* [PATCH] xen-pciback: fix up cleanup path when alloc fails
@ 2015-11-26 20:32 Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Doug Goldstein @ 2015-11-26 20:32 UTC (permalink / raw)
To: xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel,
Boris Ostrovsky, Konrad Rzeszutek Wilk, Jonathan Creekmore,
Doug Goldstein
When allocating a pciback device fails, avoid the possibility of a
use after free.
Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
drivers/xen/xen-pciback/xenbus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
index 98bc345..4843741 100644
--- a/drivers/xen/xen-pciback/xenbus.c
+++ b/drivers/xen/xen-pciback/xenbus.c
@@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
pdev->xdev = xdev;
- dev_set_drvdata(&xdev->dev, pdev);
mutex_init(&pdev->dev_lock);
@@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
kfree(pdev);
pdev = NULL;
}
+
+ dev_set_drvdata(&xdev->dev, pdev);
+
out:
return pdev;
}
--
2.4.10
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
@ 2015-11-30 21:09 ` Boris Ostrovsky
[not found] ` <20151201164717.GA5032@char.us.oracle.com>
2015-12-02 10:35 ` David Vrabel
2 siblings, 0 replies; 7+ messages in thread
From: Boris Ostrovsky @ 2015-11-30 21:09 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, David Vrabel,
Konrad Rzeszutek Wilk, Jonathan Creekmore
On 11/26/2015 03:32 PM, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
>
> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> ---
> drivers/xen/xen-pciback/xenbus.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
[not found] ` <20151201164717.GA5032@char.us.oracle.com>
@ 2015-12-01 19:24 ` Doug Goldstein
[not found] ` <20151201193517.GA32573@char.us.oracle.com>
1 sibling, 0 replies; 7+ messages in thread
From: Doug Goldstein @ 2015-12-01 19:24 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu,
David Vrabel, Boris Ostrovsky, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]
On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> Ugh, and it looks like xen-blkfront has the same issue.
I believe that case is covered because xen_blkbk_remove() is called in
all the failure cases of xen_blkbk_probe() in that case.
>
>>
>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>> ---
>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>> index 98bc345..4843741 100644
>> --- a/drivers/xen/xen-pciback/xenbus.c
>> +++ b/drivers/xen/xen-pciback/xenbus.c
>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>
>> pdev->xdev = xdev;
>> - dev_set_drvdata(&xdev->dev, pdev);
>>
>> mutex_init(&pdev->dev_lock);
>>
>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>> kfree(pdev);
>> pdev = NULL;
>> }
>> +
>> + dev_set_drvdata(&xdev->dev, pdev);
>> +
>> out:
>> return pdev;
>> }
>> --
>> 2.4.10
>>
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
[not found] ` <20151201193517.GA32573@char.us.oracle.com>
@ 2015-12-01 20:54 ` Doug Goldstein
0 siblings, 0 replies; 7+ messages in thread
From: Doug Goldstein @ 2015-12-01 20:54 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk
Cc: xen-devel, linux-kernel, Bob Liu, Paul Durrant, Wei Liu,
David Vrabel, Boris Ostrovsky, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 2052 bytes --]
On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
>
> <whew> Nope. No problems there.
>
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
>
> dev_set_drvdata(dev, NULL);
>
> Wheew!
>
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?
I put 'possibility' in there because it will only happen when the
function returns failure. I was also trying to not make it sound panicky
I guess. I can resubmit the patch with that word dropped if that's
desirable.
>
>>
>>>
>>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>>> ---
>>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>>> index 98bc345..4843741 100644
>>> --- a/drivers/xen/xen-pciback/xenbus.c
>>> +++ b/drivers/xen/xen-pciback/xenbus.c
>>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>>
>>> pdev->xdev = xdev;
>>> - dev_set_drvdata(&xdev->dev, pdev);
>>>
>>> mutex_init(&pdev->dev_lock);
>>>
>>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>> kfree(pdev);
>>> pdev = NULL;
>>> }
>>> +
>>> + dev_set_drvdata(&xdev->dev, pdev);
>>> +
>>> out:
>>> return pdev;
>>> }
>>> --
>>> 2.4.10
>>>
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
[not found] ` <20151201164717.GA5032@char.us.oracle.com>
@ 2015-12-02 10:35 ` David Vrabel
2015-12-02 14:56 ` Doug Goldstein
2 siblings, 1 reply; 7+ messages in thread
From: David Vrabel @ 2015-12-02 10:35 UTC (permalink / raw)
To: Doug Goldstein, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky,
Konrad Rzeszutek Wilk, Jonathan Creekmore
On 26/11/15 20:32, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
We should not require clearing drvdata for correctness. We should
ensure we retain drvdata for as long as it is needed.
I note that pcistub_device_release() has:
kfree(dev_data);
pci_set_drvdata(dev, NULL);
/* Clean-up the device */
xen_pcibk_config_free_dyn_fields(dev);
xen_pcibk_config_free_dev(dev);
Which should (at a minimum) be reordered to move the kfree(dev_data) to
after the calls that require it
David
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 10:35 ` David Vrabel
@ 2015-12-02 14:56 ` Doug Goldstein
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
0 siblings, 1 reply; 7+ messages in thread
From: Doug Goldstein @ 2015-12-02 14:56 UTC (permalink / raw)
To: David Vrabel, xen-devel
Cc: linux-kernel, Bob Liu, Paul Durrant, Wei Liu, Boris Ostrovsky,
Konrad Rzeszutek Wilk, Jonathan Creekmore
[-- Attachment #1: Type: text/plain, Size: 1788 bytes --]
On 12/2/15 4:35 AM, David Vrabel wrote:
> On 26/11/15 20:32, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
>
> We should not require clearing drvdata for correctness. We should
> ensure we retain drvdata for as long as it is needed.
>
> I note that pcistub_device_release() has:
>
> kfree(dev_data);
> pci_set_drvdata(dev, NULL);
>
> /* Clean-up the device */
> xen_pcibk_config_free_dyn_fields(dev);
> xen_pcibk_config_free_dev(dev);
>
> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> after the calls that require it
>
> David
>
I apologize but at this point I'm confused at what action I should be
taking. Are you saying NACK to the original patch and suggesting this as
the replacement? Or saying that this should be done in addition to the
original patch?
I created the original patch when looking through the other probe()
calls and seeing that they all did pci_set_drvdata() with memory they
allocated but probe() failed they ensured that pci_set_drvdata() was
cleared. But the behavior in xen-pciback was different. It kfree()'d the
memory that passed to pci_set_drvdata() and never set that pointer to
NULL. Which could possibly result in a use after free. The use after
free doesn't occur today as Konrad pointed out but in the future its
possible should some other code changes occur. It was more of a
defensive coding patch in the end. I had planned on resubmitting the
patch with a reworded commit message after Konrad pointed out there was
currently no use after free and retaining the Reviewed-By since the code
wouldn't change but if that's not what I should be doing I will gladly
go another route.
--
Doug Goldstein
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
2015-12-02 14:56 ` Doug Goldstein
@ 2015-12-14 16:08 ` David Vrabel
0 siblings, 0 replies; 7+ messages in thread
From: David Vrabel @ 2015-12-14 16:08 UTC (permalink / raw)
To: Doug Goldstein, David Vrabel, xen-devel
Cc: Wei Liu, Jonathan Creekmore, linux-kernel, Paul Durrant, Boris Ostrovsky
On 02/12/15 14:56, Doug Goldstein wrote:
> On 12/2/15 4:35 AM, David Vrabel wrote:
>> On 26/11/15 20:32, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> We should not require clearing drvdata for correctness. We should
>> ensure we retain drvdata for as long as it is needed.
>>
>> I note that pcistub_device_release() has:
>>
>> kfree(dev_data);
>> pci_set_drvdata(dev, NULL);
>>
>> /* Clean-up the device */
>> xen_pcibk_config_free_dyn_fields(dev);
>> xen_pcibk_config_free_dev(dev);
>>
>> Which should (at a minimum) be reordered to move the kfree(dev_data) to
>> after the calls that require it
>>
>> David
>>
>
> I apologize but at this point I'm confused at what action I should be
> taking. Are you saying NACK to the original patch and suggesting this as
> the replacement? Or saying that this should be done in addition to the
> original patch?
I'm suggesting that the goal should be to remove all
pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
them.
Konrad's the pciback maintainer though so I'll defer to him on this.
David
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-12-14 16:08 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-26 20:32 [PATCH] xen-pciback: fix up cleanup path when alloc fails Doug Goldstein
2015-11-30 21:09 ` Boris Ostrovsky
[not found] ` <20151201164717.GA5032@char.us.oracle.com>
2015-12-01 19:24 ` Doug Goldstein
[not found] ` <20151201193517.GA32573@char.us.oracle.com>
2015-12-01 20:54 ` Doug Goldstein
2015-12-02 10:35 ` David Vrabel
2015-12-02 14:56 ` Doug Goldstein
2015-12-14 16:08 ` [Xen-devel] " David Vrabel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).