lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20201202163340.33da3a42@kicinski-fedora-pc1c0hjn.DHCP.thefacebook.com>
Date:   Wed, 2 Dec 2020 16:33:40 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Dany Madden <drt@...ux.ibm.com>
Cc:     netdev@...r.kernel.org, sukadev@...ux.ibm.com, ljp@...ux.ibm.com
Subject: Re: [PATCH net-next v2] ibmvnic: process HMC disable command

On Wed, 02 Dec 2020 15:50:58 -0800 Dany Madden wrote:
> On 2020-12-02 12:02, drt wrote:
> > On 2020-11-30 10:19, drt wrote:  
> >> On 2020-11-25 15:55, drt wrote:  
> >>> On 2020-11-25 13:08, Jakub Kicinski wrote:  
> >>>> On Mon, 23 Nov 2020 18:58:41 -0500 Dany Madden wrote:  
> >>>>> Currently ibmvnic does not support the "Disable vNIC" command from
> >>>>> the Hardware Management Console. The HMC uses this command to 
> >>>>> disconnect
> >>>>> the adapter from the network if the adapter is misbehaving or 
> >>>>> sending
> >>>>> malicious traffic. The effect of this command is equivalent to 
> >>>>> setting
> >>>>> the link to the "down" state on the linux client.
> >>>>> 
> >>>>> Enable support in ibmvnic driver for the Disable vNIC command.
> >>>>> 
> >>>>> Signed-off-by: Dany Madden <drt@...ux.ibm.com>  
> >>>> 
> >>>> It seems that (a) user looking at the system where NIC was disabled 
> >>>> has
> >>>> no idea why netdev is not working even tho it's UP, and (b) AFAICT
> >>>> nothing prevents the user from bringing the device down and back up
> >>>> again.  
> >>> 
> >>> User would see the interface as DOWN. ibmvnic_close() requests the
> >>> vnicserver to do a link down. The vnicserver responds with a link
> >>> state indication CRQ message with logical link down, client would 
> >>> then
> >>> do netif_carrier_off().
> >>> 
> >>> You are correct, nothing is preventing the user from bringing the
> >>> device back online.
> >>>   
> >>>> 
> >>>> You said this is to disable misbehaving and/or sending malicious 
> >>>> vnic,
> >>>> obviously the guest can ignore the command so it's not very 
> >>>> dependable,
> >>>> anyway.  
> >>> 
> >>> Without this patch, ibmvnic would ignore the command. With this 
> >>> patch,
> >>> it will handle the disable command from the HMC. If the guest insists
> >>> on being bad, the HMC does have the ability to remove vnic adapter
> >>> from the guest.
> >>>   
> >>>> 
> >>>> Would it not be sufficient to mark the carrier state as down to cut 
> >>>> the
> >>>> vnic off?  
> >>> Essentially, this is what ibmvnic_disable does.  
> >> 
> >> Hello Jakub, did I address your concern? If not, please let me know.  
> > 
> > Hello Jakub,
> > 
> > I am pulling this patch. Suka pointed out that rwi lock is not being
> > held when it walks the rwi_list, also the reset bit is incorrectly
> > checked. We will send a v3.
> > 
> > Apologize for any inconvenient.  
> 
> It appears that my email is not showing up in the mailing archive 
> because of email aliases. I hope this is going thru.
> 
> Please do not commit this patch.

FWIW you can check the status of active patches in patchwork:

https://patchwork.kernel.org/project/netdevbpf/list/

This one has already been made inactive so it won't be applied in its
current form.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ