r.kernel.org, Andy Whitcroft <andy.whitcroft@...onical.com> Subject: Re: [PATCH V3] fbcon -- fix race between open and removal of framebuffers On 05/10/2011 11:44 PM, Bruno Prémont wrote: > On Tue, 10 May 2011 Tim Gardner<tim.gardner@...onical.com> wrote: >> From ca3ef33e2235c88856a6257c0be63192ab56c678 Mon Sep 17 00:00:00 2001 >> From: Andy Whitcroft<apw@...onical.com> >> Date: Thu, 29 Jul 2010 16:48:20 +0100 >> Subject: [PATCH] fbcon -- fix race between open and removal of framebuffers >> >> Currently there is no locking for updates to the registered_fb list. >> This allows an open through /dev/fbN to pick up a registered framebuffer >> pointer in parallel with it being released, as happens when a conflicting >> framebuffer is ejected or on module unload. There is also no reference >> counting on the framebuffer descriptor which is referenced from all open >> files, leading to references to released or reused memory to persist on >> these open files. >> >> This patch adds a reference count to the framebuffer descriptor to prevent >> it from being released until after all pending opens are closed. This >> allows the pending opens to detect the closed status and unmap themselves. >> It also adds locking to the framebuffer lookup path, locking it against >> the removal path such that it is possible to atomically lookup and take a >> reference to the descriptor. It also adds locking to the read and write >> paths which currently could access the framebuffer descriptor after it >> has been freed. Finally it moves the device to FBINFO_STATE_REMOVED to >> indicate that all access should be errored for this device. > > What framebuffer drivers was this patch tested with? Just x86 with > mainstream GPU (intel/amd/nvidia KMS) in compination with vgafb/vesafb or > did it see some testing with other framebuffers like those from embedded > world? > This patch is also in all of the armel (OMAP3/OMAP4) kernels. > Otherwise a much smaller (memory leaking) patch would be to just change > vesafb/vgafb to not free their fb_info after unregistration as was suggested > by Alan Cox. > Sure, I suppose thats possible, but this is the patch that I have working. <snip> > > This only partially protects the list and count as two concurrent > framebuffer registrations do still race against each other. > For the issue addressed by this patch I don't think it makes sense to > have this spinlock at all as it's only used in get_framebuffer_info() > and in put_framebuffer_info() and put_framebuffer_info() doesn't even > look at registered_fb or num_registered_fb. > Such a spinlock makes sense in a separate patch that really protects > all access to registered_fb or num_registered_fb, be it during framebuffer > (un)registration or during access from fbcon. > Our goal was merely to stop the user space open/close races. I agree that the framebuffer registration list needs more orthogonal protection, but that is going to be a much larger patch. rtg -- Tim Gardner tim.gardner@...onical.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists