[0/3] net: socket: do not close file descriptor if it's not a socket

Message ID	20230609072748.4179873-1-lvivier@redhat.com (mailing list archive)
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Laurent Vivier <lvivier@redhat.com> To: qemu-devel@nongnu.org Cc: David Gibson <dgibson@redhat.com>, Jason Wang <jasowang@redhat.com>, Laurent Vivier <lvivier@redhat.com> Subject: [PATCH 0/3] net: socket: do not close file descriptor if it's not a socket Date: Fri, 9 Jun 2023 09:27:45 +0200 Message-Id: <20230609072748.4179873-1-lvivier@redhat.com> Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable UI-OutboundReport: notjunk:1;M01:P0:NJNDcdeCNkM=;LOMzWbabnE6EiIH6zoswWrLWogm QUNf/ry5SJaPfVPhMYcHeDx85RNFitf4YA03zYZp5oEf838GKAyk5bBwJWJcHiKNaqTEbdPtE fnUcYtYYtR7WZhDyp2U9fKCEVxBJDy/Xif7Ro4TcsGsZxkuZDKYzut4S/hAmKIzkR9QC+IfWX Yso0mVlUWCo/dSpAAWo9fnzh/KojTOvmITu9Px3XO6mJoXvEGX8xi2NnfcAGXz1CqBabQePtl 4Sf0j5keC/G3HWeuGQmGb9ebGz9q5qPm8mqWLC0lxPk1wKk0UcgV5YJbBg576kQdOtL+J7YDc lFg60pFcIYTpCXfCHLRIbHLo8buP3NitcBtGN2+MmhxP8KmW4cmlnCJ9OoCF09vQDf/zLrdWM efARy2Rye0lYpjuN0CqVg8Pw1eW4CTU6ygY6p/UamBUxg5gAB3aqhqt7tdGod+uKHxZhdPmtL pqxVhORvgRmmBEj6YtB147yHQCDkL3JdKyrmpXxaFTv2ao4d+vo5K1fQAmyUllyrAvmjMm5nj ceOcknf+BEy955sUx9Udm14ewgRKS3vE4f5Y/z9W0ughKR8ra++9UVR5g77S/k72MNaQlvliI 7NobL9+1bcvehM+vYvo1cSCV4XYusRsQUUicBlcWfhQ0rAnB1R+dyICcoh14J5R5NabdRnMxC YSYP9ufVk1Ds3dptiqMjbZjZkX/wZpZczG/pxXQJvg== Received-SPF: permerror client-ip=212.227.126.134; envelope-from=lvivier@redhat.com; helo=mout.kundenserver.de X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	net: socket: do not close file descriptor if it's not a socket \| expand [0/3] net: socket: do not close file descriptor if it's not a socket [1/3] net: socket: prepare to cleanup net_init_socket() [2/3] net: socket: move fd type checking to its own function [3/3] net: socket: remove net_init_socket()

Message ID

20230609072748.4179873-1-lvivier@redhat.com (mailing list archive)

Headers

From: Laurent Vivier <lvivier@redhat.com>
To: qemu-devel@nongnu.org
Cc: David Gibson <dgibson@redhat.com>, Jason Wang <jasowang@redhat.com>,
 Laurent Vivier <lvivier@redhat.com>
Subject: [PATCH 0/3] net: socket: do not close file descriptor if it's not a
 socket
Date: Fri,  9 Jun 2023 09:27:45 +0200
Message-Id: <20230609072748.4179873-1-lvivier@redhat.com>
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
UI-OutboundReport: notjunk:1;M01:P0:NJNDcdeCNkM=;LOMzWbabnE6EiIH6zoswWrLWogm
 QUNf/ry5SJaPfVPhMYcHeDx85RNFitf4YA03zYZp5oEf838GKAyk5bBwJWJcHiKNaqTEbdPtE
 fnUcYtYYtR7WZhDyp2U9fKCEVxBJDy/Xif7Ro4TcsGsZxkuZDKYzut4S/hAmKIzkR9QC+IfWX
 Yso0mVlUWCo/dSpAAWo9fnzh/KojTOvmITu9Px3XO6mJoXvEGX8xi2NnfcAGXz1CqBabQePtl
 4Sf0j5keC/G3HWeuGQmGb9ebGz9q5qPm8mqWLC0lxPk1wKk0UcgV5YJbBg576kQdOtL+J7YDc
 lFg60pFcIYTpCXfCHLRIbHLo8buP3NitcBtGN2+MmhxP8KmW4cmlnCJ9OoCF09vQDf/zLrdWM
 efARy2Rye0lYpjuN0CqVg8Pw1eW4CTU6ygY6p/UamBUxg5gAB3aqhqt7tdGod+uKHxZhdPmtL
 pqxVhORvgRmmBEj6YtB147yHQCDkL3JdKyrmpXxaFTv2ao4d+vo5K1fQAmyUllyrAvmjMm5nj
 ceOcknf+BEy955sUx9Udm14ewgRKS3vE4f5Y/z9W0ughKR8ra++9UVR5g77S/k72MNaQlvliI
 7NobL9+1bcvehM+vYvo1cSCV4XYusRsQUUicBlcWfhQ0rAnB1R+dyICcoh14J5R5NabdRnMxC
 YSYP9ufVk1Ds3dptiqMjbZjZkX/wZpZczG/pxXQJvg==
Received-SPF: permerror client-ip=212.227.126.134;
 envelope-from=lvivier@redhat.com; helo=mout.kundenserver.de
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_FAIL=0.001,
 SPF_HELO_NONE=0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

net: socket: do not close file descriptor if it's not a socket | expand

Message

Laurent Vivier June 9, 2023, 7:27 a.m. UTC

The socket netdev with a file descriptor (fd) cannot be removed
and then added again because the fd is closed when the backend is
removed and thus is not available anymore when we want to add the
backend again.

But this can bring to a core dump:
1- boot a VM with an fd socket netdev
2- remove the netdev
3- reboot
4- add the netdev again, it fails because the fd is not a
   socket, and then closed
5- stop QEMU -> core dump

On reboot (step 3) the fd is allocated to another use in QEMU, and when
we try to use it with a socket netdev, it fails. But the netdev backend
closes the file descriptor that is in use by another part of QEMU.
We can see the core dump on QEMU exit because it tries to close
an invalid file descriptor.

It happens for instance when we have a PCI device and the fd is allocated
to a VirtIOIRQFD on reboot.

Moreover, using "netdev socket,fd=X" allows an user to close any QEMU
internal file descriptor from an HMP or QMP interface.

Laurent Vivier (3):
  net: socket: prepare to cleanup net_init_socket()
  net: socket: move fd type checking to its own function
  net: socket: remove net_init_socket()

 net/socket.c | 53 +++++++++++++++++++++++++++-------------------------
 1 file changed, 28 insertions(+), 25 deletions(-)

Comments

Jason Wang June 30, 2023, 6:02 a.m. UTC | #1

On Fri, Jun 9, 2023 at 3:28 PM Laurent Vivier <lvivier@redhat.com> wrote:
>
> The socket netdev with a file descriptor (fd) cannot be removed
> and then added again because the fd is closed when the backend is
> removed and thus is not available anymore when we want to add the
> backend again.
>
> But this can bring to a core dump:
> 1- boot a VM with an fd socket netdev
> 2- remove the netdev
> 3- reboot
> 4- add the netdev again, it fails because the fd is not a
>    socket, and then closed
> 5- stop QEMU -> core dump
>
> On reboot (step 3) the fd is allocated to another use in QEMU, and when
> we try to use it with a socket netdev, it fails. But the netdev backend
> closes the file descriptor that is in use by another part of QEMU.
> We can see the core dump on QEMU exit because it tries to close
> an invalid file descriptor.
>
> It happens for instance when we have a PCI device and the fd is allocated
> to a VirtIOIRQFD on reboot.
>
> Moreover, using "netdev socket,fd=X" allows an user to close any QEMU
> internal file descriptor from an HMP or QMP interface.
>
> Laurent Vivier (3):
>   net: socket: prepare to cleanup net_init_socket()
>   net: socket: move fd type checking to its own function
>   net: socket: remove net_init_socket()
>
>  net/socket.c | 53 +++++++++++++++++++++++++++-------------------------
>  1 file changed, 28 insertions(+), 25 deletions(-)

Queued.

Thanks

>
> --
> 2.39.2
>
>