[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xen-pciback: fix up cleanup path when alloc fails



On Tue, Dec 01, 2015 at 02:54:33PM -0600, Doug Goldstein wrote:
> On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> > On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
> >> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
> >>> When allocating a pciback device fails, avoid the possibility of a
> >>> use after free.
> >>
> >> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> >>
> >> Ugh, and it looks like xen-blkfront has the same issue.
> > 
> > <whew> Nope. No problems there.
> > 
> > The ->probe if it fails (so xenbus_dev_probe returns the error)
> > ends up in the 'probe_failed' label in really_probe which takes care by 
> > doing:
> > 
> > dev_set_drvdata(dev, NULL);
> > 
> > Wheew!
> > 
> > either way the patch should go in, but the 'possibility' should
> > be perhaps removed? Unless there is some other path I missed?
> 
> I put 'possibility' in there because it will only happen when the
> function returns failure. I was also trying to not make it sound panicky

Right, but when it returns failure, the 'really_probe' will take
care of setting dev_set_drvdata(dev, NULL) - so we won't have the
use after free problem.


> I guess. I can resubmit the patch with that word dropped if that's
> desirable.

Sure, or just say: "The 'really_probe' takes care of setting
dev_set_drvdata(dev, NULL) in its failure path (which we would 
exercise if the ->probe function failed), so we we
are OK. However lets be defensive as the code can change."

> 
> > 
> >>
> >>>
> >>> Reported-by: Jonathan Creekmore <jonathan.creekmore@xxxxxxxxx>
> >>> Signed-off-by: Doug Goldstein <cardoe@xxxxxxxxxx>
> >>> ---
> >>>  drivers/xen/xen-pciback/xenbus.c | 4 +++-
> >>>  1 file changed, 3 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/xen/xen-pciback/xenbus.c 
> >>> b/drivers/xen/xen-pciback/xenbus.c
> >>> index 98bc345..4843741 100644
> >>> --- a/drivers/xen/xen-pciback/xenbus.c
> >>> +++ b/drivers/xen/xen-pciback/xenbus.c
> >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> >>> xenbus_device *xdev)
> >>>   dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev);
> >>>  
> >>>   pdev->xdev = xdev;
> >>> - dev_set_drvdata(&xdev->dev, pdev);
> >>>  
> >>>   mutex_init(&pdev->dev_lock);
> >>>  
> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct 
> >>> xenbus_device *xdev)
> >>>           kfree(pdev);
> >>>           pdev = NULL;
> >>>   }
> >>> +
> >>> + dev_set_drvdata(&xdev->dev, pdev);
> >>> +
> >>>  out:
> >>>   return pdev;
> >>>  }
> >>> -- 
> >>> 2.4.10
> >>>
> 
> 
> -- 
> Doug Goldstein
> 



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.