lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0bfd847b-c70e-8299-8e75-d9d1491c91fa@wanadoo.fr>
Date:   Fri, 12 Nov 2021 18:05:06 +0100
From:   Christophe JAILLET <christophe.jaillet@...adoo.fr>
To:     Ioanna Alifieraki <ioanna-maria.alifieraki@...onical.com>,
        linux-kernel@...r.kernel.org,
        openipmi-developer@...ts.sourceforge.net, minyard@....org,
        ioanna.alifieraki@...il.com
Subject: Re: [PATCH] ipmi: Move remove_work to dedicated workqueue

Le 12/11/2021 à 17:54, Ioanna Alifieraki a écrit :
> Currently when removing an ipmi_user the removal is deferred as a work on
> the system's workqueue. Although this guarantees the free operation will
> occur in non atomic context, it can race with the ipmi_msghandler module
> removal (see [1]) . In case a remove_user work is scheduled for removal
> and shortly after ipmi_msghandler module is removed we can end up in a
> situation where the module is removed fist and when the work is executed
> the system crashes with :
> BUG: unable to handle page fault for address: ffffffffc05c3450
> PF: supervisor instruction fetch in kernel mode
> PF: error_code(0x0010) - not-present page
> because the pages of the module are gone. In cleanup_ipmi() there is no
> easy way to detect if there are any pending works to flush them before
> removing the module. This patch creates a separate workqueue and schedules
> the remove_work works on it. When removing the module the workqueue is
> flushed to avoid the race.
> 
> [1] https://bugs.launchpad.net/bugs/1950666
> 
> Cc: stable@...r.kernel.org
> Fixes: 3b9a907223d7 (ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier)
> Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@...onical.com>
> ---
>   drivers/char/ipmi/ipmi_msghandler.c | 9 ++++++++-
>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
> index deed355422f4..9e0ad2ccd3e0 100644
> --- a/drivers/char/ipmi/ipmi_msghandler.c
> +++ b/drivers/char/ipmi/ipmi_msghandler.c
> @@ -191,6 +191,8 @@ struct ipmi_user {
>   	struct work_struct remove_work;
>   };
>   
> +struct workqueue_struct *remove_work_wq;
> +
>   static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index)
>   	__acquires(user->release_barrier)
>   {
> @@ -1297,7 +1299,7 @@ static void free_user(struct kref *ref)
>   	struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount);
>   
>   	/* SRCU cleanup must happen in task context. */
> -	schedule_work(&user->remove_work);
> +	queue_work(remove_work_wq, &user->remove_work);
>   }
>   
>   static void _ipmi_destroy_user(struct ipmi_user *user)
> @@ -5383,6 +5385,8 @@ static int ipmi_init_msghandler(void)
>   
>   	atomic_notifier_chain_register(&panic_notifier_list, &panic_block);
>   
> +	remove_work_wq = create_singlethread_workqueue("ipmi-msghandler-remove-wq");
> +
>   	initialized = true;
>   
>   out:
> @@ -5408,6 +5412,9 @@ static void __exit cleanup_ipmi(void)
>   	int count;
>   
>   	if (initialized) {
> +		flush_workqueue(remove_work_wq);
> +		destroy_workqueue(remove_work_wq);
> +

Hi,

there is no need to call 'flush_workqueue()' before 'destroy_workqueue()'.
'destroy_workqueue()' already drains the queue before destroying it, so
there is no need to flush it explicitly.

Just my 2c.

CJ

>   		atomic_notifier_chain_unregister(&panic_notifier_list,
>   						 &panic_block);
>   
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ