lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f36e686e13142d885a6e34f0a4dc2e33567ef287.camel@redhat.com>
Date: Wed, 06 Dec 2023 13:27:06 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Heng Qi <hengqi@...ux.alibaba.com>, Jason Wang <jasowang@...hat.com>
Cc: netdev@...r.kernel.org, virtualization@...ts.linux-foundation.org, 
 mst@...hat.com, kuba@...nel.org, yinjun.zhang@...igine.com,
 edumazet@...gle.com,  davem@...emloft.net, hawk@...nel.org,
 john.fastabend@...il.com, ast@...nel.org,  horms@...nel.org,
 xuanzhuo@...ux.alibaba.com
Subject: Re: [PATCH net-next v6 4/5] virtio-net: add spin lock for ctrl cmd
 access

On Tue, 2023-12-05 at 19:05 +0800, Heng Qi wrote:
> 
> 在 2023/12/5 下午4:35, Jason Wang 写道:
> > On Tue, Dec 5, 2023 at 4:02 PM Heng Qi <hengqi@...ux.alibaba.com> wrote:
> > > Currently access to ctrl cmd is globally protected via rtnl_lock and works
> > > fine. But if dim work's access to ctrl cmd also holds rtnl_lock, deadlock
> > > may occur due to cancel_work_sync for dim work.
> > Can you explain why?
> 
> For example, during the bus unbind operation, the following call stack 
> occurs:
> virtnet_remove -> unregister_netdev -> rtnl_lock[1] -> virtnet_close -> 
> cancel_work_sync -> virtnet_rx_dim_work -> rtnl_lock[2] (deadlock occurs).
> 
> > > Therefore, treating
> > > ctrl cmd as a separate protection object of the lock is the solution and
> > > the basis for the next patch.
> > Let's don't do that. Reasons are:
> > 
> > 1) virtnet_send_command() may wait for cvq commands for an indefinite time
> 
> Yes, I took that into consideration. But ndo_set_rx_mode's need for an 
> atomic
> environment rules out the mutex lock.
> 
> > 2) hold locks may complicate the future hardening works around cvq
> 
> Agree, but I don't seem to have thought of a better way besides passing 
> the lock.
> Do you have any other better ideas or suggestions?

What about:

- using the rtnl lock only
- virtionet_close() invokes cancel_work(), without flushing the work
- virtnet_remove() calls flush_work() after unregister_netdev(),
outside the rtnl lock

Should prevent both the deadlock and the UaF.

Side note: for this specific case any functional test with a
CONFIG_LOCKDEP enabled build should suffice to catch the deadlock
scenario above.

Cheers,

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ