| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110801111824.GB23131@hmsreliant.think-freely.org> Date: Mon, 1 Aug 2011 07:18:24 -0400 From: Neil Horman <nhorman@...driver.com> To: netdev@...r.kernel.org Cc: Divy Le Ray <divy@...lsio.com>, Steve Wise <swise@...lsio.com>, "David S. Miller" <davem@...emloft.net> Subject: Re: [PATCH] cxgb3i: ref count cdev access to prevent modification while in use On Mon, Jul 25, 2011 at 03:56:57PM -0400, Neil Horman wrote: > This oops was reported recently: > d:mon> e > cpu 0xd: Vector: 300 (Data Access) at [c0000000fd4c7120] > pc: d00000000076f194: .t3_l2t_get+0x44/0x524 [cxgb3] > lr: d000000000b02108: .init_act_open+0x150/0x3d4 [cxgb3i] > sp: c0000000fd4c73a0 > msr: 8000000000009032 > dar: 0 > dsisr: 40000000 > current = 0xc0000000fd640d40 > paca = 0xc00000000054ff80 > pid = 5085, comm = iscsid > d:mon> t > [c0000000fd4c7450] d000000000b02108 .init_act_open+0x150/0x3d4 [cxgb3i] > [c0000000fd4c7500] d000000000e45378 .cxgbi_ep_connect+0x784/0x8e8 [libcxgbi] > [c0000000fd4c7650] d000000000db33f0 .iscsi_if_rx+0x71c/0xb18 > [scsi_transport_iscsi2] > [c0000000fd4c7740] c000000000370c9c .netlink_data_ready+0x40/0xa4 > [c0000000fd4c77c0] c00000000036f010 .netlink_sendskb+0x4c/0x9c > [c0000000fd4c7850] c000000000370c18 .netlink_sendmsg+0x358/0x39c > [c0000000fd4c7950] c00000000033be24 .sock_sendmsg+0x114/0x1b8 > [c0000000fd4c7b50] c00000000033d208 .sys_sendmsg+0x218/0x2ac > [c0000000fd4c7d70] c00000000033f55c .sys_socketcall+0x228/0x27c > [c0000000fd4c7e30] c0000000000086a4 syscall_exit+0x0/0x40 > --- Exception: c01 (System Call) at 00000080da560cfc > > The root cause was an EEH error, which sent us down the offload_close path in > the cxgb3 driver, which in turn sets cdev->lldev to NULL, without regard for > upper layer driver (like the cxgbi drivers) which might have execution contexts > in the middle of its use. The result is the oops above, when t3_l2t_get attempts > to dereference cdev->lldev right after the EEH error handler sets it to NULL. > > The fix is to reference count the cdev structure. When an EEH error occurs, the > shutdown path: > t3_adapter_error->offload_close->cxgb3i_remove_clients->cxgb3i_dev_close > will now block until such time as the cdev pointer has a use count of zero. > This coupled with the fact that lookups will now skip finding any registered > cdev's in cxgbi_device_find_by_[lldev|netdev] with the CXGBI_FLAG_ADAPTER_RESET > bit set ensures that on an EEH, the setting of lldev to NULL in offload_close > will only happen after there are no longer any active users of the data > structure. > > This has been tested by the reporter and shown to fix the reproted oops > > Signed-off-by: Neil Horman <nhorman@...driver.com> > CC: Divy Le Ray <divy@...lsio.com> > CC: Steve Wise <swise@...lsio.com> > CC: "David S. Miller" <davem@...emloft.net> Divy, Steve, I think Dave is waiting for an ACK from one of you to, since you're the listed maintainers. Neil -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists