| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250327145543.GC3152277@black.fi.intel.com>
Date: Thu, 27 Mar 2025 16:55:43 +0200
From: Mika Westerberg <mika.westerberg@...ux.intel.com>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: Andreas Noever <andreas.noever@...il.com>,
Michael Jamet <michael.jamet@...el.com>,
Mika Westerberg <westeri@...nel.org>,
Yehezkel Bernat <YehezkelShB@...il.com>, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCHv2] thunderbolt: do not double dequeue a request
Hi,
On Thu, Mar 27, 2025 at 11:37:35PM +0900, Sergey Senozhatsky wrote:
> On (25/03/27 16:20), Mika Westerberg wrote:
> > > On (25/03/27 15:37), Mika Westerberg wrote:
> > > > > Another possibility can be tb_cfg_request_sync():
> > > > >
> > > > > tb_cfg_request_sync()
> > > > > tb_cfg_request()
> > > > > schedule_work(&req->work) -> tb_cfg_request_dequeue()
> > > > > tb_cfg_request_cancel()
> > > > > schedule_work(&req->work) -> tb_cfg_request_dequeue()
> > > >
> > > > Not sure about this one because &req->work will only be scheduled once the
> > > > second schedule_work() should not queue it again (as far as I can tell).
> > >
> > > If the second schedule_work() happens after a timeout, that's what
> > > !wait_for_completion_timeout() does, then the first schedule_work()
> > > can already execute the work by that time, and then we can schedule
> > > the work again (but the request is already dequeued). Am I missing
> > > something?
> >
> > schedule_work() does not schedule the work again if it is already
> > scheduled.
>
> Yes, if it's scheduled. If it's already executed then we can schedule
> again.
>
> tb_cfg_request_sync() {
> tb_cfg_request()
> schedule_work()
This point it runs tb_cfg_request_work() which then calls the callback
(tb_cfg_request_complete()) before it dequeues so "done" is completed.
> executes tb_cfg_request_dequeue
> wait_for_completion_timeout()
so this will return > 0 as "done" completed..
> schedule_work()
> executes tb_cfg_request_dequeue again
..and we don't call this one.
> }
>
> I guess there can be enough delay (for whatever reason, not only
> wait_for_completion_timeout(), but maybe also preemption) between
> two schedule_work calls?
>
> > > The 0xdead000000000122 deference is a LIST_POISON on x86_64, which
> > > is set explicitly in list_del(), so I'd say I'm fairly confident
> > > that we have a double list_del() in tb_cfg_request_dequeue().
> >
> > Yes, I agree but since I have not seen any similar reports (sans what I saw
> > ages ago), I would like to be sure the issue you see is actually fixed with
> > the patch (and that there are no unexpected side-effects). ;-)
>
> Let me see what I can do (we don't normally apply patches that
> were not in the corresponding subsystem tree).
>
> In the meantime, do you have a subsystem/driver tree that is exposed
> to linux-next? If so, would be cool if you can pick up the patch so
> that it can get some extra testing via linux-next.
Yes I do, see [1] but it does not work like that. First you should make
sure you patch works by testing it yourself and then we can pick it up for
others to test.
[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt.git/
Powered by blists - more mailing lists