| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Oct 2020 11:27:29 -0700
From: Kees Cook <keescook@...omium.org>
To: Shuah Khan <skhan@...uxfoundation.org>
Cc: arnd@...db.de, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 10/11] drivers/misc/vmw_vmci: convert num guest
devices counter to counter_atomic32
On Tue, Oct 06, 2020 at 02:44:41PM -0600, Shuah Khan wrote:
> counter_atomic* is introduced to be used when a variable is used as
> a simple counter and doesn't guard object lifetimes. This clearly
> differentiates atomic_t usages that guard object lifetimes.
>
> counter_atomic* variables will wrap around to 0 when it overflows and
> should not be used to guard resource lifetimes, device usage and
> open counts that control state changes, and pm states.
>
> atomic_t variable used to count number of vmci guest devices is used
> as just as counter and it doesn't control object lifetimes or state
> management. Overflow doesn't appear to be problem for this use.
>
> Convert it to use counter_atomic32.
>
> This conversion doesn't change the overflow wrap around behavior.
>
> Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Signed-off-by: Shuah Khan <skhan@...uxfoundation.org>
I'm not convinced this isn't both managing lifetime and already buggy.
Specifically, I'm looking at how vmci_guest_code_active() is used --
it's being tested before making calls? Is this safe?
> ---
> drivers/misc/vmw_vmci/vmci_guest.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/misc/vmw_vmci/vmci_guest.c b/drivers/misc/vmw_vmci/vmci_guest.c
> index cc8eeb361fcd..86ae27b05fc2 100644
> --- a/drivers/misc/vmw_vmci/vmci_guest.c
> +++ b/drivers/misc/vmw_vmci/vmci_guest.c
> @@ -20,6 +20,7 @@
> #include <linux/smp.h>
> #include <linux/io.h>
> #include <linux/vmalloc.h>
> +#include <linux/counters.h>
>
> #include "vmci_datagram.h"
> #include "vmci_doorbell.h"
> @@ -68,11 +69,11 @@ struct pci_dev *vmci_pdev;
> static struct vmci_guest_device *vmci_dev_g;
> static DEFINE_SPINLOCK(vmci_dev_spinlock);
>
> -static atomic_t vmci_num_guest_devices = ATOMIC_INIT(0);
> +static struct counter_atomic32 vmci_num_guest_devices = COUNTER_ATOMIC_INIT(0);
>
> bool vmci_guest_code_active(void)
> {
> - return atomic_read(&vmci_num_guest_devices) != 0;
> + return counter_atomic32_read(&vmci_num_guest_devices) != 0;
Shouldn't this be "> 0" ?
> }
>
> u32 vmci_get_vm_context_id(void)
> @@ -624,7 +625,7 @@ static int vmci_guest_probe_device(struct pci_dev *pdev,
>
> dev_dbg(&pdev->dev, "Registered device\n");
>
> - atomic_inc(&vmci_num_guest_devices);
> + counter_atomic32_inc(&vmci_num_guest_devices);
>
> /* Enable specific interrupt bits. */
> cmd = VMCI_IMR_DATAGRAM;
> @@ -684,7 +685,7 @@ static void vmci_guest_remove_device(struct pci_dev *pdev)
>
> dev_dbg(&pdev->dev, "Removing device\n");
>
> - atomic_dec(&vmci_num_guest_devices);
> + counter_atomic32_dec(&vmci_num_guest_devices);
If there is a bug elsewhere and vmci_guest_remove_device() (or probe)
gets called too many times, shouldn't we protect the rest of this stack
from having vmci_num_guest_devices go negative (and therefore non-zero)?
This really seems like it should be refcount_t to me, though I have no
idea what the races between the dec() and the read() might mean in this
code generally.
--
Kees Cook
Powered by blists - more mailing lists