Date:	Wed, 12 Feb 2014 19:01:56 -0600
From:	Josh Cartwright <joshc@...eaurora.org>
To:	Geert Uytterhoeven <geert@...ux-m68k.org>
Cc:	Arnd Bergmann <arnd@...db.de>,
	Laurent Pinchart <laurent.pinchart@...asonboard.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
	Grant Likely <grant.likely@...aro.org>,
	Rob Herring <robh+dt@...nel.org>
Subject: Re: [PATCH] of: Turn of_match_node into a static inline when
 CONFIG_OF isn't set

On Wed, Feb 12, 2014 at 10:54:37PM +0100, Geert Uytterhoeven wrote:
> On Tue, Feb 11, 2014 at 9:06 PM, Arnd Bergmann <arnd@...db.de> wrote:
> > On Tuesday 11 February 2014 19:29:19 Geert Uytterhoeven wrote:
[..]
> > You can't reorder the fields because they are shared with user
> > space in form of the module-init-tools.
> 
> Sure, that's part of the ABI.
> 
> But that doesn't mean we can't change the ID as stored in the platform_device.
> Many drivers don't want to know the ID, only the driver_data part.
> Having that in a uniform way across the different ID types would help.

I think I convinced myself that the existing platform_device::id_entry
manipulation has the same issue as the device::of_match_ptr had before
it was reverted[1], it's just gone unnoticed.

The codepath in question is the platform_driver_register()/driver_attach(), and
as far as I can tell there is nothing in place to prevent the following
scenario:

  Thread 1                                      Thread 2
  platform_driver_register(pdrv1)
    driver_attach(drv1)
     driver_match_device(drv1, dev)
      platform_match(drv1, dev)
       platform_match_id(drv1->id_table, pdev)
        pdev->id_entry = id1;
                                                platform_driver_register(pdrv2)
                                                 driver_attach(drv2)
                                                  driver_match_device(drv2, dev)
                                                   platform_match(drv2, dev)
                                                    platform_match_id(drv2->id_table, pdev)
                                                     pdev->id_entry = id2;
     device_lock(dev)
     driver_probe_device(drv1, dev)
     device_unlock(dev)

So, in this scenario, it's possible that even though 'drv1' is bound to 'dev',
its id_entry is pointing to somewhere in pdrv2's id_table :(.

Fortunately, the chances we'd hit this are slim, as it would require at least
two drivers which match the same device, and at least one of those drivers
would have to make use of id_entry.  However, relying on this still seems
broken.

I suspect it's not generally advisable for a bus to be touching device state
during ->match().

[1]: Thanks to Rob for pointing me at b1608d69cb80 ("drivercore: revert
     addition of of_match to struct device")
-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation
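
The interleaving from the message above, replayed deterministically in one thread as an added userspace example (not part of the original message and not kernel code). The simplified structs, the sample tables and the functions `lookup_id`, `match_storing`, `probe_drv1_racy` and `probe_drv1_relookup` are hypothetical; the re-lookup variant is one possible way to avoid the stale pointer, assumed here for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the kernel types named in the message. */
struct id   { const char *name; int driver_data; };
struct pdev { const char *name; const struct id *id_entry; };
struct pdrv { const struct id *id_table; };

/* Constructed sample tables: two drivers that both match device "foo". */
static const struct id tbl1[] = { { "foo", 1 }, { NULL, 0 } };
static const struct id tbl2[] = { { "foo", 2 }, { NULL, 0 } };
static const struct pdrv drv1 = { tbl1 }, drv2 = { tbl2 };

/* Side-effect-free lookup: returns the matching entry, writes no device state. */
static const struct id *lookup_id(const struct pdrv *drv, const struct pdev *pdev)
{
    const struct id *t;
    for (t = drv->id_table; t->name; t++)
        if (strcmp(t->name, pdev->name) == 0)
            return t;
    return NULL;
}

/* Pattern described in the message: match() caches its result in the device. */
static int match_storing(const struct pdrv *drv, struct pdev *pdev)
{
    const struct id *t = lookup_id(drv, pdev);
    if (t)
        pdev->id_entry = t;              /* written without the device lock */
    return t != NULL;
}

/* Replays the message's ordering; returns the driver_data drv1's probe reads. */
int probe_drv1_racy(void)
{
    struct pdev dev = { "foo", NULL };
    match_storing(&drv1, &dev);          /* thread 1: match */
    match_storing(&drv2, &dev);          /* thread 2: match, overwrites */
    return dev.id_entry->driver_data;    /* thread 1: probe under device_lock */
}

/* Same ordering, but the entry is resolved from drv1's own table at probe time. */
int probe_drv1_relookup(void)
{
    struct pdev dev = { "foo", NULL };
    (void)lookup_id(&drv1, &dev);            /* thread 1: match, no write */
    (void)lookup_id(&drv2, &dev);            /* thread 2: match, no write */
    dev.id_entry = lookup_id(&drv1, &dev);   /* models the locked probe path */
    return dev.id_entry->driver_data;
}
```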