lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Wed, 6 May 2020 18:30:48 +0200
From:   Ulf Hansson <ulf.hansson@...aro.org>
To:     "yanxiaoyong5@...il.com" <yanxiaoyong5@...il.com>
Cc:     Raul Rangel <rrangel@...omium.org>,
        Avri Altman <avri.altman@....com>,
        kstewart <kstewart@...uxfoundation.org>,
        tglx <tglx@...utronix.de>, linux-mmc <linux-mmc@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Re: [PATCH] mmc/core:fix mmc_sd_hw_reset oops mmc_sd_hw_reset
 function may be oops if the ejection of sd and the reset of sd simultaneously occur

On Fri, 1 May 2020 at 19:18, yanxiaoyong5@...il.com
<yanxiaoyong5@...il.com> wrote:
>
>  it is a race condition,the situation as follows:
>         a                                                                           b
>  mmc_rescan
>      mmc_sd_detect
>           mmc_get_card
>               __mmc_reclaim_host
>           card is not present                                       __mmc_reclaim_host
>           mmc_put_card                                                 wait a __mmc_release_host
>               __mmc_release_host
>                     set b TASK_RUNNING
>           mmc_sd_remove

mmc_sd_remove() calls mmc_remove_card(), which calls device_del() on
the corresponding card->dev.

That leads to ->remove() callback gets invoked for card->dev (see
mmc_blk_remove()), which ideally should clean up everything mmc block
device related. In other words, beyond this point there should be no
thread/user that can call mmc_hw_reset() (which invokes
mmc_sd_hw_reset().

>                host->card =NULL
>                                                                                (b starts to run)
>                                                                                mmc_sd_hw_reset
>                                                                                    finds host->cards is NULL,then oops

So, from the above reasoning I need to ask, have you really seen the
NULL pointer exception happening? (then we need to look more closely
at mmc_blk_remove()) Or do you think there is a problem from a
code-inspection point of view?

Kind regards
Uffe

Powered by blists - more mailing lists