lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230304074316.736922-1-suweifeng1@huawei.com>
Date:   Sat, 4 Mar 2023 15:43:16 +0800
From:   Su Weifeng <suweifeng1@...wei.com>
To:     <gregkh@...uxfoundation.org>, <mst@...hat.com>
CC:     <linux-kernel@...r.kernel.org>, <shikemeng@...wei.com>,
        <liuzhiqiang26@...wei.com>, <linfeilong@...wei.com>,
        <zhanghongtao22@...wei.com>, Weifeng Su <suweifeng1@...wei.com>
Subject: [PATCH v3] uio:uio_pci_generic:Don't clear master bit when the process does not exit

From: Weifeng Su <suweifeng1@...wei.com>

The /dev/uioX device has concurrent operations in a few scenarios.

For example, when a process is operating the uio0 device, someone executes
like "cat /dev/uio0" command. In this case, the bus master bit is cleared
unconditionally. As a result, the running program cannot work commands
or I/Os, which is usually unaware of. This happens after
865a11f("uio/uio_pci_generic: Disable bus-mastering on release");
The restriction on the process that uses the PCI device is added. The new
process can be used only after the process that uses the PCI device exits.
Otherwise, the system returns a message indicating that the device is busy.

Signed-off-by: Weifeng Su <suweifeng1@...wei.com>
---

Change v2 -> v3:
  The process is restricted from using the PCI device. Before the process 
that uses the PCI device exits, the device returns EBUSY.
After the process exits, the master bit is cleared unconditionally 
to ensure DMA security.

 drivers/uio/uio_pci_generic.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/uio/uio_pci_generic.c b/drivers/uio/uio_pci_generic.c
index e03f9b532..19bf5ead9 100644
--- a/drivers/uio/uio_pci_generic.c
+++ b/drivers/uio/uio_pci_generic.c
@@ -31,6 +31,7 @@
 struct uio_pci_generic_dev {
 	struct uio_info info;
 	struct pci_dev *pdev;
+	atomic_t	refcnt;
 };
 
 static inline struct uio_pci_generic_dev *
@@ -39,10 +40,21 @@ to_uio_pci_generic_dev(struct uio_info *info)
 	return container_of(info, struct uio_pci_generic_dev, info);
 }
 
+static int open(struct uio_info *info, struct inode *inode)
+{
+	struct uio_pci_generic_dev *gdev = to_uio_pci_generic_dev(info);
+
+	if (atomic_add_unless(&gdev->refcnt, 1, 1))
+		return 0;
+	else
+		return -EBUSY;
+}
+
 static int release(struct uio_info *info, struct inode *inode)
 {
 	struct uio_pci_generic_dev *gdev = to_uio_pci_generic_dev(info);
 
+	atomic_dec(&gdev->refcnt);
 	/*
 	 * This driver is insecure when used with devices doing DMA, but some
 	 * people (mis)use it with such devices.
@@ -93,7 +105,9 @@ static int probe(struct pci_dev *pdev,
 	gdev->info.name = "uio_pci_generic";
 	gdev->info.version = DRIVER_VERSION;
 	gdev->info.release = release;
+	gdev->info.open = open;
 	gdev->pdev = pdev;
+	atomic_set(&gdev->refcnt, 0);
 	if (pdev->irq && (pdev->irq != IRQ_NOTCONNECTED)) {
 		gdev->info.irq = pdev->irq;
 		gdev->info.irq_flags = IRQF_SHARED;
-- 
2.33.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ