Message-ID: <Pine.LNX.4.44L0.0912041102590.3070-100000@iolanthe.rowland.org>
Date:	Fri, 4 Dec 2009 11:06:57 -0500 (EST)
From:	Alan Stern <stern@...land.harvard.edu>
To:	Greg KH <gregkh@...e.de>
cc:	stable@...nel.org, Oliver Neukum <oliver@...kum.org>,
	Rickard Bellini <rickard.bellini@...csson.com>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	Torgny Johansson <torgny.johansson@...csson.com>,
	Kernel development list <linux-kernel@...r.kernel.org>
Subject: [PATCH] Driver core: fix race in dev_driver_string

This patch (as1310) works around a race in dev_driver_string().  If
the device is unbound while the function is running, dev->driver might
become NULL after we test it and before we dereference it.

Signed-off-by: Alan Stern <stern@...land.harvard.edu>
CC: stable@...nel.org

---

Oliver:

We don't have to worry about the device structure being deallocated 
while the routine is running.  If that happens it's a bug in the 
caller: improper refcounting.

Alan Stern


Index: usb-2.6/drivers/base/core.c
===================================================================
--- usb-2.6.orig/drivers/base/core.c
+++ usb-2.6/drivers/base/core.c
@@ -56,7 +56,14 @@ static inline int device_is_not_partitio
  */
 const char *dev_driver_string(const struct device *dev)
 {
-	return dev->driver ? dev->driver->name :
+	struct device_driver *drv;
+
+	/* dev->driver can change to NULL underneath us because of unbinding,
+	 * so be careful about accessing it.  dev->bus and dev->class should
+	 * never change once they are set, so they don't need special care.
+	 */
+	drv = ACCESS_ONCE(dev->driver);
+	return drv ? drv->name :
 			(dev->bus ? dev->bus->name :
 			(dev->class ? dev->class->name : ""));
 }
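
Review bot: the snapshot in "drv = ACCESS_ONCE(dev->driver);" keeps the second read from seeing NULL, but nothing in the visible lines keeps the struct device_driver that drv points to valid while drv->name is dereferenced, or while the caller uses the returned string after an unbind. The new comment should say what guarantees that lifetime, or state plainly that this narrows the window rather than closing it, which is what "works around" in the changelog suggests. The comment's claim that dev->bus and dev->class never change once set carries the rest of the expression, so it would help to name where that invariant is enforced.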
