From: Hannes Reinecke <hare@suse.de>
To: Daniel Wagner <dwagner@suse.de>, Sagi Grimberg <sagi@grimberg.me>
Cc: James Smart <james.smart@broadcom.com>,
Keith Busch <kbusch@kernel.org>, Christoph Hellwig <hch@lst.de>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 3/5] nvme-fabrics: introduce ref counting for nvmf_ctrl_options
Date: Mon, 11 Mar 2024 20:28:58 +0100
Message-ID: <14c5a294-e68f-441f-8606-31cfb67670b7@suse.de>
In-Reply-To: <3xjjwq56sldxrr3dmcxmzhqjebctrowmfpr3istfqmnitlvpv4@mzjixl3jjnbi>
On 3/11/24 18:36, Daniel Wagner wrote:
> On Thu, Mar 07, 2024 at 12:27:43PM +0200, Sagi Grimberg wrote:
>> Why do we need a refcount for an object that has the same exact lifetime
>> as the ctrl itself? It just feels like unneeded complication.
>
> My claim the UAF is also possible with the current code is not correct.
> Or at least not easy to reproduce. I've re-tested a lot and I couldn't
> reproduce it.
>
> Though, the UAF is very simple to reproduce with the sync connect patch
> applied (nvme-fc: wait for initial connect attempt to finish) together
> with Hannes' patch (nvme: authentication error are always
> non-retryable):
>
> In this case, the initial connect fails and the resources are removed,
> while we are waiting in
>
> + if (!opts->connect_async) {
> + enum nvme_ctrl_state state;
> +
> + wait_for_completion(&ctrl->connect_completion);
> + state = nvme_ctrl_state(&ctrl->ctrl);
> + nvme_fc_ctrl_put(ctrl);
> +
> + if (state != NVME_CTRL_LIVE) {
> + /* Cleanup is handled by the connect state machine */
> + return ERR_PTR(-EIO);
> + }
> + }
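Review bot: `nvme_fc_ctrl_put(ctrl)` sits before the `state != NVME_CTRL_LIVE` check, so it also runs on the LIVE path and whatever the caller does with `ctrl` after this block happens without the reference that was held across `wait_for_completion()`. Either move the put into the failure branch and let the success path keep its reference until the controller is handed back, or add a comment naming the other reference that keeps `ctrl` and its options alive while the sysfs entry is still reachable. The comment `/* Cleanup is handled by the connect state machine */` should also state that the options object is torn down there, since that teardown is exactly what a concurrent sysfs read can race against.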
>
> This opens up the race window. While we are waiting here for the
> completion, the ctrl entry in sysfs is still reachable. Unfortunately,
> we also fire an uevent which starts another instance of nvme-cli. And
> the new instance of nvme-cli iterates over sysfs and reads the already
> freed options object.
>
Curiously enough, I had been digging into better error reporting for
nvme-fabrics. And the one thing I came up with is to make the controller
_options_ the private pointer of the seq_file.
With that we can allocate and initialize the options during open(),
and then have write() do the parsing and call create_ctrl() as usual.
But read() would then always have access to the option structure, and
we can use this structure to pass any errors. E.g. parsing errors could
be reported by an 'err_mask' field and so on.
That would allow us to report errors back to nvme-cli, and,
incidentally, also require reference counting.
Two stones with a bird and all that.
Patch is in testing, and I'll be posting it once I get confirmation.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
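The lifetime problem in the quoted reply (a sysfs reader spawned by the uevent reads the options object after the failed connect has freed it), modelled in userspace as an added example that is not code from this thread or from the kernel: a reference count on the options object lets the reader pin it across the controller's cleanup, which is what Daniel's patch and the seq_file proposal both rely on. The struct, the helper names and the NQN string are constructed; the kernel would use a kref rather than a plain counter.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for nvmf_ctrl_options with a reference count. */
struct ctrl_options {
	int refcnt;            /* single-threaded model; kernel code would use a kref */
	char subsysnqn[64];
};

static int opts_freed;     /* how many times the destructor ran (test hook) */

struct ctrl_options *opts_alloc(const char *nqn)
{
	struct ctrl_options *o = calloc(1, sizeof(*o));
	if (!o)
		return NULL;
	o->refcnt = 1;         /* the controller's own reference */
	strncpy(o->subsysnqn, nqn, sizeof(o->subsysnqn) - 1);
	return o;
}

struct ctrl_options *opts_get(struct ctrl_options *o)
{
	o->refcnt++;
	return o;
}

void opts_put(struct ctrl_options *o)
{
	if (--o->refcnt == 0) {
		opts_freed++;  /* freed exactly once, by the last holder */
		free(o);
	}
}

/* Replays the interleaving from the thread: the sysfs reader starts while
 * the synchronous connect is still waiting, the connect then fails and the
 * controller drops its reference, and only afterwards does the reader finish. */
int replay_failed_connect_race(char *out, size_t outlen)
{
	struct ctrl_options *ctrl_opts = opts_alloc("nqn.2014-08.org.nvmexpress:uuid:example");
	if (!ctrl_opts)
		return -1;
	struct ctrl_options *reader = opts_get(ctrl_opts); /* sysfs show() pins it   */
	opts_put(ctrl_opts);          /* connect failed: ctrl cleanup drops its ref    */
	strncpy(out, reader->subsysnqn, outlen - 1);       /* still live, refcnt == 1 */
	out[outlen - 1] = '\0';
	opts_put(reader);             /* last reference: the object is freed here      */
	return opts_freed;
}
```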