lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZD5tG45rXLemtkrX@fedora>
Date:   Tue, 18 Apr 2023 06:12:43 -0400
From:   William Breathitt Gray <william.gray@...aro.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
        Jonathan Cameron <jic23@...nel.org>, stable@...r.kernel.org
Subject: Re: [RESEND PATCH 5.15 v3 5/5] counter: 104-quad-8: Fix race
 condition between FLAG and CNTR reads

On Tue, Apr 18, 2023 at 11:41:29AM +0200, Greg Kroah-Hartman wrote:
> On Mon, Apr 17, 2023 at 09:40:52AM -0400, William Breathitt Gray wrote:
> > On Tue, Apr 11, 2023 at 11:52:20AM -0400, William Breathitt Gray wrote:
> > > commit 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed upstream.
> > > 
> > > The Counter (CNTR) register is 24 bits wide, but we can have an
> > > effective 25-bit count value by setting bit 24 to the XOR of the Borrow
> > > flag and Carry flag. The flags can be read from the FLAG register, but a
> > > race condition exists: the Borrow flag and Carry flag are instantaneous
> > > and could change by the time the count value is read from the CNTR
> > > register.
> > > 
> > > Since the race condition could result in an incorrect 25-bit count
> > > value, remove support for 25-bit count values from this driver.
> > > 
> > > Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8")
> > > Cc: <stable@...r.kernel.org> # 5.15.x
> > > Signed-off-by: William Breathitt Gray <william.gray@...aro.org>
> > > ---
> > >  drivers/counter/104-quad-8.c | 18 +++---------------
> > >  1 file changed, 3 insertions(+), 15 deletions(-)
> > > 
> > > diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
> > > index 0caa60537b..643aae0c9f 100644
> > > --- a/drivers/counter/104-quad-8.c
> > > +++ b/drivers/counter/104-quad-8.c
> > > @@ -61,10 +61,6 @@ struct quad8 {
> > >  #define QUAD8_REG_CHAN_OP 0x11
> > >  #define QUAD8_REG_INDEX_INPUT_LEVELS 0x16
> > >  #define QUAD8_DIFF_ENCODER_CABLE_STATUS 0x17
> > > -/* Borrow Toggle flip-flop */
> > > -#define QUAD8_FLAG_BT BIT(0)
> > > -/* Carry Toggle flip-flop */
> > > -#define QUAD8_FLAG_CT BIT(1)
> > >  /* Error flag */
> > >  #define QUAD8_FLAG_E BIT(4)
> > >  /* Up/Down flag */
> > > @@ -121,17 +117,9 @@ static int quad8_count_read(struct counter_device *counter,
> > >  {
> > >  	struct quad8 *const priv = counter->priv;
> > >  	const int base_offset = priv->base + 2 * count->id;
> > > -	unsigned int flags;
> > > -	unsigned int borrow;
> > > -	unsigned int carry;
> > >  	int i;
> > >  
> > > -	flags = inb(base_offset + 1);
> > > -	borrow = flags & QUAD8_FLAG_BT;
> > > -	carry = !!(flags & QUAD8_FLAG_CT);
> > > -
> > > -	/* Borrow XOR Carry effectively doubles count range */
> > > -	*val = (unsigned long)(borrow ^ carry) << 24;
> > > +	*val = 0;
> > >  
> > >  	mutex_lock(&priv->lock);
> > >  
> > > @@ -699,8 +687,8 @@ static ssize_t quad8_count_ceiling_read(struct counter_device *counter,
> > >  
> > >  	mutex_unlock(&priv->lock);
> > >  
> > > -	/* By default 0x1FFFFFF (25 bits unsigned) is maximum count */
> > > -	return sprintf(buf, "33554431\n");
> > > +	/* By default 0xFFFFFF (24 bits unsigned) is maximum count */
> > > +	return sprintf(buf, "16777215\n");
> > >  }
> > >  
> > >  static ssize_t quad8_count_ceiling_write(struct counter_device *counter,
> > > 
> > > base-commit: d86dfc4d95cd218246b10ca7adf22c8626547599
> > > -- 
> > > 2.39.2
> > 
> > Greg,
> > 
> > This patch will no longer apply to 5.15.x when the "counter: Internalize
> > sysfs interface code" patch in the stable-queue tree is merged [0].
> > However, I believe the 6.1 backport [1] will apply instead at that
> > point. What is the best way to handle this situation? Should I resend
> > the 6.1 backport with the stable list Cc tag adjusted for 5.15.x, or are
> > you able to apply the 6.1 backport patch directly to the 5.15.x tree?
> 
> The 6.1.y backport didn't apply either :(
> 
> Can you resend all of these rebased against the next round of stable
> releases when they are released later this week?
> 
> thanks,
> 
> greg k-h

Sure, I'll rebase and resend these after the next round of stable
releases is available.

William Breathitt Gray

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ