lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 22 Feb 2023 17:54:55 +0100
From:   Niklas Schnelle <schnelle@...ux.ibm.com>
To:     Bjorn Helgaas <helgaas@...nel.org>
Cc:     Gerd Bayer <gbayer@...ux.ibm.com>,
        Gerald Schaefer <gerald.schaefer@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Pierre Morel <pmorel@...ux.ibm.com>,
        Matthew Rosato <mjrosato@...ux.ibm.com>,
        linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-pci@...r.kernel.org
Subject: Re: [PATCH RESEND] PCI: s390: Fix use-after-free of PCI bus
 resources with s390 per-function hotplug

On Mon, 2023-02-20 at 13:53 +0100, Niklas Schnelle wrote:
> On Fri, 2023-02-17 at 17:15 -0600, Bjorn Helgaas wrote:
> > On Tue, Feb 14, 2023 at 10:49:10AM +0100, Niklas Schnelle wrote:
> > 
> > 
---8<---
> > Other random questions unrelated to this patch:
> > 
> >   - zpci_bus_create_pci_bus() calls pci_bus_add_devices().  Isn't that
> >     pointless?  AFAICT, the bus->devices list is empty then.
> 
> Yes I think you're right it does nothing and can be dropped.
> 
> > 
> >   - What about zpci_bus_scan_device()?  Why does it call both
> >     pci_bus_add_device() and pci_bus_add_devices()?  The latter will
> >     just call the former, so it looks redundant.  And the latter is
> >     locked but not the former?
> 
> Hmm. great find. This seems to have been weird and redundant since I
> first used that pattern in 3047766bc6ec ("s390/pci: fix enabling a
> reserved PCI function"). I think maybe then the reason for this was
> that prior to 960ac3626487 ("s390/pci: allow zPCI zbus without a
> function zero") when the newly enabled is devfn == 0 there could be
> functions from the same bus which would not have been added yet. I'm
> not sure though. That was definitely the idea behind the
> zpci_bus_scan_bus() in zpci_scan_configured_devices() that is also
> redundant now as we can now scan each function as it appears.
> 
> This will definitely need to be cleaned up.
> 

I'm working on cleaning this up but I'm a little confused by what
exactly needs to be under the pci_rescan_remove lock. For example the
pci_bus_add_device(virtfn) at the end of pci_iov_add_virtfn() doesn't
seem to be under the lock while most calls to pci_bus_add_devices()
are, most prominently the one in acpi_pci_root_add() which I assume is
what is used on most x86 systems. Any hints?

Also I think my original thought here might have been a premature worry
about PCI-to-PCI bridges thinking that adding the new device could lead
to more devices appearing. Of course actually thinking about it a bit
more there are quite a few other things that won't work without further
changes if we wanted to add bridges e.g. we would need to create
zpci_dev structs for these somewhere.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ