Re: [PATCH rc 2/2] iommufd: Do not UAF during iommufd_put_object()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jason Gunthorpe <jgg@nvidia.com>
To: "Tian, Kevin" <kevin.tian@intel.com>
Cc: "iommu@lists.linux.dev" <iommu@lists.linux.dev>,
	Lu Baolu <baolu.lu@linux.intel.com>,
	Eric Auger <eric.auger@redhat.com>,
	Lixiao Yang <lixiao.yang@intel.com>,
	Matthew Rosato <mjrosato@linux.ibm.com>,
	Nicolin Chen <nicolinc@nvidia.com>,
	"patches@lists.linux.dev" <patches@lists.linux.dev>,
	"syzbot+7574ebfe589049630608@syzkaller.appspotmail.com"
	<syzbot+7574ebfe589049630608@syzkaller.appspotmail.com>,
	"syzbot+d31adfb277377ef8fcba@syzkaller.appspotmail.com"
	<syzbot+d31adfb277377ef8fcba@syzkaller.appspotmail.com>,
	"Liu, Yi L" <yi.l.liu@intel.com>
Subject: Re: [PATCH rc 2/2] iommufd: Do not UAF during iommufd_put_object()
Date: Tue, 21 Nov 2023 09:04:43 -0400	[thread overview]
Message-ID: <20231121130443.GF6083@nvidia.com> (raw)
In-Reply-To: <BN9PR11MB527644B411E7F9EEC11F49898CBBA@BN9PR11MB5276.namprd11.prod.outlook.com>

On Tue, Nov 21, 2023 at 03:49:55AM +0000, Tian, Kevin wrote:
> > From: Jason Gunthorpe <jgg@nvidia.com>
> > Sent: Tuesday, November 21, 2023 9:28 AM
> > +
> > +/*
> > + * The caller holds a users refcount and wants to destroy the object. In all
> > + * cases the caller no longer has a reference on obj.
> 
> It's unclear which refcnt is being talked here given we have two now.

It says: "users refcount"

At this point the shortterm_users refcount is held by the
xarray. Let's add a note about that

> Actually none of them matches this description e.g. if wait shortterm timeouts
> then both users and shortterm_users are left intact.

shortterm_users was decremented and the object is leaked in that
case. It is a should-never-happen flow.
 
> >  static inline void iommufd_object_destroy_user(struct iommufd_ctx *ictx,
> >  					       struct iommufd_object *obj)
> >  {
> > -	__iommufd_object_destroy_user(ictx, obj, false);
> > +	int ret;
> > +
> > +	ret = iommufd_object_remove(ictx, obj, obj->id,
> > REMOVE_WAIT_SHORTTERM);
> > +
> > +	/*
> > +	 * If there is a bug and we couldn't destroy the object then we did put
> > +	 * back the caller's refcount and will eventually try to free it again
> > +	 * during close.
> 
> This also needs more clarification. obj->users is not recovered upon error.
> only obj->shortterm_users is put back.

And it doesn't always happen anyhow.

I'll work on this some more, it is really tricky.

> > +	 */
> > +	WARN_ON(ret);
> >  }
> > +
> > +/*
> > + * Used by autodomains to clean up the hwpt object if it was not used
> > manually.
> > + */
> >  static inline void iommufd_object_deref_user(struct iommufd_ctx *ictx,
> >  					     struct iommufd_object *obj)
> >  {
> > -	__iommufd_object_destroy_user(ictx, obj, true);
> > +	iommufd_object_remove(ictx, obj, obj->id, 0);
> 
> since there is a flag parameter now can we introduce a new flag bit
> to represent extra_put? having both obj and obj->id in one invocation
> as the hint for extra_put is a bit vague.

If the user has a pointer to the object then the user must also have a
ref to the object, basic ref counting rules.

Jason

     prev parent reply	other threads:[~2023-11-21 13:04 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-21  1:28 [PATCH rc 0/2] Do not UAF during iommufd_put_object() Jason Gunthorpe
2023-11-21  1:28 ` [PATCH rc 1/2] iommufd: Add iommufd_ctx to iommufd_put_object() Jason Gunthorpe
2023-11-21  3:42   ` Tian, Kevin
2023-11-21  1:28 ` [PATCH rc 2/2] iommufd: Do not UAF during iommufd_put_object() Jason Gunthorpe
2023-11-21  3:49   ` Tian, Kevin
2023-11-21 13:04     ` Jason Gunthorpe [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231121130443.GF6083@nvidia.com \
    --to=jgg@nvidia.com \
    --cc=baolu.lu@linux.intel.com \
    --cc=eric.auger@redhat.com \
    --cc=iommu@lists.linux.dev \
    --cc=kevin.tian@intel.com \
    --cc=lixiao.yang@intel.com \
    --cc=mjrosato@linux.ibm.com \
    --cc=nicolinc@nvidia.com \
    --cc=patches@lists.linux.dev \
    --cc=syzbot+7574ebfe589049630608@syzkaller.appspotmail.com \
    --cc=syzbot+d31adfb277377ef8fcba@syzkaller.appspotmail.com \
    --cc=yi.l.liu@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.