From: Halil Pasic <pasic@linux.ibm.com>
To: Anthony Krowiak <akrowiak@linux.ibm.com>
Cc: Alex Williamson <alex.williamson@redhat.com>,
Rorie Reyes <rreyes@linux.ibm.com>,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, hca@linux.ibm.com, borntraeger@de.ibm.com,
agordeev@linux.ibm.com, gor@linux.ibm.com, jjherne@linux.ibm.com,
Halil Pasic <pasic@linux.ibm.com>
Subject: Re: [PATCH v1] s390/vfio-ap: Signal eventfd when guest AP configuration is changed
Date: Thu, 16 Jan 2025 01:17:46 +0100 [thread overview]
Message-ID: <20250116011746.20cf941c.pasic@linux.ibm.com> (raw)
In-Reply-To: <5d6402ce-38bd-4632-927e-2551fdd01dbe@linux.ibm.com>
On Wed, 15 Jan 2025 14:35:02 -0500
Anthony Krowiak <akrowiak@linux.ibm.com> wrote:
> >> +static int vfio_ap_set_cfg_change_irq(struct ap_matrix_mdev *matrix_mdev, unsigned long arg)
> >> +{
> >> + s32 fd;
> >> + void __user *data;
> >> + unsigned long minsz;
> >> + struct eventfd_ctx *cfg_chg_trigger;
> >> +
> >> + minsz = offsetofend(struct vfio_irq_set, count);
> >> + data = (void __user *)(arg + minsz);
> >> +
> >> + if (get_user(fd, (s32 __user *)data))
> >> + return -EFAULT;
> >> +
> >> + if (fd == -1) {
> >> + if (matrix_mdev->cfg_chg_trigger)
> >> + eventfd_ctx_put(matrix_mdev->cfg_chg_trigger);
> >> + matrix_mdev->cfg_chg_trigger = NULL;
> >> + } else if (fd >= 0) {
> >> + cfg_chg_trigger = eventfd_ctx_fdget(fd);
> >> + if (IS_ERR(cfg_chg_trigger))
> >> + return PTR_ERR(cfg_chg_trigger);
> >> +
> >> + if (matrix_mdev->cfg_chg_trigger)
> >> + eventfd_ctx_put(matrix_mdev->cfg_chg_trigger);
> >> +
> >> + matrix_mdev->cfg_chg_trigger = cfg_chg_trigger;
> >> + } else {
> >> + return -EINVAL;
> >> + }
> >> +
> >> + return 0;
> >> +}
> > How does this guard against a use after free, such as the eventfd being
> > disabled or swapped concurrent to a config change? Thanks,
> >
> > Alex
>
> Hi Alex. I spent a great deal of time today trying to figure out exactly
> what
> you are asking here; reading about eventfd and digging through code.
> I looked at other places where eventfd is used to set up communication
> of events targetting a vfio device from KVM to userspace (e.g.,
> hw/vfio/ccw.c)
> and do not find anything much different than what is done here. In fact,
> this code looks identical to the code that sets up an eventfd for the
> VFIO_AP_REQ_IRQ_INDEX.
>
> Maybe you can explain how an eventfd is disabled or swapped, or maybe
> explain how we can guard against its use after free. Thanks.
Maybe I will try! The value of matrix_mdev->cfg_chg_trigger is used in:
* vfio_ap_set_cfg_change_irq() (rw, with matrix_dev->mdevs_lock)
* signal_guest_ap_cfg_changed()(r, takes no locks itself, )
* called by vfio_ap_mdev_update_guest_apcb()
* called at a bunch of places but AFAICT always with
matrix_dev->mdevs_lock held
* called by vfio_ap_mdev_unset_kvm() (with matrix_dev->mdevs_lock held
via get_update_locks_for_kvm())
* vfio_ap_mdev_probe() (w, assigns NULL to it)
If vfio_ap_set_cfg_change_irq() could change/destroy
matrix_mdev->cfg_chg_trigger while another thread of execution
is using it e.g. with signal_guest_ap_cfg_changed() that would be a
possible UAF and thus BAD.
Now AFAICT matrix_mdev->cfg_chg_trigger is protected by
matrix_dev->mdevs_lock on each access except for in vfio_ap_mdev_probe()
which is AFAIK just an initialization in a safe state where we are
guaranteed to have exclusive access.
The eventfd is swapped and disabled in vfio_ap_set_cfg_change_irq() with
userspace supplying a new valid fd or -1 respectively.
Tony does that answer your question to Alex?
Alex, does the above answer your question on what guards against UAF (the
short answer is: matrix_dev->mdevs_lock)?
Regards,
Halil
next prev parent reply other threads:[~2025-01-16 0:17 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-07 18:36 [PATCH v1] s390/vfio-ap: Signal eventfd when guest AP configuration is changed Rorie Reyes
2025-01-13 16:08 ` Alexander Gordeev
2025-02-05 17:33 ` Rorie Reyes
2025-02-05 17:47 ` Anthony Krowiak
2025-02-06 7:40 ` Alexander Gordeev
2025-02-06 14:12 ` Rorie Reyes
2025-02-11 7:58 ` Alexander Gordeev
2025-02-11 15:02 ` Rorie Reyes
2025-02-11 20:24 ` Anthony Krowiak
2025-02-12 10:55 ` Vasily Gorbik
2025-01-14 9:03 ` Harald Freudenberger
2025-01-16 16:46 ` Anthony Krowiak
2025-01-17 8:30 ` Harald Freudenberger
2025-01-17 12:42 ` Anthony Krowiak
2025-01-14 20:05 ` Alex Williamson
2025-01-15 19:35 ` Anthony Krowiak
2025-01-16 0:17 ` Halil Pasic [this message]
2025-01-16 15:38 ` Anthony Krowiak
2025-01-16 16:52 ` Alex Williamson
2025-01-16 19:18 ` Halil Pasic
2025-01-17 12:50 ` Anthony Krowiak
2025-01-17 12:55 ` Anthony Krowiak
2025-01-16 19:30 ` Halil Pasic
2025-01-17 12:53 ` Anthony Krowiak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250116011746.20cf941c.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=akrowiak@linux.ibm.com \
--cc=alex.williamson@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=rreyes@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.