[PATCH] xen-pciback: fix up cleanup path when alloc fails

[PATCH] xen-pciback: fix up cleanup path when alloc fails

[Doug Goldstein]

When allocating a pciback device fails, avoid the possibility of a
use after free.

Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
 drivers/xen/xen-pciback/xenbus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
index 98bc345..4843741 100644
--- a/drivers/xen/xen-pciback/xenbus.c
+++ b/drivers/xen/xen-pciback/xenbus.c
@@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
 	dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
 
 	pdev->xdev = xdev;
-	dev_set_drvdata(&xdev->dev, pdev);
 
 	mutex_init(&pdev->dev_lock);
 
@@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
 		kfree(pdev);
 		pdev = NULL;
 	}
+
+	dev_set_drvdata(&xdev->dev, pdev);
+
 out:
 	return pdev;
 }
-- 
2.4.10

Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails

[Boris Ostrovsky]

On 11/26/2015 03:32 PM, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.
>
> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
> ---
>   drivers/xen/xen-pciback/xenbus.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)

Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>

Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails

[Doug Goldstein]

[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]

On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
> 
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> 
> Ugh, and it looks like xen-blkfront has the same issue.

I believe that case is covered because xen_blkbk_remove() is called in
all the failure cases of xen_blkbk_probe() in that case.

> 
>>
>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>> ---
>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>> index 98bc345..4843741 100644
>> --- a/drivers/xen/xen-pciback/xenbus.c
>> +++ b/drivers/xen/xen-pciback/xenbus.c
>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>  	dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>  
>>  	pdev->xdev = xdev;
>> -	dev_set_drvdata(&xdev->dev, pdev);
>>  
>>  	mutex_init(&pdev->dev_lock);
>>  
>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>  		kfree(pdev);
>>  		pdev = NULL;
>>  	}
>> +
>> +	dev_set_drvdata(&xdev->dev, pdev);
>> +
>>  out:
>>  	return pdev;
>>  }
>> -- 
>> 2.4.10
>>


-- 
Doug Goldstein


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]

Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails

[Doug Goldstein]

[-- Attachment #1: Type: text/plain, Size: 2052 bytes --]

On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
> 
> <whew> Nope. No problems there.
> 
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
> 
> dev_set_drvdata(dev, NULL);
> 
> Wheew!
> 
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?

I put 'possibility' in there because it will only happen when the
function returns failure. I was also trying to not make it sound panicky
I guess. I can resubmit the patch with that word dropped if that's
desirable.

> 
>>
>>>
>>> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
>>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>>> ---
>>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c
>>> index 98bc345..4843741 100644
>>> --- a/drivers/xen/xen-pciback/xenbus.c
>>> +++ b/drivers/xen/xen-pciback/xenbus.c
>>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>>  	dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
>>>  
>>>  	pdev->xdev = xdev;
>>> -	dev_set_drvdata(&xdev->dev, pdev);
>>>  
>>>  	mutex_init(&pdev->dev_lock);
>>>  
>>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev)
>>>  		kfree(pdev);
>>>  		pdev = NULL;
>>>  	}
>>> +
>>> +	dev_set_drvdata(&xdev->dev, pdev);
>>> +
>>>  out:
>>>  	return pdev;
>>>  }
>>> -- 
>>> 2.4.10
>>>


-- 
Doug Goldstein


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]

Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails

[David Vrabel]

On 26/11/15 20:32, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.

We should not require clearing drvdata for correctness.  We should
ensure we retain drvdata for as long as it is needed.

I note that pcistub_device_release() has:

	kfree(dev_data);
	pci_set_drvdata(dev, NULL);

	/* Clean-up the device */
	xen_pcibk_config_free_dyn_fields(dev);
	xen_pcibk_config_free_dev(dev);

Which should (at a minimum) be reordered to move the kfree(dev_data) to
after the calls that require it

David

Re: [PATCH] xen-pciback: fix up cleanup path when alloc fails

[Doug Goldstein]

[-- Attachment #1: Type: text/plain, Size: 1788 bytes --]

On 12/2/15 4:35 AM, David Vrabel wrote:
> On 26/11/15 20:32, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
> 
> We should not require clearing drvdata for correctness.  We should
> ensure we retain drvdata for as long as it is needed.
> 
> I note that pcistub_device_release() has:
> 
> 	kfree(dev_data);
> 	pci_set_drvdata(dev, NULL);
> 
> 	/* Clean-up the device */
> 	xen_pcibk_config_free_dyn_fields(dev);
> 	xen_pcibk_config_free_dev(dev);
> 
> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> after the calls that require it
> 
> David
> 

I apologize but at this point I'm confused at what action I should be
taking. Are you saying NACK to the original patch and suggesting this as
the replacement? Or saying that this should be done in addition to the
original patch?

I created the original patch when looking through the other probe()
calls and seeing that they all did pci_set_drvdata() with memory they
allocated but probe() failed they ensured that pci_set_drvdata() was
cleared. But the behavior in xen-pciback was different. It kfree()'d the
memory that passed to pci_set_drvdata() and never set that pointer to
NULL. Which could possibly result in a use after free. The use after
free doesn't occur today as Konrad pointed out but in the future its
possible should some other code changes occur. It was more of a
defensive coding patch in the end. I had planned on resubmitting the
patch with a reworded commit message after Konrad pointed out there was
currently no use after free and retaining the Reviewed-By since the code
wouldn't change but if that's not what I should be doing I will gladly
go another route.

-- 
Doug Goldstein


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

[David Vrabel]

On 02/12/15 14:56, Doug Goldstein wrote:
> On 12/2/15 4:35 AM, David Vrabel wrote:
>> On 26/11/15 20:32, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> We should not require clearing drvdata for correctness.  We should
>> ensure we retain drvdata for as long as it is needed.
>>
>> I note that pcistub_device_release() has:
>>
>> 	kfree(dev_data);
>> 	pci_set_drvdata(dev, NULL);
>>
>> 	/* Clean-up the device */
>> 	xen_pcibk_config_free_dyn_fields(dev);
>> 	xen_pcibk_config_free_dev(dev);
>>
>> Which should (at a minimum) be reordered to move the kfree(dev_data) to
>> after the calls that require it
>>
>> David
>>
> 
> I apologize but at this point I'm confused at what action I should be
> taking. Are you saying NACK to the original patch and suggesting this as
> the replacement? Or saying that this should be done in addition to the
> original patch?

I'm suggesting that the goal should be to remove all
pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
them.

Konrad's the pciback maintainer though so I'll defer to him on this.

David