Message-ID: <20220328093933.xa37n4dmq6o6tpel@vireshk-i7>
Date:   Mon, 28 Mar 2022 15:09:33 +0530
From:   Viresh Kumar <viresh.kumar@...aro.org>
To:     Xiaomeng Tong <xiam0nd.tong@...il.com>
Cc:     linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org, nm@...com,
        rafael.j.wysocki@...el.com, sboyd@...nel.org,
        stable@...r.kernel.org, vireshk@...nel.org
Subject: Re: [PATCH] opp: fix a missing check on list iterator

On 28-03-22, 17:13, Xiaomeng Tong wrote:
> On Mon, 28 Mar 2022 14:20:57 +0530, Viresh Kumar wrote:
> > On 28-03-22, 15:43, Xiaomeng Tong wrote:
> > > No. The condition to call opp_migrate_dentry(opp_dev, opp_table); is:
> > > if (!list_is_singular(&opp_table->dev_list)),
> > > 
> > > while list_is_singular is: !list_empty(head) && (head->next == head->prev);
> > > 
> > > so the condition is: list_empty(head) || (head->next != head->prev)
> > > 
> > > if the list is empty, the bug can be triggered.
> > 
> > List can't be empty here by design. It will be a huge bug in that
> > case, which should lead to crash somewhere.
> > 
> 
> There is another condition to trigger this bug: the list is not empty and
> no element found (if (iter != opp_dev)).

I suggest reading the code again, considering opp_debug_unregister()
as well.

What's happening here is this:

- Several devices share the OPP table.
- One of them (devX) is going away and opp_debug_unregister() is called for this device.
- If devX is the last device for this OPP table, then we don't migrate
  and just release all resources.
- Otherwise, we migrate it to the next element in the list. i.e. any
  device which != devX.

Please tell based on this where do you see a possibility of a bug.
Surely there can be one, but I fail to see it at the moment and need
more detail of the same.

Thanks Xiaomeng.

-- 
viresh
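
The list conditions debated in this thread, as an added userspace example that is not part of the original message and is not the kernel's OPP code. `struct dev_entry`, `pick_other()` and `unregister_target()` are hypothetical names; only the `list_is_singular()` definition is taken from the quoted text. The lookup keeps its result in a separate pointer and returns NULL when no other entry exists.

```c
#include <stddef.h>

/* Minimal userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

static int list_empty(const struct list_head *h) { return h->next == h; }

/* Same definition as quoted in the thread. */
static int list_is_singular(const struct list_head *h)
{
    return !list_empty(h) && (h->next == h->prev);
}

/* Hypothetical stand-in for one device entry on a shared table's list. */
struct dev_entry { int id; struct list_head node; };

#define entry_of(p) ((struct dev_entry *)((char *)(p) - offsetof(struct dev_entry, node)))

/*
 * Return the first entry that is not `leaving`, or NULL when none exists.
 * The result lives in a separate pointer, so the cursor is never
 * dereferenced after the walk has wrapped around to the list head.
 */
static struct dev_entry *pick_other(struct list_head *head, const struct dev_entry *leaving)
{
    struct list_head *pos;
    for (pos = head->next; pos != head; pos = pos->next)
        if (entry_of(pos) != leaving)
            return entry_of(pos);
    return NULL;
}

/* Returns the id to migrate to, 0 for "last device, release", -1 for "none found". */
static int unregister_target(struct list_head *head, struct dev_entry *leaving)
{
    struct dev_entry *other;
    if (list_is_singular(head))
        return 0;
    other = pick_other(head, leaving);
    return other ? other->id : -1;
}
```

An empty list is not singular, so it takes the migrate branch here and yields -1 instead of a pointer computed from the list head.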
