Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit()
To: Jassi Brar
Cc: Linux Kernel Mailing List, guoren@kernel.org
References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com>
From: Xianting Tian
Message-ID: <977740a4-c08d-663d-410e-3375d034d2e8@linux.alibaba.com>
Date: Tue, 17 Aug 2021 13:58:47 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021/8/17 12:29 PM, Jassi Brar wrote:
> On Fri, Aug 6, 2021 at 7:15 AM Xianting Tian wrote:
>> We met a UAF issue during our mailbox testing.
>>
>> In synchronous mailbox, we use mbox_send_message() to send a message
>> and wait for completion. mbox_send_message() calls msg_submit() to
>> send the message for the first time; if it times out, it will send the
>> message in tx_tick() for the second time.
>>
> Seems like your controller's .send_data() returns error. Can you
> please explain why it does so? Because
> send_data() only _accepts_ data for further transmission... which
> should seldom be a problem.

Thanks for the comments. We developed virtio-mailbox for a heterogeneous
virtualization system. virtio-mailbox is based on the mailbox framework.
In the virtio framework, its send function 'virtqueue_add_outbuf()' may
return an error, which causes .send_data() to return an error. There are
also other scenarios.

But I think the mailbox framework shouldn't depend on .send_data() always
returning OK, as .send_data() is implemented by the mailbox hardware
manufacturer, which is not controlled by the mailbox framework itself.

You said 'seldom', but it is still possible to meet such an issue, such as
flexrm_send_data() in drivers/mailbox/bcm-flexrm-mailbox.c.

I think the mailbox framework should work normally no matter whether
.send_data() returns OK or not. Do you think so?

thanks

>
> thanks.
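The hazard class the thread is arguing about (a synchronous sender whose first submission is refused by the controller, followed by a timeout retry that still holds the old message) can be modelled in user space. The following is a constructed C model written for this thread; it is not the kernel's drivers/mailbox/mailbox.c and does not reproduce the actual patch. All toy_* names, the TOY_EIO value and the two controllers are hypothetical; the "accept" controller stands in for a normal .send_data() and the "refuse" controller for the virtqueue_add_outbuf() failure case mentioned above. The clear_on_error switch contrasts a framework that keeps its reference to the message after a failed send with one that drops it.

```c
/* Constructed model of a synchronous mailbox send path whose controller hook
 * can fail. Illustration for this thread only; not kernel code. All toy_*
 * names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define TOY_EIO 5   /* constructed error code standing in for -EIO */

struct toy_chan;

/* Analogue of the controller's .send_data(): it only accepts the message
 * for later transmission and may refuse it (e.g. a full virtqueue). */
typedef int (*toy_send_data_fn)(struct toy_chan *chan, const char *msg);

struct toy_chan {
    toy_send_data_fn send_data;
    const char *active_msg; /* message the channel still owns, or NULL */
    int submits;            /* how many times send_data() was called */
    int clear_on_error;     /* 1 = forget the message when send_data() fails */
};

/* Analogue of msg_submit(): hand the message to the controller. */
static int toy_msg_submit(struct toy_chan *chan, const char *msg)
{
    int err;

    chan->active_msg = msg;
    chan->submits++;
    err = chan->send_data(chan, msg);
    if (err && chan->clear_on_error)
        chan->active_msg = NULL;   /* refused: the caller will free it, so let go */
    return err;
}

/* Analogue of the timeout path in tx_tick(): resend whatever the channel
 * still owns. With a stale active_msg this is where freed memory gets used. */
static int toy_tx_tick_retry(struct toy_chan *chan)
{
    if (!chan->active_msg)
        return 0;                  /* nothing pending, nothing to resend */
    return toy_msg_submit(chan, chan->active_msg);
}

/* Analogue of mbox_send_message() in synchronous mode: first submission,
 * then (the completion wait is modelled as always timing out) the retry. */
static int toy_send_sync(struct toy_chan *chan, const char *msg)
{
    int err = toy_msg_submit(chan, msg);

    if (err)
        return err;                /* fail fast; the caller frees msg now */
    err = toy_tx_tick_retry(chan); /* constructed: wait timed out, second try */
    chan->active_msg = NULL;       /* the synchronous call is over either way */
    return err;
}

/* Two constructed controllers. Neither dereferences msg, so the model never
 * reads freed memory even when the framework hands it a stale pointer. */
static int toy_ctrl_accept(struct toy_chan *chan, const char *msg)
{
    (void)chan; (void)msg;
    return 0;
}

static int toy_ctrl_refuse(struct toy_chan *chan, const char *msg)
{
    (void)chan; (void)msg;
    return -TOY_EIO;
}

/* Normal synchronous send with a reference-dropping framework. */
int toy_sync_send_status(int controller_refuses)
{
    struct toy_chan chan = { controller_refuses ? toy_ctrl_refuse : toy_ctrl_accept,
                             NULL, 0, 1 };
    char msg[] = "constructed message";

    return toy_send_sync(&chan, msg);
}

int toy_sync_send_submits(int controller_refuses)
{
    struct toy_chan chan = { controller_refuses ? toy_ctrl_refuse : toy_ctrl_accept,
                             NULL, 0, 1 };
    char msg[] = "constructed message";

    (void)toy_send_sync(&chan, msg);
    return chan.submits;
}

/* Scenario: the controller refuses the message, the synchronous caller gets
 * the error and frees the message, and afterwards the timeout path fires.
 * Returns 1 if that late retry re-submitted the already freed message. */
int toy_late_retry_resubmits_freed(int clear_on_error)
{
    struct toy_chan chan = { toy_ctrl_refuse, NULL, 0, clear_on_error };
    int before;

    {
        char msg[] = "constructed message"; /* lifetime ends with this block */
        (void)toy_send_sync(&chan, msg);
    }
    before = chan.submits;
    (void)toy_tx_tick_retry(&chan);        /* stale pointer is passed, not read */
    return chan.submits > before;
}

int main(void)
{
    printf("accept: status=%d submits=%d\n", toy_sync_send_status(0), toy_sync_send_submits(0));
    printf("refuse: status=%d submits=%d\n", toy_sync_send_status(1), toy_sync_send_submits(1));
    printf("late retry touches freed msg: keep-ref=%d drop-ref=%d\n",
           toy_late_retry_resubmits_freed(0), toy_late_retry_resubmits_freed(1));
    return 0;
}
```

The point the model makes is the one the reply argues: once a controller is allowed to refuse a message, the framework has to treat that refusal as the end of that message's life on the channel, because the synchronous caller owns the buffer again the moment it sees the error, and any deferred path (here the timeout retry) that still holds the pointer is a use-after-free waiting for the timer.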