| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jan 2016 14:35:16 +0800
From: Pan Xinhui <xinhui.pan@...ux.vnet.ibm.com>
To: xinhui <mnipxh@....com>,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>,
"yanmin_zhang@...ux.intel.com" <yanmin_zhang@...ux.intel.com>
Subject: Re: [PATCH resend ] tty/n_gsm.c: use gsm->num to remove mux itself
from gsm_mux[]
Hi, Alan
thanks for your reply :)
On 2015/12/18 21:17, xinhui wrote:
> hi, Alan
> this is xinhui. My eyes got badly hurt, and i am ooo this whole week and next coming week. sorry for late responce.
> I just review the codes in my mind. gsm ioctl callback might change gsm->num, so you are right.
> i still have many confusion. but tears came out several times:( when i am back, i will reply you again.
>
> thx
> xinhui
>
>
>
> On 2015-12-14 23:40 , One Thousand Gnomes Wrote:
>
> On Mon, 14 Dec 2015 15:08:03 +0800
> Pan Xinhui <xinhui.pan@...ux.vnet.ibm.com> wrote:
>
>> From: Pan Xinhui <xinhui.pan@...ux.vnet.ibm.com>
>>
>> There is one filed gsm->num to store mux's index of gsm_mux[]. So use
>> gsm->num to remove itself from gsm_mux[] instead of the for-loop
>> traverse in gsm_cleanup_mux().
>>
>> Signed-off-by: Pan Xinhui <xinhui.pan@...ux.vnet.ibm.com>
>> ---
>> drivers/tty/n_gsm.c | 14 +++++---------
>> 1 files changed, 5 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
>> index 9aff371..cf28054 100644
>> --- a/drivers/tty/n_gsm.c
>> +++ b/drivers/tty/n_gsm.c
>> @@ -2037,18 +2037,14 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm)
>>
>> gsm->dead = 1;
>>
>> - spin_lock(&gsm_mux_lock);
>> - for (i = 0; i < MAX_MUX; i++) {
>> - if (gsm_mux[i] == gsm) {
>> - gsm_mux[i] = NULL;
>> - break;
>> - }
>> - }
>> - spin_unlock(&gsm_mux_lock);
>> /* open failed before registering => nothing to do */
>> - if (i == MAX_MUX)
>> + if (gsm_mux[gsm->num] != gsm)
>> return;
>>
>> + spin_lock(&gsm_mux_lock);
>> + gsm_mux[gsm->num] = NULL;
>> + spin_unlock(&gsm_mux_lock);
>
> Its a highly theoretical and probably impossible corner case but I can't
> help thinking the lock should be held for the if () as well as NULLing
> this out.
>
yes, gsm_mux[] must be touched with gsm_mux_lock held.
I am still wondering if it's possible that two gsm_cleanup_mux() run on the same mux.
seems gsmld_config() -> gsm_cleanup_mux() might have race with gsmld_detach_gsm() -> gsm_cleanup_mux().
what's more, we need make sure gsm_mux[gsm->num] == gsm, as if there is a new mux put into gsm_mux[], we might NULL this new mux out.
here is one possible race.
CPUA CPUB CPUC
in cleanup() in cleanup() in activate()
if (gsm_mux[gsm->num] != gsm) if (gsm_mux[gsm->num] != gsm)
.. ...
spin_lock(&gsm_mux_lock);
gsm_mux[gsm->num] = NULL;
spin_unlock(&gsm_mux_lock);
spin_lock(&gsm_mux_lock);
...
gsm->num = i;
gsm_mux[i] = gsm;
...
spin_unlock(&gsm_mux_lock);
spin_lock(&gsm_mux_lock);
gsm_mux[gsm->num] = NULL;//this NULLing might cause BUGS!!
spin_unlock(&gsm_mux_lock);
I will send out patch V2 to avoid any possible race.
thanks for pointing it out.
thanks
xinhui
> Alan
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists