* [PATCH] xen-pciback: fix up cleanup path when alloc fails
@ 2015-11-26 20:32 Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
` (4 more replies)
0 siblings, 5 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-11-26 20:32 UTC (permalink / raw)
To: xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel,
Boris Ostrovsky, Konrad Rzeszutek Wilk, Jonathan Creekmore,
Doug Goldstein
When allocating a pciback device fails, avoid the possibility of a
use after free.
Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
drivers/xen/xen-pciback/xenbus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
index 98bc345..4843741 100644
--- a/drivers/xen/xen-pciback/xenbus.c
+++ b/drivers/xen/xen-pciback/xenbus.c
@@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
pdev->xdev = xdev;
- dev_set_drvdata(&xdev->dev, pdev);
mutex_init(&pdev->dev_lock);
@@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
kfree(pdev);
pdev = NULL;
}
+
+ dev_set_drvdata(&xdev->dev, pdev);
+
out:
return pdev;
}
--
2.4.10
^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
@ 2015-11-30 21:09 ` Boris Ostrovsky
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
` (2 subsequent siblings)
4 siblings, 0 replies; 18+ messages in thread
From: Boris Ostrovsky @ 2015-11-30 21:09 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel,
Konrad Rzeszutek Wilk, Jonathan Creekmore
On 11/26/2015 03:32 PM, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
>
> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> ---
> drivers/xen/xen-pciback/xenbus.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
@ 2015-11-30 21:09 ` Boris Ostrovsky
2015-11-30 21:09 ` Boris Ostrovsky
` (3 subsequent siblings)
4 siblings, 0 replies; 18+ messages in thread
From: Boris Ostrovsky @ 2015-11-30 21:09 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel
On 11/26/2015 03:32 PM, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
>
> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> ---
> drivers/xen/xen-pciback/xenbus.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
2015-11-30 21:09 ` Boris Ostrovsky
@ 2015-12-01 16:47 ` Konrad Rzeszutek Wilk
2015-12-01 19:24 ` Doug Goldstein
` (2 more replies)
2015-12-02 10:35 ` David Vrabel
2015-12-02 10:35 ` David Vrabel
4 siblings, 3 replies; 18+ messages in thread
From: Konrad Rzeszutek Wilk @ 2015-12-01 16:47 UTC (permalink / raw)
To: Doug Goldstein
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant,
David Vrabel, xen-devel, Boris Ostrovsky
On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Ugh, and it looks like xen-blkfront has the same issue.
>
> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> ---
> drivers/xen/xen-pciback/xenbus.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
> index 98bc345..4843741 100644
> --- a/drivers/xen/xen-pciback/xenbus.c
> +++ b/drivers/xen/xen-pciback/xenbus.c
> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>
> pdev->xdev = xdev;
> - dev_set_drvdata(&xdev->dev, pdev);
>
> mutex_init(&pdev->dev_lock);
>
> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> kfree(pdev);
> pdev = NULL;
> }
> +
> + dev_set_drvdata(&xdev->dev, pdev);
> +
> out:
> return pdev;
> }
> --
> 2.4.10
>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
@ 2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:35 ` Konrad Rzeszutek Wilk
2 siblings, 0 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-12-01 19:24 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu,
David Vrabel, Boris Ostrovsky, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]
On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> Ugh, and it looks like xen-blkfront has the same issue.
I believe that case is covered because xen_blkbk_remove() is called in
all the failure cases of xen_blkbk_probe() in that case.
>
>>
>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>> ---
>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>> index 98bc345..4843741 100644
>> --- a/drivers/xen/xen-pciback/xenbus.c
>> +++ b/drivers/xen/xen-pciback/xenbus.c
>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>
>> pdev->xdev = xdev;
>> - dev_set_drvdata(&xdev->dev, pdev);
>>
>> mutex_init(&pdev->dev_lock);
>>
>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> kfree(pdev);
>> pdev = NULL;
>> }
>> +
>> + dev_set_drvdata(&xdev->dev, pdev);
>> +
>> out:
>> return pdev;
>> }
>> --
>> 2.4.10
>>
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
2015-12-01 19:24 ` Doug Goldstein
@ 2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:35 ` Konrad Rzeszutek Wilk
2 siblings, 0 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-12-01 19:24 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant,
David Vrabel, xen-devel, Boris Ostrovsky
[-- Attachment #1.1: Type: text/plain, Size: 1470 bytes --]
On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> Ugh, and it looks like xen-blkfront has the same issue.
I believe that case is covered because xen_blkbk_remove() is called in
all the failure cases of xen_blkbk_probe() in that case.
>
>>
>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>> ---
>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>> index 98bc345..4843741 100644
>> --- a/drivers/xen/xen-pciback/xenbus.c
>> +++ b/drivers/xen/xen-pciback/xenbus.c
>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>
>> pdev->xdev = xdev;
>> - dev_set_drvdata(&xdev->dev, pdev);
>>
>> mutex_init(&pdev->dev_lock);
>>
>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> kfree(pdev);
>> pdev = NULL;
>> }
>> +
>> + dev_set_drvdata(&xdev->dev, pdev);
>> +
>> out:
>> return pdev;
>> }
>> --
>> 2.4.10
>>
--
Doug Goldstein
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:24 ` Doug Goldstein
@ 2015-12-01 19:35 ` Konrad Rzeszutek Wilk
2015-12-01 20:54 ` Doug Goldstein
2015-12-01 20:54 ` Doug Goldstein
2 siblings, 2 replies; 18+ messages in thread
From: Konrad Rzeszutek Wilk @ 2015-12-01 19:35 UTC (permalink / raw)
To: Doug Goldstein
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant,
David Vrabel, xen-devel, Boris Ostrovsky
On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> > When allocating a pciback device fails, avoid the possibility of a
> > use after free.
>
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> Ugh, and it looks like xen-blkfront has the same issue.
<whew> Nope. No problems there.
The ->probe if it fails (so xenbus_dev_probe returns the error)
ends up in the 'probe_failed' label in really_probe which takes care by doing:
dev_set_drvdata(dev, NULL);
Wheew!
either way the patch should go in, but the 'possibility' should
be perhaps removed? Unless there is some other path I missed?
>
> >
> > Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> > ---
> > drivers/xen/xen-pciback/xenbus.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
> > index 98bc345..4843741 100644
> > --- a/drivers/xen/xen-pciback/xenbus.c
> > +++ b/drivers/xen/xen-pciback/xenbus.c
> > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> > dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
> >
> > pdev->xdev = xdev;
> > - dev_set_drvdata(&xdev->dev, pdev);
> >
> > mutex_init(&pdev->dev_lock);
> >
> > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> > kfree(pdev);
> > pdev = NULL;
> > }
> > +
> > + dev_set_drvdata(&xdev->dev, pdev);
> > +
> > out:
> > return pdev;
> > }
> > --
> > 2.4.10
> >
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 19:35 ` Konrad Rzeszutek Wilk
@ 2015-12-01 20:54 ` Doug Goldstein
2015-12-01 21:34 ` Konrad Rzeszutek Wilk
2015-12-01 20:54 ` Doug Goldstein
1 sibling, 1 reply; 18+ messages in thread
From: Doug Goldstein @ 2015-12-01 20:54 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu,
David Vrabel, Boris Ostrovsky, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 2052 bytes --]
On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
>
> <whew> Nope. No problems there.
>
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
>
> dev_set_drvdata(dev, NULL);
>
> Wheew!
>
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?
I put 'possibility' in there because it will only happen when the
function returns failure. I was also trying to not make it sound panicky
I guess. I can resubmit the patch with that word dropped if that's
desirable.
>
>>
>>>
>>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>>> ---
>>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>>> index 98bc345..4843741 100644
>>> --- a/drivers/xen/xen-pciback/xenbus.c
>>> +++ b/drivers/xen/xen-pciback/xenbus.c
>>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>>
>>> pdev->xdev = xdev;
>>> - dev_set_drvdata(&xdev->dev, pdev);
>>>
>>> mutex_init(&pdev->dev_lock);
>>>
>>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> kfree(pdev);
>>> pdev = NULL;
>>> }
>>> +
>>> + dev_set_drvdata(&xdev->dev, pdev);
>>> +
>>> out:
>>> return pdev;
>>> }
>>> --
>>> 2.4.10
>>>
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 19:35 ` Konrad Rzeszutek Wilk
2015-12-01 20:54 ` Doug Goldstein
@ 2015-12-01 20:54 ` Doug Goldstein
1 sibling, 0 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-12-01 20:54 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant,
David Vrabel, xen-devel, Boris Ostrovsky
[-- Attachment #1.1: Type: text/plain, Size: 2052 bytes --]
On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
>
> <whew> Nope. No problems there.
>
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
>
> dev_set_drvdata(dev, NULL);
>
> Wheew!
>
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?
I put 'possibility' in there because it will only happen when the
function returns failure. I was also trying to not make it sound panicky
I guess. I can resubmit the patch with that word dropped if that's
desirable.
>
>>
>>>
>>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>>> ---
>>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>>> index 98bc345..4843741 100644
>>> --- a/drivers/xen/xen-pciback/xenbus.c
>>> +++ b/drivers/xen/xen-pciback/xenbus.c
>>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>>
>>> pdev->xdev = xdev;
>>> - dev_set_drvdata(&xdev->dev, pdev);
>>>
>>> mutex_init(&pdev->dev_lock);
>>>
>>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> kfree(pdev);
>>> pdev = NULL;
>>> }
>>> +
>>> + dev_set_drvdata(&xdev->dev, pdev);
>>> +
>>> out:
>>> return pdev;
>>> }
>>> --
>>> 2.4.10
>>>
--
Doug Goldstein
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-01 20:54 ` Doug Goldstein
@ 2015-12-01 21:34 ` Konrad Rzeszutek Wilk
0 siblings, 0 replies; 18+ messages in thread
From: Konrad Rzeszutek Wilk @ 2015-12-01 21:34 UTC (permalink / raw)
To: Doug Goldstein
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant,
David Vrabel, xen-devel, Boris Ostrovsky
On Tue, Dec 01, 2015 at 02:54:33PM -0600, Doug Goldstein wrote:
> On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
> >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> >>> When allocating a pciback device fails, avoid the possibility of a
> >>> use after free.
> >>
> >> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> >>
> >> Ugh, and it looks like xen-blkfront has the same issue.
> >
> > <whew> Nope. No problems there.
> >
> > The ->probe if it fails (so xenbus_dev_probe returns the error)
> > ends up in the 'probe_failed' label in really_probe which takes care by doing:
> >
> > dev_set_drvdata(dev, NULL);
> >
> > Wheew!
> >
> > either way the patch should go in, but the 'possibility' should
> > be perhaps removed? Unless there is some other path I missed?
>
> I put 'possibility' in there because it will only happen when the
> function returns failure. I was also trying to not make it sound panicky
Right, but when it returns failure, the 'really_probe' will take
care of setting dev_set_drvdata(dev, NULL) - so we won't have the
use after free problem.
> I guess. I can resubmit the patch with that word dropped if that's
> desirable.
Sure, or just say: "The 'really_probe' takes care of setting
dev_set_drvdata(dev, NULL) in its failure path (which we would
exercise if the ->probe function failed), so we we
are OK. However lets be defensive as the code can change."
>
> >
> >>
> >>>
> >>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> >>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> >>> ---
> >>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
> >>> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
> >>> index 98bc345..4843741 100644
> >>> --- a/drivers/xen/xen-pciback/xenbus.c
> >>> +++ b/drivers/xen/xen-pciback/xenbus.c
> >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> >>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
> >>>
> >>> pdev->xdev = xdev;
> >>> - dev_set_drvdata(&xdev->dev, pdev);
> >>>
> >>> mutex_init(&pdev->dev_lock);
> >>>
> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
> >>> kfree(pdev);
> >>> pdev = NULL;
> >>> }
> >>> +
> >>> + dev_set_drvdata(&xdev->dev, pdev);
> >>> +
> >>> out:
> >>> return pdev;
> >>> }
> >>> --
> >>> 2.4.10
> >>>
>
>
> --
> Doug Goldstein
>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
` (3 preceding siblings ...)
2015-12-02 10:35 ` David Vrabel
@ 2015-12-02 10:35 ` David Vrabel
2015-12-02 14:56 ` Doug Goldstein
2015-12-02 14:56 ` Doug Goldstein
4 siblings, 2 replies; 18+ messages in thread
From: David Vrabel @ 2015-12-02 10:35 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky,
Konrad Rzeszutek Wilk, Jonathan Creekmore
On 26/11/15 20:32, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
We should not require clearing drvdata for correctness. We should
ensure we retain drvdata for as long as it is needed.
I note that pcistub_device_release() has:
kfree(dev_data);
pci_set_drvdata(dev, NULL);
/* Clean-up the device */
xen_pcibk_config_free_dyn_fields(dev);
xen_pcibk_config_free_dev(dev);
Which should (at a minimum) be reordered to move the kfree(dev_data) to
after the calls that require it
David
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
` (2 preceding siblings ...)
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
@ 2015-12-02 10:35 ` David Vrabel
2015-12-02 10:35 ` David Vrabel
4 siblings, 0 replies; 18+ messages in thread
From: David Vrabel @ 2015-12-02 10:35 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky
On 26/11/15 20:32, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
We should not require clearing drvdata for correctness. We should
ensure we retain drvdata for as long as it is needed.
I note that pcistub_device_release() has:
kfree(dev_data);
pci_set_drvdata(dev, NULL);
/* Clean-up the device */
xen_pcibk_config_free_dyn_fields(dev);
xen_pcibk_config_free_dev(dev);
Which should (at a minimum) be reordered to move the kfree(dev_data) to
after the calls that require it
David
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 10:35 ` David Vrabel
2015-12-02 14:56 ` Doug Goldstein
@ 2015-12-02 14:56 ` Doug Goldstein
2015-12-14 16:08 ` David Vrabel
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
1 sibling, 2 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-12-02 14:56 UTC (permalink / raw)
To: David Vrabel, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky,
Konrad Rzeszutek Wilk, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 1788 bytes --]
On 12/2/15 4:35 AM, David Vrabel wrote:
> On 26/11/15 20:32, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> We should not require clearing drvdata for correctness. We should
> ensure we retain drvdata for as long as it is needed.
>
> I note that pcistub_device_release() has:
>
> kfree(dev_data);
> pci_set_drvdata(dev, NULL);
>
> /* Clean-up the device */
> xen_pcibk_config_free_dyn_fields(dev);
> xen_pcibk_config_free_dev(dev);
>
> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> after the calls that require it
>
> David
>
I apologize but at this point I'm confused at what action I should be
taking. Are you saying NACK to the original patch and suggesting this as
the replacement? Or saying that this should be done in addition to the
original patch?
I created the original patch when looking through the other probe()
calls and seeing that they all did pci_set_drvdata() with memory they
allocated but probe() failed they ensured that pci_set_drvdata() was
cleared. But the behavior in xen-pciback was different. It kfree()'d the
memory that passed to pci_set_drvdata() and never set that pointer to
NULL. Which could possibly result in a use after free. The use after
free doesn't occur today as Konrad pointed out but in the future its
possible should some other code changes occur. It was more of a
defensive coding patch in the end. I had planned on resubmitting the
patch with a reworded commit message after Konrad pointed out there was
currently no use after free and retaining the Reviewed-By since the code
wouldn't change but if that's not what I should be doing I will gladly
go another route.
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 10:35 ` David Vrabel
@ 2015-12-02 14:56 ` Doug Goldstein
2015-12-02 14:56 ` Doug Goldstein
1 sibling, 0 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-12-02 14:56 UTC (permalink / raw)
To: David Vrabel, xen-devel
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky
[-- Attachment #1.1: Type: text/plain, Size: 1788 bytes --]
On 12/2/15 4:35 AM, David Vrabel wrote:
> On 26/11/15 20:32, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> We should not require clearing drvdata for correctness. We should
> ensure we retain drvdata for as long as it is needed.
>
> I note that pcistub_device_release() has:
>
> kfree(dev_data);
> pci_set_drvdata(dev, NULL);
>
> /* Clean-up the device */
> xen_pcibk_config_free_dyn_fields(dev);
> xen_pcibk_config_free_dev(dev);
>
> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> after the calls that require it
>
> David
>
I apologize but at this point I'm confused at what action I should be
taking. Are you saying NACK to the original patch and suggesting this as
the replacement? Or saying that this should be done in addition to the
original patch?
I created the original patch when looking through the other probe()
calls and seeing that they all did pci_set_drvdata() with memory they
allocated but probe() failed they ensured that pci_set_drvdata() was
cleared. But the behavior in xen-pciback was different. It kfree()'d the
memory that passed to pci_set_drvdata() and never set that pointer to
NULL. Which could possibly result in a use after free. The use after
free doesn't occur today as Konrad pointed out but in the future its
possible should some other code changes occur. It was more of a
defensive coding patch in the end. I had planned on resubmitting the
patch with a reworded commit message after Konrad pointed out there was
currently no use after free and retaining the Reviewed-By since the code
wouldn't change but if that's not what I should be doing I will gladly
go another route.
--
Doug Goldstein
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 14:56 ` Doug Goldstein
2015-12-14 16:08 ` David Vrabel
@ 2015-12-14 16:08 ` David Vrabel
2015-12-14 20:21 ` Konrad Rzeszutek Wilk
1 sibling, 1 reply; 18+ messages in thread
From: David Vrabel @ 2015-12-14 16:08 UTC (permalink / raw)
To: Doug Goldstein, David Vrabel, xen-devel
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky
On 02/12/15 14:56, Doug Goldstein wrote:
> On 12/2/15 4:35 AM, David Vrabel wrote:
>> On 26/11/15 20:32, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> We should not require clearing drvdata for correctness. We should
>> ensure we retain drvdata for as long as it is needed.
>>
>> I note that pcistub_device_release() has:
>>
>> kfree(dev_data);
>> pci_set_drvdata(dev, NULL);
>>
>> /* Clean-up the device */
>> xen_pcibk_config_free_dyn_fields(dev);
>> xen_pcibk_config_free_dev(dev);
>>
>> Which should (at a minimum) be reordered to move the kfree(dev_data) to
>> after the calls that require it
>>
>> David
>>
>
> I apologize but at this point I'm confused at what action I should be
> taking. Are you saying NACK to the original patch and suggesting this as
> the replacement? Or saying that this should be done in addition to the
> original patch?
I'm suggesting that the goal should be to remove all
pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
them.
Konrad's the pciback maintainer though so I'll defer to him on this.
David
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 14:56 ` Doug Goldstein
@ 2015-12-14 16:08 ` David Vrabel
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
1 sibling, 0 replies; 18+ messages in thread
From: David Vrabel @ 2015-12-14 16:08 UTC (permalink / raw)
To: Doug Goldstein, David Vrabel, xen-devel
Cc: Jonathan Creekmore, Boris Ostrovsky, Paul Durrant, Wei Liu, linux-kernel
On 02/12/15 14:56, Doug Goldstein wrote:
> On 12/2/15 4:35 AM, David Vrabel wrote:
>> On 26/11/15 20:32, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> We should not require clearing drvdata for correctness. We should
>> ensure we retain drvdata for as long as it is needed.
>>
>> I note that pcistub_device_release() has:
>>
>> kfree(dev_data);
>> pci_set_drvdata(dev, NULL);
>>
>> /* Clean-up the device */
>> xen_pcibk_config_free_dyn_fields(dev);
>> xen_pcibk_config_free_dev(dev);
>>
>> Which should (at a minimum) be reordered to move the kfree(dev_data) to
>> after the calls that require it
>>
>> David
>>
>
> I apologize but at this point I'm confused at what action I should be
> taking. Are you saying NACK to the original patch and suggesting this as
> the replacement? Or saying that this should be done in addition to the
> original patch?
I'm suggesting that the goal should be to remove all
pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
them.
Konrad's the pciback maintainer though so I'll defer to him on this.
David
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
@ 2015-12-14 20:21 ` Konrad Rzeszutek Wilk
0 siblings, 0 replies; 18+ messages in thread
From: Konrad Rzeszutek Wilk @ 2015-12-14 20:21 UTC (permalink / raw)
To: David Vrabel
Cc: Wei Liu, Jonathan Creekmore, Doug Goldstein, linux-kernel,
Paul Durrant, xen-devel, Boris Ostrovsky
On Mon, Dec 14, 2015 at 04:08:13PM +0000, David Vrabel wrote:
> On 02/12/15 14:56, Doug Goldstein wrote:
> > On 12/2/15 4:35 AM, David Vrabel wrote:
> >> On 26/11/15 20:32, Doug Goldstein wrote:
> >>> When allocating a pciback device fails, avoid the possibility of a
> >>> use after free.
> >>
> >> We should not require clearing drvdata for correctness. We should
> >> ensure we retain drvdata for as long as it is needed.
> >>
> >> I note that pcistub_device_release() has:
> >>
> >> kfree(dev_data);
> >> pci_set_drvdata(dev, NULL);
> >>
> >> /* Clean-up the device */
> >> xen_pcibk_config_free_dyn_fields(dev);
> >> xen_pcibk_config_free_dev(dev);
> >>
> >> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> >> after the calls that require it
> >>
> >> David
> >>
> >
> > I apologize but at this point I'm confused at what action I should be
> > taking. Are you saying NACK to the original patch and suggesting this as
> > the replacement? Or saying that this should be done in addition to the
> > original patch?
>
> I'm suggesting that the goal should be to remove all
> pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
> them.
Which would mean backend/frontend drivers to do this as well.
>
> Konrad's the pciback maintainer though so I'll defer to him on this.
I would take the patch as is. The cleanup (pci_set_drvdata(dev, NULL)) can
be done another time.
>
> David
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH] xen-pciback: fix up cleanup path when alloc fails
@ 2015-11-26 20:32 Doug Goldstein
0 siblings, 0 replies; 18+ messages in thread
From: Doug Goldstein @ 2015-11-26 20:32 UTC (permalink / raw)
To: xen-devel
Cc: Wei Liu, Jonathan Creekmore, Doug Goldstein, linux-kernel,
Paul Durrant, David Vrabel, Boris Ostrovsky
When allocating a pciback device fails, avoid the possibility of a
use after free.
Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
drivers/xen/xen-pciback/xenbus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
index 98bc345..4843741 100644
--- a/drivers/xen/xen-pciback/xenbus.c
+++ b/drivers/xen/xen-pciback/xenbus.c
@@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
pdev->xdev = xdev;
- dev_set_drvdata(&xdev->dev, pdev);
mutex_init(&pdev->dev_lock);
@@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
kfree(pdev);
pdev = NULL;
}
+
+ dev_set_drvdata(&xdev->dev, pdev);
+
out:
return pdev;
}
--
2.4.10
^ permalink raw reply related [flat|nested] 18+ messages in thread
end of thread, other threads:[~2015-12-14 20:21 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
2015-11-30 21:09 ` Boris Ostrovsky
2015-12-01 16:47 ` Konrad Rzeszutek Wilk
2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:24 ` Doug Goldstein
2015-12-01 19:35 ` Konrad Rzeszutek Wilk
2015-12-01 20:54 ` Doug Goldstein
2015-12-01 21:34 ` Konrad Rzeszutek Wilk
2015-12-01 20:54 ` Doug Goldstein
2015-12-02 10:35 ` David Vrabel
2015-12-02 10:35 ` David Vrabel
2015-12-02 14:56 ` Doug Goldstein
2015-12-02 14:56 ` Doug Goldstein
2015-12-14 16:08 ` David Vrabel
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
2015-12-14 20:21 ` Konrad Rzeszutek Wilk
-- strict thread matches above, loose matches on Subject: below --
2015-11-26 20:32 Doug Goldstein
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.