lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 01 Jun 2017 09:07:32 +0800
From:   Jia-Ju Bai <baijiaju1990@....com>
To:     Larry Finger <Larry.Finger@...inger.net>
CC:     Michael Büsch <m@...s.ch>,
        Kalle Valo <kvalo@...eaurora.org>, netdev@...r.kernel.org,
        linux-wireless@...r.kernel.org, b43-dev@...ts.infradead.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] b43legacy: Fix a sleep-in-atomic bug in b43legacy_op_bss_info_changed

On 06/01/2017 08:07 AM, Larry Finger wrote:
> On 05/31/2017 10:32 AM, Michael Büsch wrote:
>> On Wed, 31 May 2017 13:26:43 +0300
>> Kalle Valo <kvalo@...eaurora.org> wrote:
>>
>>> Jia-Ju Bai <baijiaju1990@....com> writes:
>>>
>>>> The driver may sleep under a spin lock, and the function call path is:
>>>> b43legacy_op_bss_info_changed (acquire the lock by spin_lock_irqsave)
>>>>    b43legacy_synchronize_irq
>>>>      synchronize_irq --> may sleep
>>>>
>>>> To fix it, the lock is released before b43legacy_synchronize_irq, 
>>>> and the
>>>> lock is acquired again after this function.
>>>>
>>>> Signed-off-by: Jia-Ju Bai <baijiaju1990@....com>
>>>> ---
>>>>   drivers/net/wireless/broadcom/b43legacy/main.c |    2 ++
>>>>   1 file changed, 2 insertions(+)
>>>>
>>>> diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c 
>>>> b/drivers/net/wireless/broadcom/b43legacy/main.c
>>>> index f1e3dad..31ead21 100644
>>>> --- a/drivers/net/wireless/broadcom/b43legacy/main.c
>>>> +++ b/drivers/net/wireless/broadcom/b43legacy/main.c
>>>> @@ -2859,7 +2859,9 @@ static void 
>>>> b43legacy_op_bss_info_changed(struct ieee80211_hw *hw,
>>>>       b43legacy_write32(dev, B43legacy_MMIO_GEN_IRQ_MASK, 0);
>>>>         if (changed & BSS_CHANGED_BSSID) {
>>>> +        spin_unlock_irqrestore(&wl->irq_lock, flags);
>>>>           b43legacy_synchronize_irq(dev);
>>>> +        spin_lock_irqsave(&wl->irq_lock, flags);
>>>
>>> To me this looks like a fragile workaround and not a real fix. You can
>>> easily add new race conditions with releasing the lock like this.
>>>
>>
>>
>> I think releasing the lock possibly is fine. It certainly is better than
>> sleeping with a lock held.
>> We disabled the device interrupts just before this line.
>>
>> However I think the synchronize_irq should be outside of the
>> conditional right after the write to B43legacy_MMIO_GEN_IRQ_MASK. (So
>> two lines above)
>> I don't think it makes sense to only synchronize if BSS_CHANGED_BSSID
>> is set.
>>
>>
>> On the other hand b43 does not have this irq-disabling foobar anymore.
>> So somebody must have removed it. Maybe you can find the commit that
>> removed this stuff from b43 and port it to b43legacy?
>>
>>
>> So I would vote for moving the synchronize_irq up outside of the
>> conditional and put the unlock/lock sequence around it.
>> And as a second patch on top of that try to remove this stuff
>> altogether like b43 did.
>
> The patch that removed it in b43 is
>
> commit 36dbd9548e92268127b0c31b0e121e63e9207108
> Author: Michael Buesch <mb@...sch.de>
> Date:   Fri Sep 4 22:51:29 2009 +0200
>
>     b43: Use a threaded IRQ handler
>
>     Use a threaded IRQ handler to allow locking the mutex and
>     sleeping while executing an interrupt.
>     This removes usage of the irq_lock spinlock, but introduces
>     a new hardirq_lock, which is _only_ used for the PCI/SSB lowlevel
>     hard-irq handler. Sleeping busses (SDIO) will use mutex instead.
>
>     Signed-off-by: Michael Buesch <mb@...sch.de>
>     Tested-by: Larry Finger <Larry.Finger@...inger.net>
>     Signed-off-by: John W. Linville <linville@...driver.com>
>
> I vaguely remember this patch. Although it is roughly a 1000-line fix, 
> I will try to port it to b43legacy. I still have an old BCM4306 PCMCIA 
> card that I can test in a PowerBook G4.
>
> I agree with Michael that this is the way to go. Both of Jia-Ju's 
> patches should be rejected.
>
> Larry
>
>

It is fine to me to fix the bug by porting this former patch.

Thanks,
Jia-Ju Bai

Powered by blists - more mailing lists