lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220217205147.35586-1-davispuh@gmail.com>
Date:   Thu, 17 Feb 2022 22:51:47 +0200
From:   Dāvis Mosāns <davispuh@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     Vinod Koul <vkoul@...nel.org>,
        Dāvis Mosāns <davispuh@...il.com>
Subject: [PATCH] dmaengine: fix dma_issue_pending_all to work with async channel removal

dma channels can be removed asynchronously while we iterate over them so fix that.

Without this fix we would dereference null pointer when dma_issue_pending_all
is invoked while some different device is being unloaded.

kernel: BUG: kernel NULL pointer dereference, address: 0000000000000018
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
kernel: RIP: 0010:dma_issue_pending_all (drivers/dma/dmaengine.c:562)
All code
========
   0:   48 8b 45 20             mov    0x20(%rbp),%rax
   4:   48 8d 68 e0             lea    -0x20(%rax),%rbp
   8:   48 3d 60 36 35 bc       cmp    $0xffffffffbc353660,%rax
   e:   74 4d                   je     0x5d
  10:   48 8b 45 48             mov    0x48(%rbp),%rax
  14:   f6 c4 02                test   $0x2,%ah
  17:   75 e7                   jne    0x0
  19:   48 8b 45 10             mov    0x10(%rbp),%rax
  1d:   4c 8d 65 10             lea    0x10(%rbp),%r12
  21:   48 8d 58 c8             lea    -0x38(%rax),%rbx
  25:   49 39 c4                cmp    %rax,%r12
  28:   74 d6                   je     0x0
  2a:*  8b 43 50                mov    0x50(%rbx),%eax          <-- trapping instruction
  2d:   85 c0                   test   %eax,%eax
  2f:   74 0f                   je     0x40
  31:   48 8b 85 88 01 00 00    mov    0x188(%rbp),%rax
  38:   48 89 df                mov    %rbx,%rdi
  3b:   0f ae e8                lfence
  3e:   ff d0                   call   *%rax

kernel: RSP: 0018:ffffbc5004897de8 EFLAGS: 00010282
kernel: RAX: 0000000000000000 RBX: ffffffffffffffc8 RCX: 0000000000000000
kernel: RDX: ffff9c2300e36a28 RSI: 0000000000000202 RDI: ffff9c2300e36a10
kernel: RBP: ffff9c24473a3970 R08: 0000000000000001 R09: 0000000000000000
kernel: R10: ffff9c23ab165ea9 R11: 0000000000000000 R12: ffff9c24473a3980
kernel: R13: ffff9c2367bca000 R14: ffff9c23112ae000 R15: 0000000000000000
kernel: FS:  0000000000000000(0000) GS:ffff9c2a5d500000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000018 CR3: 0000000700d0a000 CR4: 00000000003506e0
kernel: Call Trace:
kernel:  <TASK>
kernel: raid5d (drivers/md/raid5.c:6563) raid456
kernel: ? schedule (arch/x86/include/asm/preempt.h:85 (discriminator 1) kernel/sched/core.c:6370 (discriminator 1))
kernel: md_thread (drivers/md/md.c:7923) md_mod
kernel: ? do_wait_intr (kernel/sched/wait.c:415)
kernel: ? md_submit_bio (drivers/md/md.c:7887) md_mod
kernel: kthread (kernel/kthread.c:377)
kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
kernel:  </TASK>

Signed-off-by: Dāvis Mosāns <davispuh@...il.com>
---
 drivers/dma/dmaengine.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 2cfa8458b51b..9465dc89b945 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -553,13 +553,13 @@ EXPORT_SYMBOL(dma_find_channel);
 void dma_issue_pending_all(void)
 {
 	struct dma_device *device;
-	struct dma_chan *chan;
+	struct dma_chan *chan, *n;
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(device, &dma_device_list, global_node) {
 		if (dma_has_cap(DMA_PRIVATE, device->cap_mask))
 			continue;
-		list_for_each_entry(chan, &device->channels, device_node)
+		list_for_each_entry_safe(chan, n, &device->channels, device_node)
 			if (chan->client_count)
 				device->device_issue_pending(chan);
 	}
-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ