From: Jakub Kicinski <kuba@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Ziyang Xuan <william.xuanziyang@huawei.com>,
davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: Re: [PATCH net] net: vlan: fix a UAF in vlan_dev_real_dev()
Date: Thu, 28 Oct 2021 07:00:50 -0700 [thread overview]
Message-ID: <20211028070050.6ca7893b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> (raw)
In-Reply-To: <20211028114503.GM2744544@nvidia.com>
On Thu, 28 Oct 2021 08:45:03 -0300 Jason Gunthorpe wrote:
> > But will make all the callers of vlan_dev_real_dev() feel like they
> > should NULL-check the result, which is not necessary.
>
> Isn't it better to reliably return NULL instead of a silent UAF in
> this edge case?
I don't know what the best practice is for maintaining sanity of
unregistered objects.
If there really is a requirement for the real_dev pointer to be sane we
may want to move the put_device(real_dev) to vlan_dev_free(). There
should not be any risk of circular dependency but I'm not 100% sure.
> > RDMA must be calling this helper on a vlan which was already
> > unregistered, can we fix RDMA instead?
>
> RDMA holds a get on the netdev which prevents unregistration, however
> unregister_vlan_dev() does:
>
> unregister_netdevice_queue(dev, head);
> dev_put(real_dev);
>
> Which corrupts the still registered vlan device while it is sitting in
> the queue waiting to unregister. So, it is not true that a registered
> vlan device always has working vlan_dev_real_dev().
That's not my reading, unless we have a different definition of
"registered". The RDMA code in question runs from a workqueue, at the
time the UNREGISTER notification is generated all objects are still
alive and no UAF can happen. Past UNREGISTER extra care is needed when
accessing the object.
Note that unregister_vlan_dev() may queue the unregistration, without
running it. If it clears real_dev the UNREGISTER notification will no
longer be able to access real_dev, which used to be completely legal.
next prev parent reply other threads:[~2021-10-28 14:01 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 12:16 [PATCH net] net: vlan: fix a UAF in vlan_dev_real_dev() Ziyang Xuan
2021-10-28 1:46 ` Jakub Kicinski
2021-10-28 5:44 ` Leon Romanovsky
2021-10-28 11:45 ` Jason Gunthorpe
2021-10-28 14:00 ` Jakub Kicinski [this message]
2021-10-29 7:04 ` Ziyang Xuan (William)
2021-10-29 12:13 ` Jason Gunthorpe
2021-10-29 13:46 ` Jakub Kicinski
2021-10-29 18:47 ` Jason Gunthorpe
2021-10-30 4:09 ` Ziyang Xuan (William)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211028070050.6ca7893b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=jgg@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=william.xuanziyang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.