lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1317930914.15807.64.camel@nimitz>
Date:	Thu, 06 Oct 2011 12:55:14 -0700
From:	Dave Hansen <dave@...ux.vnet.ibm.com>
To:	Seth Jennings <sjenning@...ux.vnet.ibm.com>
Cc:	gregkh@...e.de, cascardo@...oscopio.com,
	dan.magenheimer@...cle.com, rdunlap@...otime.net,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	rcj@...ux.vnet.ibm.com, brking@...ux.vnet.ibm.com,
	ngupta@...are.org
Subject: Re: [PATCH] staging: zcache: fix crash on cpu remove

On Thu, 2011-10-06 at 14:28 -0500, Seth Jennings wrote:
> In the case that a cpu is taken offline before zcache_do_preload() is
> ever called on the cpu, the per-cpu zcache_preloads structure will
> be uninitialized.  In the CPU_DEAD case for zcache_cpu_notifier(),
> kp->obj is not checked before calling kmem_cache_free() on it.
> If it is NULL, a crash results.
> 
> This patch ensures that both kp->obj and kp->page are not NULL before
> calling the respective free functions. In practice, just checking
> one or the other should be sufficient since they are assigned together
> in zcache_do_preload(), but I check both for safety.

zcache_objnode_alloc() and zcache_obj_alloc() seem to do the same thing:
dereference 'kp' without checking it for NULL.  That's fine, but it
requires that preemption be off between zcache_do_preload() and calling
those functions.  That seems to be the case today, but it worries me.

I can see another user getting added that does zcache_obj_alloc() but
forgot to disable preemption.  

We at least need a BUG_ON(!in_atomic()) near the dereferences.  The
enable/disable paths out of zcache_do_preload() look OK to me, but
they're not trivial.

Was there another purpose behind the preempt_disabling()?  We have a
number of spots on the kernel that do preloads but *don't* protect the
percpu buffers in the same way.  The radix-tree code, for instance, uses
preempt_disable() to provide the guarantee that an allocation does not
occur, but its data structures are safe to access without preempt.

IOW, with the radix code, a missed preempt_disable() costs you an
-ENOMEM.  With zcache it costs you an oops.

-- Dave

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ