From: "Michael S. Tsirkin" <mst@redhat.com>
To: gautam.dawar@xilinx.com
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, gdawar@xilinx.com,
virtualization@lists.linux-foundation.org, martinh@xilinx.com,
hanand@xilinx.com
Subject: Re: [RFC PATCH] vhost-vdpa: mark vhost device invalid to reflect vdpa device unregistration
Date: Sun, 4 Jul 2021 17:50:14 -0400 [thread overview]
Message-ID: <20210704174856-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20210704205205.6132-1-gdawar@xilinx.com>
On Mon, Jul 05, 2021 at 02:22:04AM +0530, gautam.dawar@xilinx.com wrote:
> From: Gautam Dawar <gdawar@xilinx.com>
>
> As mentioned in Bug 213179, any malicious user-space application can render
> a module registering a vDPA device to hang forever. This will typically
> surface when vdpa_device_unregister() is called from the function
> responsible for module unload, leading rmmod commands to not return.
>
> This patch unblocks the caller module by continuing with the clean-up
> but after marking the vhost device as unavailable. For future requests
> from user-space application, the vhost device availability is checked
> first and if it has gone unavailable, such requests are denied.
>
> Signed-off-by: Gautam Dawar <gdawar@xilinx.com>
I don't seem mappings handled below. Did I miss it?
> ---
> drivers/vhost/vdpa.c | 45 ++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 39 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index e4b7d26649d8..623bc7f0c0ca 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -47,6 +47,7 @@ struct vhost_vdpa {
> int minor;
> struct eventfd_ctx *config_ctx;
> int in_batch;
> + int dev_invalid;
> struct vdpa_iova_range range;
> };
>
> @@ -61,6 +62,11 @@ static void handle_vq_kick(struct vhost_work *work)
> struct vhost_vdpa *v = container_of(vq->dev, struct vhost_vdpa, vdev);
> const struct vdpa_config_ops *ops = v->vdpa->config;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return;
> + }
> ops->kick_vq(v->vdpa, vq - v->vqs);
> }
>
> @@ -120,6 +126,11 @@ static void vhost_vdpa_reset(struct vhost_vdpa *v)
> {
> struct vdpa_device *vdpa = v->vdpa;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return;
> + }
> vdpa_reset(vdpa);
> v->in_batch = 0;
> }
> @@ -367,6 +378,11 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
> u32 idx;
> long r;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
> r = get_user(idx, (u32 __user *)argp);
> if (r < 0)
> return r;
> @@ -450,6 +466,11 @@ static long vhost_vdpa_unlocked_ioctl(struct file *filep,
> return 0;
> }
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
> mutex_lock(&d->mutex);
>
> switch (cmd) {
> @@ -745,8 +766,13 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
> const struct vdpa_config_ops *ops = vdpa->config;
> int r = 0;
>
> - mutex_lock(&dev->mutex);
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
>
> + mutex_lock(&dev->mutex);
> r = vhost_dev_check_owner(dev);
> if (r)
> goto unlock;
> @@ -949,6 +975,11 @@ static vm_fault_t vhost_vdpa_fault(struct vm_fault *vmf)
> struct vm_area_struct *vma = vmf->vma;
> u16 index = vma->vm_pgoff;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return VM_FAULT_NOPAGE;
> + }
> notify = ops->get_vq_notification(vdpa, index);
>
> vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> @@ -1091,11 +1122,13 @@ static void vhost_vdpa_remove(struct vdpa_device *vdpa)
> opened = atomic_cmpxchg(&v->opened, 0, 1);
> if (!opened)
> break;
> - wait_for_completion_timeout(&v->completion,
> - msecs_to_jiffies(1000));
> - dev_warn_once(&v->dev,
> - "%s waiting for /dev/%s to be closed\n",
> - __func__, dev_name(&v->dev));
> + if (!wait_for_completion_timeout(&v->completion,
> + msecs_to_jiffies(1000))) {
> + dev_warn(&v->dev,
> + "%s /dev/%s in use, continue..\n",
> + __func__, dev_name(&v->dev));
> + break;
> + }
When you have an arbitrary timeout you know something's not entirely
robust ...
> } while (1);
>
> put_device(&v->dev);
> + v->dev_invalid = true;
> --
> 2.30.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
WARNING: multiple messages have this Message-ID (diff)
From: "Michael S. Tsirkin" <mst@redhat.com>
To: gautam.dawar@xilinx.com
Cc: martinh@xilinx.com, hanand@xilinx.com, gdawar@xilinx.com,
Jason Wang <jasowang@redhat.com>,
kvm@vger.kernel.org, virtualization@lists.linux-foundation.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] vhost-vdpa: mark vhost device invalid to reflect vdpa device unregistration
Date: Sun, 4 Jul 2021 17:50:14 -0400 [thread overview]
Message-ID: <20210704174856-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20210704205205.6132-1-gdawar@xilinx.com>
On Mon, Jul 05, 2021 at 02:22:04AM +0530, gautam.dawar@xilinx.com wrote:
> From: Gautam Dawar <gdawar@xilinx.com>
>
> As mentioned in Bug 213179, any malicious user-space application can render
> a module registering a vDPA device to hang forever. This will typically
> surface when vdpa_device_unregister() is called from the function
> responsible for module unload, leading rmmod commands to not return.
>
> This patch unblocks the caller module by continuing with the clean-up
> but after marking the vhost device as unavailable. For future requests
> from user-space application, the vhost device availability is checked
> first and if it has gone unavailable, such requests are denied.
>
> Signed-off-by: Gautam Dawar <gdawar@xilinx.com>
I don't seem mappings handled below. Did I miss it?
> ---
> drivers/vhost/vdpa.c | 45 ++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 39 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index e4b7d26649d8..623bc7f0c0ca 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -47,6 +47,7 @@ struct vhost_vdpa {
> int minor;
> struct eventfd_ctx *config_ctx;
> int in_batch;
> + int dev_invalid;
> struct vdpa_iova_range range;
> };
>
> @@ -61,6 +62,11 @@ static void handle_vq_kick(struct vhost_work *work)
> struct vhost_vdpa *v = container_of(vq->dev, struct vhost_vdpa, vdev);
> const struct vdpa_config_ops *ops = v->vdpa->config;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return;
> + }
> ops->kick_vq(v->vdpa, vq - v->vqs);
> }
>
> @@ -120,6 +126,11 @@ static void vhost_vdpa_reset(struct vhost_vdpa *v)
> {
> struct vdpa_device *vdpa = v->vdpa;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return;
> + }
> vdpa_reset(vdpa);
> v->in_batch = 0;
> }
> @@ -367,6 +378,11 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
> u32 idx;
> long r;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
> r = get_user(idx, (u32 __user *)argp);
> if (r < 0)
> return r;
> @@ -450,6 +466,11 @@ static long vhost_vdpa_unlocked_ioctl(struct file *filep,
> return 0;
> }
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
> mutex_lock(&d->mutex);
>
> switch (cmd) {
> @@ -745,8 +766,13 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
> const struct vdpa_config_ops *ops = vdpa->config;
> int r = 0;
>
> - mutex_lock(&dev->mutex);
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return -ENODEV;
> + }
>
> + mutex_lock(&dev->mutex);
> r = vhost_dev_check_owner(dev);
> if (r)
> goto unlock;
> @@ -949,6 +975,11 @@ static vm_fault_t vhost_vdpa_fault(struct vm_fault *vmf)
> struct vm_area_struct *vma = vmf->vma;
> u16 index = vma->vm_pgoff;
>
> + if (v->dev_invalid) {
> + dev_info(&v->dev,
> + "%s: vhost_vdpa device unavailable\n", __func__);
> + return VM_FAULT_NOPAGE;
> + }
> notify = ops->get_vq_notification(vdpa, index);
>
> vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> @@ -1091,11 +1122,13 @@ static void vhost_vdpa_remove(struct vdpa_device *vdpa)
> opened = atomic_cmpxchg(&v->opened, 0, 1);
> if (!opened)
> break;
> - wait_for_completion_timeout(&v->completion,
> - msecs_to_jiffies(1000));
> - dev_warn_once(&v->dev,
> - "%s waiting for /dev/%s to be closed\n",
> - __func__, dev_name(&v->dev));
> + if (!wait_for_completion_timeout(&v->completion,
> + msecs_to_jiffies(1000))) {
> + dev_warn(&v->dev,
> + "%s /dev/%s in use, continue..\n",
> + __func__, dev_name(&v->dev));
> + break;
> + }
When you have an arbitrary timeout you know something's not entirely
robust ...
> } while (1);
>
> put_device(&v->dev);
> + v->dev_invalid = true;
> --
> 2.30.1
next prev parent reply other threads:[~2021-07-04 21:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-04 20:52 [RFC PATCH] vhost-vdpa: mark vhost device invalid to reflect vdpa device unregistration gautam.dawar
2021-07-04 21:50 ` Michael S. Tsirkin [this message]
2021-07-04 21:50 ` Michael S. Tsirkin
2021-07-05 3:48 ` Jason Wang
2021-07-05 3:48 ` Jason Wang
2021-07-05 5:11 ` Jason Wang
2021-07-05 5:11 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210704174856-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=gautam.dawar@xilinx.com \
--cc=gdawar@xilinx.com \
--cc=hanand@xilinx.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martinh@xilinx.com \
--cc=netdev@vger.kernel.org \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.