Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Leonardo Bras <leonardo@linux.ibm.com>
To: Michael Ellerman <mpe@ellerman.id.au>,
	kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-kernel@vger.kernel.org
Cc: Paul Mackerras <paulus@ozlabs.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Thu, 14 Nov 2019 18:43:57 +0000	[thread overview]
Message-ID: <c792fdc629d87f452d4348d33ab179df01d42017.camel@linux.ibm.com> (raw)
In-Reply-To: <87mud13d4r.fsf@mpe.ellerman.id.au>

[-- Attachment #1: Type: text/plain, Size: 2319 bytes --]

On Tue, 2019-11-12 at 15:57 +1100, Michael Ellerman wrote:
> Hi Leonardo,

Hello Micheal, thanks for the feedback!

> 
> Leonardo Bras <leonardo@linux.ibm.com> writes:
> > Fixes a possible 'use after free' of kvm variable in
> > kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm-
> > >lock)
> > after a kvm_put_kvm(kvm).
> 
> There is no potential for an actual use after free here AFAICS.
> 
> > diff --git a/arch/powerpc/kvm/book3s_64_vio.c
> > b/arch/powerpc/kvm/book3s_64_vio.c
> > index 5834db0a54c6..a402ead833b6 100644
> > --- a/arch/powerpc/kvm/book3s_64_vio.c
> > +++ b/arch/powerpc/kvm/book3s_64_vio.c
> 
> The preceeding context is:
> 
> 	mutex_lock(&kvm->lock);
> 
> 	/* Check this LIOBN hasn't been previously allocated */
> 	ret = 0;
> 	list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
> 		if (siter->liobn == args->liobn) {
> 			ret = -EBUSY;
> 			break;
> 		}
> 	}
> 
> 	kvm_get_kvm(kvm);
> 	if (!ret)
> 		ret = anon_inode_getfd("kvm-spapr-tce",
> &kvm_spapr_tce_fops,
> 				       stt, O_RDWR | O_CLOEXEC);
> 
> > @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm
> > *kvm,
> >  
> >  	if (ret >= 0)
> >  		list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> > -	else
> > -		kvm_put_kvm(kvm);
> >  
> >  	mutex_unlock(&kvm->lock);
> >  
> >  	if (ret >= 0)
> >  		return ret;
> >  
> > +	kvm_put_kvm(kvm);
> >  	kfree(stt);
> >   fail_acct:
> >  	account_locked_vm(current->mm, kvmppc_stt_pages(npages),
> > false);
> 
> If the kvm_put_kvm() you've moved actually caused the last reference
> to
> be dropped that would mean that our caller had passed us a kvm struct
> without holding a reference to it, and that would be a bug in our
> caller.
> 

So, there is no chance that between this function's kvm_get_kvm() and 
kvm_put_kvm(), another thread can decrease this reference counter?

> Or put another way, it would mean the mutex_lock() above could
> already
> be operating on a freed kvm struct.
> 
> The kvm_get_kvm() prior to the anon_inode_getfd() is to account for
> the
> reference that's held by the `stt` struct, and dropped in
> kvm_spapr_tce_release().
> 
> So although this patch isn't wrong, the explanation is not accurate.
> 
> cheers

Kind regards

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

WARNING: multiple messages have this Message-ID (diff)

From: Leonardo Bras <leonardo@linux.ibm.com>
To: Michael Ellerman <mpe@ellerman.id.au>,
	kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Thu, 14 Nov 2019 15:43:57 -0300	[thread overview]
Message-ID: <c792fdc629d87f452d4348d33ab179df01d42017.camel@linux.ibm.com> (raw)
In-Reply-To: <87mud13d4r.fsf@mpe.ellerman.id.au>

[-- Attachment #1: Type: text/plain, Size: 2319 bytes --]

On Tue, 2019-11-12 at 15:57 +1100, Michael Ellerman wrote:
> Hi Leonardo,

Hello Micheal, thanks for the feedback!

> 
> Leonardo Bras <leonardo@linux.ibm.com> writes:
> > Fixes a possible 'use after free' of kvm variable in
> > kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm-
> > >lock)
> > after a kvm_put_kvm(kvm).
> 
> There is no potential for an actual use after free here AFAICS.
> 
> > diff --git a/arch/powerpc/kvm/book3s_64_vio.c
> > b/arch/powerpc/kvm/book3s_64_vio.c
> > index 5834db0a54c6..a402ead833b6 100644
> > --- a/arch/powerpc/kvm/book3s_64_vio.c
> > +++ b/arch/powerpc/kvm/book3s_64_vio.c
> 
> The preceeding context is:
> 
> 	mutex_lock(&kvm->lock);
> 
> 	/* Check this LIOBN hasn't been previously allocated */
> 	ret = 0;
> 	list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
> 		if (siter->liobn == args->liobn) {
> 			ret = -EBUSY;
> 			break;
> 		}
> 	}
> 
> 	kvm_get_kvm(kvm);
> 	if (!ret)
> 		ret = anon_inode_getfd("kvm-spapr-tce",
> &kvm_spapr_tce_fops,
> 				       stt, O_RDWR | O_CLOEXEC);
> 
> > @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm
> > *kvm,
> >  
> >  	if (ret >= 0)
> >  		list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> > -	else
> > -		kvm_put_kvm(kvm);
> >  
> >  	mutex_unlock(&kvm->lock);
> >  
> >  	if (ret >= 0)
> >  		return ret;
> >  
> > +	kvm_put_kvm(kvm);
> >  	kfree(stt);
> >   fail_acct:
> >  	account_locked_vm(current->mm, kvmppc_stt_pages(npages),
> > false);
> 
> If the kvm_put_kvm() you've moved actually caused the last reference
> to
> be dropped that would mean that our caller had passed us a kvm struct
> without holding a reference to it, and that would be a bug in our
> caller.
> 

So, there is no chance that between this function's kvm_get_kvm() and 
kvm_put_kvm(), another thread can decrease this reference counter?

> Or put another way, it would mean the mutex_lock() above could
> already
> be operating on a freed kvm struct.
> 
> The kvm_get_kvm() prior to the anon_inode_getfd() is to account for
> the
> reference that's held by the `stt` struct, and dropped in
> kvm_spapr_tce_release().
> 
> So although this patch isn't wrong, the explanation is not accurate.
> 
> cheers

Kind regards

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

WARNING: multiple messages have this Message-ID (diff)

From: Leonardo Bras <leonardo@linux.ibm.com>
To: Michael Ellerman <mpe@ellerman.id.au>,
	kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-kernel@vger.kernel.org
Cc: Paul Mackerras <paulus@ozlabs.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Thu, 14 Nov 2019 15:43:57 -0300	[thread overview]
Message-ID: <c792fdc629d87f452d4348d33ab179df01d42017.camel@linux.ibm.com> (raw)
In-Reply-To: <87mud13d4r.fsf@mpe.ellerman.id.au>

[-- Attachment #1: Type: text/plain, Size: 2319 bytes --]

On Tue, 2019-11-12 at 15:57 +1100, Michael Ellerman wrote:
> Hi Leonardo,

Hello Micheal, thanks for the feedback!

> 
> Leonardo Bras <leonardo@linux.ibm.com> writes:
> > Fixes a possible 'use after free' of kvm variable in
> > kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm-
> > >lock)
> > after a kvm_put_kvm(kvm).
> 
> There is no potential for an actual use after free here AFAICS.
> 
> > diff --git a/arch/powerpc/kvm/book3s_64_vio.c
> > b/arch/powerpc/kvm/book3s_64_vio.c
> > index 5834db0a54c6..a402ead833b6 100644
> > --- a/arch/powerpc/kvm/book3s_64_vio.c
> > +++ b/arch/powerpc/kvm/book3s_64_vio.c
> 
> The preceeding context is:
> 
> 	mutex_lock(&kvm->lock);
> 
> 	/* Check this LIOBN hasn't been previously allocated */
> 	ret = 0;
> 	list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
> 		if (siter->liobn == args->liobn) {
> 			ret = -EBUSY;
> 			break;
> 		}
> 	}
> 
> 	kvm_get_kvm(kvm);
> 	if (!ret)
> 		ret = anon_inode_getfd("kvm-spapr-tce",
> &kvm_spapr_tce_fops,
> 				       stt, O_RDWR | O_CLOEXEC);
> 
> > @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm
> > *kvm,
> >  
> >  	if (ret >= 0)
> >  		list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> > -	else
> > -		kvm_put_kvm(kvm);
> >  
> >  	mutex_unlock(&kvm->lock);
> >  
> >  	if (ret >= 0)
> >  		return ret;
> >  
> > +	kvm_put_kvm(kvm);
> >  	kfree(stt);
> >   fail_acct:
> >  	account_locked_vm(current->mm, kvmppc_stt_pages(npages),
> > false);
> 
> If the kvm_put_kvm() you've moved actually caused the last reference
> to
> be dropped that would mean that our caller had passed us a kvm struct
> without holding a reference to it, and that would be a bug in our
> caller.
> 

So, there is no chance that between this function's kvm_get_kvm() and 
kvm_put_kvm(), another thread can decrease this reference counter?

> Or put another way, it would mean the mutex_lock() above could
> already
> be operating on a freed kvm struct.
> 
> The kvm_get_kvm() prior to the anon_inode_getfd() is to account for
> the
> reference that's held by the `stt` struct, and dropped in
> kvm_spapr_tce_release().
> 
> So although this patch isn't wrong, the explanation is not accurate.
> 
> cheers

Kind regards

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2019-11-14 18:43 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-07 17:02 [PATCH v2 0/4] Replace current->mm by kvm->mm on powerpc/kvm Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-12  4:57   ` Michael Ellerman
2019-11-12  4:57     ` Michael Ellerman
2019-11-12  4:57     ` Michael Ellerman
2019-11-14 18:43     ` Leonardo Bras [this message]
2019-11-14 18:43       ` Leonardo Bras
2019-11-14 18:43       ` Leonardo Bras
2019-11-21 13:24       ` Leonardo Bras
2019-11-21 13:24         ` Leonardo Bras
2019-11-21 13:24         ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 2/4] powerpc/kvm/book3s: Replace current->mm by kvm->mm Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 3/4] powerpc/kvm/book3e: " Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02 ` [PATCH v2 4/4] powerpc/kvm/e500: " Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras
2019-11-07 17:02   ` Leonardo Bras

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c792fdc629d87f452d4348d33ab179df01d42017.camel@linux.ibm.com \
    --to=leonardo@linux.ibm.com \
    --cc=benh@kernel.crashing.org \
    --cc=kvm-ppc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=mpe@ellerman.id.au \
    --cc=paulus@ozlabs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.