lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1f52892e-ca86-33e4-25da-eb0b40f45b04@i2se.com>
Date:   Thu, 30 Dec 2021 22:39:58 +0100
From:   Stefan Wahren <stefan.wahren@...e.com>
To:     Padmanabha Srinivasaiah <treasure4paddy@...il.com>,
        linux-rpi-kernel@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc:     gregkh@...uxfoundation.org, nsaenz@...nel.org,
        Gaston Gonzalez <gascoar@...il.com>,
        Ojaswin Mujoo <ojaswin98@...il.com>,
        Arnd Bergmann <arnd@...db.de>,
        Phil Elwell <phil@...pberrypi.com>,
        bcm-kernel-feedback-list@...adcom.com
Subject: Re: [PATCH v2] staging: vc04_services: Fix RCU dereference check

Hi Padmanabha,

Am 30.12.21 um 15:54 schrieb Padmanabha Srinivasaiah:
> In service_callback path RCU dereferenced pointer struct vchiq_service
> need to be accessed inside rcu read-critical section.
>
> Accessing same with rcu_read_[lock/unlock] fixes the issue.
>
> [   32.201659] =============================
> [   32.201664] WARNING: suspicious RCU usage
> [   32.201670] 5.15.11-rt24-v8+ #3 Not tainted
> [   32.201680] -----------------------------
> [   32.201685] drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.h:529 suspicious rcu_dereference_check() usage!
> [   32.201695]
> [   32.201695] other info that might help us debug this:
> [   32.201695]
> [   32.201700]
> [   32.201700] rcu_scheduler_active = 2, debug_locks = 1
> [   32.201708] no locks held by vchiq-slot/0/98.
> [   32.201715]
> [   32.201715] stack backtrace:
> [   32.201723] CPU: 1 PID: 98 Comm: vchiq-slot/0 Not tainted 5.15.11-rt24-v8+ #3
> [   32.201733] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
> [   32.201739] Call trace:
> [   32.201742]  dump_backtrace+0x0/0x1b8
> [   32.201772]  show_stack+0x20/0x30
> [   32.201784]  dump_stack_lvl+0x8c/0xb8
> [   32.201799]  dump_stack+0x18/0x34
> [   32.201808]  lockdep_rcu_suspicious+0xe4/0xf8
> [   32.201817]  service_callback+0x124/0x400
> [   32.201830]  slot_handler_func+0xf60/0x1e20
> [   32.201839]  kthread+0x19c/0x1a8
> [   32.201849]  ret_from_fork+0x10/0x20
>
> Signed-off-by: Padmanabha Srinivasaiah <treasure4paddy@...il.com>
> ---
> Changes in v2:
> 	RCU dereferenced pointer need to be accessed inside rcu
> read-side critical section.
>
>  .../vc04_services/interface/vchiq_arm/vchiq_arm.c      | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> index 6759a6261500..8ddd400ab2c3 100644
> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> @@ -1053,24 +1053,30 @@ service_callback(enum vchiq_reason reason, struct vchiq_header *header,
>  	struct vchiq_service *service;
>  	struct vchiq_instance *instance;
>  	bool skip_completion = false;
> +	unsigned int localport;
>  
>  	DEBUG_INITIALISE(g_state.local);
>  
>  	DEBUG_TRACE(SERVICE_CALLBACK_LINE);
>  
> +	rcu_read_lock();
>  	service = handle_to_service(handle);
> -	if (WARN_ON(!service))
> +	if (WARN_ON(!service)) {
> +		rcu_read_unlock();
>  		return VCHIQ_SUCCESS;
> +	}
>  
>  	user_service = (struct user_service *)service->base.userdata;

user_service is part of the service struct and it's modification below
in this function is protected by a spinlock ( msg_queue_spinlock ). So i
would expected that all read accesses to user_service before the
spinlock are protected by RCU. After applying this patch there would be
still the check for "user_service->is_vchi" unprotected. But i'm not
sure about this.

Best regards

>  	instance = user_service->instance;
> +	localport = service->localport;
> +	rcu_read_unlock();
>  
>  	if (!instance || instance->closing)
>  		return VCHIQ_SUCCESS;
>  
>  	vchiq_log_trace(vchiq_arm_log_level,
>  			"%s - service %lx(%d,%p), reason %d, header %lx, instance %lx, bulk_userdata %lx",
> -			__func__, (unsigned long)user_service, service->localport,
> +			__func__, (unsigned long)user_service, (int)localport,
>  			user_service->userdata, reason, (unsigned long)header,
>  			(unsigned long)instance, (unsigned long)bulk_userdata);
>  

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ