lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 29 Aug 2023 08:26:37 +0200
From:   Bartosz Golaszewski <brgl@...ev.pl>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     linux-kernel@...r.kernel.org,
        Bartosz Golaszewski <bartosz.golaszewski@...aro.org>,
        Marc Zyngier <maz@...nel.org>,
        Linus Walleij <linus.walleij@...aro.org>
Subject: Re: [PATCH 2/2] genirq: proc: fix a procfs entry leak

On Mon, Aug 28, 2023 at 11:44 PM Thomas Gleixner <tglx@...utronix.de> wrote:
>
> On Mon, Aug 28 2023 at 21:03, Bartosz Golaszewski wrote:
> > On Mon, Aug 28, 2023 at 2:41 PM Thomas Gleixner <tglx@...utronix.de> wrote:
> >> > I guess you're referring to irq_alloc_descs()? Anyway, here's a
> >> > real-life example: we have the hid-cp2112 module which drives a
> >> > GPIO-and-I2C-expander-on-a-USB-stick. I plug it in and have a driver
> >> > that requests one of its GPIOs as interrupt. Now I unplug it. How has
> >> > taking the reference to the hid-cp2112 module protected me from
> >> > freeing an irq domain with interrupts in use?
> >>
> >> request_irq() does not care which module request the interrupt. It
> >> always takes a refcount on irq_desc::owner. That points to the module
> >> which created the interrupt domain and/or allocated the descriptors.
> >>
> >> IOW, this needs a mechanism to store the module which creates the
> >> interrupt domain somewhere in the domain itself and use it when
> >> allocating interrupt descriptors. So in your case this would take a
> >> refcount on the GPIO module.
> >>
> > This is still not complete. In the above example, the USB bus can
> > still unbind the GPIO device that created the domain on hot-unplug,
> > triggering its cleanup routines (.remove(), devres chain) and
> > destroying the domain and keeping the reference to the hid-cp2112
> > module will not help it. This is why I suggested tracking the irq
> > requests and freeing them in said cleanup path.
>
> Are you actually reading what I write?
>
> >> So in your case this would take a refcount on the GPIO module.
>
> That's the module which provides the interrupt domain and hid-whatever
> is the one which requests the interrupt, no?
>

Not at all! This is what I said: "we have the hid-cp2112 module which
drives a GPIO-and-I2C-expander-on-a-USB-stick". Meaning: the
hid-cp2112 module registers a USB driver for a GPIO expander on a
stick. This GPIO chip is the interrupt controller here. It's the USB
stick that provides interrupts for whatever else needs them (in real
life: it can be an IIO device on the I2C bus which signals some events
over the GPIOs). The user can get the interrupt number using the
gpiod_to_irq() function. It can be unplugged at any moment and module
references will not stop the USB bus from unbinding it.

Bartosz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ