From: Jean Delvare <jdelvare@suse.de>
To: linux-s390@vger.kernel.org
Subject: Re: [PATCH 1/2] s390: qeth: Fix potential array overrun in cmd/rc lookup
Date: Mon, 10 Sep 2018 14:37:15 +0000 [thread overview]
Message-ID: <20180910163715.24f5cddc@endymion> (raw)
In-Reply-To: <12375fbf-56b2-2b2b-9b60-f17ce60c3672@linux.ibm.com>
Hi Ursula,
On Mon, 10 Sep 2018 16:03:23 +0200, Ursula Braun wrote:
> On 09/10/2018 11:09 AM, Jean Delvare wrote:
> > Functions qeth_get_ipa_msg and qeth_get_ipa_cmd_name are modifying
> > the last member of global arrays without any locking that I can see.
> > If two instances of either function are running at the same time,
> > it could cause a race ultimately leading to an array overrun (the
> > contents of the last entry of the array is the only guarantee that
> > the loop will ever stop).
> >
> > Performing the lookups without modifying the arrays is admittedly
> > slower (two comparisons per iteration instead of one) but these
> > are operations which are rare (should only be needed in error
> > cases or when debugging, not during successful operation) and it
> > seems still less costly than introducing a mutex to protect the
> > arrays in question.
> >
> > As a side bonus, it allows us to declare both arrays as const data.
> >
> > Signed-off-by: Jean Delvare <jdelvare@suse.de>
> > Cc: Julian Wiedmann <jwi@linux.ibm.com>
> > Cc: Ursula Braun <ubraun@linux.ibm.com>
> > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
> > Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> > ---
> > Note: build-tested only.
> > (...)
> > -static struct ipa_cmd_names qeth_ipa_cmd_names[] = {
> > +static const struct ipa_cmd_names qeth_ipa_cmd_names[] = {
> > {IPA_CMD_STARTLAN, "startlan"},
> > {IPA_CMD_STOPLAN, "stoplan"},
> > {IPA_CMD_SETVMAC, "setvmac"},
> > @@ -263,14 +264,14 @@ static struct ipa_cmd_names qeth_ipa_cmd
> > {IPA_CMD_REGISTER_LOCAL_ADDR, "register_local_addr"},
> > {IPA_CMD_UNREGISTER_LOCAL_ADDR, "unregister_local_addr"},
> > {IPA_CMD_ADDRESS_CHANGE_NOTIF, "address_change_notification"},
> > - {IPA_CMD_UNKNOWN, "unknown"},
>
> Why is this line removed? Doesn't the last line of function qeth_get_ipa_cmd_name()
> still refer to this line?
> And if IPA_CMD_UNKNOWN is really removed, then make sure its definition is removed
> from qeth_core_mpc.h as well.
That's a bug in the patch, sorry about that, I will resend :(
In an earlier version of the patch, IPA_CMD_UNKNOWN was removed, but
then I found it was more elegant to keep it so that the code in
qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() would be the same. I
restored the definition in qeth_core_mpc.h but forgot to also restore
the last entry of qeth_ipa_cmd_names[].
Thanks for catching it and sorry again,
--
Jean Delvare
SUSE L3 Support
parent reply other threads:[~2018-09-10 14:37 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <12375fbf-56b2-2b2b-9b60-f17ce60c3672@linux.ibm.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180910163715.24f5cddc@endymion \
--to=jdelvare@suse.de \
--cc=linux-s390@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.