lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <617c5fc1-ecc5-c825-ecb9-eeae2b637dfd@fb.com>
Date:	Wed, 27 Jul 2016 18:04:12 -0700
From:	Calvin Owens <calvinowens@...com>
To:	"James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@...cle.com>
CC:	<linux-scsi@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ses: Fix racy cleanup of /sys in remove_dev()

On 06/15/2016 01:24 PM, Calvin Owens wrote:
> On Thursday 06/02 at 15:50 -0700, Calvin Owens wrote:
>> On 05/13/2016 01:28 PM, Calvin Owens wrote:
>>> Currently we free the resources backing the enclosure device before we
>>> call device_unregister(). This is racy: during rmmod of low-level SCSI
>>> drivers that hook into enclosure, we end up with a small window of time
>>> during which writing to /sys can OOPS. Example trace with mpt3sas:
>>
>> Ping?
>
> Any thoughts? Squinting at this more it still seems racy, but a narrow race
> is surely better than just blatantly freeing everything while the file is
> still exposed in /sys? Is there a better way you'd prefer I accomplish this?
>
> (I have boxes that OOPS all the time from monitoring code reading the /sys
> files, with this patch I haven't seen a single one.)
>
> Thanks,
> Calvin

Ping? Thoughts, comments?

>>>    general protection fault: 0000 [#1] SMP KASAN
>>>    Modules linked in: mpt3sas(-) <...>
>>>    RIP: [<ffffffffa0388a98>] ses_get_page2_descriptor.isra.6+0x38/0x220 [ses]
>>>    Call Trace:
>>>     [<ffffffffa0389d14>] ses_set_fault+0xf4/0x400 [ses]
>>>     [<ffffffffa0361069>] set_component_fault+0xa9/0xf0 [enclosure]
>>>     [<ffffffff8205bffc>] dev_attr_store+0x3c/0x70
>>>     [<ffffffff81677df5>] sysfs_kf_write+0x115/0x180
>>>     [<ffffffff81675725>] kernfs_fop_write+0x275/0x3a0
>>>     [<ffffffff8151f810>] __vfs_write+0xe0/0x3e0
>>>     [<ffffffff8152281f>] vfs_write+0x13f/0x4a0
>>>     [<ffffffff81526731>] SyS_write+0x111/0x230
>>>     [<ffffffff828b401b>] entry_SYSCALL_64_fastpath+0x13/0x94
>>>
>>> Fortunately the solution is extremely simple: call device_unregister()
>>> before we free the resources, and the race no longer exists. The driver
>>> core holds a reference over ->remove_dev(), so AFAICT this is safe.
>>>
>>> Signed-off-by: Calvin Owens <calvinowens@...com>
>>> ---
>>>   drivers/scsi/ses.c | 3 ++-
>>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
>>> index 53ef1cb..0e8601a 100644
>>> --- a/drivers/scsi/ses.c
>>> +++ b/drivers/scsi/ses.c
>>> @@ -778,6 +778,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>>>   	if (!edev)
>>>   		return;
>>>
>>> +	enclosure_unregister(edev);
>>> +
>>>   	ses_dev = edev->scratch;
>>>   	edev->scratch = NULL;
>>>
>>> @@ -789,7 +791,6 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>>>   	kfree(edev->component[0].scratch);
>>>
>>>   	put_device(&edev->edev);
>>> -	enclosure_unregister(edev);
>>>   }
>>>
>>>   static void ses_intf_remove(struct device *cdev,
>>>
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ