Message-ID: <ZM34LJJMb2VLVllp@vergenet.net>
Date: Sat, 5 Aug 2023 09:20:12 +0200
From: Simon Horman <horms@...nel.org>
To: Nick Child <nnac123@...ux.ibm.com>
Cc: netdev@...r.kernel.org, haren@...ux.ibm.com, ricklind@...ibm.com,
	danymadden@...ibm.com, tlfalcon@...ux.ibm.com,
	bjking1@...ux.ibm.com
Subject: Re: [PATCH net 4/5] ibmvnic: Do partial reset on login failure

On Thu, Aug 03, 2023 at 03:20:09PM -0500, Nick Child wrote:
> Perform a partial reset before sending a login request if any of the
> following are true:
>  1. If a previous request times out. This can be dangerous because the
>  	VIOS could still receive the old login request at any point after
>  	the timeout. Therefore, it is best to re-register the CRQ's and
>  	sub-CRQ's before retrying.
>  2. If the previous request returns an error that is not described in
>  	PAPR. PAPR provides procedures if the login returns with partial
>  	success or aborted return codes (section L.5.1) but other values
>  	do not have a defined procedure. Previously, these conditions
>  	just returned error from the login function rather than trying
>  	to resolve the issue.
>  	This can cause further issues since most callers of the login
>  	function are not prepared to handle an error when logging in. This
>  	improper cleanup can lead to the device being permanently DOWN'd.
>  	For example, if the VIOS believes that the device is already logged
>  	in then it will return INVALID_STATE (-7). If we never re-register
>  	CRQ's then it will always think that the device is already logged
>  	in. This leaves the device inoperable.
> 
> The partial reset involves freeing the sub-CRQs, freeing the CRQ then
> registering and initializing a new CRQ and sub-CRQs. This essentially
> restarts all communication with VIOS to allow for a fresh login attempt
> that will be unhindered by any previous failed attempts.
> 
> Fixes: dff515a3e71d ("ibmvnic: Harden device login requests")
> Signed-off-by: Nick Child <nnac123@...ux.ibm.com>

Reviewed-by: Simon Horman <horms@...nel.org>
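
The failure mode the commit message describes, as an added example that is not part of the patch or of the ibmvnic driver: a toy VIOS that keeps its "logged in" state after a timed-out request, and a login retry loop run with and without the partial reset. All names (`struct vios`, `send_login`, `partial_reset`, `login`) and the `RC_TIMEOUT` value are assumptions made for the model; only INVALID_STATE (-7) comes from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not ibmvnic code. RC_TIMEOUT is a model-only value. */
enum { RC_SUCCESS = 0, RC_INVALID_STATE = -7, RC_TIMEOUT = -100 };

struct vios { bool crq_registered; bool logged_in; int drop_replies; };

/* Partial reset: free the sub-CRQs and CRQ, then register fresh ones.
 * In this model that clears the session state the VIOS still holds. */
static void partial_reset(struct vios *v)
{
    v->crq_registered = false;  /* free sub-CRQs, free CRQ */
    v->logged_in = false;       /* VIOS forgets the stale session */
    v->crq_registered = true;   /* register and init new CRQ and sub-CRQs */
}

/* One login request. A dropped reply models a timeout in which the VIOS
 * still processed the request after the caller stopped waiting. */
static int send_login(struct vios *v)
{
    if (v->logged_in)
        return RC_INVALID_STATE;
    v->logged_in = true;
    if (v->drop_replies > 0) {
        v->drop_replies--;
        return RC_TIMEOUT;
    }
    return RC_SUCCESS;
}

/* Retry up to max_tries; returns 0 once logged in, else the last error. */
static int login(struct vios *v, int max_tries, bool reset_on_failure)
{
    int rc = RC_TIMEOUT;
    for (int i = 0; i < max_tries; i++) {
        rc = send_login(v);
        if (rc == RC_SUCCESS)
            return 0;
        if (reset_on_failure)
            partial_reset(v);   /* fresh CRQs before the next attempt */
    }
    return rc;
}

int main(void)
{
    struct vios a = { true, false, 1 }, b = { true, false, 1 };
    printf("no reset: %d, partial reset: %d\n",
           login(&a, 5, false), login(&b, 5, true));
}
```

Without the reset, every retry after the first timeout returns -7 no matter how many attempts are made; with it, the second attempt succeeds.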
