From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754843AbdGJVeR (ORCPT ); Mon, 10 Jul 2017 17:34:17 -0400 Received: from mx1.redhat.com ([209.132.183.28]:45134 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754106AbdGJVeP (ORCPT ); Mon, 10 Jul 2017 17:34:15 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 428B84E4CB Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=alex.williamson@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 428B84E4CB Date: Mon, 10 Jul 2017 15:34:12 -0600 From: Alex Williamson To: Russell King - ARM Linux Cc: Greg KH , kvm@vger.kernel.org, eric.auger@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3 7/9] vfio: Use driver_override to avert binding to compromising drivers Message-ID: <20170710153412.660e31a4@w520.home> In-Reply-To: <20170626090854.GE4902@n2100.armlinux.org.uk> References: <20170620154312.17487.66916.stgit@gimli.home> <20170620154830.17487.1861.stgit@gimli.home> <20170626090854.GE4902@n2100.armlinux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Mon, 10 Jul 2017 21:34:15 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 26 Jun 2017 10:08:55 +0100 Russell King - ARM Linux wrote: > On Tue, Jun 20, 2017 at 09:48:31AM -0600, Alex Williamson wrote: > > If a device is bound to a non-vfio, non-whitelisted driver while a > > group is in use, then the integrity of the group is compromised and > > will result in hitting a BUG_ON. This code tries to avoid this case > > by mangling driver_override to force a no-match for the driver. The > > driver-core will either follow-up with a DRIVER_NOT_BOUND (preferred) > > or BOUND_DRIVER, at which point we can remove the driver_override > > mangling. > > Rather than mangling the driver override string to prevent driver binding, > I wonder if it would make more sense to allow the BUS_NOTIFY_BIND_DRIVER > notifier to fail the device probe? Well, it seemed like a good idea, but I don't think we're getting any traction here, the thread has gone cold: https://lkml.org/lkml/2017/6/27/1002 Greg, any further comments? > The driver override strings are, after all, exposed to userspace, and > it strikes me that this kind of mangling is racy - userspace can read > or change the override string at any time. As an alternative, I think we can make this not racy. BIND_DRIVER is notified through device_bind_driver() which specifies that the device lock is held. This covers not only BIND_DRIVER, but also BOUND_DRIVER and DRIVER_NOT_BOUND. So if the user entry points in sysfs were to require the device lock, we could easily mangle and de-mangle without interference from a user. It also seems like a rather good idea in general to exclude the user from changing driver_override while we're evaluating a match using it. Do you still have an objection to mangling driver_override if we can avoid the user race? Thanks, Alex