Message-Id: <20250226-nvmet-fcloop-v1-0-c0bd83d43e6a@kernel.org>
Date: Wed, 26 Feb 2025 19:45:52 +0100
From: Daniel Wagner <wagi@...nel.org>
To: James Smart <james.smart@...adcom.com>, Christoph Hellwig <hch@....de>, 
 Sagi Grimberg <sagi@...mberg.me>, Chaitanya Kulkarni <kch@...dia.com>
Cc: Hannes Reinecke <hare@...e.de>, Keith Busch <kbusch@...nel.org>, 
 linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org, 
 Daniel Wagner <wagi@...nel.org>
Subject: [PATCH 00/11] nvmet-fcloop: track resources via reference counting

The fcloop module is mainly used for testing, that is with blktests.
Unfortunately, there are shortcomings when it comes to releasing resources.
E.g. unloading the module can result in UAFs.

I've written two new blktests which are triggering reconnects. The first
one is doing this by removing the target while the host is still up and
running. The second one triggers a reset via the new debugfs interface.

Both of these test cases work fine for TCP and RDMA but not FC.

By introducing reference counting on various objects the UAFs go away.
Also KASAN is happy. There are also a bunch of fixes for nvmet-fc which
got uncovered by the fcloop fixes.

I still see one UAF sometimes happening. When the association attempt
fails (looks like yet another bug), the test case removes all resources:

 (NULL device *): Create Association LS failed: Association Allocation Failed
 (NULL device *): queue 0 connect admin queue failed (-6).
 nvme nvme1: NVME-FC{0}: reset: Reconnect attempt failed (-6)
 nvme nvme1: NVME-FC{0}: Reconnect attempt in 1 seconds
 nvme nvme1: NVME-FC{0}: create association : host wwpn 0x20001100aa000001  rport wwpn 0x20001100ab000001: NQN "blktests-subsystem-1"
 (NULL device *): Create Association LS failed: Association Allocation Failed
 (NULL device *): queue 0 connect admin queue failed (-6).
 nvme nvme1: NVME-FC{0}: reset: Reconnect attempt failed (-6)
 nvme nvme1: NVME-FC{0}: Reconnect attempt in 1 seconds
 nvme nvme1: Removing ctrl: NQN "blktests-subsystem-1"
 nvme_ns_head_submit_bio: 29 callbacks suppressed
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 block nvme1n1: no available path - failing I/O
 nvme nvme2: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"
 ==================================================================
 BUG: KASAN: slab-use-after-free in nvme_fc_rescan_remoteport+0x56/0x1d0 [nvme_fc]
 Read of size 8 at addr ffff88810b662890 by task kworker/u36:10/1876

 CPU: 3 UID: 0 PID: 1876 Comm: kworker/u36:10 Tainted: G        W          6.14.0-rc2+ #48 d5f3bf6340950de08bebd912d815fcf6b60c18ab
 Tainted: [W]=WARN
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
 Workqueue: nvmet-wq fcloop_tgt_rscn_work [nvme_fcloop]

static void nvmet_port_subsys_drop_link(struct config_item *parent,
		struct config_item *target)
{
	[...]
found:
	list_del(&p->entry);
	nvmet_port_del_ctrls(port, subsys);
	nvmet_port_disc_changed(port, subsys);   /* XXX triggers the above UAF */

	if (list_empty(&port->subsystems))
		nvmet_disable_port(port);
	up_write(&nvmet_config_sem);
	kfree(p);
}

The nvmet_port_disc_changed is a bit useless, because these events will
never be seen by the host. Anyway, more debugging is necessary.

I'll send the new test cases for blktests soon.

Signed-off-by: Daniel Wagner <wagi@...nel.org>
---
Daniel Wagner (11):
      nvmet-fcloop: remove nport from list on last user
      nvmet-fcloop: add ref counting to lport
      nvmet-fcloop: refactor fcloop_nport_alloc
      nvmet-fcloop: track ref counts for nports
      nvmet-fcloop: track tport with ref counting
      nvmet-fcloop: track rport with ref counting
      nvmet-fc: update tgtport ref per assoc
      nvmet-fc: take tgtport reference only once
      nvmet-fc: free pending reqs on tgtport unregister
      nvmet-fc: inline nvmet_fc_delete_assoc
      nvmet-fc: inline nvmet_fc_free_hostport

 drivers/nvme/target/fc.c     |  82 +++++------
 drivers/nvme/target/fcloop.c | 326 ++++++++++++++++++++++++++++---------------
 2 files changed, 255 insertions(+), 153 deletions(-)
---
base-commit: a64dcfb451e254085a7daee5fe51bf22959d52d3
change-id: 20250214-nvmet-fcloop-a649738b7e6e

Best regards,
-- 
Daniel Wagner <wagi@...nel.org>
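The series above fixes use-after-free on teardown by giving the fcloop objects reference counts, so that a deferred worker or an in-flight association keeps the object alive after it has been unlinked from its list. The following is an added userspace C sketch of that discipline, modelled on the kernel's kref API; it is not code from the patch series or from the kernel's fcloop module. The object name `nport`, the helpers `nport_get`/`nport_put`/`nport_unregister`, the `rscn_work` worker and the constructed WWPN string are all assumptions made for the illustration. It walks through the exact ordering the cover letter worries about: work is queued, the port is unregistered, the registering caller drops its reference, and only then does the work run.

```c
/* Added example, not from the nvmet-fcloop series: a userspace stand-in for
 * the kernel's kref discipline. All names here are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal kref look-alike: a counter plus a release callback run at zero. */
struct kref { atomic_int refcount; };

static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }
static void kref_get(struct kref *k) { atomic_fetch_add(&k->refcount, 1); }
/* Returns true when this put dropped the last reference and released it. */
static bool kref_put(struct kref *k, void (*release)(struct kref *))
{
	if (atomic_fetch_sub(&k->refcount, 1) == 1) {
		release(k);
		return true;
	}
	return false;
}

/* A port object that lives on a global list; the list owns one reference,
 * every other user (caller, queued work) takes its own. */
struct nport {
	struct kref ref;            /* first member, so a kref* casts back */
	char wwpn[32];              /* constructed sample value, see below */
	struct nport *next;         /* singly linked list link */
	bool on_list;
};

static struct nport *nport_list;   /* head of the registered ports */
static int nport_frees;            /* counts release() calls (for checking) */

static void nport_release(struct kref *k)
{
	struct nport *np = (struct nport *)k;   /* ref is the first member */
	nport_frees++;
	free(np);
}
static void nport_get(struct nport *np) { kref_get(&np->ref); }
static bool nport_put(struct nport *np) { return kref_put(&np->ref, nport_release); }

/* Allocate, link onto the list, return with the caller holding one reference
 * and the list holding a second one. */
static struct nport *nport_alloc(const char *wwpn)
{
	struct nport *np = calloc(1, sizeof(*np));
	if (!np)
		return NULL;
	kref_init(&np->ref);                     /* caller's reference */
	snprintf(np->wwpn, sizeof np->wwpn, "%s", wwpn);
	nport_get(np);                           /* list's reference */
	np->on_list = true;
	np->next = nport_list;
	nport_list = np;
	return np;
}

/* Unlink and drop the list's reference. The object outlives this call as
 * long as any other user still holds a reference. */
static void nport_unregister(struct nport *np)
{
	struct nport **pp;

	if (!np->on_list)
		return;
	for (pp = &nport_list; *pp; pp = &(*pp)->next)
		if (*pp == np) {
			*pp = np->next;
			break;
		}
	np->on_list = false;
	nport_put(np);
}

static int nport_registered_count(void)
{
	int n = 0;
	for (struct nport *np = nport_list; np; np = np->next)
		n++;
	return n;
}

/* Simulated deferred work: may run after unregister, but it was queued with
 * its own reference, so touching np here is safe. It drops that reference
 * when done, which may be the final put. */
static int rscn_work(struct nport *np)
{
	int len = (int)strlen(np->wwpn);
	nport_put(np);
	return len;
}

/* Scenario: queue work (takes a ref), unregister, caller drops its ref, then
 * the work runs. Returns 1 when the object was freed exactly once and only
 * after the work finished, 0 otherwise. Without the work's reference the
 * caller's put would free np and rscn_work would read freed memory. */
static int teardown_then_work(void)
{
	nport_frees = 0;
	struct nport *np = nport_alloc("0x20001100ab000001"); /* constructed */
	nport_get(np);            /* queue work: work holds a reference (3) */
	nport_unregister(np);     /* list's reference gone (2) */
	nport_put(np);            /* caller's reference gone (1, the work's) */
	int len = rscn_work(np);  /* final put happens inside the work */
	return (nport_frees == 1 && len == 18) ? 1 : 0;
}
```

The ownership rule is the whole point: each path that can still dereference the object after it leaves the list must hold its own count, and the release runs from whichever put happens to be last, never from the unregister path directly. Building with KASAN or ASan (`-fsanitize=address`) and deleting the `nport_get` in `teardown_then_work` reproduces the class of read-after-free the cover letter's trace shows.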

