* [PATCH] xen-pciback: fix up cleanup path when alloc fails @ 2015-11-26 20:32 Doug Goldstein 2015-11-30 21:09 ` Boris Ostrovsky ` (4 more replies) 0 siblings, 5 replies; 17+ messages in thread From: Doug Goldstein @ 2015-11-26 20:32 UTC (permalink / raw) To: xen-devel Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel, Boris Ostrovsky, Konrad Rzeszutek Wilk, Jonathan Creekmore, Doug Goldstein When allocating a pciback device fails, avoid the possibility of a use after free. Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> --- drivers/xen/xen-pciback/xenbus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c index 98bc345..4843741 100644 --- a/drivers/xen/xen-pciback/xenbus.c +++ b/drivers/xen/xen-pciback/xenbus.c @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); pdev->xdev = xdev; - dev_set_drvdata(&xdev->dev, pdev); mutex_init(&pdev->dev_lock); @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) kfree(pdev); pdev = NULL; } + + dev_set_drvdata(&xdev->dev, pdev); + out: return pdev; } -- 2.4.10 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein @ 2015-11-30 21:09 ` Boris Ostrovsky 2015-11-30 21:09 ` Boris Ostrovsky ` (3 subsequent siblings) 4 siblings, 0 replies; 17+ messages in thread From: Boris Ostrovsky @ 2015-11-30 21:09 UTC (permalink / raw) To: Doug Goldstein, xen-devel Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel On 11/26/2015 03:32 PM, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. > > Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> > --- > drivers/xen/xen-pciback/xenbus.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein 2015-11-30 21:09 ` Boris Ostrovsky @ 2015-11-30 21:09 ` Boris Ostrovsky 2015-12-01 16:47 ` Konrad Rzeszutek Wilk ` (2 subsequent siblings) 4 siblings, 0 replies; 17+ messages in thread From: Boris Ostrovsky @ 2015-11-30 21:09 UTC (permalink / raw) To: Doug Goldstein, xen-devel Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel, Konrad Rzeszutek Wilk, Jonathan Creekmore On 11/26/2015 03:32 PM, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. > > Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> > --- > drivers/xen/xen-pciback/xenbus.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein 2015-11-30 21:09 ` Boris Ostrovsky 2015-11-30 21:09 ` Boris Ostrovsky @ 2015-12-01 16:47 ` Konrad Rzeszutek Wilk 2015-12-01 19:24 ` Doug Goldstein ` (2 more replies) 2015-12-02 10:35 ` David Vrabel 2015-12-02 10:35 ` David Vrabel 4 siblings, 3 replies; 17+ messages in thread From: Konrad Rzeszutek Wilk @ 2015-12-01 16:47 UTC (permalink / raw) To: Doug Goldstein Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel, xen-devel, Boris Ostrovsky On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Ugh, and it looks like xen-blkfront has the same issue. > > Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> > --- > drivers/xen/xen-pciback/xenbus.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c > index 98bc345..4843741 100644 > --- a/drivers/xen/xen-pciback/xenbus.c > +++ b/drivers/xen/xen-pciback/xenbus.c > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); > > pdev->xdev = xdev; > - dev_set_drvdata(&xdev->dev, pdev); > > mutex_init(&pdev->dev_lock); > > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > kfree(pdev); > pdev = NULL; > } > + > + dev_set_drvdata(&xdev->dev, pdev); > + > out: > return pdev; > } > -- > 2.4.10 > ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 16:47 ` Konrad Rzeszutek Wilk @ 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:35 ` Konrad Rzeszutek Wilk 2 siblings, 0 replies; 17+ messages in thread From: Doug Goldstein @ 2015-12-01 19:24 UTC (permalink / raw) To: Konrad Rzeszutek Wilk Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel, Boris Ostrovsky, Jonathan Creekmore [-- Attachment #1: Type: text/plain, Size: 1470 bytes --] On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote: > On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > > Ugh, and it looks like xen-blkfront has the same issue. I believe that case is covered because xen_blkbk_remove() is called in all the failure cases of xen_blkbk_probe() in that case. > >> >> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> >> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> >> --- >> drivers/xen/xen-pciback/xenbus.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c >> index 98bc345..4843741 100644 >> --- a/drivers/xen/xen-pciback/xenbus.c >> +++ b/drivers/xen/xen-pciback/xenbus.c >> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); >> >> pdev->xdev = xdev; >> - dev_set_drvdata(&xdev->dev, pdev); >> >> mutex_init(&pdev->dev_lock); >> >> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >> kfree(pdev); >> pdev = NULL; >> } >> + >> + dev_set_drvdata(&xdev->dev, pdev); >> + >> out: >> return pdev; >> } >> -- >> 2.4.10 >> -- Doug Goldstein [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 16:47 ` Konrad Rzeszutek Wilk 2015-12-01 19:24 ` Doug Goldstein @ 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:35 ` Konrad Rzeszutek Wilk 2 siblings, 0 replies; 17+ messages in thread From: Doug Goldstein @ 2015-12-01 19:24 UTC (permalink / raw) To: Konrad Rzeszutek Wilk Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel, xen-devel, Boris Ostrovsky [-- Attachment #1.1: Type: text/plain, Size: 1470 bytes --] On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote: > On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > > Ugh, and it looks like xen-blkfront has the same issue. I believe that case is covered because xen_blkbk_remove() is called in all the failure cases of xen_blkbk_probe() in that case. > >> >> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> >> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> >> --- >> drivers/xen/xen-pciback/xenbus.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c >> index 98bc345..4843741 100644 >> --- a/drivers/xen/xen-pciback/xenbus.c >> +++ b/drivers/xen/xen-pciback/xenbus.c >> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); >> >> pdev->xdev = xdev; >> - dev_set_drvdata(&xdev->dev, pdev); >> >> mutex_init(&pdev->dev_lock); >> >> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >> kfree(pdev); >> pdev = NULL; >> } >> + >> + dev_set_drvdata(&xdev->dev, pdev); >> + >> out: >> return pdev; >> } >> -- >> 2.4.10 >> -- Doug Goldstein [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 16:47 ` Konrad Rzeszutek Wilk 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:24 ` Doug Goldstein @ 2015-12-01 19:35 ` Konrad Rzeszutek Wilk 2015-12-01 20:54 ` Doug Goldstein 2015-12-01 20:54 ` Doug Goldstein 2 siblings, 2 replies; 17+ messages in thread From: Konrad Rzeszutek Wilk @ 2015-12-01 19:35 UTC (permalink / raw) To: Doug Goldstein Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel, xen-devel, Boris Ostrovsky On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: > On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > > When allocating a pciback device fails, avoid the possibility of a > > use after free. > > Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > > Ugh, and it looks like xen-blkfront has the same issue. <whew> Nope. No problems there. The ->probe if it fails (so xenbus_dev_probe returns the error) ends up in the 'probe_failed' label in really_probe which takes care by doing: dev_set_drvdata(dev, NULL); Wheew! either way the patch should go in, but the 'possibility' should be perhaps removed? Unless there is some other path I missed? > > > > > Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> > > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> > > --- > > drivers/xen/xen-pciback/xenbus.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c > > index 98bc345..4843741 100644 > > --- a/drivers/xen/xen-pciback/xenbus.c > > +++ b/drivers/xen/xen-pciback/xenbus.c > > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > > dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); > > > > pdev->xdev = xdev; > > - dev_set_drvdata(&xdev->dev, pdev); > > > > mutex_init(&pdev->dev_lock); > > > > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > > kfree(pdev); > > pdev = NULL; > > } > > + > > + dev_set_drvdata(&xdev->dev, pdev); > > + > > out: > > return pdev; > > } > > -- > > 2.4.10 > > ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 19:35 ` Konrad Rzeszutek Wilk @ 2015-12-01 20:54 ` Doug Goldstein 2015-12-01 21:34 ` Konrad Rzeszutek Wilk 2015-12-01 20:54 ` Doug Goldstein 1 sibling, 1 reply; 17+ messages in thread From: Doug Goldstein @ 2015-12-01 20:54 UTC (permalink / raw) To: Konrad Rzeszutek Wilk Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel, Boris Ostrovsky, Jonathan Creekmore [-- Attachment #1: Type: text/plain, Size: 2052 bytes --] On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote: > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> >> >> Ugh, and it looks like xen-blkfront has the same issue. > > <whew> Nope. No problems there. > > The ->probe if it fails (so xenbus_dev_probe returns the error) > ends up in the 'probe_failed' label in really_probe which takes care by doing: > > dev_set_drvdata(dev, NULL); > > Wheew! > > either way the patch should go in, but the 'possibility' should > be perhaps removed? Unless there is some other path I missed? I put 'possibility' in there because it will only happen when the function returns failure. I was also trying to not make it sound panicky I guess. I can resubmit the patch with that word dropped if that's desirable. > >> >>> >>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> >>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> >>> --- >>> drivers/xen/xen-pciback/xenbus.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c >>> index 98bc345..4843741 100644 >>> --- a/drivers/xen/xen-pciback/xenbus.c >>> +++ b/drivers/xen/xen-pciback/xenbus.c >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); >>> >>> pdev->xdev = xdev; >>> - dev_set_drvdata(&xdev->dev, pdev); >>> >>> mutex_init(&pdev->dev_lock); >>> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> kfree(pdev); >>> pdev = NULL; >>> } >>> + >>> + dev_set_drvdata(&xdev->dev, pdev); >>> + >>> out: >>> return pdev; >>> } >>> -- >>> 2.4.10 >>> -- Doug Goldstein [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 20:54 ` Doug Goldstein @ 2015-12-01 21:34 ` Konrad Rzeszutek Wilk 0 siblings, 0 replies; 17+ messages in thread From: Konrad Rzeszutek Wilk @ 2015-12-01 21:34 UTC (permalink / raw) To: Doug Goldstein Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel, xen-devel, Boris Ostrovsky On Tue, Dec 01, 2015 at 02:54:33PM -0600, Doug Goldstein wrote: > On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote: > > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: > >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > >>> When allocating a pciback device fails, avoid the possibility of a > >>> use after free. > >> > >> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > >> > >> Ugh, and it looks like xen-blkfront has the same issue. > > > > <whew> Nope. No problems there. > > > > The ->probe if it fails (so xenbus_dev_probe returns the error) > > ends up in the 'probe_failed' label in really_probe which takes care by doing: > > > > dev_set_drvdata(dev, NULL); > > > > Wheew! > > > > either way the patch should go in, but the 'possibility' should > > be perhaps removed? Unless there is some other path I missed? > > I put 'possibility' in there because it will only happen when the > function returns failure. I was also trying to not make it sound panicky Right, but when it returns failure, the 'really_probe' will take care of setting dev_set_drvdata(dev, NULL) - so we won't have the use after free problem. > I guess. I can resubmit the patch with that word dropped if that's > desirable. Sure, or just say: "The 'really_probe' takes care of setting dev_set_drvdata(dev, NULL) in its failure path (which we would exercise if the ->probe function failed), so we we are OK. However lets be defensive as the code can change." > > > > >> > >>> > >>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> > >>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> > >>> --- > >>> drivers/xen/xen-pciback/xenbus.c | 4 +++- > >>> 1 file changed, 3 insertions(+), 1 deletion(-) > >>> > >>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c > >>> index 98bc345..4843741 100644 > >>> --- a/drivers/xen/xen-pciback/xenbus.c > >>> +++ b/drivers/xen/xen-pciback/xenbus.c > >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > >>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); > >>> > >>> pdev->xdev = xdev; > >>> - dev_set_drvdata(&xdev->dev, pdev); > >>> > >>> mutex_init(&pdev->dev_lock); > >>> > >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) > >>> kfree(pdev); > >>> pdev = NULL; > >>> } > >>> + > >>> + dev_set_drvdata(&xdev->dev, pdev); > >>> + > >>> out: > >>> return pdev; > >>> } > >>> -- > >>> 2.4.10 > >>> > > > -- > Doug Goldstein > ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-01 19:35 ` Konrad Rzeszutek Wilk 2015-12-01 20:54 ` Doug Goldstein @ 2015-12-01 20:54 ` Doug Goldstein 1 sibling, 0 replies; 17+ messages in thread From: Doug Goldstein @ 2015-12-01 20:54 UTC (permalink / raw) To: Konrad Rzeszutek Wilk Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, David Vrabel, xen-devel, Boris Ostrovsky [-- Attachment #1.1: Type: text/plain, Size: 2052 bytes --] On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote: > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> >> >> Ugh, and it looks like xen-blkfront has the same issue. > > <whew> Nope. No problems there. > > The ->probe if it fails (so xenbus_dev_probe returns the error) > ends up in the 'probe_failed' label in really_probe which takes care by doing: > > dev_set_drvdata(dev, NULL); > > Wheew! > > either way the patch should go in, but the 'possibility' should > be perhaps removed? Unless there is some other path I missed? I put 'possibility' in there because it will only happen when the function returns failure. I was also trying to not make it sound panicky I guess. I can resubmit the patch with that word dropped if that's desirable. > >> >>> >>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> >>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> >>> --- >>> drivers/xen/xen-pciback/xenbus.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c >>> index 98bc345..4843741 100644 >>> --- a/drivers/xen/xen-pciback/xenbus.c >>> +++ b/drivers/xen/xen-pciback/xenbus.c >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); >>> >>> pdev->xdev = xdev; >>> - dev_set_drvdata(&xdev->dev, pdev); >>> >>> mutex_init(&pdev->dev_lock); >>> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> kfree(pdev); >>> pdev = NULL; >>> } >>> + >>> + dev_set_drvdata(&xdev->dev, pdev); >>> + >>> out: >>> return pdev; >>> } >>> -- >>> 2.4.10 >>> -- Doug Goldstein [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein ` (2 preceding siblings ...) 2015-12-01 16:47 ` Konrad Rzeszutek Wilk @ 2015-12-02 10:35 ` David Vrabel 2015-12-02 10:35 ` David Vrabel 4 siblings, 0 replies; 17+ messages in thread From: David Vrabel @ 2015-12-02 10:35 UTC (permalink / raw) To: Doug Goldstein, xen-devel Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky On 26/11/15 20:32, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. We should not require clearing drvdata for correctness. We should ensure we retain drvdata for as long as it is needed. I note that pcistub_device_release() has: kfree(dev_data); pci_set_drvdata(dev, NULL); /* Clean-up the device */ xen_pcibk_config_free_dyn_fields(dev); xen_pcibk_config_free_dev(dev); Which should (at a minimum) be reordered to move the kfree(dev_data) to after the calls that require it David ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein ` (3 preceding siblings ...) 2015-12-02 10:35 ` David Vrabel @ 2015-12-02 10:35 ` David Vrabel 2015-12-02 14:56 ` Doug Goldstein 2015-12-02 14:56 ` Doug Goldstein 4 siblings, 2 replies; 17+ messages in thread From: David Vrabel @ 2015-12-02 10:35 UTC (permalink / raw) To: Doug Goldstein, xen-devel Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky, Konrad Rzeszutek Wilk, Jonathan Creekmore On 26/11/15 20:32, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. We should not require clearing drvdata for correctness. We should ensure we retain drvdata for as long as it is needed. I note that pcistub_device_release() has: kfree(dev_data); pci_set_drvdata(dev, NULL); /* Clean-up the device */ xen_pcibk_config_free_dyn_fields(dev); xen_pcibk_config_free_dev(dev); Which should (at a minimum) be reordered to move the kfree(dev_data) to after the calls that require it David ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-02 10:35 ` David Vrabel @ 2015-12-02 14:56 ` Doug Goldstein 2015-12-02 14:56 ` Doug Goldstein 1 sibling, 0 replies; 17+ messages in thread From: Doug Goldstein @ 2015-12-02 14:56 UTC (permalink / raw) To: David Vrabel, xen-devel Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky [-- Attachment #1.1: Type: text/plain, Size: 1788 bytes --] On 12/2/15 4:35 AM, David Vrabel wrote: > On 26/11/15 20:32, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > We should not require clearing drvdata for correctness. We should > ensure we retain drvdata for as long as it is needed. > > I note that pcistub_device_release() has: > > kfree(dev_data); > pci_set_drvdata(dev, NULL); > > /* Clean-up the device */ > xen_pcibk_config_free_dyn_fields(dev); > xen_pcibk_config_free_dev(dev); > > Which should (at a minimum) be reordered to move the kfree(dev_data) to > after the calls that require it > > David > I apologize but at this point I'm confused at what action I should be taking. Are you saying NACK to the original patch and suggesting this as the replacement? Or saying that this should be done in addition to the original patch? I created the original patch when looking through the other probe() calls and seeing that they all did pci_set_drvdata() with memory they allocated but probe() failed they ensured that pci_set_drvdata() was cleared. But the behavior in xen-pciback was different. It kfree()'d the memory that passed to pci_set_drvdata() and never set that pointer to NULL. Which could possibly result in a use after free. The use after free doesn't occur today as Konrad pointed out but in the future its possible should some other code changes occur. It was more of a defensive coding patch in the end. I had planned on resubmitting the patch with a reworded commit message after Konrad pointed out there was currently no use after free and retaining the Reviewed-By since the code wouldn't change but if that's not what I should be doing I will gladly go another route. -- Doug Goldstein [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-02 10:35 ` David Vrabel 2015-12-02 14:56 ` Doug Goldstein @ 2015-12-02 14:56 ` Doug Goldstein 2015-12-14 16:08 ` David Vrabel 2015-12-14 16:08 ` [Xen-devel] " David Vrabel 1 sibling, 2 replies; 17+ messages in thread From: Doug Goldstein @ 2015-12-02 14:56 UTC (permalink / raw) To: David Vrabel, xen-devel Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky, Konrad Rzeszutek Wilk, Jonathan Creekmore [-- Attachment #1: Type: text/plain, Size: 1788 bytes --] On 12/2/15 4:35 AM, David Vrabel wrote: > On 26/11/15 20:32, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > We should not require clearing drvdata for correctness. We should > ensure we retain drvdata for as long as it is needed. > > I note that pcistub_device_release() has: > > kfree(dev_data); > pci_set_drvdata(dev, NULL); > > /* Clean-up the device */ > xen_pcibk_config_free_dyn_fields(dev); > xen_pcibk_config_free_dev(dev); > > Which should (at a minimum) be reordered to move the kfree(dev_data) to > after the calls that require it > > David > I apologize but at this point I'm confused at what action I should be taking. Are you saying NACK to the original patch and suggesting this as the replacement? Or saying that this should be done in addition to the original patch? I created the original patch when looking through the other probe() calls and seeing that they all did pci_set_drvdata() with memory they allocated but probe() failed they ensured that pci_set_drvdata() was cleared. But the behavior in xen-pciback was different. It kfree()'d the memory that passed to pci_set_drvdata() and never set that pointer to NULL. Which could possibly result in a use after free. The use after free doesn't occur today as Konrad pointed out but in the future its possible should some other code changes occur. It was more of a defensive coding patch in the end. I had planned on resubmitting the patch with a reworded commit message after Konrad pointed out there was currently no use after free and retaining the Reviewed-By since the code wouldn't change but if that's not what I should be doing I will gladly go another route. -- Doug Goldstein [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 959 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-02 14:56 ` Doug Goldstein @ 2015-12-14 16:08 ` David Vrabel 2015-12-14 16:08 ` [Xen-devel] " David Vrabel 1 sibling, 0 replies; 17+ messages in thread From: David Vrabel @ 2015-12-14 16:08 UTC (permalink / raw) To: Doug Goldstein, David Vrabel, xen-devel Cc: Jonathan Creekmore, Boris Ostrovsky, Paul Durrant, Wei Liu, linux-kernel On 02/12/15 14:56, Doug Goldstein wrote: > On 12/2/15 4:35 AM, David Vrabel wrote: >> On 26/11/15 20:32, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> We should not require clearing drvdata for correctness. We should >> ensure we retain drvdata for as long as it is needed. >> >> I note that pcistub_device_release() has: >> >> kfree(dev_data); >> pci_set_drvdata(dev, NULL); >> >> /* Clean-up the device */ >> xen_pcibk_config_free_dyn_fields(dev); >> xen_pcibk_config_free_dev(dev); >> >> Which should (at a minimum) be reordered to move the kfree(dev_data) to >> after the calls that require it >> >> David >> > > I apologize but at this point I'm confused at what action I should be > taking. Are you saying NACK to the original patch and suggesting this as > the replacement? Or saying that this should be done in addition to the > original patch? I'm suggesting that the goal should be to remove all pci_set_drvdata(dev, NULL) calls and have pciback work correctly without them. Konrad's the pciback maintainer though so I'll defer to him on this. David ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-02 14:56 ` Doug Goldstein 2015-12-14 16:08 ` David Vrabel @ 2015-12-14 16:08 ` David Vrabel 2015-12-14 20:21 ` Konrad Rzeszutek Wilk 1 sibling, 1 reply; 17+ messages in thread From: David Vrabel @ 2015-12-14 16:08 UTC (permalink / raw) To: Doug Goldstein, David Vrabel, xen-devel Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky On 02/12/15 14:56, Doug Goldstein wrote: > On 12/2/15 4:35 AM, David Vrabel wrote: >> On 26/11/15 20:32, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> We should not require clearing drvdata for correctness. We should >> ensure we retain drvdata for as long as it is needed. >> >> I note that pcistub_device_release() has: >> >> kfree(dev_data); >> pci_set_drvdata(dev, NULL); >> >> /* Clean-up the device */ >> xen_pcibk_config_free_dyn_fields(dev); >> xen_pcibk_config_free_dev(dev); >> >> Which should (at a minimum) be reordered to move the kfree(dev_data) to >> after the calls that require it >> >> David >> > > I apologize but at this point I'm confused at what action I should be > taking. Are you saying NACK to the original patch and suggesting this as > the replacement? Or saying that this should be done in addition to the > original patch? I'm suggesting that the goal should be to remove all pci_set_drvdata(dev, NULL) calls and have pciback work correctly without them. Konrad's the pciback maintainer though so I'll defer to him on this. David ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails 2015-12-14 16:08 ` [Xen-devel] " David Vrabel @ 2015-12-14 20:21 ` Konrad Rzeszutek Wilk 0 siblings, 0 replies; 17+ messages in thread From: Konrad Rzeszutek Wilk @ 2015-12-14 20:21 UTC (permalink / raw) To: David Vrabel Cc: Wei Liu, Jonathan Creekmore, Doug Goldstein, linux-kernel, Paul Durrant, xen-devel, Boris Ostrovsky On Mon, Dec 14, 2015 at 04:08:13PM +0000, David Vrabel wrote: > On 02/12/15 14:56, Doug Goldstein wrote: > > On 12/2/15 4:35 AM, David Vrabel wrote: > >> On 26/11/15 20:32, Doug Goldstein wrote: > >>> When allocating a pciback device fails, avoid the possibility of a > >>> use after free. > >> > >> We should not require clearing drvdata for correctness. We should > >> ensure we retain drvdata for as long as it is needed. > >> > >> I note that pcistub_device_release() has: > >> > >> kfree(dev_data); > >> pci_set_drvdata(dev, NULL); > >> > >> /* Clean-up the device */ > >> xen_pcibk_config_free_dyn_fields(dev); > >> xen_pcibk_config_free_dev(dev); > >> > >> Which should (at a minimum) be reordered to move the kfree(dev_data) to > >> after the calls that require it > >> > >> David > >> > > > > I apologize but at this point I'm confused at what action I should be > > taking. Are you saying NACK to the original patch and suggesting this as > > the replacement? Or saying that this should be done in addition to the > > original patch? > > I'm suggesting that the goal should be to remove all > pci_set_drvdata(dev, NULL) calls and have pciback work correctly without > them. Which would mean backend/frontend drivers to do this as well. > > Konrad's the pciback maintainer though so I'll defer to him on this. I would take the patch as is. The cleanup (pci_set_drvdata(dev, NULL)) can be done another time. > > David > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2015-12-14 20:21 UTC | newest] Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein 2015-11-30 21:09 ` Boris Ostrovsky 2015-11-30 21:09 ` Boris Ostrovsky 2015-12-01 16:47 ` Konrad Rzeszutek Wilk 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:24 ` Doug Goldstein 2015-12-01 19:35 ` Konrad Rzeszutek Wilk 2015-12-01 20:54 ` Doug Goldstein 2015-12-01 21:34 ` Konrad Rzeszutek Wilk 2015-12-01 20:54 ` Doug Goldstein 2015-12-02 10:35 ` David Vrabel 2015-12-02 10:35 ` David Vrabel 2015-12-02 14:56 ` Doug Goldstein 2015-12-02 14:56 ` Doug Goldstein 2015-12-14 16:08 ` David Vrabel 2015-12-14 16:08 ` [Xen-devel] " David Vrabel 2015-12-14 20:21 ` Konrad Rzeszutek Wilk
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.