Stefano Garzarella
2019-May-28 10:56 UTC
[PATCH 0/4] vsock/virtio: several fixes in the .probe() and .remove()
During the review of "[PATCH] vsock/virtio: Initialize core virtio vsock before registering the driver", Stefan pointed out some possible issues in the .probe() and .remove() callbacks of the virtio-vsock driver. This series tries to solve these issues: - Patch 1 postpones the 'the_virtio_vsock' assignment at the end of the .probe() to avoid that some sockets queue works when the initialization is not finished. - Patches 2 and 3 stop workers before to call vdev->config->reset(vdev) to be sure that no one is accessing the device, and adds another flush at the end of the .remove() to avoid use after free. - Patch 4 free also used buffers in the virtqueues during the .remove(). Stefano Garzarella (4): vsock/virtio: fix locking around 'the_virtio_vsock' vsock/virtio: stop workers during the .remove() vsock/virtio: fix flush of works during the .remove() vsock/virtio: free used buffers during the .remove() net/vmw_vsock/virtio_transport.c | 105 ++++++++++++++++++++++++++----- 1 file changed, 90 insertions(+), 15 deletions(-) -- 2.20.1
Stefano Garzarella
2019-May-28 10:56 UTC
[PATCH 1/4] vsock/virtio: fix locking around 'the_virtio_vsock'
This patch protects the reading of 'the_virtio_vsock' taking the mutex used when it is set. We also move the 'the_virtio_vsock' assignment at the end of the .probe(), when we finished all the initialization, and at the beginning of .remove(), before to release resources, taking the lock until the end of the function. Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> --- net/vmw_vsock/virtio_transport.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 96ab344f17bb..d3ba7747aa73 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -68,7 +68,13 @@ struct virtio_vsock { static struct virtio_vsock *virtio_vsock_get(void) { - return the_virtio_vsock; + struct virtio_vsock *vsock; + + mutex_lock(&the_virtio_vsock_mutex); + vsock = the_virtio_vsock; + mutex_unlock(&the_virtio_vsock_mutex); + + return vsock; } static u32 virtio_transport_get_local_cid(void) @@ -592,7 +598,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev) atomic_set(&vsock->queued_replies, 0); vdev->priv = vsock; - the_virtio_vsock = vsock; mutex_init(&vsock->tx_lock); mutex_init(&vsock->rx_lock); mutex_init(&vsock->event_lock); @@ -614,6 +619,8 @@ static int virtio_vsock_probe(struct virtio_device *vdev) virtio_vsock_event_fill(vsock); mutex_unlock(&vsock->event_lock); + the_virtio_vsock = vsock; + mutex_unlock(&the_virtio_vsock_mutex); return 0; @@ -628,6 +635,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev) struct virtio_vsock *vsock = vdev->priv; struct virtio_vsock_pkt *pkt; + mutex_lock(&the_virtio_vsock_mutex); + the_virtio_vsock = NULL; + flush_work(&vsock->loopback_work); flush_work(&vsock->rx_work); flush_work(&vsock->tx_work); @@ -667,13 +677,10 @@ static void virtio_vsock_remove(struct virtio_device *vdev) } spin_unlock_bh(&vsock->loopback_list_lock); - mutex_lock(&the_virtio_vsock_mutex); - the_virtio_vsock = NULL; - mutex_unlock(&the_virtio_vsock_mutex); - vdev->config->del_vqs(vdev); kfree(vsock); + mutex_unlock(&the_virtio_vsock_mutex); } static struct virtio_device_id id_table[] = { -- 2.20.1
Stefano Garzarella
2019-May-28 10:56 UTC
[PATCH 2/4] vsock/virtio: stop workers during the .remove()
Before to call vdev->config->reset(vdev) we need to be sure that no one is accessing the device, for this reason, we add new variables in the struct virtio_vsock to stop the workers during the .remove(). This patch also add few comments before vdev->config->reset(vdev) and vdev->config->del_vqs(vdev). Suggested-by: Stefan Hajnoczi <stefanha at redhat.com> Suggested-by: Michael S. Tsirkin <mst at redhat.com> Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> --- net/vmw_vsock/virtio_transport.c | 49 +++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index d3ba7747aa73..e694df10ab61 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -39,6 +39,7 @@ struct virtio_vsock { * must be accessed with tx_lock held. */ struct mutex tx_lock; + bool tx_run; struct work_struct send_pkt_work; spinlock_t send_pkt_list_lock; @@ -54,6 +55,7 @@ struct virtio_vsock { * must be accessed with rx_lock held. */ struct mutex rx_lock; + bool rx_run; int rx_buf_nr; int rx_buf_max_nr; @@ -61,6 +63,7 @@ struct virtio_vsock { * vqs[VSOCK_VQ_EVENT] must be accessed with event_lock held. */ struct mutex event_lock; + bool event_run; struct virtio_vsock_event event_list[8]; u32 guest_cid; @@ -98,6 +101,10 @@ static void virtio_transport_loopback_work(struct work_struct *work) spin_unlock_bh(&vsock->loopback_list_lock); mutex_lock(&vsock->rx_lock); + + if (!vsock->rx_run) + goto out; + while (!list_empty(&pkts)) { struct virtio_vsock_pkt *pkt; @@ -106,6 +113,7 @@ static void virtio_transport_loopback_work(struct work_struct *work) virtio_transport_recv_pkt(pkt); } +out: mutex_unlock(&vsock->rx_lock); } @@ -134,6 +142,9 @@ virtio_transport_send_pkt_work(struct work_struct *work) mutex_lock(&vsock->tx_lock); + if (!vsock->tx_run) + goto out; + vq = vsock->vqs[VSOCK_VQ_TX]; for (;;) { @@ -192,6 +203,7 @@ virtio_transport_send_pkt_work(struct work_struct *work) if (added) virtqueue_kick(vq); +out: mutex_unlock(&vsock->tx_lock); if (restart_rx) @@ -314,6 +326,10 @@ static void virtio_transport_tx_work(struct work_struct *work) vq = vsock->vqs[VSOCK_VQ_TX]; mutex_lock(&vsock->tx_lock); + + if (!vsock->tx_run) + goto out; + do { struct virtio_vsock_pkt *pkt; unsigned int len; @@ -324,6 +340,8 @@ static void virtio_transport_tx_work(struct work_struct *work) added = true; } } while (!virtqueue_enable_cb(vq)); + +out: mutex_unlock(&vsock->tx_lock); if (added) @@ -352,6 +370,9 @@ static void virtio_transport_rx_work(struct work_struct *work) mutex_lock(&vsock->rx_lock); + if (!vsock->rx_run) + goto out; + do { virtqueue_disable_cb(vq); for (;;) { @@ -461,6 +482,9 @@ static void virtio_transport_event_work(struct work_struct *work) mutex_lock(&vsock->event_lock); + if (!vsock->event_run) + goto out; + do { struct virtio_vsock_event *event; unsigned int len; @@ -475,7 +499,7 @@ static void virtio_transport_event_work(struct work_struct *work) } while (!virtqueue_enable_cb(vq)); virtqueue_kick(vsock->vqs[VSOCK_VQ_EVENT]); - +out: mutex_unlock(&vsock->event_lock); } @@ -611,12 +635,18 @@ static int virtio_vsock_probe(struct virtio_device *vdev) INIT_WORK(&vsock->send_pkt_work, virtio_transport_send_pkt_work); INIT_WORK(&vsock->loopback_work, virtio_transport_loopback_work); + mutex_lock(&vsock->tx_lock); + vsock->tx_run = true; + mutex_unlock(&vsock->tx_lock); + mutex_lock(&vsock->rx_lock); virtio_vsock_rx_fill(vsock); + vsock->rx_run = true; mutex_unlock(&vsock->rx_lock); mutex_lock(&vsock->event_lock); virtio_vsock_event_fill(vsock); + vsock->event_run = true; mutex_unlock(&vsock->event_lock); the_virtio_vsock = vsock; @@ -647,6 +677,22 @@ static void virtio_vsock_remove(struct virtio_device *vdev) /* Reset all connected sockets when the device disappear */ vsock_for_each_connected_socket(virtio_vsock_reset_sock); + /* Stop all work handlers to make sure no one is accessing the device */ + mutex_lock(&vsock->rx_lock); + vsock->rx_run = false; + mutex_unlock(&vsock->rx_lock); + + mutex_lock(&vsock->tx_lock); + vsock->tx_run = false; + mutex_unlock(&vsock->tx_lock); + + mutex_lock(&vsock->event_lock); + vsock->event_run = false; + mutex_unlock(&vsock->event_lock); + + /* Flush all device writes and interrupts, device will not use any + * more buffers. + */ vdev->config->reset(vdev); mutex_lock(&vsock->rx_lock); @@ -677,6 +723,7 @@ static void virtio_vsock_remove(struct virtio_device *vdev) } spin_unlock_bh(&vsock->loopback_list_lock); + /* Delete virtqueues and flush outstanding callbacks if any */ vdev->config->del_vqs(vdev); kfree(vsock); -- 2.20.1
Stefano Garzarella
2019-May-28 10:56 UTC
[PATCH 3/4] vsock/virtio: fix flush of works during the .remove()
We flush all pending works before to call vdev->config->reset(vdev), but other works can be queued before the vdev->config->del_vqs(vdev), so we add another flush after it, to avoid use after free. Suggested-by: Michael S. Tsirkin <mst at redhat.com> Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> --- net/vmw_vsock/virtio_transport.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index e694df10ab61..ad093ce96693 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -660,6 +660,15 @@ static int virtio_vsock_probe(struct virtio_device *vdev) return ret; } +static void virtio_vsock_flush_works(struct virtio_vsock *vsock) +{ + flush_work(&vsock->loopback_work); + flush_work(&vsock->rx_work); + flush_work(&vsock->tx_work); + flush_work(&vsock->event_work); + flush_work(&vsock->send_pkt_work); +} + static void virtio_vsock_remove(struct virtio_device *vdev) { struct virtio_vsock *vsock = vdev->priv; @@ -668,12 +677,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev) mutex_lock(&the_virtio_vsock_mutex); the_virtio_vsock = NULL; - flush_work(&vsock->loopback_work); - flush_work(&vsock->rx_work); - flush_work(&vsock->tx_work); - flush_work(&vsock->event_work); - flush_work(&vsock->send_pkt_work); - /* Reset all connected sockets when the device disappear */ vsock_for_each_connected_socket(virtio_vsock_reset_sock); @@ -690,6 +693,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev) vsock->event_run = false; mutex_unlock(&vsock->event_lock); + /* Flush all pending works */ + virtio_vsock_flush_works(vsock); + /* Flush all device writes and interrupts, device will not use any * more buffers. */ @@ -726,6 +732,11 @@ static void virtio_vsock_remove(struct virtio_device *vdev) /* Delete virtqueues and flush outstanding callbacks if any */ vdev->config->del_vqs(vdev); + /* Other works can be queued before 'config->del_vqs()', so we flush + * all works before to free the vsock object to avoid use after free. + */ + virtio_vsock_flush_works(vsock); + kfree(vsock); mutex_unlock(&the_virtio_vsock_mutex); } -- 2.20.1
Stefano Garzarella
2019-May-28 10:56 UTC
[PATCH 4/4] vsock/virtio: free used buffers during the .remove()
Before this patch, we only freed unused buffers, but there may still be used buffers to be freed. Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> --- net/vmw_vsock/virtio_transport.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index ad093ce96693..6a2afb989562 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -669,6 +669,18 @@ static void virtio_vsock_flush_works(struct virtio_vsock *vsock) flush_work(&vsock->send_pkt_work); } +static void virtio_vsock_free_buf(struct virtqueue *vq) +{ + struct virtio_vsock_pkt *pkt; + unsigned int len; + + while ((pkt = virtqueue_detach_unused_buf(vq))) + virtio_transport_free_pkt(pkt); + + while ((pkt = virtqueue_get_buf(vq, &len))) + virtio_transport_free_pkt(pkt); +} + static void virtio_vsock_remove(struct virtio_device *vdev) { struct virtio_vsock *vsock = vdev->priv; @@ -702,13 +714,11 @@ static void virtio_vsock_remove(struct virtio_device *vdev) vdev->config->reset(vdev); mutex_lock(&vsock->rx_lock); - while ((pkt = virtqueue_detach_unused_buf(vsock->vqs[VSOCK_VQ_RX]))) - virtio_transport_free_pkt(pkt); + virtio_vsock_free_buf(vsock->vqs[VSOCK_VQ_RX]); mutex_unlock(&vsock->rx_lock); mutex_lock(&vsock->tx_lock); - while ((pkt = virtqueue_detach_unused_buf(vsock->vqs[VSOCK_VQ_TX]))) - virtio_transport_free_pkt(pkt); + virtio_vsock_free_buf(vsock->vqs[VSOCK_VQ_TX]); mutex_unlock(&vsock->tx_lock); spin_lock_bh(&vsock->send_pkt_list_lock); -- 2.20.1
Jason Wang
2019-May-29 03:22 UTC
[PATCH 3/4] vsock/virtio: fix flush of works during the .remove()
On 2019/5/28 ??6:56, Stefano Garzarella wrote:> We flush all pending works before to call vdev->config->reset(vdev), > but other works can be queued before the vdev->config->del_vqs(vdev), > so we add another flush after it, to avoid use after free. > > Suggested-by: Michael S. Tsirkin <mst at redhat.com> > Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> > --- > net/vmw_vsock/virtio_transport.c | 23 +++++++++++++++++------ > 1 file changed, 17 insertions(+), 6 deletions(-) > > diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c > index e694df10ab61..ad093ce96693 100644 > --- a/net/vmw_vsock/virtio_transport.c > +++ b/net/vmw_vsock/virtio_transport.c > @@ -660,6 +660,15 @@ static int virtio_vsock_probe(struct virtio_device *vdev) > return ret; > } > > +static void virtio_vsock_flush_works(struct virtio_vsock *vsock) > +{ > + flush_work(&vsock->loopback_work); > + flush_work(&vsock->rx_work); > + flush_work(&vsock->tx_work); > + flush_work(&vsock->event_work); > + flush_work(&vsock->send_pkt_work); > +} > + > static void virtio_vsock_remove(struct virtio_device *vdev) > { > struct virtio_vsock *vsock = vdev->priv; > @@ -668,12 +677,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev) > mutex_lock(&the_virtio_vsock_mutex); > the_virtio_vsock = NULL; > > - flush_work(&vsock->loopback_work); > - flush_work(&vsock->rx_work); > - flush_work(&vsock->tx_work); > - flush_work(&vsock->event_work); > - flush_work(&vsock->send_pkt_work); > - > /* Reset all connected sockets when the device disappear */ > vsock_for_each_connected_socket(virtio_vsock_reset_sock); > > @@ -690,6 +693,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev) > vsock->event_run = false; > mutex_unlock(&vsock->event_lock); > > + /* Flush all pending works */ > + virtio_vsock_flush_works(vsock); > + > /* Flush all device writes and interrupts, device will not use any > * more buffers. > */ > @@ -726,6 +732,11 @@ static void virtio_vsock_remove(struct virtio_device *vdev) > /* Delete virtqueues and flush outstanding callbacks if any */ > vdev->config->del_vqs(vdev); > > + /* Other works can be queued before 'config->del_vqs()', so we flush > + * all works before to free the vsock object to avoid use after free. > + */ > + virtio_vsock_flush_works(vsock);Some questions after a quick glance: 1) It looks to me that the work could be queued from the path of vsock_transport_cancel_pkt() . Is that synchronized here? 2) If we decide to flush after dev_vqs(), is tx_run/rx_run/event_run still needed? It looks to me we've already done except that we need flush rx_work in the end since send_pkt_work can requeue rx_work. Thanks> + > kfree(vsock); > mutex_unlock(&the_virtio_vsock_mutex); > }
David Miller
2019-May-30 04:28 UTC
[PATCH 1/4] vsock/virtio: fix locking around 'the_virtio_vsock'
From: Stefano Garzarella <sgarzare at redhat.com> Date: Tue, 28 May 2019 12:56:20 +0200> @@ -68,7 +68,13 @@ struct virtio_vsock { > > static struct virtio_vsock *virtio_vsock_get(void) > { > - return the_virtio_vsock; > + struct virtio_vsock *vsock; > + > + mutex_lock(&the_virtio_vsock_mutex); > + vsock = the_virtio_vsock; > + mutex_unlock(&the_virtio_vsock_mutex); > + > + return vsock;This doesn't do anything as far as I can tell. No matter what, you will either get the value before it's changed or after it's changed. Since you should never publish the pointer by assigning it until the object is fully initialized, this can never be a problem even without the mutex being there. Even if you sampled the the_virtio_sock value right before it's being set to NULL by the remove function, that still can happen with the mutex held too. This function is also terribly named btw, it implies that a reference count is being taken. But that's not what this function does, it just returns the pointer value as-is.
Stefan Hajnoczi
2019-Jun-10 13:09 UTC
[PATCH 0/4] vsock/virtio: several fixes in the .probe() and .remove()
On Tue, May 28, 2019 at 12:56:19PM +0200, Stefano Garzarella wrote:> During the review of "[PATCH] vsock/virtio: Initialize core virtio vsock > before registering the driver", Stefan pointed out some possible issues > in the .probe() and .remove() callbacks of the virtio-vsock driver. > > This series tries to solve these issues: > - Patch 1 postpones the 'the_virtio_vsock' assignment at the end of the > .probe() to avoid that some sockets queue works when the initialization > is not finished. > - Patches 2 and 3 stop workers before to call vdev->config->reset(vdev) to > be sure that no one is accessing the device, and adds another flush at the > end of the .remove() to avoid use after free. > - Patch 4 free also used buffers in the virtqueues during the .remove(). > > Stefano Garzarella (4): > vsock/virtio: fix locking around 'the_virtio_vsock' > vsock/virtio: stop workers during the .remove() > vsock/virtio: fix flush of works during the .remove() > vsock/virtio: free used buffers during the .remove() > > net/vmw_vsock/virtio_transport.c | 105 ++++++++++++++++++++++++++----- > 1 file changed, 90 insertions(+), 15 deletions(-)Looking forward to v2. I took a look at the discussion and I'll review v2 from scratch. Just keep in mind that the mutex is used more for mutual exclusion of the init/exit code than to protect the_virtio_vsock, so we'll still need protection of init/exit code even with RCU. Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: <http://lists.linuxfoundation.org/pipermail/virtualization/attachments/20190610/18a26537/attachment.sig>
Stefano Garzarella
2019-Jun-27 10:05 UTC
[PATCH 0/4] vsock/virtio: several fixes in the .probe() and .remove()
On Mon, Jun 10, 2019 at 02:09:45PM +0100, Stefan Hajnoczi wrote:> On Tue, May 28, 2019 at 12:56:19PM +0200, Stefano Garzarella wrote: > > During the review of "[PATCH] vsock/virtio: Initialize core virtio vsock > > before registering the driver", Stefan pointed out some possible issues > > in the .probe() and .remove() callbacks of the virtio-vsock driver. > > > > This series tries to solve these issues: > > - Patch 1 postpones the 'the_virtio_vsock' assignment at the end of the > > .probe() to avoid that some sockets queue works when the initialization > > is not finished. > > - Patches 2 and 3 stop workers before to call vdev->config->reset(vdev) to > > be sure that no one is accessing the device, and adds another flush at the > > end of the .remove() to avoid use after free. > > - Patch 4 free also used buffers in the virtqueues during the .remove(). > > > > Stefano Garzarella (4): > > vsock/virtio: fix locking around 'the_virtio_vsock' > > vsock/virtio: stop workers during the .remove() > > vsock/virtio: fix flush of works during the .remove() > > vsock/virtio: free used buffers during the .remove() > > > > net/vmw_vsock/virtio_transport.c | 105 ++++++++++++++++++++++++++----- > > 1 file changed, 90 insertions(+), 15 deletions(-) > > Looking forward to v2. I took a look at the discussion and I'll review > v2 from scratch. Just keep in mind that the mutex is used more for > mutual exclusion of the init/exit code than to protect the_virtio_vsock, > so we'll still need protection of init/exit code even with RCU.Thanks for the advice! I'll send the v2 ASAP. Thanks, Stefano
Apparently Analagous Threads
- [PATCH v2 1/3] vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
- [PATCH v2 1/3] vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
- [PATCH v2 1/3] vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
- [PATCH v2 1/3] vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
- [PATCH 0/4] vsock/virtio: several fixes in the .probe() and .remove()