From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Sjur Brændeland" <sjurbren@gmail.com>
Cc: linux-kernel@vger.kernel.org, "Guzman Lugo,
Fernadndo" <fernando.lugo@ti.com>,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH] virtio: Don't access device data after unregistration.
Date: Mon, 3 Sep 2012 23:18:47 +0300
Message-ID: <20120903201847.GC6181@redhat.com>
In-Reply-To: <CAJK669aRsbOOmjmT+K8OHYvenOhkYWuSOx6nBM7hxC_C4mmw-g@mail.gmail.com>
On Mon, Sep 03, 2012 at 04:50:10PM +0200, Sjur Brændeland wrote:
> Hi Michael,
>
> >> Fix panic in virtio.c when CONFIG_DEBUG_SLAB is set.
> >
> > What's the root cause of the panic?
>
> I believe the cause of the panic is calling
> ida_simple_remove(&virtio_index_ida, dev->index);
> when the dev structure is "poisoned" after kfree.
> It might be the "BUG_ON((int)id < 0)" that bites...
>
> >> Use device_del() and put_device() instead of
> >> device_unregister(), and access device data before
> >> calling put_device().
>
> > Why does this help? Does device_unregister free the
> > device so dev->index access crashes?
>
> Yes, if device ref-count is one when calling unregister
> the device is freed.
Interesting. Where exactly? Note that:
struct rproc_vdev {
struct list_head node;
struct rproc *rproc;
struct virtio_device vdev;
struct rproc_vring vring[RVDEV_NUM_VRINGS];
unsigned long dfeatures;
unsigned long gfeatures;
};
kfree(&proc_vdev->vdev) is unlikely to be the right thing to do.
> > If yes virtio_pci_remove will crash too
> > as it accesses the device after the
> > call to unregister_virtio_device so the
> > fix won't be effective.
>
> I discovered this using the remoteproc framework.
> It might be that device is unregistered with ref-count greater
> than one normally, in that case this bug will not show up.
>
> Regards,
> Sjur
It might be remoteproc has an unrelated bug?
--
MST
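A user-space model of the ordering the thread is arguing about, added here as an illustration and not code from the thread, from virtio or from the kernel's device core: device_unregister() is device_del() followed by put_device(), the last put runs release(), and the poisoning stands in for CONFIG_DEBUG_SLAB. The struct layout, the helper names, POISON_FREE and run() are all assumptions of this model.

```c
/* Added example (not from the thread): a user-space model of the ordering bug.
 * device_unregister() is device_del() + put_device(); when the last reference
 * goes, release() frees the containing object. Here release() poisons the
 * object with 0x6b, as CONFIG_DEBUG_SLAB does, instead of really freeing it,
 * so the stale read of dev->index stays observable and well defined. */
#include <string.h>

#define POISON_FREE 0x6b   /* byte CONFIG_DEBUG_SLAB writes into freed objects */

struct device {
    int refcount;
    int index;             /* the index handed to the ida at registration */
    void (*release)(struct device *);
};

static int last_ida_removed = -1;   /* id last passed to the ida_simple_remove stand-in */

static void fake_release(struct device *dev) { memset(dev, POISON_FREE, sizeof(*dev)); }
static void device_del(struct device *dev) { (void)dev; /* sysfs teardown, etc. */ }
static void put_device(struct device *dev) { if (--dev->refcount == 0) dev->release(dev); }
static void device_unregister(struct device *dev) { device_del(dev); put_device(dev); }
static void ida_simple_remove(int id) { last_ida_removed = id; }

/* The pattern the patch fixes: the index is read after the object may be gone. */
int unregister_buggy(struct device *dev)
{
    device_unregister(dev);
    ida_simple_remove(dev->index);   /* use-after-free when the refcount was 1 */
    return last_ida_removed;
}

/* The patched ordering: save what is needed, then drop the reference last. */
int unregister_fixed(struct device *dev)
{
    int index = dev->index;
    device_del(dev);
    ida_simple_remove(index);
    put_device(dev);
    return last_ida_removed;
}

/* Drives either ordering on a device holding `refcount` references; we drop one.
 * Returns the id that reached ida_simple_remove: the real index (3) unless the
 * buggy ordering ran on a device whose only reference was ours (0x6b6b6b6b). */
int run(int fixed, int refcount)
{
    struct device dev = { .refcount = refcount, .index = 3, .release = fake_release };
    return fixed ? unregister_fixed(&dev) : unregister_buggy(&dev);
}
```

With a refcount above one the buggy ordering still passes the right index, which is the case Sjur describes where the bug does not show up.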