| Message ID | 1516146473-18234-1-git-send-email-kieran.bingham@ideasonboard.com (mailing list archive) |
|---|---|
| State | Rejected, archived |
| Delegated to: | Hans Verkuil |
| Headers |
Received: from vger.kernel.org ([209.132.180.67]) by www.linuxtv.org with esmtp (Exim 4.84_2) (envelope-from <linux-media-owner@vger.kernel.org>) id 1ebaxU-0004L6-E9; Tue, 16 Jan 2018 23:48:00 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750885AbeAPXr6 (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Tue, 16 Jan 2018 18:47:58 -0500 Received: from o1682455182.outbound-mail.sendgrid.net ([168.245.5.182]:50253 "EHLO o1682455182.outbound-mail.sendgrid.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750750AbeAPXr5 (ORCPT <rfc822;linux-media@vger.kernel.org>); Tue, 16 Jan 2018 18:47:57 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me; h=from:to:cc:subject; s=smtpapi; bh=xr/6KIxVDPULfoGh3qlOwCaaTL0=; b=udDnl1K3Dt6xnqZtBrOPR6WaMlnf2Ntw7lxAiMxKXNlYGquMP/2dGugMwO1WIj TGHJYya4y/qkvIVzt3eSHiLeTBqQOkn/T87BbuTugmu5o9802uG62rb0N6JIwAOZ urtX8dw4cb6UekbgPO4h/Ez+L+YGUKeF+urDpd/UfWIn4= Received: by filter0025p3mdw1.sendgrid.net with SMTP id filter0025p3mdw1-9550-5A5E8F2C-26 2018-01-16 23:47:56.533338282 +0000 UTC Received: from localhost.localdomain (cpc89242-aztw30-2-0-cust488.18-1.cable.virginm.net [86.31.129.233]) by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id O-Ek2d-1TleChkz2rvl8QQ Tue, 16 Jan 2018 23:47:56.240 +0000 (UTC) From: Kieran Bingham <kieran.bingham@ideasonboard.com> To: linux-media@vger.kernel.org, sakari.ailus@iki.fi Cc: niklas.soderlund@ragnatech.se, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, hans.verkuil@cisco.com, mchehab@kernel.org, linux-renesas-soc@vger.kernel.org, Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> Subject: [PATCH v2] v4l: async: Protect against double notifier registrations Date: Tue, 16 Jan 2018 23:47:56 +0000 (UTC) Message-Id: <1516146473-18234-1-git-send-email-kieran.bingham@ideasonboard.com> X-Mailer: git-send-email 2.7.4 X-SG-EID: Tfq0zQjjJFmIKL8hyrOr6KT7wyjsEm7XZZskPfLyBPKVcqn08EY5JacnOGaWsjU3GO2DTB5uudxra+ /oyexE4DT0vBCE6s+6qYH/QOvm+hlZBYWjA0MT4XI68uwGDYjKSjwwt/7KxYx/U6Rt8j2HijiP7hmS sG+u1RG3FmwNzer425irZhg84JV9la8NPH2KEqYHhJKu8JCcPZLIRy2oOjozg8ZydxpkfPMzRSrOgQ 9iiZprMP17xOQ2+eFXF+fI Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org |
Commit Message
Kieran Bingham
Jan. 16, 2018, 11:47 p.m. UTC
From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> It can be easy to attempt to register the same notifier twice in mis-handled error cases such as working with -EPROBE_DEFER. This results in odd kernel crashes where the notifier_list becomes corrupted due to adding the same entry twice. Protect against this so that a developer has some sense of the pending failure, and use a WARN_ON to identify the fault. Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> --- v2: - Reduce verbosity - use WARN_ON() - Move notifier list initialisation after registration check drivers/media/v4l2-core/v4l2-async.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
Comments
Hi Kieran, On Wed, Jan 17, 2018 at 12:47 AM, Kieran Bingham <kieran.bingham@ideasonboard.com> wrote: > From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> > > It can be easy to attempt to register the same notifier twice > in mis-handled error cases such as working with -EPROBE_DEFER. > > This results in odd kernel crashes where the notifier_list becomes > corrupted due to adding the same entry twice. > > Protect against this so that a developer has some sense of the pending > failure, and use a WARN_ON to identify the fault. > > Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> Thanks for your patch! However, I have several comments: 1. Instead of walking notifier_list (O(n)), can't you just check if notifier.list is part of a list or not (O(1))? 2. Isn't notifier usually (always?) allocated dynamically, so if will be a different pointer after a previous -EPROBE_DEFER anyway? 3. If you enable CONFIG_DEBUG_LIST, it should scream, too. > --- a/drivers/media/v4l2-core/v4l2-async.c > +++ b/drivers/media/v4l2-core/v4l2-async.c > @@ -374,17 +374,26 @@ static int __v4l2_async_notifier_register(struct v4l2_async_notifier *notifier) > struct device *dev = > notifier->v4l2_dev ? notifier->v4l2_dev->dev : NULL; > struct v4l2_async_subdev *asd; > + struct v4l2_async_notifier *n; > int ret; > int i; > > if (notifier->num_subdevs > V4L2_MAX_SUBDEVS) > return -EINVAL; > > + mutex_lock(&list_lock); > + > + /* Avoid re-registering a notifier. */ > + list_for_each_entry(n, ¬ifier_list, list) { > + if (WARN_ON(n == notifier)) { > + ret = -EEXIST; > + goto err_unlock; > + } > + } > + > INIT_LIST_HEAD(¬ifier->waiting); > INIT_LIST_HEAD(¬ifier->done); > > - mutex_lock(&list_lock); > - > for (i = 0; i < notifier->num_subdevs; i++) { > asd = notifier->subdevs[i]; Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
Hi Geert, Thanks for the review On 17/01/18 08:00, Geert Uytterhoeven wrote: > Hi Kieran, > > On Wed, Jan 17, 2018 at 12:47 AM, Kieran Bingham > <kieran.bingham@ideasonboard.com> wrote: >> From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> >> >> It can be easy to attempt to register the same notifier twice >> in mis-handled error cases such as working with -EPROBE_DEFER. >> >> This results in odd kernel crashes where the notifier_list becomes >> corrupted due to adding the same entry twice. >> >> Protect against this so that a developer has some sense of the pending >> failure, and use a WARN_ON to identify the fault. >> >> Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> > > Thanks for your patch! > > However, I have several comments: > 1. Instead of walking notifier_list (O(n)), can't you just check if > notifier.list is part of a list or not (O(1))? Not safely as far as I can see: (unless you know better) Looks like I'd have to at least check something like the following: notifier->next != LIST_POISON1 && notifier->next != NULL && notifier->prev != LIST_POISON2 && notifier->prev != NULL && notifier->next != notifier->prev Although - that doesn't count the possibility that the struct list_head in the object being added is essentially un-initialised before being added to the list - so it could technically contain any value ... (Looking forward to being told I'm completely missing something obvious here...) > 2. Isn't notifier usually (always?) allocated dynamically, so if will be a > different pointer after a previous -EPROBE_DEFER anyway? Nope. The notifier can be part of the device context structure to reduce allocations. > 3. If you enable CONFIG_DEBUG_LIST, it should scream, too. Aha - maybe that was my missing link. -E_NOT_ENOUGH_DEBUG_ENABLED. Although I've just looked through the code that checks against a double entry. It may have helped me find my bug in fact, but I think that would only fire if the entry tried to add twice consecutively, which certainly wouldn't be guaranteed if a driver returned with -EPROBE_DEFER. So - I've just tested that if you have A B C and HEAD, list_add(A, HEAD); list_add(A, HEAD); // would fire in __list_add_valid as (new == prev || new == next) However, list_add(A, HEAD); list_add(B, HEAD); list_add(C, HEAD); list_add(B, HEAD); Will not catch this double-add-B in __list_add_valid(), and will generate an infinitely looping list if you try to then walk it with list_for_each_entry() (As demonstrated by the attached list-test.c module which I used to test this) Oh what fun :D -- Kieran > >> --- a/drivers/media/v4l2-core/v4l2-async.c >> +++ b/drivers/media/v4l2-core/v4l2-async.c >> @@ -374,17 +374,26 @@ static int __v4l2_async_notifier_register(struct v4l2_async_notifier *notifier) >> struct device *dev = >> notifier->v4l2_dev ? notifier->v4l2_dev->dev : NULL; >> struct v4l2_async_subdev *asd; >> + struct v4l2_async_notifier *n; >> int ret; >> int i; >> >> if (notifier->num_subdevs > V4L2_MAX_SUBDEVS) >> return -EINVAL; >> >> + mutex_lock(&list_lock); >> + >> + /* Avoid re-registering a notifier. */ >> + list_for_each_entry(n, ¬ifier_list, list) { >> + if (WARN_ON(n == notifier)) { >> + ret = -EEXIST; >> + goto err_unlock; >> + } >> + } >> + >> INIT_LIST_HEAD(¬ifier->waiting); >> INIT_LIST_HEAD(¬ifier->done); >> >> - mutex_lock(&list_lock); >> - >> for (i = 0; i < notifier->num_subdevs; i++) { >> asd = notifier->subdevs[i]; > > Gr{oetje,eeting}s, > > Geert > > -- > Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org > > In personal conversations with technical people, I call myself a hacker. But > when I'm talking to journalists I just say "programmer" or something like that. > -- Linus Torvalds >
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c index 2b08d03b251d..17a779440ae3 100644 --- a/drivers/media/v4l2-core/v4l2-async.c +++ b/drivers/media/v4l2-core/v4l2-async.c @@ -374,17 +374,26 @@ static int __v4l2_async_notifier_register(struct v4l2_async_notifier *notifier) struct device *dev = notifier->v4l2_dev ? notifier->v4l2_dev->dev : NULL; struct v4l2_async_subdev *asd; + struct v4l2_async_notifier *n; int ret; int i; if (notifier->num_subdevs > V4L2_MAX_SUBDEVS) return -EINVAL; + mutex_lock(&list_lock); + + /* Avoid re-registering a notifier. */ + list_for_each_entry(n, ¬ifier_list, list) { + if (WARN_ON(n == notifier)) { + ret = -EEXIST; + goto err_unlock; + } + } + INIT_LIST_HEAD(¬ifier->waiting); INIT_LIST_HEAD(¬ifier->done); - mutex_lock(&list_lock); - for (i = 0; i < notifier->num_subdevs; i++) { asd = notifier->subdevs[i];