From: Michael Ellerman <mpe@ellerman.id.au>
To: Leonardo Bras <leonardo@linux.ibm.com>,
kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Cc: Leonardo Bras <leonardo@linux.ibm.com>,
Paul Mackerras <paulus@ozlabs.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Tue, 12 Nov 2019 15:57:40 +1100 [thread overview]
Message-ID: <87mud13d4r.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <20191107170258.36379-2-leonardo@linux.ibm.com>
Hi Leonardo,
Leonardo Bras <leonardo@linux.ibm.com> writes:
> Fixes a possible 'use after free' of kvm variable in
> kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm->lock)
> after a kvm_put_kvm(kvm).
There is no potential for an actual use after free here AFAICS.
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 5834db0a54c6..a402ead833b6 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
The preceeding context is:
mutex_lock(&kvm->lock);
/* Check this LIOBN hasn't been previously allocated */
ret = 0;
list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
if (siter->liobn == args->liobn) {
ret = -EBUSY;
break;
}
}
kvm_get_kvm(kvm);
if (!ret)
ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
stt, O_RDWR | O_CLOEXEC);
> @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
>
> if (ret >= 0)
> list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> - else
> - kvm_put_kvm(kvm);
>
> mutex_unlock(&kvm->lock);
>
> if (ret >= 0)
> return ret;
>
> + kvm_put_kvm(kvm);
> kfree(stt);
> fail_acct:
> account_locked_vm(current->mm, kvmppc_stt_pages(npages), false);
If the kvm_put_kvm() you've moved actually caused the last reference to
be dropped that would mean that our caller had passed us a kvm struct
without holding a reference to it, and that would be a bug in our
caller.
Or put another way, it would mean the mutex_lock() above could already
be operating on a freed kvm struct.
The kvm_get_kvm() prior to the anon_inode_getfd() is to account for the
reference that's held by the `stt` struct, and dropped in
kvm_spapr_tce_release().
So although this patch isn't wrong, the explanation is not accurate.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Leonardo Bras <leonardo@linux.ibm.com>,
kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Cc: Leonardo Bras <leonardo@linux.ibm.com>
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Tue, 12 Nov 2019 15:57:40 +1100 [thread overview]
Message-ID: <87mud13d4r.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <20191107170258.36379-2-leonardo@linux.ibm.com>
Hi Leonardo,
Leonardo Bras <leonardo@linux.ibm.com> writes:
> Fixes a possible 'use after free' of kvm variable in
> kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm->lock)
> after a kvm_put_kvm(kvm).
There is no potential for an actual use after free here AFAICS.
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 5834db0a54c6..a402ead833b6 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
The preceeding context is:
mutex_lock(&kvm->lock);
/* Check this LIOBN hasn't been previously allocated */
ret = 0;
list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
if (siter->liobn == args->liobn) {
ret = -EBUSY;
break;
}
}
kvm_get_kvm(kvm);
if (!ret)
ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
stt, O_RDWR | O_CLOEXEC);
> @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
>
> if (ret >= 0)
> list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> - else
> - kvm_put_kvm(kvm);
>
> mutex_unlock(&kvm->lock);
>
> if (ret >= 0)
> return ret;
>
> + kvm_put_kvm(kvm);
> kfree(stt);
> fail_acct:
> account_locked_vm(current->mm, kvmppc_stt_pages(npages), false);
If the kvm_put_kvm() you've moved actually caused the last reference to
be dropped that would mean that our caller had passed us a kvm struct
without holding a reference to it, and that would be a bug in our
caller.
Or put another way, it would mean the mutex_lock() above could already
be operating on a freed kvm struct.
The kvm_get_kvm() prior to the anon_inode_getfd() is to account for the
reference that's held by the `stt` struct, and dropped in
kvm_spapr_tce_release().
So although this patch isn't wrong, the explanation is not accurate.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Leonardo Bras <leonardo@linux.ibm.com>,
kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Cc: Leonardo Bras <leonardo@linux.ibm.com>,
Paul Mackerras <paulus@ozlabs.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Tue, 12 Nov 2019 04:57:40 +0000 [thread overview]
Message-ID: <87mud13d4r.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <20191107170258.36379-2-leonardo@linux.ibm.com>
Hi Leonardo,
Leonardo Bras <leonardo@linux.ibm.com> writes:
> Fixes a possible 'use after free' of kvm variable in
> kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm->lock)
> after a kvm_put_kvm(kvm).
There is no potential for an actual use after free here AFAICS.
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 5834db0a54c6..a402ead833b6 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
The preceeding context is:
mutex_lock(&kvm->lock);
/* Check this LIOBN hasn't been previously allocated */
ret = 0;
list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
if (siter->liobn = args->liobn) {
ret = -EBUSY;
break;
}
}
kvm_get_kvm(kvm);
if (!ret)
ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
stt, O_RDWR | O_CLOEXEC);
> @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
>
> if (ret >= 0)
> list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> - else
> - kvm_put_kvm(kvm);
>
> mutex_unlock(&kvm->lock);
>
> if (ret >= 0)
> return ret;
>
> + kvm_put_kvm(kvm);
> kfree(stt);
> fail_acct:
> account_locked_vm(current->mm, kvmppc_stt_pages(npages), false);
If the kvm_put_kvm() you've moved actually caused the last reference to
be dropped that would mean that our caller had passed us a kvm struct
without holding a reference to it, and that would be a bug in our
caller.
Or put another way, it would mean the mutex_lock() above could already
be operating on a freed kvm struct.
The kvm_get_kvm() prior to the anon_inode_getfd() is to account for the
reference that's held by the `stt` struct, and dropped in
kvm_spapr_tce_release().
So although this patch isn't wrong, the explanation is not accurate.
cheers
next prev parent reply other threads:[~2019-11-12 4:57 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-07 17:02 [PATCH v2 0/4] Replace current->mm by kvm->mm on powerpc/kvm Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-12 4:57 ` Michael Ellerman [this message]
2019-11-12 4:57 ` Michael Ellerman
2019-11-12 4:57 ` Michael Ellerman
2019-11-14 18:43 ` Leonardo Bras
2019-11-14 18:43 ` Leonardo Bras
2019-11-14 18:43 ` Leonardo Bras
2019-11-21 13:24 ` Leonardo Bras
2019-11-21 13:24 ` Leonardo Bras
2019-11-21 13:24 ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 2/4] powerpc/kvm/book3s: Replace current->mm by kvm->mm Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 3/4] powerpc/kvm/book3e: " Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 4/4] powerpc/kvm/e500: " Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mud13d4r.fsf@mpe.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=benh@kernel.crashing.org \
--cc=kvm-ppc@vger.kernel.org \
--cc=leonardo@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.