Re: [PATCH v3 7/9] vfio: Use driver_override to avert binding to compromising drivers

From: Alex Williamson <alex.williamson@redhat.com>
To: Russell King - ARM Linux <linux@armlinux.org.uk>
Cc: Greg KH <greg@kroah.com>,
	kvm@vger.kernel.org, eric.auger@redhat.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 7/9] vfio: Use driver_override to avert binding to compromising drivers
Date: Mon, 26 Jun 2017 13:39:12 -0600	[thread overview]
Message-ID: <20170626133912.7746bdfe@w520.home> (raw)
In-Reply-To: <20170626090854.GE4902@n2100.armlinux.org.uk>

On Mon, 26 Jun 2017 10:08:55 +0100
Russell King - ARM Linux <linux@armlinux.org.uk> wrote:

> On Tue, Jun 20, 2017 at 09:48:31AM -0600, Alex Williamson wrote:
> > If a device is bound to a non-vfio, non-whitelisted driver while a
> > group is in use, then the integrity of the group is compromised and
> > will result in hitting a BUG_ON.  This code tries to avoid this case
> > by mangling driver_override to force a no-match for the driver.  The
> > driver-core will either follow-up with a DRIVER_NOT_BOUND (preferred)
> > or BOUND_DRIVER, at which point we can remove the driver_override
> > mangling.  
> 
> Rather than mangling the driver override string to prevent driver binding,
> I wonder if it would make more sense to allow the BUS_NOTIFY_BIND_DRIVER
> notifier to fail the device probe?
> 
> The driver override strings are, after all, exposed to userspace, and
> it strikes me that this kind of mangling is racy - userspace can read
> or change the override string at any time.

Indeed, that looks easier.  I sent and RFC, let's see what Greg has to
say.  Thanks,

Alex