| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Oct 2022 13:14:15 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Tariq Toukan <ttoukan.linux@...il.com>
Cc: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Emeel Hakim <ehakim@...dia.com>,
Eric Dumazet <edumazet@...gle.com>, linux-rdma@...r.kernel.org,
netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>,
Raed Salem <raeds@...dia.com>,
Saeed Mahameed <saeedm@...dia.com>,
Tariq Toukan <tariqt@...dia.com>
Subject: Re: [PATCH net] net/mlx5e: Cleanup MACsec uninitialization routine
On Thu, Oct 13, 2022 at 01:03:43PM +0300, Tariq Toukan wrote:
>
>
> On 10/13/2022 10:21 AM, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@...dia.com>
> >
> > The mlx5e_macsec_cleanup() routine has pointer dereferencing if mlx5 device
> > doesn't support MACsec (priv->macsec will be NULL) together with useless
> > comment line, assignment and extra blank lines.
> >
> > Fix everything in one patch.
> >
> > Fixes: 1f53da676439 ("net/mlx5e: Create advanced steering operation (ASO) object for MACsec")
> > Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
> > Signed-off-by: Leon Romanovsky <leonro@...dia.com>
> > ---
> > .../net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 11 +----------
> > 1 file changed, 1 insertion(+), 10 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> > index 41970067917b..4331235b21ee 100644
> > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> > @@ -1846,25 +1846,16 @@ int mlx5e_macsec_init(struct mlx5e_priv *priv)
> > void mlx5e_macsec_cleanup(struct mlx5e_priv *priv)
> > {
> > struct mlx5e_macsec *macsec = priv->macsec;
> > - struct mlx5_core_dev *mdev = macsec->mdev;
> > + struct mlx5_core_dev *mdev = priv->mdev;
>
> simply defer the mdev calculation to be after the early return, trying to
> keep this macsec function as independent as possible.
It is done to keep _cleanup symmetrical to _init one. The function
should operate on same priv->mdev as was used there without any relation
to macsec->mdev. Of course, it is the same pointer, but it is better to have
same code.
>
> > if (!macsec)
> > return;
> > mlx5_notifier_unregister(mdev, &macsec->nb);
> > -
> > mlx5e_macsec_fs_cleanup(macsec->macsec_fs);
> > -
> > - /* Cleanup workqueue */
> > destroy_workqueue(macsec->wq);
> > -
> > mlx5e_macsec_aso_cleanup(&macsec->aso, mdev);
> > -
> > - priv->macsec = NULL;
> > -
>
> Why remove this assignment?
>
> It protects against accessing freed memory, for instance when querying the
> macsec stats, see
> drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_stats.c
You can't and shouldn't access anything related to MACsec after call to
mlx5e_macsec_cleanup(). If you do so, you are already in trouble as you
don't have any locking protection from stat access and cleanup.
So no, it doesn't protect from accessing freed memory. It is just
anti-pattern of hiding bugs related to unlocked concurrent accesses
and wrong release flows. Don't do it.
Thanks
>
> > rhashtable_destroy(&macsec->sci_hash);
> > -
> > mutex_destroy(&macsec->lock);
> > -
> > kfree(macsec);
> > }
Powered by blists - more mailing lists