Jason Wang
2021-Jul-05 03:48 UTC
[RFC PATCH] vhost-vdpa: mark vhost device invalid to reflect vdpa device unregistration
? 2021/7/5 ??4:52, gautam.dawar at xilinx.com ??:> vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > @@ -1091,11 +1122,13 @@ static void vhost_vdpa_remove(struct vdpa_device *vdpa) > opened = atomic_cmpxchg(&v->opened, 0, 1); > if (!opened) > break; > - wait_for_completion_timeout(&v->completion, > - msecs_to_jiffies(1000)); > - dev_warn_once(&v->dev, > - "%s waiting for/dev/%s to be closed\n", > - __func__, dev_name(&v->dev)); > + if (!wait_for_completion_timeout(&v->completion, > + msecs_to_jiffies(1000))) { > + dev_warn(&v->dev, > + "%s/dev/%s in use, continue..\n", > + __func__, dev_name(&v->dev)); > + break; > + } > } while (1); > > put_device(&v->dev); > + v->dev_invalid = true;Besides the mapping handling mentioned by Michael. I think this can lead use-after-free. put_device may release the memory. Another fundamental issue, vDPA is the parent of vhost-vDPA device. I'm not sure the device core can allow the parent to go away first. Thanks
Jason Wang
2021-Jul-05 05:11 UTC
[RFC PATCH] vhost-vdpa: mark vhost device invalid to reflect vdpa device unregistration
? 2021/7/5 ??11:48, Jason Wang ??:> > ? 2021/7/5 ??4:52, gautam.dawar at xilinx.com ??: >> ????? vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); >> @@ -1091,11 +1122,13 @@ static void vhost_vdpa_remove(struct >> vdpa_device *vdpa) >> ????????? opened = atomic_cmpxchg(&v->opened, 0, 1); >> ????????? if (!opened) >> ????????????? break; >> -??????? wait_for_completion_timeout(&v->completion, >> -??????????????????????? msecs_to_jiffies(1000)); >> -??????? dev_warn_once(&v->dev, >> -????????????????? "%s waiting for/dev/%s to be closed\n", >> -????????????????? __func__, dev_name(&v->dev)); >> +??????? if (!wait_for_completion_timeout(&v->completion, >> +??????????????????????? msecs_to_jiffies(1000))) { >> +??????????? dev_warn(&v->dev, >> +???????????????? "%s/dev/%s in use, continue..\n", >> +???????????????? __func__, dev_name(&v->dev)); >> +??????????? break; >> +??????? } >> ????? } while (1); >> ? ????? put_device(&v->dev); >> +??? v->dev_invalid = true; > > > Besides the mapping handling mentioned by Michael. I think this can > lead use-after-free. put_device may release the memory. > > Another fundamental issue, vDPA is the parent of vhost-vDPA device. > I'm not sure the device core can allow the parent to go away first.Or this probably means you need couple the fd loosely with the vhost-vDPA device. Thanks> > Thanks > >