lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20230927165517.45066-1-dg573847474@gmail.com>
Date:   Wed, 27 Sep 2023 16:55:17 +0000
From:   Chengfeng Ye <dg573847474@...il.com>
To:     kherbst@...hat.com, lyude@...hat.com, airlied@...il.com,
        daniel@...ll.ch, bskeggs@...hat.com
Cc:     dri-devel@...ts.freedesktop.org, nouveau@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org, Chengfeng Ye <dg573847474@...il.com>
Subject: [PATCH] drm/nouveau/flcn/msgq: fix potential deadlock on &msgq->lock

As &msgq->lock is acquired under both irq context from
gp102_sec2_intr() and softirq context from gm20b_pmu_recv(),
thus irq should be disabled while acquiring that lock, otherwise
there would be potential deadlock.

gm20b_pmu_recv()
--> nvkm_falcon_msgq_recv()
--> nvkm_falcon_msgq_open()
--> spin_lock(&msgq->lock)
<interrupt>
   --> gp102_sec2_intr()
   --> nvkm_falcon_msgq_recv()
   --> nvkm_falcon_msgq_open()
   --> spin_lock(&msgq->lock)

This flaw was found by an experimental static analysis tool I am
developing for irq-related deadlock.

To prevent the potential problem, I change to spin_lock_irq() and
spin_unlock_irq() on the lock.

Signed-off-by: Chengfeng Ye <dg573847474@...il.com>
---
 drivers/gpu/drm/nouveau/nvkm/falcon/msgq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/falcon/msgq.c b/drivers/gpu/drm/nouveau/nvkm/falcon/msgq.c
index 16b246fda666..5c3b43216ee8 100644
--- a/drivers/gpu/drm/nouveau/nvkm/falcon/msgq.c
+++ b/drivers/gpu/drm/nouveau/nvkm/falcon/msgq.c
@@ -25,7 +25,7 @@
 static void
 nvkm_falcon_msgq_open(struct nvkm_falcon_msgq *msgq)
 {
-	spin_lock(&msgq->lock);
+	spin_lock_irq(&msgq->lock);
 	msgq->position = nvkm_falcon_rd32(msgq->qmgr->falcon, msgq->tail_reg);
 }
 
@@ -37,7 +37,7 @@ nvkm_falcon_msgq_close(struct nvkm_falcon_msgq *msgq, bool commit)
 	if (commit)
 		nvkm_falcon_wr32(falcon, msgq->tail_reg, msgq->position);
 
-	spin_unlock(&msgq->lock);
+	spin_unlock_irq(&msgq->lock);
 }
 
 bool
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ