Date:   Thu, 31 Mar 2022 10:10:22 +0800
From:   Xiaomeng Tong <xiam0nd.tong@...il.com>
To:     viresh.kumar@...aro.org
Cc:     linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org, nm@...com,
        rafael.j.wysocki@...el.com, sboyd@...nel.org,
        stable@...r.kernel.org, vireshk@...nel.org, xiam0nd.tong@...il.com
Subject: Re: [PATCH] opp: fix a missing check on list iterator

On Mon, 28 Mar 2022 15:09:33 +0530, Viresh Kumar wrote:
> On 28-03-22, 17:13, Xiaomeng Tong wrote:
> > On Mon, 28 Mar 2022 14:20:57 +0530, Viresh Kumar wrote:
> > > On 28-03-22, 15:43, Xiaomeng Tong wrote:
> > > > No. The condition to call opp_migrate_dentry(opp_dev, opp_table); is:
> > > > if (!list_is_singular(&opp_table->dev_list)), 
> > > > 
> > > > while list_is_singular is: !list_empty(head) && (head->next == head->prev);
> > > > 
> > > > so the condition is: list_empty(head) || (head->next != head->prev)
> > > > 
> > > > if the list is empty, the bug can be triggered.
> > > 
> > > List can't be empty here by design. It will be a huge bug in that
> > > case, which should lead to crash somewhere.
> > > 
> > 
> > There is another condition to trigger this bug: the list is not empty and
> > no element found (if (iter != opp_dev)).
> 
> I suggest reading the code again, considering opp_debug_unregister()
> as well.
> 
> What's happening here is this:
> 
> - Several devices share the OPP table.
> - One of them (devX) is going away and opp_debug_unregister() is called for this device.
> - If devX is the last device for this OPP table, then we don't migrate
>   and just release all resources.
> - Otherwise, we migrate it to the next element in the list. i.e. any
>   device which != devX.
> 
> Please tell based on this where do you see a possibility of a bug.
> Surely there can be one, but I fail to see it at the moment and need
> more detail of the same.
> 

Perhaps you are right. Anyway, it is a good choice to use the list iterator
only inside the loop, as Linus suggested [1], to avoid potential risk.
I have also reposted another patch with a changed commit message. Please
check it, thank you.

[1]: https://lore.kernel.org/lkml/20220301075839.4156-1-xiam0nd.tong@gmail.com/

--
Xiaomeng Tong
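
The "use the list iterator only inside the loop" pattern mentioned in this message, as an added userspace example that is not code from the thread or from the kernel tree. The list helpers are simplified stand-ins (`for_each_entry` takes an explicit type, unlike the kernel macro), and `dev_entry` and `pick_other` are hypothetical names.

```c
#include <stddef.h>

/* Simplified userspace stand-ins for the kernel list helpers (assumption). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define for_each_entry(pos, head, type, member)                 \
    for (pos = container_of((head)->next, type, member);        \
         &pos->member != (head);                                \
         pos = container_of(pos->member.next, type, member))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Hypothetical entry type standing in for a per-device list node. */
struct dev_entry { int id; struct list_head node; };

/* Return any entry other than `leaving`, or NULL if there is none.
 * `iter` is read only inside the loop body; the result leaves via `found`. */
static struct dev_entry *pick_other(struct list_head *head,
                                    const struct dev_entry *leaving)
{
    struct dev_entry *iter, *found = NULL;

    for_each_entry(iter, head, struct dev_entry, node) {
        if (iter != leaving) {
            found = iter;
            break;
        }
    }
    /* After a full pass `iter` is container_of(head, ...), not a real
     * entry, so callers test the returned pointer and never `iter`. */
    return found;
}

int main(void)
{
    struct list_head head;
    struct dev_entry a = { 1, { 0 } }, b = { 2, { 0 } }; /* constructed sample */
    list_init(&head);
    list_add_tail(&a.node, &head);
    if (pick_other(&head, &a) != NULL) return 1; /* singular: nothing to pick */
    list_add_tail(&b.node, &head);
    return pick_other(&head, &a) == &b ? 0 : 1;
}
```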
