| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210423122308.3883b9e7@coco.lan>
Date: Fri, 23 Apr 2021 12:23:08 +0200
From: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
To: Julia Lawall <julia.lawall@...ia.fr>
Cc: Krzysztof Kozlowski <krzysztof.kozlowski@...onical.com>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org,
"Rafael J. Wysocki" <rjw@...ysocki.net>
Subject: Re: [PATCH 009/190] Revert "media: s5p-mfc: Fix a reference count
leak"
Em Fri, 23 Apr 2021 11:42:55 +0200
Mauro Carvalho Chehab <mchehab+huawei@...nel.org> escreveu:
> (adding c/c to Rafael)
>
> Em Fri, 23 Apr 2021 10:41:32 +0200 (CEST)
> Julia Lawall <julia.lawall@...ia.fr> escreveu:
>
> > On Fri, 23 Apr 2021, Krzysztof Kozlowski wrote:
> >
> > > On 23/04/2021 10:10, Hans Verkuil wrote:
> > > > On 23/04/2021 10:07, Mauro Carvalho Chehab wrote:
> > > >> Em Fri, 23 Apr 2021 09:10:32 +0200
> > > >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> escreveu:
> > > >>
> > > >>> On Fri, Apr 23, 2021 at 09:04:27AM +0200, Krzysztof Kozlowski wrote:
> > > >>>> On 21/04/2021 14:58, Greg Kroah-Hartman wrote:
> > > >>>>> This reverts commit 78741ce98c2e36188e2343434406b0e0bc50b0e7.
> > > >>>>>
> > > >>>>> Commits from @umn.edu addresses have been found to be submitted in "bad
> > > >>>>> faith" to try to test the kernel community's ability to review "known
> > > >>>>> malicious" changes. The result of these submissions can be found in a
> > > >>>>> paper published at the 42nd IEEE Symposium on Security and Privacy
> > > >>>>> entitled, "Open Source Insecurity: Stealthily Introducing
> > > >>>>> Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> > > >>>>> of Minnesota) and Kangjie Lu (University of Minnesota).
> > > >>>>>
> > > >>>>> Because of this, all submissions from this group must be reverted from
> > > >>>>> the kernel tree and will need to be re-reviewed again to determine if
> > > >>>>> they actually are a valid fix. Until that work is complete, remove this
> > > >>>>> change to ensure that no problems are being introduced into the
> > > >>>>> codebase.
> > > >>>>>
> > > >>>>> Cc: Qiushi Wu <wu000273@....edu>
> > > >>>>> Cc: Hans Verkuil <hverkuil-cisco@...all.nl>
> > > >>>>> Cc: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
> > > >>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > > >>>>> ---
> > > >>>>> drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +---
> > > >>>>> 1 file changed, 1 insertion(+), 3 deletions(-)
> > > >>>>>
> > > >>>>
> > > >>>> This looks like a good commit but should be done now in a different way
> > > >>>> - using pm_runtime_resume_and_get(). Therefore I am fine with revert
> > > >>>> and I can submit later better fix.
> > > >>>
> > > >>> Great, thanks for letting me know, I can have someone work on the
> > > >>> "better fix" at the same time.
> > > >>
> > > >> IMO, it is better to keep the fix. I mean, there's no reason to
> > > >> revert a fix that it is known to be good.
> > > >>
> > > >> The "better fix" patch can be produced anytime. A simple coccinelle
> > > >> ruleset can replace patterns like:
> > > >>
> > > >> ret = pm_runtime_get_sync(pm->device);
> > > >> if (ret < 0) {
> > > >> pm_runtime_put_noidle(pm->device);
> > > >> return ret;
> > > >> }
> > > >>
> > > >> and the broken pattern:
> > > >>
> > > >> ret = pm_runtime_get_sync(pm->device);
> > > >> if (ret < 0)
> > > >> return ret;
> > > >>
> > > >> to:
> > > >>
> > > >> ret = pm_runtime_resume_and_get(pm->device);
> > > >> if (ret < 0)
> > > >> return ret;
> > > >
> > > > That's my preference as well.
> > >
> > > It won't be that easy because sometimes the error handling is via goto
> > > (like in other patches here) but anyway I don't mind keeping the
> > > original commits.
> >
> > I tried the following semantic patch:
> >
> > @@
> > expression ret,e;
> > @@
> >
> > - ret = pm_runtime_get_sync(e);
> > + ret = pm_resume_and_get(e);
> > if (ret < 0) {
> > ...
> > ?- pm_runtime_put_noidle(e);
> > ...
> > return ret;
> > }
> >
> > It has the following features:
> >
> > * The ? means that if pm_runtime_put_noidle is absent, the transformation
> > will happen anyway.
> >
> > * The ... before the return means that the matching will jump over a goto.
> >
> > It makes a lot of changes (in a kernel I had handy from March).
>
> I would expect lots of changes, as the pm_runtime_resume_and_get() was only
> recently introduced on this changeset:
>
> commit dd8088d5a8969dc2b42f71d7bc01c25c61a78066
> Author: Zhang Qilong <zhangqilong3@...wei.com>
> Date: Tue Nov 10 17:29:32 2020 +0800
>
> PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter
>
> In many case, we need to check return value of pm_runtime_get_sync, but
> it brings a trouble to the usage counter processing. Many callers forget
> to decrease the usage counter when it failed, which could resulted in
> reference leak. It has been discussed a lot[0][1]. So we add a function
> to deal with the usage counter for better coding.
>
> [0]https://lkml.org/lkml/2020/6/14/88
> [1]https://patchwork.ozlabs.org/project/linux-tegra/list/?series=178139
> Signed-off-by: Zhang Qilong <zhangqilong3@...wei.com>
> Acked-by: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
> Signed-off-by: Jakub Kicinski <kuba@...nel.org>
>
> > This is a
> > complicated API, however, and I don't know if there are any other issues
> > to take into account, especially in the case where the call to
> > pm_runtime_put_noidle is not present.
>
> I double-checked the code, despite its name, pm_runtime_put_noidle() just
> changes the refcount. See, the relevant code is here:
>
> static inline void pm_runtime_put_noidle(struct device *dev)
> {
> atomic_add_unless(&dev->power.usage_count, -1, 0);
> }
>
> static inline int pm_runtime_get_sync(struct device *dev)
> {
> return __pm_runtime_resume(dev, RPM_GET_PUT);
> }
>
> int __pm_runtime_resume(struct device *dev, int rpmflags)
> {
> unsigned long flags;
> int retval;
>
> might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe &&
> dev->power.runtime_status != RPM_ACTIVE);
>
> if (rpmflags & RPM_GET_PUT)
> atomic_inc(&dev->power.usage_count);
>
> spin_lock_irqsave(&dev->power.lock, flags);
> retval = rpm_resume(dev, rpmflags);
> spin_unlock_irqrestore(&dev->power.lock, flags);
>
> return retval;
> }
>
> Not being an expert at the PM runtime API, at least on my eyes,
> replacing pm_runtime_get_sync() by pm_runtime_resume_and_get()
> seems to be the right thing to do, but Rafael should know more.
The cocci recipe made some wrong error check logic on some drivers,
like, for instance: drivers/media/i2c/mt9m001.c.
On such drivers, the logic is like:
ret = pm_runtime_resume_get_sync(&client->dev);
if (ret < 0)
goto put_unlock;
ret = mt9m001_apply_selection(sd);
if (ret)
goto put_unlock;
...
put_unlock:
pm_runtime_put(&client->dev);
mutex_unlock(&mt9m001->mutex);
On those cases where there are gotos to a logic with either
pm_runtime_put() or pm_runtime_put_no_idle(), the coccinelle
receipt should probably ignore it.
Thanks,
Mauro
Powered by blists - more mailing lists