lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20220415174932.6c85d5ab@ceranb>
Date:   Fri, 15 Apr 2022 17:49:32 +0200
From:   Ivan Vecera <ivecera@...hat.com>
To:     Michal Schmidt <mschmidt@...hat.com>
Cc:     netdev@...r.kernel.org, Petr Oros <poros@...hat.com>,
        Jesse Brandeburg <jesse.brandeburg@...el.com>,
        Tony Nguyen <anthony.l.nguyen@...el.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Shiraz Saleem <shiraz.saleem@...el.com>,
        Dave Ertman <david.m.ertman@...el.com>,
        "moderated list:INTEL ETHERNET DRIVERS" 
        <intel-wired-lan@...ts.osuosl.org>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] ice: Fix race during aux device (un)plugging

On Fri, 15 Apr 2022 13:12:03 +0200
Michal Schmidt <mschmidt@...hat.com> wrote:

> On Thu, Apr 14, 2022 at 6:39 PM Ivan Vecera <ivecera@...hat.com> wrote:
> 
> > Function ice_plug_aux_dev() assigns pf->adev field too early prior
> > aux device initialization and on other side ice_unplug_aux_dev()
> > starts aux device deinit and at the end assigns NULL to pf->adev.
> > This is wrong and can causes a crash when ice_send_event_to_aux()
> > call occurs during these operations because that function depends
> > on non-NULL value of pf->adev and does not assume that aux device
> > is half-initialized or half-destroyed.
> >
> > Modify affected functions so pf->adev field is set after aux device
> > init and prior aux device destroy.
> >  
> [...]
> 
> > @@ -320,12 +319,14 @@ int ice_plug_aux_dev(struct ice_pf *pf)
> >   */
> >  void ice_unplug_aux_dev(struct ice_pf *pf)
> >  {
> > -       if (!pf->adev)
> > +       struct auxiliary_device *adev = pf->adev;
> > +
> > +       if (!adev)
> >                 return;
> >
> > -       auxiliary_device_delete(pf->adev);
> > -       auxiliary_device_uninit(pf->adev);
> >         pf->adev = NULL;
> > +       auxiliary_device_delete(adev);
> > +       auxiliary_device_uninit(adev);
> >  }
> >  
> 
> Hi Ivan,
> What prevents ice_unplug_aux_dev() from running immediately after
> ice_send_event_to_aux() gets past its "if (!pf->adev)" test ?
> Michal

ice_send_event_to_aux() takes aux device lock. ice_unplug_aux_dev()
calls auxiliary_device_delete() that calls device_del(). device_del()
takes device_lock() prior kill_device(). So if ice_send_event_to_aux()
is in progress then device_del() waits for its completion.

Thanks,
Ivan

Powered by blists - more mailing lists