Virtio wants to release used indices after the corresponding
virtio device has been unregistered. However, virtio does not
hold an extra reference, giving up its last reference with
device_unregister(), making accessing dev->index afterwards
invalid.

I actually saw problems when testing my (not-yet-merged)
virtio-ccw code:

- device_add virtio-net,id=xxx
  -> creates device virtio<n> with n>0

- device_del xxx
  -> deletes virtio<n>, but calls ida_simple_remove with an
     index of 0

- device_add virtio-net,id=xxx
  -> tries to add virtio0, which is still in use...

So let's save the index we want to release before calling
device_unregister().

Signed-off-by: Cornelia Huck <cornelia.huck at de.ibm.com>
---
 drivers/virtio/virtio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c index 1e8659c..809b0de 100644 --- a/drivers/virtio/virtio.c +++ b/drivers/virtio/virtio.c @@ -225,8 +225,10 @@ EXPORT_SYMBOL_GPL(register_virtio_device); void unregister_virtio_device(struct virtio_device *dev) { + int index = dev->index; /* save for after device release */ + device_unregister(&dev->dev); - ida_simple_remove(&virtio_index_ida, dev->index); + ida_simple_remove(&virtio_index_ida, index); } EXPORT_SYMBOL_GPL(unregister_virtio_device); -- 1.7.12.4
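Review bot: the comment on the new `int index = dev->index;` line records what is saved but not why, and the why is the whole point of the hunk: device_unregister() drops the last reference, so a release callback that frees the device leaves dev->index dangling for the ida_simple_remove() call that follows. Spell that out so nobody later folds the local back into dev->index, e.g. `/* device_unregister() may drop the last reference and free dev; read index first. */`. Keeping ida_simple_remove() after device_unregister() is the right order, since the index should only become reusable once the old device is gone.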
Sjur Brændeland
2012-Nov-08 11:50 UTC
[PATCH] virtio: Don't access index after unregister.
On Thu, Nov 8, 2012 at 11:43 AM, Cornelia Huck <cornelia.huck at de.ibm.com> wrote:
> Virtio wants to release used indices after the corresponding
> virtio device has been unregistered. However, virtio does not
> hold an extra reference, giving up its last reference with
> device_unregister(), making accessing dev->index afterwards
> invalid.
>
> I actually saw problems when testing my (not-yet-merged)
> virtio-ccw code:
>
> - device_add virtio-net,id=xxx
>   -> creates device virtio<n> with n>0
>
> - device_del xxx
>   -> deletes virtio<n>, but calls ida_simple_remove with an
>      index of 0
>
> - device_add virtio-net,id=xxx
>   -> tries to add virtio0, which is still in use...
>
> So let's save the index we want to release before calling
> device_unregister().
>
> Signed-off-by: Cornelia Huck <cornelia.huck at de.ibm.com>
> ---
>  drivers/virtio/virtio.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index 1e8659c..809b0de 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c
> @@ -225,8 +225,10 @@ EXPORT_SYMBOL_GPL(register_virtio_device); > > void unregister_virtio_device(struct virtio_device *dev) > { > + int index = dev->index; /* save for after device release */ > + > device_unregister(&dev->dev); > - ida_simple_remove(&virtio_index_ida, dev->index); > + ida_simple_remove(&virtio_index_ida, index); > } > EXPORT_SYMBOL_GPL(unregister_virtio_device);

Acked-by: Sjur Brændeland <sjur.brandeland at stericsson.com>

Great minds think alike! I discovered issues with this implementation a while back and Michael suggested an identical patch:
https://lkml.org/lkml/2012/9/4/173
https://lkml.org/lkml/2012/9/7/105

The issue I ran into was that when virtio devices are created by remoteproc the device memory might be freed when calling device_unregister(), and the value of dev->index is then undefined. So this bug bites when unregistering a Virtio device from remoteproc with CONFIG_DEBUG_SLAB enabled. However this bug is not triggered by virtio_pci as it implements a non-standard device release-function that does not free the device memory.

Thanks,
Sjur
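A toy model of the mechanism described in Cornelia's commit message and Sjur's reply, added here as an illustration (it is not code from the thread or from the kernel): a refcounted device whose release callback either frees the device (modelled as the freed memory reading back as 0, the value the thread observed) or, like virtio_pci, does nothing, so the unpatched unregister frees the wrong ida index only in the first case. All names (toy_device, ida_alloc, next_index_after_del and friends) are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_INDEX 8
static bool ida_in_use[MAX_INDEX];   /* stands in for virtio_index_ida */
struct toy_device { int refcount, index; void (*release)(struct toy_device *); };
static int ida_alloc(void)
{
	for (int i = 0; i < MAX_INDEX; i++)
		if (!ida_in_use[i]) { ida_in_use[i] = true; return i; }
	return -1;
}
static void ida_remove(int i) { if (i >= 0 && i < MAX_INDEX) ida_in_use[i] = false; }
/* Release that frees the device (virtio-ccw/remoteproc style). A real free makes
 * the later read undefined, so we model freed memory reading back as 0 instead. */
static void freeing_release(struct toy_device *d) { d->index = 0; }
/* virtio_pci-style release that does not free: dev->index stays valid by luck. */
static void noop_release(struct toy_device *d) { (void)d; }
/* Dropping the last reference runs the release callback, as put_device() does. */
static void device_unregister(struct toy_device *d) { if (--d->refcount == 0) d->release(d); }
static void register_dev(struct toy_device *d, void (*rel)(struct toy_device *))
{
	d->refcount = 1; d->release = rel; d->index = ida_alloc();
}
/* Before the patch: dev->index is read after the last reference is gone. */
static void unregister_buggy(struct toy_device *d)
{
	device_unregister(d);
	ida_remove(d->index);
}
/* After the patch: capture the index before device_unregister(). */
static void unregister_fixed(struct toy_device *d)
{
	int index = d->index;
	device_unregister(d);
	ida_remove(index);
}
/* The thread's repro: virtio0 stays registered, a second device is added and
 * deleted. Returns the index the next device_add would get: 1 is correct, 0 means
 * the live virtio0 was released from the ida instead and index 1 leaked. */
static int next_index_after_del(bool fixed, void (*rel)(struct toy_device *))
{
	struct toy_device first, second;
	memset(ida_in_use, 0, sizeof(ida_in_use));
	register_dev(&first, rel);
	register_dev(&second, rel);
	if (fixed) unregister_fixed(&second); else unregister_buggy(&second);
	return ida_alloc();
}
```

With the freeing release and the unpatched path the next add is handed index 0, which is exactly the "tries to add virtio0, which is still in use" failure from the thread; with the no-op release the same bug stays invisible.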
Cornelia Huck <cornelia.huck at de.ibm.com> writes:
> Virtio wants to release used indices after the corresponding
> virtio device has been unregistered. However, virtio does not
> hold an extra reference, giving up its last reference with
> device_unregister(), making accessing dev->index afterwards
> invalid.
>
> I actually saw problems when testing my (not-yet-merged)
> virtio-ccw code:
>
> - device_add virtio-net,id=xxx
>   -> creates device virtio<n> with n>0
>
> - device_del xxx
>   -> deletes virtio<n>, but calls ida_simple_remove with an
>      index of 0
>
> - device_add virtio-net,id=xxx
>   -> tries to add virtio0, which is still in use...
>
> So let's save the index we want to release before calling
> device_unregister().

Great catch! I've added a CC:stable.

Applied,
Rusty.
Michael S. Tsirkin
2012-Nov-09 05:14 UTC
[PATCH] virtio: Don't access index after unregister.
On Thu, Nov 08, 2012 at 11:43:47AM +0100, Cornelia Huck wrote:
> Virtio wants to release used indices after the corresponding
> virtio device has been unregistered. However, virtio does not
> hold an extra reference, giving up its last reference with
> device_unregister(), making accessing dev->index afterwards
> invalid.
>
> I actually saw problems when testing my (not-yet-merged)
> virtio-ccw code:
>
> - device_add virtio-net,id=xxx
>   -> creates device virtio<n> with n>0
>
> - device_del xxx
>   -> deletes virtio<n>, but calls ida_simple_remove with an
>      index of 0
>
> - device_add virtio-net,id=xxx
>   -> tries to add virtio0, which is still in use...
>
> So let's save the index we want to release before calling
> device_unregister().
>
> Signed-off-by: Cornelia Huck <cornelia.huck at de.ibm.com>
> ---
>  drivers/virtio/virtio.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index 1e8659c..809b0de 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c > @@ -225,8 +225,10 @@ EXPORT_SYMBOL_GPL(register_virtio_device); > > void unregister_virtio_device(struct virtio_device *dev) > { > + int index = dev->index; /* save for after device release */

It's obvious from code that we save for after release, I think a better comment would explain *why* we do this. Something like

	/* device_unregister drops reference to device so put_device could
	 * invoke release callback. In case that callback will free the
	 * device, make sure we don't access device after this call. */
	int index = dev->index;

?

> + > device_unregister(&dev->dev); > - ida_simple_remove(&virtio_index_ida, dev->index); > + ida_simple_remove(&virtio_index_ida, index); > } > EXPORT_SYMBOL_GPL(unregister_virtio_device); > > -- > 1.7.12.4