From: Jason Wang <jasowang@redhat.com>
To: "Laurent Vivier" <lvivier@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, Stefan Weil <sw@weilnetz.de>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH] net: tap: check if the file descriptor is valid before using it
Date: Tue, 30 Jun 2020 17:21:49 +0800	[thread overview]
Message-ID: <b912e24c-8dc5-7022-6ed2-cf10d72ef6e7@redhat.com> (raw)
In-Reply-To: <ea94fa3c-edb5-220e-e0e0-4b7fca7b90e8@redhat.com>


On 2020/6/30 3:30 AM, Laurent Vivier wrote:
> On 28/06/2020 08:31, Jason Wang wrote:
>> On 2020/6/25 7:56 PM, Laurent Vivier wrote:
>>> On 25/06/2020 10:48, Daniel P. Berrangé wrote:
>>>> On Wed, Jun 24, 2020 at 09:00:09PM +0200, Laurent Vivier wrote:
>>>>> qemu_set_nonblock() checks that the file descriptor can be used and, if
>>>>> not, crashes QEMU. An assert() is used for that. assert() is used to
>>>>> detect programming errors, and the coredump allows the problem to be
>>>>> debugged.
>>>>>
>>>>> But in the case of the tap device, this assert() can be triggered by
>>>>> a misconfiguration by the user. At startup, it's not a real problem,
>>>>> but it can also happen during the hot-plug of a new device, and here
>>>>> it's a problem because we can crash a perfectly healthy system.
>>>> If the user/mgmt app is not correctly passing FDs, then there's a whole
>>>> pile of bad stuff that can happen. Checking whether the FD is valid is
>>>> only going to catch a small subset. E.g. consider if fd=9 refers to the
>>>> FD that is associated with the root disk QEMU has open. We'll fail to
>>>> set up the TAP device and close this FD, breaking the healthy system
>>>> again.
>>>>
>>>> I'm not saying we can't check if the FD is valid, but let's be clear that
>>>> this is not offering very much protection against a broken mgmt app
>>>> passing bad FDs.
>>>>
>>> I agree with you, but my only goal here is to avoid the crash in this
>>> particular case.
>>>
>>> The punishment should fit the crime.
>>>
>>> The user can think netdev_del doesn't close the fd, and he can try
>>> to reuse it. Sending back an error is better than crashing his system.
>>> After that, if the system crashes, it will be for the good reasons, not
>>> because of an assert.
>>
>> Yes. And on top of this we may try to validate the TAP via st_dev
>> through fstat[1].
> I agree, but the problem I have is to know which major(st_dev) we can
> allow to use.
>
> Do we allow only macvtap major number?


Macvtap and tuntap.


> How to know the macvtap major number at user level?
> [it is allocated dynamically: do we need to parse /proc/devices?]


I think we can get them through fstat for /dev/net/tun and /dev/macvtapX.

Thanks


>
> Thanks,
> Laurent
>
>




Thread overview: 20+ messages
2020-06-24 19:00 [PATCH] net: tap: check if the file descriptor is valid before using it Laurent Vivier
2020-06-25  6:19 ` Philippe Mathieu-Daudé
2020-06-25  7:38   ` Laurent Vivier
2020-06-25  7:40     ` Philippe Mathieu-Daudé
2020-06-25  8:48 ` Daniel P. Berrangé
2020-06-25 11:56   ` Laurent Vivier
2020-06-28  6:31     ` Jason Wang
2020-06-29 19:30       ` Laurent Vivier
2020-06-30  9:21         ` Jason Wang [this message]
2020-06-30  9:23           ` Daniel P. Berrangé
2020-06-30  9:31             ` Daniel P. Berrangé
2020-06-30  9:45               ` Laurent Vivier
2020-06-30 10:03                 ` Jason Wang
2020-06-30 10:35                   ` Laurent Vivier
2020-06-30 10:57                     ` Jason Wang
2020-06-30 11:03                     ` Daniel P. Berrangé
2020-06-30 12:00                       ` Laurent Vivier
2020-06-30 12:35                         ` Daniel P. Berrangé
2020-06-30 12:42                           ` Laurent Vivier
2020-06-30  9:56               ` Jason Wang
