lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJTXvSgFf3+AtTjbLXE3EExFzWTfUsYEoUVRy-NWppqpZuXsuA@mail.gmail.com>
Date:	Tue, 27 Oct 2015 16:12:50 -0400
From:	Jean-François Dagenais <jeff.dagenais@...il.com>
To:	Brian Russell <brussell@...cade.com>
Cc:	Guenter Roeck <linux@...ck-us.net>,
	Brian Russell <brian.russell@...cade.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	"Hans J. Koch" <hjk@...sjkoch.de>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v9 2/2] uio: Fix uio driver to refcount device

Hi guys,

We have hot-removal scenarios here which require exactly this fix. The
app above has open fds on /dev/uioN
and the current uio.c makes the kernel OOPS.

Any updates? I'd be happy to test a new patch.

On Mon, Jun 8, 2015 at 4:07 PM, Brian Russell <brussell@...cade.com> wrote:
>
>> On 8 Jun 2015, at 20:25, Guenter Roeck <linux@...ck-us.net> wrote:
>>
>>> On Tue, Mar 24, 2015 at 12:59:22PM +0000, Brian Russell wrote:
>>>
>>>
>>>> On 23/03/15 20:41, Greg Kroah-Hartman wrote:
>>>>> On Fri, Mar 20, 2015 at 02:54:44PM +0000, Brian Russell wrote:
>>>>> Protect uio driver from its owner being unplugged while there are open fds.
>>>>> Embed struct device in struct uio_device, use refcounting on device, free
>>>>> uio_device on release.
>>>>> info struct passed in uio_register_device can be freed on unregister, so null
>>>>> out the field in uio_unregister_device and check accesses.
>>>>
>>>> That's really not protecting anything except heavy-handed problems...
>>>>
>>>> Look at the code:
>>>>
>>>>> @@ -493,7 +499,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
>>>>>    struct uio_listener *listener = filep->private_data;
>>>>>    struct uio_device *idev = listener->dev;
>>>>>
>>>>> -    if (!idev->info->irq)
>>>>> +    if (!idev->info || !idev->info->irq)
>>>>>        return -EIO;
>>>>
>>>> Great, you checked the irq value, but what if it changes the very next
>>>> line:
>>>>
>>>>>    poll_wait(filep, &idev->wait, wait);
>>>>
>>>> Or any other line within this function?  Or any other function that you
>>>> try to check the value for in the beginning...
>>>>
>>>> This really isn't protecting anything "properly", sorry.  Either we
>>>> don't care about it (hint, I don't think we really do), or we need to
>>>> properly lock things and check, and protect, things that way.
>>>
>>> The checks for irq value are already there. I added the checks for the
>>> idev->info ptr and deliberately nulled it in uio_unregister_device as
>>> the caller module may free uio_info after unregistering (dpdk's igb_uio
>>> does anyway) and then release will be called later when fds are closed.
>>>
>>> So I think I definitely need the check in uio_release. I didn't think
>>> it hurt to return early from poll/read/write if we know the device
>>> has been unregistered?
>>
>> What is the final verdict on this patch ? We are seeing the crash in our
>> system, and I would like to apply a 'final' patch if possible to get it
>> fixed.
>>
> It needs a bit more work. uio_info needs to live as long as the corresponding uio_device. Since they seem to always be 1:1, uio_info could embedded within uio_device (but then all the users of uio need changed) or uio_info could be a refcounted object.
>
> Brian
>
>> Thanks,
>> Guenter
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ