Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-14 Thread David Vrabel 
On 02/12/15 14:56, Doug Goldstein wrote:
> On 12/2/15 4:35 AM, David Vrabel wrote:
>> On 26/11/15 20:32, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> We should not require clearing drvdata for correctness.  We should
>> ensure we retain drvdata for as long as it is needed.
>>
>> I note that pcistub_device_release() has:
>>
>>  kfree(dev_data);
>>  pci_set_drvdata(dev, NULL);
>>
>>  /* Clean-up the device */
>>  xen_pcibk_config_free_dyn_fields(dev);
>>  xen_pcibk_config_free_dev(dev);
>>
>> Which should (at a minimum) be reordered to move the kfree(dev_data) to
>> after the calls that require it
>>
>> David
>>
> 
> I apologize but at this point I'm confused at what action I should be
> taking. Are you saying NACK to the original patch and suggesting this as
> the replacement? Or saying that this should be done in addition to the
> original patch?

I'm suggesting that the goal should be to remove all
pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
them.

Konrad's the pciback maintainer though so I'll defer to him on this.

David

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-14 Thread Konrad Rzeszutek Wilk 
On Mon, Dec 14, 2015 at 04:08:13PM +, David Vrabel wrote:
> On 02/12/15 14:56, Doug Goldstein wrote:
> > On 12/2/15 4:35 AM, David Vrabel wrote:
> >> On 26/11/15 20:32, Doug Goldstein wrote:
> >>> When allocating a pciback device fails, avoid the possibility of a
> >>> use after free.
> >>
> >> We should not require clearing drvdata for correctness.  We should
> >> ensure we retain drvdata for as long as it is needed.
> >>
> >> I note that pcistub_device_release() has:
> >>
> >>kfree(dev_data);
> >>pci_set_drvdata(dev, NULL);
> >>
> >>/* Clean-up the device */
> >>xen_pcibk_config_free_dyn_fields(dev);
> >>xen_pcibk_config_free_dev(dev);
> >>
> >> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> >> after the calls that require it
> >>
> >> David
> >>
> > 
> > I apologize but at this point I'm confused at what action I should be
> > taking. Are you saying NACK to the original patch and suggesting this as
> > the replacement? Or saying that this should be done in addition to the
> > original patch?
> 
> I'm suggesting that the goal should be to remove all
> pci_set_drvdata(dev, NULL) calls and have pciback work correctly without
> them.

Which would mean backend/frontend drivers to do this as well.

> 
> Konrad's the pciback maintainer though so I'll defer to him on this.

I would take the patch as is. The cleanup (pci_set_drvdata(dev, NULL)) can
be done another time.

> 
> David
> 
> ___
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-02 Thread Doug Goldstein 
On 12/2/15 4:35 AM, David Vrabel wrote:
> On 26/11/15 20:32, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
> 
> We should not require clearing drvdata for correctness.  We should
> ensure we retain drvdata for as long as it is needed.
> 
> I note that pcistub_device_release() has:
> 
>   kfree(dev_data);
>   pci_set_drvdata(dev, NULL);
> 
>   /* Clean-up the device */
>   xen_pcibk_config_free_dyn_fields(dev);
>   xen_pcibk_config_free_dev(dev);
> 
> Which should (at a minimum) be reordered to move the kfree(dev_data) to
> after the calls that require it
> 
> David
> 

I apologize but at this point I'm confused at what action I should be
taking. Are you saying NACK to the original patch and suggesting this as
the replacement? Or saying that this should be done in addition to the
original patch?

I created the original patch when looking through the other probe()
calls and seeing that they all did pci_set_drvdata() with memory they
allocated but probe() failed they ensured that pci_set_drvdata() was
cleared. But the behavior in xen-pciback was different. It kfree()'d the
memory that passed to pci_set_drvdata() and never set that pointer to
NULL. Which could possibly result in a use after free. The use after
free doesn't occur today as Konrad pointed out but in the future its
possible should some other code changes occur. It was more of a
defensive coding patch in the end. I had planned on resubmitting the
patch with a reworded commit message after Konrad pointed out there was
currently no use after free and retaining the Reviewed-By since the code
wouldn't change but if that's not what I should be doing I will gladly
go another route.

-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-02 Thread David Vrabel 
On 26/11/15 20:32, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.

We should not require clearing drvdata for correctness.  We should
ensure we retain drvdata for as long as it is needed.

I note that pcistub_device_release() has:

kfree(dev_data);
pci_set_drvdata(dev, NULL);

/* Clean-up the device */
xen_pcibk_config_free_dyn_fields(dev);
xen_pcibk_config_free_dev(dev);

Which should (at a minimum) be reordered to move the kfree(dev_data) to
after the calls that require it

David

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-01 Thread Doug Goldstein 
On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk 
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
> 
>  Nope. No problems there.
> 
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
> 
> dev_set_drvdata(dev, NULL);
> 
> Wheew!
> 
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?

I put 'possibility' in there because it will only happen when the
function returns failure. I was also trying to not make it sound panicky
I guess. I can resubmit the patch with that word dropped if that's
desirable.

> 
>>
>>>
>>> Reported-by: Jonathan Creekmore 
>>> Signed-off-by: Doug Goldstein 
>>> ---
>>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c 
>>> b/drivers/xen/xen-pciback/xenbus.c
>>> index 98bc345..4843741 100644
>>> --- a/drivers/xen/xen-pciback/xenbus.c
>>> +++ b/drivers/xen/xen-pciback/xenbus.c
>>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
>>> xenbus_device *xdev)
>>> dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev);
>>>  
>>> pdev->xdev = xdev;
>>> -   dev_set_drvdata(>dev, pdev);
>>>  
>>> mutex_init(>dev_lock);
>>>  
>>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
>>> xenbus_device *xdev)
>>> kfree(pdev);
>>> pdev = NULL;
>>> }
>>> +
>>> +   dev_set_drvdata(>dev, pdev);
>>> +
>>>  out:
>>> return pdev;
>>>  }
>>> -- 
>>> 2.4.10
>>>


-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-01 Thread Konrad Rzeszutek Wilk 
On Tue, Dec 01, 2015 at 02:54:33PM -0600, Doug Goldstein wrote:
> On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
> >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> >>> When allocating a pciback device fails, avoid the possibility of a
> >>> use after free.
> >>
> >> Reviewed-by: Konrad Rzeszutek Wilk 
> >>
> >> Ugh, and it looks like xen-blkfront has the same issue.
> > 
> >  Nope. No problems there.
> > 
> > The ->probe if it fails (so xenbus_dev_probe returns the error)
> > ends up in the 'probe_failed' label in really_probe which takes care by 
> > doing:
> > 
> > dev_set_drvdata(dev, NULL);
> > 
> > Wheew!
> > 
> > either way the patch should go in, but the 'possibility' should
> > be perhaps removed? Unless there is some other path I missed?
> 
> I put 'possibility' in there because it will only happen when the
> function returns failure. I was also trying to not make it sound panicky

Right, but when it returns failure, the 'really_probe' will take
care of setting dev_set_drvdata(dev, NULL) - so we won't have the
use after free problem.


> I guess. I can resubmit the patch with that word dropped if that's
> desirable.

Sure, or just say: "The 'really_probe' takes care of setting
dev_set_drvdata(dev, NULL) in its failure path (which we would 
exercise if the ->probe function failed), so we we
are OK. However lets be defensive as the code can change."

> 
> > 
> >>
> >>>
> >>> Reported-by: Jonathan Creekmore 
> >>> Signed-off-by: Doug Goldstein 
> >>> ---
> >>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
> >>>  1 file changed, 3 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c 
> >>> b/drivers/xen/xen-pciback/xenbus.c
> >>> index 98bc345..4843741 100644
> >>> --- a/drivers/xen/xen-pciback/xenbus.c
> >>> +++ b/drivers/xen/xen-pciback/xenbus.c
> >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> >>> xenbus_device *xdev)
> >>>   dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev);
> >>>  
> >>>   pdev->xdev = xdev;
> >>> - dev_set_drvdata(>dev, pdev);
> >>>  
> >>>   mutex_init(>dev_lock);
> >>>  
> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> >>> xenbus_device *xdev)
> >>>   kfree(pdev);
> >>>   pdev = NULL;
> >>>   }
> >>> +
> >>> + dev_set_drvdata(>dev, pdev);
> >>> +
> >>>  out:
> >>>   return pdev;
> >>>  }
> >>> -- 
> >>> 2.4.10
> >>>
> 
> 
> -- 
> Doug Goldstein
> 



___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-01 Thread Konrad Rzeszutek Wilk 
On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> When allocating a pciback device fails, avoid the possibility of a
> use after free.

Reviewed-by: Konrad Rzeszutek Wilk 

Ugh, and it looks like xen-blkfront has the same issue.

> 
> Reported-by: Jonathan Creekmore 
> Signed-off-by: Doug Goldstein 
> ---
>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/xen/xen-pciback/xenbus.c 
> b/drivers/xen/xen-pciback/xenbus.c
> index 98bc345..4843741 100644
> --- a/drivers/xen/xen-pciback/xenbus.c
> +++ b/drivers/xen/xen-pciback/xenbus.c
> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> xenbus_device *xdev)
>   dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev);
>  
>   pdev->xdev = xdev;
> - dev_set_drvdata(>dev, pdev);
>  
>   mutex_init(>dev_lock);
>  
> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> xenbus_device *xdev)
>   kfree(pdev);
>   pdev = NULL;
>   }
> +
> + dev_set_drvdata(>dev, pdev);
> +
>  out:
>   return pdev;
>  }
> -- 
> 2.4.10
> 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-01 Thread Doug Goldstein 
On 12/1/15 10:47 AM, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>> When allocating a pciback device fails, avoid the possibility of a
>> use after free.
> 
> Reviewed-by: Konrad Rzeszutek Wilk 
> 
> Ugh, and it looks like xen-blkfront has the same issue.

I believe that case is covered because xen_blkbk_remove() is called in
all the failure cases of xen_blkbk_probe() in that case.

> 
>>
>> Reported-by: Jonathan Creekmore 
>> Signed-off-by: Doug Goldstein 
>> ---
>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/xen/xen-pciback/xenbus.c 
>> b/drivers/xen/xen-pciback/xenbus.c
>> index 98bc345..4843741 100644
>> --- a/drivers/xen/xen-pciback/xenbus.c
>> +++ b/drivers/xen/xen-pciback/xenbus.c
>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
>> xenbus_device *xdev)
>>  dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev);
>>  
>>  pdev->xdev = xdev;
>> -dev_set_drvdata(>dev, pdev);
>>  
>>  mutex_init(>dev_lock);
>>  
>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
>> xenbus_device *xdev)
>>  kfree(pdev);
>>  pdev = NULL;
>>  }
>> +
>> +dev_set_drvdata(>dev, pdev);
>> +
>>  out:
>>  return pdev;
>>  }
>> -- 
>> 2.4.10
>>


-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-12-01 Thread Konrad Rzeszutek Wilk 
On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> > When allocating a pciback device fails, avoid the possibility of a
> > use after free.
> 
> Reviewed-by: Konrad Rzeszutek Wilk 
> 
> Ugh, and it looks like xen-blkfront has the same issue.

 Nope. No problems there.

The ->probe if it fails (so xenbus_dev_probe returns the error)
ends up in the 'probe_failed' label in really_probe which takes care by doing:

dev_set_drvdata(dev, NULL);

Wheew!

either way the patch should go in, but the 'possibility' should
be perhaps removed? Unless there is some other path I missed?

> 
> > 
> > Reported-by: Jonathan Creekmore 
> > Signed-off-by: Doug Goldstein 
> > ---
> >  drivers/xen/xen-pciback/xenbus.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/xen/xen-pciback/xenbus.c 
> > b/drivers/xen/xen-pciback/xenbus.c
> > index 98bc345..4843741 100644
> > --- a/drivers/xen/xen-pciback/xenbus.c
> > +++ b/drivers/xen/xen-pciback/xenbus.c
> > @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> > xenbus_device *xdev)
> > dev_dbg(>dev, "allocated pdev @ 0x%p\n", pdev);
> >  
> > pdev->xdev = xdev;
> > -   dev_set_drvdata(>dev, pdev);
> >  
> > mutex_init(>dev_lock);
> >  
> > @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> > xenbus_device *xdev)
> > kfree(pdev);
> > pdev = NULL;
> > }
> > +
> > +   dev_set_drvdata(>dev, pdev);
> > +
> >  out:
> > return pdev;
> >  }
> > -- 
> > 2.4.10
> > 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails

2015-11-30 Thread Boris Ostrovsky 

On 11/26/2015 03:32 PM, Doug Goldstein wrote:

When allocating a pciback device fails, avoid the possibility of a
use after free.

Reported-by: Jonathan Creekmore 
Signed-off-by: Doug Goldstein 
---
  drivers/xen/xen-pciback/xenbus.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)


Reviewed-by: Boris Ostrovsky 


___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel