| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200402161650.GB26696@madhuparna-HP-Notebook>
Date: Thu, 2 Apr 2020 21:46:50 +0530
From: Madhuparna Bhowmik <madhuparnabhowmik10@...il.com>
To: Alan Stern <stern@...land.harvard.edu>
Cc: Madhuparna Bhowmik <madhuparnabhowmik10@...il.com>,
gregkh@...uxfoundation.org, hariprasad.kelam@...il.com,
colin.king@...onical.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
andrianov@...ras.ru
Subject: Re: [PATCH] usb: host: u132-hcd: Traverse u132_static_list under
mutex lock in u132_hcd_exit
On Thu, Apr 02, 2020 at 10:18:58AM -0400, Alan Stern wrote:
> On Thu, 2 Apr 2020 madhuparnabhowmik10@...il.com wrote:
>
> > From: Madhuparna Bhowmik <madhuparnabhowmik10@...il.com>
> >
> > The global list u132_static_list is protected by u132_module_lock.
> > Elements are added to this list in the probe function and this list is
> > traversed in u132_hcd_exit() to unregister devices.
> >
> > If probe and exit execute simultaneously there can be a race condition
> > between writing to this list in probe and reading the list in exit as
> > u132_module_lock is not held in exit function.
> >
> > Even though u132_exiting variable is used in probe to detect if the module is
> > exiting, it is ineffective as the probe function may read the value
> > before it is updated in exit and thus leading to a race condition.
> >
> > Therefore, hold u132_module_lock while traversing u132_static_list in
> > exit function.
> >
> > Found by Linux Driver Verification project (linuxtesting.org).
> >
> > Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@...il.com>
> > ---
> > drivers/usb/host/u132-hcd.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c
> > index e9209e3e6248..1cadc4e0c9b2 100644
> > --- a/drivers/usb/host/u132-hcd.c
> > +++ b/drivers/usb/host/u132-hcd.c
> > @@ -3217,10 +3217,10 @@ static void __exit u132_hcd_exit(void)
> > struct u132 *temp;
> > mutex_lock(&u132_module_lock);
> > u132_exiting += 1;
> > - mutex_unlock(&u132_module_lock);
> > list_for_each_entry_safe(u132, temp, &u132_static_list, u132_list) {
> > platform_device_unregister(u132->platform_dev);
> > }
> > + mutex_unlock(&u132_module_lock);
>
> How about just getting rid of this loop entirely, along with the
> u132_static_list? As far as I can see, that list doesn't do anything.
>
Yes, that makes sense. I will send an updated patch soon.
Thank you,
Madhuparna
> Not to mention that this driver has no business calling
> platform_device_unregister() here, since it didn't call
> platform_device_register() in the first place. The call to
> platform_driver_unregister() below should do all the necessary work.
>
> Alan Stern
>
> > platform_driver_unregister(&u132_platform_driver);
> > printk(KERN_INFO "u132-hcd driver deregistered\n");
> > wait_event(u132_hcd_wait, u132_instances == 0);
>
Powered by blists - more mailing lists