From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 075921382C5 for ; Tue, 1 Dec 2020 16:56:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EE2D0E0855; Tue, 1 Dec 2020 16:56:44 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C1423E0855 for ; Tue, 1 Dec 2020 16:56:44 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 58C93340ED7 for ; Tue, 1 Dec 2020 16:56:43 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id DB8CE448 for ; Tue, 1 Dec 2020 16:56:41 +0000 (UTC) From: "Thomas Deutschmann" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann" Message-ID: <1606841796.d3f2cba10c86d044abad85e9b00b539e365eca8f.whissi@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch dev-libs/nss/nss-3.59-r1.ebuild dev-libs/nss/nss-3.59.ebuild X-VCS-Directories: dev-libs/nss/files/ dev-libs/nss/ X-VCS-Committer: whissi X-VCS-Committer-Name: Thomas Deutschmann X-VCS-Revision: d3f2cba10c86d044abad85e9b00b539e365eca8f X-VCS-Branch: master Date: Tue, 1 Dec 2020 16:56:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 75639d5a-ec11-4008-a645-9c522fb75991 X-Archives-Hash: 54943156f4aa2ce56defd10dd2e7b0e8 commit: d3f2cba10c86d044abad85e9b00b539e365eca8f Author: Thomas Deutschmann gentoo org> AuthorDate: Tue Dec 1 16:53:52 2020 +0000 Commit: Thomas Deutschmann gentoo org> CommitDate: Tue Dec 1 16:56:36 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f2cba1 dev-libs/nss: don't hold slot lock when taking session lock Closes: https://bugs.gentoo.org/756244 Package-Manager: Portage-3.0.10, Repoman-3.0.2 Signed-off-by: Thomas Deutschmann gentoo.org> ...t-hold-slot-lock-when-taking-session-lock.patch | 93 ++++++++++++++++++++++ .../nss/{nss-3.59.ebuild => nss-3.59-r1.ebuild} | 1 + 2 files changed, 94 insertions(+) diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch new file mode 100644 index 00000000000..be4ebfe4796 --- /dev/null +++ b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch @@ -0,0 +1,93 @@ + +# HG changeset patch +# User Kevin Jacobs +# Date 1606813429 0 +# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9 +# Parent f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e +Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche + +[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. + +This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring. + +Differential Revision: https://phabricator.services.mozilla.com/D98247 + +diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c +--- a/lib/dev/devslot.c ++++ b/lib/dev/devslot.c +@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent( + if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) { + if (!slot->token) { + /* token was never present */ + isPresent = PR_FALSE; + goto done; /* slot lock held */ + } + session = nssToken_GetDefaultSession(slot->token); + if (session) { ++ nssSlot_ExitMonitor(slot); + nssSession_EnterMonitor(session); + /* token is not present */ + if (session->handle != CK_INVALID_HANDLE) { + /* session is valid, close and invalidate it */ + CKAPI(epv) + ->C_CloseSession(session->handle); + session->handle = CK_INVALID_HANDLE; + } + nssSession_ExitMonitor(session); ++ nssSlot_EnterMonitor(slot); ++ if (!slot->token) { ++ /* Check token presence after re-acquiring lock */ ++ isPresent = PR_FALSE; ++ goto done; /* slot lock held */ ++ } + } + if (slot->token->base.name[0] != 0) { + /* notify the high-level cache that the token is removed */ + slot->token->base.name[0] = 0; /* XXX */ + nssToken_NotifyCertsNotVisible(slot->token); + } + slot->token->base.name[0] = 0; /* XXX */ + /* clear the token cache */ +@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent( + } + + /* token is present, use the session info to determine if the card + * has been removed and reinserted. + */ + session = nssToken_GetDefaultSession(slot->token); + if (session) { + PRBool tokenRemoved; ++ nssSlot_ExitMonitor(slot); + nssSession_EnterMonitor(session); + if (session->handle != CK_INVALID_HANDLE) { + CK_SESSION_INFO sessionInfo; + ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo); + if (ckrv != CKR_OK) { + /* session is screwy, close and invalidate it */ + CKAPI(epv) + ->C_CloseSession(session->handle); + session->handle = CK_INVALID_HANDLE; + } + } + tokenRemoved = (session->handle == CK_INVALID_HANDLE); + nssSession_ExitMonitor(session); ++ nssSlot_EnterMonitor(slot); + /* token not removed, finished */ + if (!tokenRemoved) { + isPresent = PR_TRUE; + goto done; /* slot lock held */ + } ++ if (!slot->token) { ++ /* Check token presence after re-acquiring lock */ ++ isPresent = PR_FALSE; ++ goto done; /* slot lock held */ ++ } + } + /* the token has been removed, and reinserted, or the slot contains + * a token it doesn't recognize. invalidate all the old + * information we had on this token, if we can't refresh, clear + * the present flag */ + nssToken_NotifyCertsNotVisible(slot->token); + nssToken_Remove(slot->token); + /* token has been removed, need to refresh with new session */ + diff --git a/dev-libs/nss/nss-3.59.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild similarity index 99% rename from dev-libs/nss/nss-3.59.ebuild rename to dev-libs/nss/nss-3.59-r1.ebuild index 37ab7c58696..82184ff8a71 100644 --- a/dev-libs/nss/nss-3.59.ebuild +++ b/dev-libs/nss/nss-3.59-r1.ebuild @@ -40,6 +40,7 @@ PATCHES=( "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch" "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch" "${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch" + "${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch" ) src_prepare() {