lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Thu,  4 Jun 2015 01:27:55 +0300
From:	Alexey Khoroshilov <khoroshilov@...ras.ru>
To:	Stefan Richter <stefanr@...6.in-berlin.de>
Cc:	Alexey Khoroshilov <khoroshilov@...ras.ru>,
	linux1394-devel@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org
Subject: [PATCH] firewire: cdev: fix potential data race in dequeue_event()

When wait_event happens in dequeue_event(), it checks if event_list is empty
without acquiring client->lock. A potential race can happen as follows:
     T1                   T2                   T3
  sleep in             sleep in
dequeue_event()      dequeue_event()
                                          enque_event()
  wake up, check
if event_list is empty
and is preempted
                                        device is shut down
                      wake up and
                       list_del()
try to dequeue event
 from empty list

The patch moves acquiring client->lock before checking the event_list.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
---
 drivers/firewire/core-cdev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 2a3973a7c441..7010dc2f02f2 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -314,11 +314,13 @@ static int dequeue_event(struct client *client,
 	if (ret < 0)
 		return ret;
 
+	spin_lock_irq(&client->lock);
 	if (list_empty(&client->event_list) &&
-		       fw_device_is_shutdown(client->device))
+		       fw_device_is_shutdown(client->device)) {
+		spin_unlock_irq(&client->lock);
 		return -ENODEV;
+	}
 
-	spin_lock_irq(&client->lock);
 	event = list_first_entry(&client->event_list, struct event, link);
 	list_del(&event->link);
 	spin_unlock_irq(&client->lock);
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ