From: Simon Horman <horms@kernel.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: nex.sw.ncis.osdt.itp.upstreaming@intel.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Tony Nguyen <anthony.l.nguyen@intel.com>,
Jakub Kicinski <kuba@kernel.org>,
intel-wired-lan@lists.osuosl.org, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Intel-wired-lan] [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset
Date: Tue, 30 Jul 2024 17:37:07 +0100 [thread overview]
Message-ID: <20240730163707.GB1967603@kernel.org> (raw)
In-Reply-To: <870cd73e-0f87-41eb-95d1-c9fe27ed1230@intel.com>
On Mon, Jul 29, 2024 at 10:54:50AM +0200, Alexander Lobakin wrote:
> From: Simon Horman <horms@kernel.org>
> Date: Fri, 26 Jul 2024 17:09:54 +0100
>
> > On Wed, Jul 24, 2024 at 03:40:22PM +0200, Alexander Lobakin wrote:
> >> The second tagged commit introduced a UAF, as it removed restoring
> >> q_vector->vport pointers after reinitializating the structures.
> >> This is due to that all queue allocation functions are performed here
> >> with the new temporary vport structure and those functions rewrite
> >> the backpointers to the vport. Then, this new struct is freed and
> >> the pointers start leading to nowhere.
>
> [...]
>
> >> err_reset:
> >> - idpf_vport_queues_rel(new_vport);
> >> + idpf_send_add_queues_msg(vport, vport->num_txq, vport->num_complq,
> >> + vport->num_rxq, vport->num_bufq);
> >> +
> >> +err_open:
> >> + if (current_state == __IDPF_VPORT_UP)
> >> + idpf_vport_open(vport);
> >
> > Hi Alexander,
> >
> > Can the system end up in an odd state if this call to idpf_vport_open(), or
> > the one above, fails. Likewise if the above call to
> > idpf_send_add_queues_msg() fails.
>
> Adding the queues with the parameters that were before changing them
> almost can't fail. But if any of these two fails, it really will be in
> an odd state...
Thanks for the clarification, this is my concern.
> Perhaps we need to do a more powerful reset then? Can we somehow tell
> the kernel that in fact our iface is down, so that the user could try
> to enable it manually once again?
> Anyway, feels like a separate series or patch to -next, what do you think?
Yes, sure. I agree that this patch improves things, and more extreme
corner cases can be addressed separately.
With the above in mind, I'm happy with this patch.
Reviewed-by: Simon Horman <horms@kernel.org>
WARNING: multiple messages have this Message-ID (diff)
From: Simon Horman <horms@kernel.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: intel-wired-lan@lists.osuosl.org,
Tony Nguyen <anthony.l.nguyen@intel.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
nex.sw.ncis.osdt.itp.upstreaming@intel.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset
Date: Tue, 30 Jul 2024 17:37:07 +0100 [thread overview]
Message-ID: <20240730163707.GB1967603@kernel.org> (raw)
In-Reply-To: <870cd73e-0f87-41eb-95d1-c9fe27ed1230@intel.com>
On Mon, Jul 29, 2024 at 10:54:50AM +0200, Alexander Lobakin wrote:
> From: Simon Horman <horms@kernel.org>
> Date: Fri, 26 Jul 2024 17:09:54 +0100
>
> > On Wed, Jul 24, 2024 at 03:40:22PM +0200, Alexander Lobakin wrote:
> >> The second tagged commit introduced a UAF, as it removed restoring
> >> q_vector->vport pointers after reinitializating the structures.
> >> This is due to that all queue allocation functions are performed here
> >> with the new temporary vport structure and those functions rewrite
> >> the backpointers to the vport. Then, this new struct is freed and
> >> the pointers start leading to nowhere.
>
> [...]
>
> >> err_reset:
> >> - idpf_vport_queues_rel(new_vport);
> >> + idpf_send_add_queues_msg(vport, vport->num_txq, vport->num_complq,
> >> + vport->num_rxq, vport->num_bufq);
> >> +
> >> +err_open:
> >> + if (current_state == __IDPF_VPORT_UP)
> >> + idpf_vport_open(vport);
> >
> > Hi Alexander,
> >
> > Can the system end up in an odd state if this call to idpf_vport_open(), or
> > the one above, fails. Likewise if the above call to
> > idpf_send_add_queues_msg() fails.
>
> Adding the queues with the parameters that were before changing them
> almost can't fail. But if any of these two fails, it really will be in
> an odd state...
Thanks for the clarification, this is my concern.
> Perhaps we need to do a more powerful reset then? Can we somehow tell
> the kernel that in fact our iface is down, so that the user could try
> to enable it manually once again?
> Anyway, feels like a separate series or patch to -next, what do you think?
Yes, sure. I agree that this patch improves things, and more extreme
corner cases can be addressed separately.
With the above in mind, I'm happy with this patch.
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2024-07-30 16:37 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 13:40 [Intel-wired-lan] [PATCH iwl-net 0/3] idpf: fix 3 bugs revealed by the Chapter I Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:09 ` [Intel-wired-lan] " Simon Horman
2024-07-26 16:09 ` Simon Horman
2024-07-29 8:54 ` [Intel-wired-lan] " Alexander Lobakin
2024-07-29 8:54 ` Alexander Lobakin
2024-07-30 11:03 ` [Intel-wired-lan] " Simon Horman
2024-07-30 11:03 ` Simon Horman
2024-07-30 16:37 ` Simon Horman [this message]
2024-07-30 16:37 ` Simon Horman
2024-08-02 0:21 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:21 ` Singh, Krishneil K
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 2/3] idpf: fix memleak in vport interrupt configuration Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:16 ` [Intel-wired-lan] " Simon Horman
2024-07-26 16:16 ` Simon Horman
2024-08-02 0:22 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:22 ` Singh, Krishneil K
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 3/3] idpf: fix UAFs when destroying the queues Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:22 ` [Intel-wired-lan] " Simon Horman
2024-07-26 16:22 ` Simon Horman
2024-08-02 0:23 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:23 ` Singh, Krishneil K
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240730163707.GB1967603@kernel.org \
--to=horms@kernel.org \
--cc=aleksander.lobakin@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nex.sw.ncis.osdt.itp.upstreaming@intel.com \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.