lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 1 Mar 2023 16:16:01 -0800
From:   Guenter Roeck <linux@...ck-us.net>
To:     Jakob Koschel <jkl820.git@...il.com>
Cc:     Wim Van Sebroeck <wim@...ux-watchdog.org>,
        linux-watchdog@...r.kernel.org, linux-kernel@...r.kernel.org,
        Pietro Borrello <borrello@...g.uniroma1.it>,
        Cristiano Giuffrida <c.giuffrida@...nl>,
        "Bos, H.J." <h.j.bos@...nl>
Subject: Re: [PATCH] watchdog: avoid usage of iterator after loop

On 3/1/23 14:42, Jakob Koschel wrote:
> On 23/03/01 10:31AM, Guenter Roeck wrote:
>> On 3/1/23 09:17, Jakob Koschel wrote:
>>> If potentially no valid element is found, 'p' would contain an invalid
>>> pointer past the iterator loop. To ensure 'p' is valid under any
>>> circumstances, the kfree() should be within the loop body.
>>>
>>> Additionally, Linus proposed to avoid any use of the list iterator
>>> variable after the loop, in the attempt to move the list iterator
>>> variable declaration into the marcro to avoid any potential misuse after
>>
>> macro
>>
>>> the loop [1].
>>>
>>> Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
>>> Signed-off-by: Jakob Koschel <jkl820.git@...il.com>
>>> ---
>>>    drivers/watchdog/watchdog_pretimeout.c | 6 +++---
>>>    1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/watchdog/watchdog_pretimeout.c b/drivers/watchdog/watchdog_pretimeout.c
>>> index 376a495ab80c..d8c78696eaf5 100644
>>> --- a/drivers/watchdog/watchdog_pretimeout.c
>>> +++ b/drivers/watchdog/watchdog_pretimeout.c
>>> @@ -207,10 +207,10 @@ void watchdog_unregister_pretimeout(struct watchdog_device *wdd)
>>>    	list_for_each_entry_safe(p, t, &pretimeout_list, entry) {
>>>    		if (p->wdd == wdd) {
>>>    			list_del(&p->entry);
>>> -			break;
>>> +			spin_unlock_irq(&pretimeout_lock);
>>> +			kfree(p);
>>> +			return;
>>
>> Please just make it
>> 			kfree(p);
>> 			break;
>>
>> There is no need to drop the spinlock here and/or to return
>> directly.
> 
> Ok great, I'll fix that in v2. I wasn't sure if something breaks if 'p' is released if the spinlock is still hold.
> 

Ah, interesting question. Looking into it, I don't think that is a problem.
Just to be sure, I wrote a little coccinelle script to find calls to kfree()
under spinlock_irq() and found several instances.

Guenter

Powered by blists - more mailing lists