lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220415174932.6c85d5ab@ceranb> Date: Fri, 15 Apr 2022 17:49:32 +0200 From: Ivan Vecera <ivecera@...hat.com> To: Michal Schmidt <mschmidt@...hat.com> Cc: netdev@...r.kernel.org, Petr Oros <poros@...hat.com>, Jesse Brandeburg <jesse.brandeburg@...el.com>, Tony Nguyen <anthony.l.nguyen@...el.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Shiraz Saleem <shiraz.saleem@...el.com>, Dave Ertman <david.m.ertman@...el.com>, "moderated list:INTEL ETHERNET DRIVERS" <intel-wired-lan@...ts.osuosl.org>, open list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH net] ice: Fix race during aux device (un)plugging On Fri, 15 Apr 2022 13:12:03 +0200 Michal Schmidt <mschmidt@...hat.com> wrote: > On Thu, Apr 14, 2022 at 6:39 PM Ivan Vecera <ivecera@...hat.com> wrote: > > > Function ice_plug_aux_dev() assigns pf->adev field too early prior > > aux device initialization and on other side ice_unplug_aux_dev() > > starts aux device deinit and at the end assigns NULL to pf->adev. > > This is wrong and can causes a crash when ice_send_event_to_aux() > > call occurs during these operations because that function depends > > on non-NULL value of pf->adev and does not assume that aux device > > is half-initialized or half-destroyed. > > > > Modify affected functions so pf->adev field is set after aux device > > init and prior aux device destroy. > > > [...] > > > @@ -320,12 +319,14 @@ int ice_plug_aux_dev(struct ice_pf *pf) > > */ > > void ice_unplug_aux_dev(struct ice_pf *pf) > > { > > - if (!pf->adev) > > + struct auxiliary_device *adev = pf->adev; > > + > > + if (!adev) > > return; > > > > - auxiliary_device_delete(pf->adev); > > - auxiliary_device_uninit(pf->adev); > > pf->adev = NULL; > > + auxiliary_device_delete(adev); > > + auxiliary_device_uninit(adev); > > } > > > > Hi Ivan, > What prevents ice_unplug_aux_dev() from running immediately after > ice_send_event_to_aux() gets past its "if (!pf->adev)" test ? > Michal ice_send_event_to_aux() takes aux device lock. ice_unplug_aux_dev() calls auxiliary_device_delete() that calls device_del(). device_del() takes device_lock() prior kill_device(). So if ice_send_event_to_aux() is in progress then device_del() waits for its completion. Thanks, Ivan
Powered by blists - more mailing lists