lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 4 Jan 2023 09:28:13 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Deepak R Varma <drv@...lo.com>
Cc:     Jiri Slaby <jirislaby@...nel.org>,
        "Maciej W. Rozycki" <macro@...am.me.uk>,
        linux-serial@...r.kernel.org, linux-kernel@...r.kernel.org,
        Saurabh Singh Sengar <ssengar@...rosoft.com>,
        Praveen Kumar <kumarpraveen@...ux.microsoft.com>
Subject: Re: [PATCH v4 1/2] tty: serial: dz: convert atomic_* to refcount_*
 APIs for map_guard

On Tue, Jan 03, 2023 at 03:35:15PM +0530, Deepak R Varma wrote:
> On Tue, Jan 03, 2023 at 09:59:52AM +0100, Jiri Slaby wrote:
> > On 26. 12. 22, 7:21, Deepak R Varma wrote:
> > > The refcount_* APIs are designed to address known issues with the
> > > atomic_t APIs for reference counting. They provide following distinct
> > > advantages
> > >     - protect the reference counters from overflow/underflow
> > >     - avoid use-after-free errors
> > >     - provide improved memory ordering guarantee schemes
> > >     - neater and safer.
> >
> > Really? (see below)
> >
> > > --- a/drivers/tty/serial/dz.c
> > > +++ b/drivers/tty/serial/dz.c
> > ...
> > > @@ -687,23 +686,19 @@ static int dz_map_port(struct uart_port *uport)
> > >   static int dz_request_port(struct uart_port *uport)
> > >   {
> > >   	struct dz_mux *mux = to_dport(uport)->mux;
> > > -	int map_guard;
> > >   	int ret;
> > >
> > > -	map_guard = atomic_add_return(1, &mux->map_guard);
> > > -	if (map_guard == 1) {
> > > -		if (!request_mem_region(uport->mapbase, dec_kn_slot_size,
> > > -					"dz")) {
> > > -			atomic_add(-1, &mux->map_guard);
> > > -			printk(KERN_ERR
> > > -			       "dz: Unable to reserve MMIO resource\n");
> > > +	refcount_inc(&mux->map_guard);
> > > +	if (refcount_read(&mux->map_guard) == 1) {
> >
> > This is now racy, right?
> 
> Hello Jiri,
> Thank you for the feedback. You are correct. I have split a single instruction
> in two (or more?) instructions potentially resulting in race conditions. I
> looked through the refcount_* APIs but did not find a direct match.
> 
> 
> Can you please comment if the the following variation will avoid race condition?
> 
> 	if (!refcount_add_not_zero(1, &mux->map_guard)) {
> 		refcount_inc(&mux->map_guard);
> 		...
> 	}

What do you think?  The onus is on you to prove the conversion is
correct, otherwise, why do the conversion at all?

Actually, why do this at all, what is the goal here?  And how was this
tested?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ