Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 02/12/15 14:56, Doug Goldstein wrote: > On 12/2/15 4:35 AM, David Vrabel wrote: >> On 26/11/15 20:32, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> We should not require clearing drvdata for correctness. We should >> ensure we retain drvdata for as long as it is needed. >> >> I note that pcistub_device_release() has: >> >> kfree(dev_data); >> pci_set_drvdata(dev, NULL); >> >> /* Clean-up the device */ >> xen_pcibk_config_free_dyn_fields(dev); >> xen_pcibk_config_free_dev(dev); >> >> Which should (at a minimum) be reordered to move the kfree(dev_data) to >> after the calls that require it >> >> David >> > > I apologize but at this point I'm confused at what action I should be > taking. Are you saying NACK to the original patch and suggesting this as > the replacement? Or saying that this should be done in addition to the > original patch? I'm suggesting that the goal should be to remove all pci_set_drvdata(dev, NULL) calls and have pciback work correctly without them. Konrad's the pciback maintainer though so I'll defer to him on this. David ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On Mon, Dec 14, 2015 at 04:08:13PM +, David Vrabel wrote: > On 02/12/15 14:56, Doug Goldstein wrote: > > On 12/2/15 4:35 AM, David Vrabel wrote: > >> On 26/11/15 20:32, Doug Goldstein wrote: > >>> When allocating a pciback device fails, avoid the possibility of a > >>> use after free. > >> > >> We should not require clearing drvdata for correctness. We should > >> ensure we retain drvdata for as long as it is needed. > >> > >> I note that pcistub_device_release() has: > >> > >>kfree(dev_data); > >>pci_set_drvdata(dev, NULL); > >> > >>/* Clean-up the device */ > >>xen_pcibk_config_free_dyn_fields(dev); > >>xen_pcibk_config_free_dev(dev); > >> > >> Which should (at a minimum) be reordered to move the kfree(dev_data) to > >> after the calls that require it > >> > >> David > >> > > > > I apologize but at this point I'm confused at what action I should be > > taking. Are you saying NACK to the original patch and suggesting this as > > the replacement? Or saying that this should be done in addition to the > > original patch? > > I'm suggesting that the goal should be to remove all > pci_set_drvdata(dev, NULL) calls and have pciback work correctly without > them. Which would mean backend/frontend drivers to do this as well. > > Konrad's the pciback maintainer though so I'll defer to him on this. I would take the patch as is. The cleanup (pci_set_drvdata(dev, NULL)) can be done another time. > > David > > ___ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 12/2/15 4:35 AM, David Vrabel wrote: > On 26/11/15 20:32, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > We should not require clearing drvdata for correctness. We should > ensure we retain drvdata for as long as it is needed. > > I note that pcistub_device_release() has: > > kfree(dev_data); > pci_set_drvdata(dev, NULL); > > /* Clean-up the device */ > xen_pcibk_config_free_dyn_fields(dev); > xen_pcibk_config_free_dev(dev); > > Which should (at a minimum) be reordered to move the kfree(dev_data) to > after the calls that require it > > David > I apologize but at this point I'm confused at what action I should be taking. Are you saying NACK to the original patch and suggesting this as the replacement? Or saying that this should be done in addition to the original patch? I created the original patch when looking through the other probe() calls and seeing that they all did pci_set_drvdata() with memory they allocated but probe() failed they ensured that pci_set_drvdata() was cleared. But the behavior in xen-pciback was different. It kfree()'d the memory that passed to pci_set_drvdata() and never set that pointer to NULL. Which could possibly result in a use after free. The use after free doesn't occur today as Konrad pointed out but in the future its possible should some other code changes occur. It was more of a defensive coding patch in the end. I had planned on resubmitting the patch with a reworded commit message after Konrad pointed out there was currently no use after free and retaining the Reviewed-By since the code wouldn't change but if that's not what I should be doing I will gladly go another route. -- Doug Goldstein signature.asc Description: OpenPGP digital signature ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 26/11/15 20:32, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. We should not require clearing drvdata for correctness. We should ensure we retain drvdata for as long as it is needed. I note that pcistub_device_release() has: kfree(dev_data); pci_set_drvdata(dev, NULL); /* Clean-up the device */ xen_pcibk_config_free_dyn_fields(dev); xen_pcibk_config_free_dev(dev); Which should (at a minimum) be reordered to move the kfree(dev_data) to after the calls that require it David ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote: > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >>> When allocating a pciback device fails, avoid the possibility of a >>> use after free. >> >> Reviewed-by: Konrad Rzeszutek Wilk>> >> Ugh, and it looks like xen-blkfront has the same issue. > > Nope. No problems there. > > The ->probe if it fails (so xenbus_dev_probe returns the error) > ends up in the 'probe_failed' label in really_probe which takes care by doing: > > dev_set_drvdata(dev, NULL); > > Wheew! > > either way the patch should go in, but the 'possibility' should > be perhaps removed? Unless there is some other path I missed? I put 'possibility' in there because it will only happen when the function returns failure. I was also trying to not make it sound panicky I guess. I can resubmit the patch with that word dropped if that's desirable. > >> >>> >>> Reported-by: Jonathan Creekmore >>> Signed-off-by: Doug Goldstein >>> --- >>> drivers/xen/xen-pciback/xenbus.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c >>> b/drivers/xen/xen-pciback/xenbus.c >>> index 98bc345..4843741 100644 >>> --- a/drivers/xen/xen-pciback/xenbus.c >>> +++ b/drivers/xen/xen-pciback/xenbus.c >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct >>> xenbus_device *xdev) >>> dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev); >>> >>> pdev->xdev = xdev; >>> - dev_set_drvdata(>dev, pdev); >>> >>> mutex_init(>dev_lock); >>> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct >>> xenbus_device *xdev) >>> kfree(pdev); >>> pdev = NULL; >>> } >>> + >>> + dev_set_drvdata(>dev, pdev); >>> + >>> out: >>> return pdev; >>> } >>> -- >>> 2.4.10 >>> -- Doug Goldstein signature.asc Description: OpenPGP digital signature ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On Tue, Dec 01, 2015 at 02:54:33PM -0600, Doug Goldstein wrote: > On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote: > > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: > >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > >>> When allocating a pciback device fails, avoid the possibility of a > >>> use after free. > >> > >> Reviewed-by: Konrad Rzeszutek Wilk> >> > >> Ugh, and it looks like xen-blkfront has the same issue. > > > > Nope. No problems there. > > > > The ->probe if it fails (so xenbus_dev_probe returns the error) > > ends up in the 'probe_failed' label in really_probe which takes care by > > doing: > > > > dev_set_drvdata(dev, NULL); > > > > Wheew! > > > > either way the patch should go in, but the 'possibility' should > > be perhaps removed? Unless there is some other path I missed? > > I put 'possibility' in there because it will only happen when the > function returns failure. I was also trying to not make it sound panicky Right, but when it returns failure, the 'really_probe' will take care of setting dev_set_drvdata(dev, NULL) - so we won't have the use after free problem. > I guess. I can resubmit the patch with that word dropped if that's > desirable. Sure, or just say: "The 'really_probe' takes care of setting dev_set_drvdata(dev, NULL) in its failure path (which we would exercise if the ->probe function failed), so we we are OK. However lets be defensive as the code can change." > > > > >> > >>> > >>> Reported-by: Jonathan Creekmore > >>> Signed-off-by: Doug Goldstein > >>> --- > >>> drivers/xen/xen-pciback/xenbus.c | 4 +++- > >>> 1 file changed, 3 insertions(+), 1 deletion(-) > >>> > >>> diff --git a/drivers/xen/xen-pciback/xenbus.c > >>> b/drivers/xen/xen-pciback/xenbus.c > >>> index 98bc345..4843741 100644 > >>> --- a/drivers/xen/xen-pciback/xenbus.c > >>> +++ b/drivers/xen/xen-pciback/xenbus.c > >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct > >>> xenbus_device *xdev) > >>> dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev); > >>> > >>> pdev->xdev = xdev; > >>> - dev_set_drvdata(>dev, pdev); > >>> > >>> mutex_init(>dev_lock); > >>> > >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct > >>> xenbus_device *xdev) > >>> kfree(pdev); > >>> pdev = NULL; > >>> } > >>> + > >>> + dev_set_drvdata(>dev, pdev); > >>> + > >>> out: > >>> return pdev; > >>> } > >>> -- > >>> 2.4.10 > >>> > > > -- > Doug Goldstein > ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > When allocating a pciback device fails, avoid the possibility of a > use after free. Reviewed-by: Konrad Rzeszutek WilkUgh, and it looks like xen-blkfront has the same issue. > > Reported-by: Jonathan Creekmore > Signed-off-by: Doug Goldstein > --- > drivers/xen/xen-pciback/xenbus.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/xen/xen-pciback/xenbus.c > b/drivers/xen/xen-pciback/xenbus.c > index 98bc345..4843741 100644 > --- a/drivers/xen/xen-pciback/xenbus.c > +++ b/drivers/xen/xen-pciback/xenbus.c > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct > xenbus_device *xdev) > dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev); > > pdev->xdev = xdev; > - dev_set_drvdata(>dev, pdev); > > mutex_init(>dev_lock); > > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct > xenbus_device *xdev) > kfree(pdev); > pdev = NULL; > } > + > + dev_set_drvdata(>dev, pdev); > + > out: > return pdev; > } > -- > 2.4.10 > ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote: > On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: >> When allocating a pciback device fails, avoid the possibility of a >> use after free. > > Reviewed-by: Konrad Rzeszutek Wilk> > Ugh, and it looks like xen-blkfront has the same issue. I believe that case is covered because xen_blkbk_remove() is called in all the failure cases of xen_blkbk_probe() in that case. > >> >> Reported-by: Jonathan Creekmore >> Signed-off-by: Doug Goldstein >> --- >> drivers/xen/xen-pciback/xenbus.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/xen/xen-pciback/xenbus.c >> b/drivers/xen/xen-pciback/xenbus.c >> index 98bc345..4843741 100644 >> --- a/drivers/xen/xen-pciback/xenbus.c >> +++ b/drivers/xen/xen-pciback/xenbus.c >> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct >> xenbus_device *xdev) >> dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev); >> >> pdev->xdev = xdev; >> -dev_set_drvdata(>dev, pdev); >> >> mutex_init(>dev_lock); >> >> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct >> xenbus_device *xdev) >> kfree(pdev); >> pdev = NULL; >> } >> + >> +dev_set_drvdata(>dev, pdev); >> + >> out: >> return pdev; >> } >> -- >> 2.4.10 >> -- Doug Goldstein signature.asc Description: OpenPGP digital signature ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote: > On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote: > > When allocating a pciback device fails, avoid the possibility of a > > use after free. > > Reviewed-by: Konrad Rzeszutek Wilk> > Ugh, and it looks like xen-blkfront has the same issue. Nope. No problems there. The ->probe if it fails (so xenbus_dev_probe returns the error) ends up in the 'probe_failed' label in really_probe which takes care by doing: dev_set_drvdata(dev, NULL); Wheew! either way the patch should go in, but the 'possibility' should be perhaps removed? Unless there is some other path I missed? > > > > > Reported-by: Jonathan Creekmore > > Signed-off-by: Doug Goldstein > > --- > > drivers/xen/xen-pciback/xenbus.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/xen/xen-pciback/xenbus.c > > b/drivers/xen/xen-pciback/xenbus.c > > index 98bc345..4843741 100644 > > --- a/drivers/xen/xen-pciback/xenbus.c > > +++ b/drivers/xen/xen-pciback/xenbus.c > > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct > > xenbus_device *xdev) > > dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev); > > > > pdev->xdev = xdev; > > - dev_set_drvdata(>dev, pdev); > > > > mutex_init(>dev_lock); > > > > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct > > xenbus_device *xdev) > > kfree(pdev); > > pdev = NULL; > > } > > + > > + dev_set_drvdata(>dev, pdev); > > + > > out: > > return pdev; > > } > > -- > > 2.4.10 > > ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails
On 11/26/2015 03:32 PM, Doug Goldstein wrote: When allocating a pciback device fails, avoid the possibility of a use after free. Reported-by: Jonathan CreekmoreSigned-off-by: Doug Goldstein --- drivers/xen/xen-pciback/xenbus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) Reviewed-by: Boris Ostrovsky ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel