| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <490467CD.3000402@uniscape.net>
Date: Sun, 26 Oct 2008 20:51:25 +0800
From: Yu Zhao <yu.zhao@...scape.net>
To: Matthew Wilcox <matthew@....cx>
CC: Jesse Barnes <jbarnes@...tuousgeek.org>, linux-pci@...r.kernel.org,
greg@...ah.com, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org, stable@...nel.org,
Rakib Mullick <rakib.mullick@...il.com>
Subject: Re: [PATCH] pci: Fixing drivers/pci/search.c compilation warning.
Matthew Wilcox wrote:
> This patch seems to have been overlooked. It also seems to have had
> some kind of midair collision with a patch from Greg that ignored the
> real bug I found.
>
> Here's an updated version. I think it should also be applied to
> -stable.
>
> ----
>
> Subject: [PCI] Fix reference counting bug
>
> pci_get_subsys() will decrement the reference count of the device that
> it starts searching from. Unfortunately, the pci_find_device() interface
> will already have decremented the reference count of the device earlier,
> so the device will end up losing all reference counts and be freed.
>
> We can fix this by incrementing the reference count of the device to
> start searching from before calling pci_get_subsys().
>
> Signed-off-by: Matthew Wilcox <willy@...ux.intel.com>
>
> diff --git a/drivers/pci/search.c b/drivers/pci/search.c
> index 4edfc47..5af8bd5 100644
> --- a/drivers/pci/search.c
> +++ b/drivers/pci/search.c
> @@ -166,6 +166,7 @@ struct pci_dev *pci_find_device(unsigned int vendor, unsigned int device,
> {
> struct pci_dev *pdev;
>
> + pci_dev_get(from);
> pdev = pci_get_subsys(vendor, device, PCI_ANY_ID, PCI_ANY_ID, from);
> pci_dev_put(pdev);
> return pdev;
> @@ -270,12 +271,8 @@ static struct pci_dev *pci_get_dev_by_id(const struct pci_device_id *id,
> struct pci_dev *pdev = NULL;
>
> WARN_ON(in_interrupt());
> - if (from) {
> - /* FIXME
> - * take the cast off, when bus_find_device is made const.
> - */
> - dev_start = (struct device *)&from->dev;
> - }
> + if (from)
> + dev_start = &from->dev;
> dev = bus_find_device(&pci_bus_type, dev_start, (void *)id,
> match_pci_dev_by_id);
> if (dev)
This reminds me of other problems of PCI search functions.
The 'dev_start' is passed to bus_find_device(), and its 'knode_bus'
reference count is decreased by klist_iter_init_node() in that function.
The problem is the reference count may be already decrease to 0 because
the PCI device 'from' is hot-plugged off (e.g., pci_remove_bus) when the
search goes. A warning is fired when klist_iter_init_node() detects the
reference count becomes 0.
Some code uses pci_find_device() in a way that is not safe with the
hotplug, because a device may be destroyed after bus_find_device()
returns it and before it's held by pci_dev_get() in the next round.
Following is an example from a random grep:
for ( ;; )
{
if ((dev_netjet = pci_find_device(PCI_VENDOR_ID_TIGERJET,
PCI_DEVICE_ID_TIGERJET_300, dev_netjet))) {
ret = njs_pci_probe(dev_netjet, cs);
...
}
...
}
And some others use pci_get_bus_and_slot(), which has similar problem as
above.
Thanks,
Yu
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists