lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <A24743AB-F844-48B6-BE83-8CEF4E8A6264@brocade.com>
Date:	Mon, 8 Jun 2015 21:07:30 +0100
From:	Brian Russell <brussell@...cade.com>
To:	Guenter Roeck <linux@...ck-us.net>
CC:	Brian Russell <brian.russell@...cade.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	"Hans J. Koch" <hjk@...sjkoch.de>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v9 2/2] uio: Fix uio driver to refcount device


> On 8 Jun 2015, at 20:25, Guenter Roeck <linux@...ck-us.net> wrote:
> 
>> On Tue, Mar 24, 2015 at 12:59:22PM +0000, Brian Russell wrote:
>> 
>> 
>>> On 23/03/15 20:41, Greg Kroah-Hartman wrote:
>>>> On Fri, Mar 20, 2015 at 02:54:44PM +0000, Brian Russell wrote:
>>>> Protect uio driver from its owner being unplugged while there are open fds.
>>>> Embed struct device in struct uio_device, use refcounting on device, free
>>>> uio_device on release.
>>>> info struct passed in uio_register_device can be freed on unregister, so null
>>>> out the field in uio_unregister_device and check accesses.
>>> 
>>> That's really not protecting anything except heavy-handed problems...
>>> 
>>> Look at the code:
>>> 
>>>> @@ -493,7 +499,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
>>>>    struct uio_listener *listener = filep->private_data;
>>>>    struct uio_device *idev = listener->dev;
>>>> 
>>>> -    if (!idev->info->irq)
>>>> +    if (!idev->info || !idev->info->irq)
>>>>        return -EIO;
>>> 
>>> Great, you checked the irq value, but what if it changes the very next
>>> line:
>>> 
>>>>    poll_wait(filep, &idev->wait, wait);
>>> 
>>> Or any other line within this function?  Or any other function that you
>>> try to check the value for in the beginning...
>>> 
>>> This really isn't protecting anything "properly", sorry.  Either we
>>> don't care about it (hint, I don't think we really do), or we need to
>>> properly lock things and check, and protect, things that way.
>> 
>> The checks for irq value are already there. I added the checks for the
>> idev->info ptr and deliberately nulled it in uio_unregister_device as
>> the caller module may free uio_info after unregistering (dpdk's igb_uio
>> does anyway) and then release will be called later when fds are closed.
>> 
>> So I think I definitely need the check in uio_release. I didn't think
>> it hurt to return early from poll/read/write if we know the device
>> has been unregistered?
> 
> What is the final verdict on this patch ? We are seeing the crash in our
> system, and I would like to apply a 'final' patch if possible to get it
> fixed.
> 
It needs a bit more work. uio_info needs to live as long as the corresponding uio_device. Since they seem to always be 1:1, uio_info could embedded within uio_device (but then all the users of uio need changed) or uio_info could be a refcounted object.

Brian

> Thanks,
> Guenter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ