lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200909292208.18203.rjw@sisk.pl>
Date:	Tue, 29 Sep 2009 22:08:18 +0200
From:	"Rafael J. Wysocki" <rjw@...k.pl>
To:	Danny Feng <dfeng@...hat.com>
Cc:	Alex Chiang <achiang@...com>, lenb@...nel.org,
	bjorn.helgaas@...com, andrew.patterson@...com,
	jbarnes@...tuousgeek.org, linux-acpi@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] acpi: pci_root: fix NULL pointer deref after resume from suspend

On Tuesday 29 September 2009, Danny Feng wrote:
> On 09/29/2009 06:50 AM, Rafael J. Wysocki wrote:
> > On Tuesday 29 September 2009, Alex Chiang wrote:
> >> * Rafael J. Wysocki<rjw@...k.pl>:
> >>> On Monday 28 September 2009, Rafael J. Wysocki wrote:
> >>>> On Monday 28 September 2009, Alex Chiang wrote:
> >>>>> * Xiaotian Feng<dfeng@...hat.com>:
> >>>>>> --- a/drivers/acpi/pci_root.c
> >>>>>> +++ b/drivers/acpi/pci_root.c
> >>>>>> @@ -387,7 +387,11 @@ struct pci_dev *acpi_get_pci_dev(acpi_handle handle)
> >>>>>>   		if (!pdev || hnd == handle)
> >>>>>>   			break;
> >>>>>>
> >>>>>> -		pbus = pdev->subordinate;
> >>>>>> +		if (pdev->subordinate)
> >>>>>> +			pbus = pdev->subordinate;
> >>>>>> +		else
> >>>>>> +			pbus = pdev->bus;
> >>>>>> +
> >>>>>
> >>>>> I'm a little confused by this. If we start from the PCI root
> >>>>> bridge and walk back down the hierarchy, shouldn't everything
> >>>>> between the root and the device be a P2P bridge?
> >>>>
> >>>> Well, if my reading of the code is correct, there's no guarantee that
> >>>> pci_get_slot() will always return either the right device or a bridge.
> >>>
> >>> I should have been more precise.
> >>>
> >>> If devfn of node happens to be the same as devfn of a non-bridge device on
> >>> pbus, the pci_get_slot() will return a valid pointer to it, but
> >>> pdev->subordinate will be NULL.  Is it impossible for some reason?
> >>
> >> Hm, that's a good thought, but I'm still confused. Here's the
> >> first part of the full function (acpi_get_pci_dev):
> >>
> >>          phandle = handle;
> >>          while (!acpi_is_root_bridge(phandle)) {
> >>                  node = kzalloc(sizeof(struct acpi_handle_node), GFP_KERNEL);
> >>                  if (!node)
> >>                          goto out;
> >>
> >>                  INIT_LIST_HEAD(&node->node);
> >>                  node->handle = phandle;
> >>                  list_add(&node->node,&device_list);
> >>
> >>                  status = acpi_get_parent(phandle,&phandle);
> >>                  if (ACPI_FAILURE(status))
> >>                          goto out;
> >>          }
> >>
> >> phandle starts off as the input parameter, and we make successive
> >> calls to acpi_get_parent() to walk up the ACPI device tree until
> >> we get to a root bridge.
> >>
> >> My assumption here is that all those ACPI devices must be P2P
> >> bridges.
> >>
> >>          root = acpi_pci_find_root(phandle);
> >>          if (!root)
> >>                  goto out;
> >>
> >>          pbus = root->bus;
> >>
> >> Now we've got an acpi_pci_root() which has a struct pci_bus, and
> >> we can start walking back down the PCI tree. Except what we're
> >> really doing is iterating across the device_list which we created
> >> above.
> >>
> >> device_list should only contain P2P bridges, based on my
> >> assumption above.
> >>
> >>          list_for_each_entry(node,&device_list, node) {
> >>                  acpi_handle hnd = node->handle;
> >>                  status = acpi_evaluate_integer(hnd, "_ADR", NULL,&adr);
> >>                  if (ACPI_FAILURE(status))
> >>                          goto out;
> >>                  dev = (adr>>  16)&  0xffff;
> >>                  fn  = adr&  0xffff;
> >>
> >>                  pdev = pci_get_slot(pbus, PCI_DEVFN(dev, fn));
> >>                  if (!pdev || hnd == handle)
> >>                          break;
> >>
> >>                  pbus = pdev->subordinate;
> >>                  pci_dev_put(pdev);
> >>          }
> >>
> >> The point you raise about collision between the devfn of 'node'
> >> and some non-bridge device returned by pci_get_slot() seems like
> >> it really shouldn't happen, because we evaluate _ADR for each
> >> node on device_list, in the reverse order that we found them, and
> >> based on my assumption, all those nodes should be bridges.
> >
> > You seem to be right, but if the Xiaotian's patch actually fixes the NULL
> > pointer deref, one of the assumptions is clearly wrong.
> >
> >> I'm not saying that Xiaotian's patch is wrong. I'm saying I'd
> >> like to be educated as to why my basic assumption was wrong,
> >> because now you're making me think that this code is pretty
> >> fragile. :-/
> >
> > Perhaps Xiaotian can add some printk()s on top of his patch that will show us
> > exactly in what conditions pbus becomes NULL.
> >
> > Thanks,
> > Rafael
> >
> Is there any cases that pdev->subordinate is NULL while pdev is bridge 
> device?
>  From pci_slot.c::walk_p2p_bridge, there's code like following:
> 
>          dev = pci_get_slot(pci_bus, PCI_DEVFN(device, function));
>          if (!dev || !dev->subordinate)
>                  goto out;
> 
> It looks like dev->subordinate can be NULL even if in p2p bridge, right?

Right, in general, but in this particular case each device we inspect is
supposed to be a parent of another device, which implies that there's a bus
below it (given that it's a PCI device).

Thanks,
Rafael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ