| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Feb 2020 16:42:35 +0000
From: Taehee Yoo <ap420073@...il.com>
To: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org
Cc: ap420073@...il.com
Subject: [PATCH net v3 0/7] netdevsim: fix several bugs in netdevsim module
This patchset fixes several bugs in netdevsim module.
1. The first patch fixes using uninitialized resources
This patch fixes two similar problems, which is to use uninitialized
resources.
a) In the current code, {new/del}_device_store() use resource,
they are initialized by __init().
But, these functions could be called before __init() is finished.
So, accessing uninitialized data could occur and it eventually makes panic.
b) In the current code, {new/del}_port_store() uses resource,
they are initialized by new_device_store().
But thes functions could be called before new_device_store() is finished.
2. The second patch fixes another race condition.
The main problem is a race condition in {new/del}_port() and devlink reload
function.
These functions would allocate and remove resources. So these functions
should not be executed concurrently.
3. The third patch fixes a panic in nsim_dev_take_snapshot_write().
nsim_dev_take_snapshot_write() uses nsim_dev and nsim_dev->dummy_region.
But these data could be removed by both reload routine and
del_device_store(). And these functions could be executed concurrently.
4. The fourth patch fixes stack-out-of-bound in nsim_dev_debugfs_init().
nsim_dev_debugfs_init() provides only 16bytes for name pointer.
But, there are some case the name length is over 16bytes.
So, stack-out-of-bound occurs.
5. The fifth patch uses IS_ERR instead of IS_ERR_OR_NULL.
debugfs_create_{dir/file} doesn't return NULL.
So, IS_ERR() is more correct.
6. The sixth patch avoids kmalloc warning.
When too large memory allocation is requested by user-space, kmalloc
internally prints warning message.
That warning message is not necessary.
In order to avoid that, it adds __GFP_NOWARN.
7. The last patch removes an unused sdev.c file
Change log:
v2 -> v3:
- Use smp_load_acquire() and smp_store_release() for flag variables.
- Change variable names.
- Fix deadlock in second patch.
- Update lock variable comment.
- Add new patch for fixing panic in snapshot_write().
- Include Reviewed-by tags.
- Update some log messages and comment.
v1 -> v2:
- Splits a fixing race condition patch into two patches.
- Fix incorrect Fixes tags.
- Update comments
- Fix use-after-free
- Add a new patch, which removes an unused sdev.c file.
- Remove a patch, which tries to avoid debugfs warning.
Taehee Yoo (7):
netdevsim: fix using uninitialized resources
netdevsim: disable devlink reload when resources are being used
netdevsim: fix panic in nsim_dev_take_snapshot_write()
netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init()
netdevsim: use IS_ERR instead of IS_ERR_OR_NULL for debugfs
netdevsim: use __GFP_NOWARN to avoid memalloc warning
netdevsim: remove unused sdev code
drivers/net/netdevsim/bpf.c | 10 +++--
drivers/net/netdevsim/bus.c | 64 ++++++++++++++++++++++++++--
drivers/net/netdevsim/dev.c | 31 +++++++++-----
drivers/net/netdevsim/health.c | 6 +--
drivers/net/netdevsim/netdevsim.h | 4 ++
drivers/net/netdevsim/sdev.c | 69 -------------------------------
6 files changed, 93 insertions(+), 91 deletions(-)
delete mode 100644 drivers/net/netdevsim/sdev.c
--
2.17.1
Powered by blists - more mailing lists