search for: virtio_pci_release_dev

Commit 31a3ddda166cda86d2b5111e09ba4bda5239fae6 introduced a use after free in virtio-pci. The main issue is that the release method signals removal of the virtio device, while remove signals removal of the pci device. For example, on driver removal or hot-unplug, virtio_pci_release_dev is called before virtio_pci_remove. We then might get a crash as virtio_pci_remove tries to use the device freed by virtio_pci_release_dev. We allocate/free all resources together with the pci device, so we can leave the release method empty. Signed-off-by: Michael S. Tsirkin <mst at redhat.co...

Commit 31a3ddda166cda86d2b5111e09ba4bda5239fae6 introduced a use after free in virtio-pci. The main issue is that the release method signals removal of the virtio device, while remove signals removal of the pci device. For example, on driver removal or hot-unplug, virtio_pci_release_dev is called before virtio_pci_remove. We then might get a crash as virtio_pci_remove tries to use the device freed by virtio_pci_release_dev. We allocate/free all resources together with the pci device, so we can leave the release method empty. Signed-off-by: Michael S. Tsirkin <mst at redhat.co...

This is based on Sasha's patch, with some tweaks. Michael S. Tsirkin (2): virtio_pci: device-specific release callback virtio_pci: document why we defer kfree Sasha Levin (1): virtio_pci: defer kfree until release callback drivers/virtio/virtio_pci_common.h | 1 - drivers/virtio/virtio_pci_common.c | 9 --------- drivers/virtio/virtio_pci_legacy.c | 12 +++++++++++- 3 files

This is based on Sasha's patch, with some tweaks. Michael S. Tsirkin (2): virtio_pci: device-specific release callback virtio_pci: document why we defer kfree Sasha Levin (1): virtio_pci: defer kfree until release callback drivers/virtio/virtio_pci_common.h | 1 - drivers/virtio/virtio_pci_common.c | 9 --------- drivers/virtio/virtio_pci_legacy.c | 12 +++++++++++- 3 files

...833..24956c5 100644 --- a/drivers/virtio/virtio_pci_common.h +++ b/drivers/virtio/virtio_pci_common.h @@ -146,7 +146,6 @@ const char *vp_bus_name(struct virtio_device *vdev); * - ignore the affinity request if we're using INTX */ int vp_set_vq_affinity(struct virtqueue *vq, int cpu); -void virtio_pci_release_dev(struct device *); int virtio_pci_legacy_probe(struct pci_dev *pci_dev, const struct pci_device_id *id); diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c index 7bc69a4..08d0b04 100644 --- a/drivers/virtio/virtio_pci_common.c +++ b/drivers/virtio/virtio_...

...833..24956c5 100644 --- a/drivers/virtio/virtio_pci_common.h +++ b/drivers/virtio/virtio_pci_common.h @@ -146,7 +146,6 @@ const char *vp_bus_name(struct virtio_device *vdev); * - ignore the affinity request if we're using INTX */ int vp_set_vq_affinity(struct virtqueue *vq, int cpu); -void virtio_pci_release_dev(struct device *); int virtio_pci_legacy_probe(struct pci_dev *pci_dev, const struct pci_device_id *id); diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c index 7bc69a4..08d0b04 100644 --- a/drivers/virtio/virtio_pci_common.c +++ b/drivers/virtio/virtio_...

...tate is assumed to be gone. When the port is finally released (close() called), we call device_destroy() on the port's device. This results in the parent device's structures to be freed as well. This includes the PCI regions for the virtio-console PCI device. Once this is done, however, virtio_pci_release_dev() kicks in, as the last ref to the virtio device is now gone, and attempts to do pci_iounmap(pci_dev, vp_dev->ioaddr); pci_release_regions(pci_dev); pci_disable_device(pci_dev); which results in a double-free warning. Move the code that releases regions, etc., to the virtio_pci...

...tate is assumed to be gone. When the port is finally released (close() called), we call device_destroy() on the port's device. This results in the parent device's structures to be freed as well. This includes the PCI regions for the virtio-console PCI device. Once this is done, however, virtio_pci_release_dev() kicks in, as the last ref to the virtio device is now gone, and attempts to do pci_iounmap(pci_dev, vp_dev->ioaddr); pci_release_regions(pci_dev); pci_disable_device(pci_dev); which results in a double-free warning. Move the code that releases regions, etc., to the virtio_pci...

A crash was observed when a device gets removed while a port is in use. When the port gets removed, we tried to free vq buffers. The vq no longer exists at this stage, just ensure we don't access it. The second patch fixes a warning where the pci region is already freed. I'm not sure what or how the region gets freed, any clues there will be helpful. Thanks, Amit Amit Shah (2):

A crash was observed when a device gets removed while a port is in use. When the port gets removed, we tried to free vq buffers. The vq no longer exists at this stage, just ensure we don't access it. The second patch fixes a warning where the pci region is already freed. I'm not sure what or how the region gets freed, any clues there will be helpful. Thanks, Amit Amit Shah (2):

KASan detected a use-after-free error in virtio-pci remove code. In virtio_pci_remove(), vp_dev is still used after being freed in unregister_virtio_device() (in virtio_pci_release_dev() more precisely). To fix, keep a reference until cleanup is done. Fixes: 63bd62a08ca4 ("virtio_pci: defer kfree until release callback") Reported-by: Jerome Marchand <jmarchan at redhat.com> Cc: stable at vger.kernel.org Cc: Sasha Levin <sasha.levin at oracle.com> Signed-of...

KASan detected a use-after-free error in virtio-pci remove code. In virtio_pci_remove(), vp_dev is still used after being freed in unregister_virtio_device() (in virtio_pci_release_dev() more precisely). To fix, keep a reference until cleanup is done. Fixes: 63bd62a08ca4 ("virtio_pci: defer kfree until release callback") Reported-by: Jerome Marchand <jmarchan at redhat.com> Cc: stable at vger.kernel.org Cc: Sasha Levin <sasha.levin at oracle.com> Signed-of...

...har *vp_bus_name(struct virtio_device *vdev); + +/* Setup the affinity for a virtqueue: + * - force the affinity for per vq vector + * - OR over all affinities for shared MSI + * - ignore the affinity request if we're using INTX + */ +int vp_set_vq_affinity(struct virtqueue *vq, int cpu); +void virtio_pci_release_dev(struct device *); + +#ifdef CONFIG_PM_SLEEP +extern const struct dev_pm_ops virtio_pci_pm_ops; +#endif + +#endif diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c index c8ca3f7..d73ceec 100644 --- a/drivers/virtio/virtio_pci.c +++ b/drivers/virtio/virtio_pci.c @@ -14,179 +14,10...

...har *vp_bus_name(struct virtio_device *vdev); + +/* Setup the affinity for a virtqueue: + * - force the affinity for per vq vector + * - OR over all affinities for shared MSI + * - ignore the affinity request if we're using INTX + */ +int vp_set_vq_affinity(struct virtqueue *vq, int cpu); +void virtio_pci_release_dev(struct device *); + +#ifdef CONFIG_PM_SLEEP +extern const struct dev_pm_ops virtio_pci_pm_ops; +#endif + +#endif diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c index c8ca3f7..d73ceec 100644 --- a/drivers/virtio/virtio_pci.c +++ b/drivers/virtio/virtio_pci.c @@ -14,179 +14,10...

...har *vp_bus_name(struct virtio_device *vdev); + +/* Setup the affinity for a virtqueue: + * - force the affinity for per vq vector + * - OR over all affinities for shared MSI + * - ignore the affinity request if we're using INTX + */ +int vp_set_vq_affinity(struct virtqueue *vq, int cpu); +void virtio_pci_release_dev(struct device *); + +#ifdef CONFIG_PM_SLEEP +extern const struct dev_pm_ops virtio_pci_pm_ops; +#endif + +#endif diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c index c8ca3f7..6c7e186 100644 --- a/drivers/virtio/virtio_pci.c +++ b/drivers/virtio/virtio_pci.c @@ -14,179 +14,10...

...har *vp_bus_name(struct virtio_device *vdev); + +/* Setup the affinity for a virtqueue: + * - force the affinity for per vq vector + * - OR over all affinities for shared MSI + * - ignore the affinity request if we're using INTX + */ +int vp_set_vq_affinity(struct virtqueue *vq, int cpu); +void virtio_pci_release_dev(struct device *); + +#ifdef CONFIG_PM_SLEEP +extern const struct dev_pm_ops virtio_pci_pm_ops; +#endif + +#endif diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c index c8ca3f7..6c7e186 100644 --- a/drivers/virtio/virtio_pci.c +++ b/drivers/virtio/virtio_pci.c @@ -14,179 +14,10...

Device VQs were getting freed twice: once in every devices removal functions, and then again in virtio_pci_legacy_remove(). Signed-off-by: Sasha Levin <sasha.levin at oracle.com> --- drivers/virtio/virtio_pci_legacy.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/virtio/virtio_pci_legacy.c b/drivers/virtio/virtio_pci_legacy.c index 6c76f0f..913ca23 100644 ---

Device VQs were getting freed twice: once in every devices removal functions, and then again in virtio_pci_legacy_remove(). Signed-off-by: Sasha Levin <sasha.levin at oracle.com> --- drivers/virtio/virtio_pci_legacy.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/virtio/virtio_pci_legacy.c b/drivers/virtio/virtio_pci_legacy.c index 6c76f0f..913ca23 100644 ---

...ure Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c index 1c4797e..995ab03 100644 --- a/drivers/virtio/virtio_pci_common.c +++ b/drivers/virtio/virtio_pci_common.c @@ -513,7 +513,7 @@ static void virtio_pci_release_dev(struct device *_d) static int virtio_pci_probe(struct pci_dev *pci_dev, const struct pci_device_id *id) { - struct virtio_pci_device *vp_dev; + struct virtio_pci_device *vp_dev, *reg_dev = NULL; int rc; /* allocate our structure and fill it out */ @@ -551,6 +551,8 @@ static int virt...

...ure Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c index 1c4797e..995ab03 100644 --- a/drivers/virtio/virtio_pci_common.c +++ b/drivers/virtio/virtio_pci_common.c @@ -513,7 +513,7 @@ static void virtio_pci_release_dev(struct device *_d) static int virtio_pci_probe(struct pci_dev *pci_dev, const struct pci_device_id *id) { - struct virtio_pci_device *vp_dev; + struct virtio_pci_device *vp_dev, *reg_dev = NULL; int rc; /* allocate our structure and fill it out */ @@ -551,6 +551,8 @@ static int virt...