lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1174877836.4782.6.camel@concordia.ozlabs.ibm.com>
Date:	Mon, 26 Mar 2007 12:57:16 +1000
From:	Michael Ellerman <michael@...erman.id.au>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	linux-pci@...ey.karlin.mff.cuni.cz,
	Greg Kroah-Hartman <greg@...ah.com>,
	"David S. Miller" <davem@...emloft.net>,
	Benjamin Herrenschmidt <benh@...nel.crashing.org>,
	linux-kernel@...r.kernel.org, Andrew Morton <akpm@...l.org>,
	daniel.e.wolstenholme@...el.com
Subject: Re: [PATCH 17/21] MSI: Clear the irq_desc's msi pointer on free

On Thu, 2007-03-22 at 21:00 -0600, Eric W. Biederman wrote:
> Michael Ellerman <michael@...erman.id.au> writes:
> 
> > On Thu, 2007-03-22 at 08:23 -0600, Eric W. Biederman wrote:
> >> Michael Ellerman <michael@...erman.id.au> writes:
> >> 
> >> > Currently we never clear the msi_desc pointer in the irq_desc. This
> >> > leaves us with a pointer to free'ed memory hanging around. No one seems
> >> > to have hit this, so presumably other parts of the code are protecting
> >> > us from ever using the stale pointer .. or we're just lucky, we should
> >> > still clear it.
> >> 
> >> Hmm.  Maybe.  Currently this is done in dynamic_irq_cleanup,
> >> at least for everything except sparc64.
> >
> > OK, I missed that. I still think we should do it here, otherwise there's
> > a window, however small, where the msi_desc pointer is pointing at freed
> > memory.
> 
> After following the code through the current cleanup happens before you are
> proposing, and in fact the irq is return to the set of irq's that can
> be allocated before you are calling set_irq_msi(irq, NULL).

We don't call dynamic_irq_cleanup(), so it never gets done. Perhaps we
should be using your dynamic_irq_init/cleanup.

> Therefore you are doing this too late and we need to ensure the
> architecture code does this in arch_teardown_msi_irq.

As long as the arch teardown routine somehow calls dynamic_irq_cleanup()
it should be fine. But I guess it's probably safer to just have all
archs do set_msi_irq(irq, NULL) in the teardown.

cheers

-- 
Michael Ellerman
OzLabs, IBM Australia Development Lab

wwweb: http://michael.ellerman.id.au
phone: +61 2 6212 1183 (tie line 70 21183)

We do not inherit the earth from our ancestors,
we borrow it from our children. - S.M.A.R.T Person

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ