[PATCH v2 0/2] Drivers: vmbus: Fix rescind handling in uio_hv_generic

[PATCH v2 0/2] Drivers: vmbus: Fix rescind handling in uio_hv_generic

[Naman Jain]

Fix a few issues in rescind handling in uio_hv_generic driver.
Patches are based on latest linux-next tip.

Steps to reproduce issue:
* Probe uio_hv_generic driver and create channels to use fcopy
* Disable the guest service on host and then Enable it.
or
* repeatedly do cat "/dev/uioX" on the device created for fcopy.

Changes since v1:
https://lore.kernel.org/all/20240822110912.13735-1-namjain@linux.microsoft.com/
* Added stable kernel list to cc
* Updated commit messages for more information
* Explicitly handle rescind callback for primary channel only, and add
  comment: Saurabh, Michael.
* Rebase to latest tip.

Naman Jain (1):
  Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic

Saurabh Sengar (1):
  uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind

 drivers/hv/vmbus_drv.c       |  1 +
 drivers/uio/uio_hv_generic.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)


base-commit: 195a402a75791e6e0d96d9da27ca77671bc656a8
-- 
2.34.1

[PATCH v2 1/2] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind

[Naman Jain]

From: Saurabh Sengar <ssengar@linux.microsoft.com>

For primary VM Bus channels, primary_channel pointer is always NULL. This
pointer is valid only for the secondary channels. Also, rescind callback
is meant for primary channels only.

Fix NULL pointer dereference by retrieving the device_obj from the parent
for the primary channel.

Cc: stable@vger.kernel.org
Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
---
 drivers/uio/uio_hv_generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
index b45653752301..e3e66a3e85a8 100644
--- a/drivers/uio/uio_hv_generic.c
+++ b/drivers/uio/uio_hv_generic.c
@@ -106,10 +106,11 @@ static void hv_uio_channel_cb(void *context)
 
 /*
  * Callback from vmbus_event when channel is rescinded.
+ * It is meant for rescind of primary channels only.
  */
 static void hv_uio_rescind(struct vmbus_channel *channel)
 {
-	struct hv_device *hv_dev = channel->primary_channel->device_obj;
+	struct hv_device *hv_dev = channel->device_obj;
 	struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
 
 	/*
-- 
2.34.1

[PATCH v2 2/2] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic

[Naman Jain]

Rescind offer handling relies on rescind callbacks for some of the
resources cleanup, if they are registered. It does not unregister
vmbus device for the primary channel closure, when callback is
registered. Without it, next onoffer does not come, rescind flag
remains set and device goes to unusable state.

Add logic to unregister vmbus for the primary channel in rescind callback
to ensure channel removal and relid release, and to ensure that next
onoffer can be received and handled properly.

Cc: stable@vger.kernel.org
Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
---
 drivers/hv/vmbus_drv.c       | 1 +
 drivers/uio/uio_hv_generic.c | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 7242c4920427..c405295b930a 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -1980,6 +1980,7 @@ void vmbus_device_unregister(struct hv_device *device_obj)
 	 */
 	device_unregister(&device_obj->device);
 }
+EXPORT_SYMBOL_GPL(vmbus_device_unregister);
 
 #ifdef CONFIG_ACPI
 /*
diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
index e3e66a3e85a8..870409599411 100644
--- a/drivers/uio/uio_hv_generic.c
+++ b/drivers/uio/uio_hv_generic.c
@@ -121,6 +121,14 @@ static void hv_uio_rescind(struct vmbus_channel *channel)
 
 	/* Wake up reader */
 	uio_event_notify(&pdata->info);
+
+	/*
+	 * With rescind callback registered, rescind path will not unregister the device
+	 * from vmbus when the primary channel is rescinded.
+	 * Without it, rescind handling is incomplete and next onoffer msg does not come.
+	 * Unregister the device from vmbus here.
+	 */
+	vmbus_device_unregister(channel->device_obj);
 }
 
 /* Sysfs API to allow mmap of the ring buffers
-- 
2.34.1

Re: [PATCH v2 2/2] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic

[Saurabh Singh Sengar]

On Thu, Aug 29, 2024 at 12:43:12PM +0530, Naman Jain wrote:
> Rescind offer handling relies on rescind callbacks for some of the
> resources cleanup, if they are registered. It does not unregister
> vmbus device for the primary channel closure, when callback is
> registered. Without it, next onoffer does not come, rescind flag
> remains set and device goes to unusable state.
> 
> Add logic to unregister vmbus for the primary channel in rescind callback
> to ensure channel removal and relid release, and to ensure that next
> onoffer can be received and handled properly.
> 
> Cc: stable@vger.kernel.org
> Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
> Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
> ---
>  drivers/hv/vmbus_drv.c       | 1 +
>  drivers/uio/uio_hv_generic.c | 8 ++++++++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 7242c4920427..c405295b930a 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -1980,6 +1980,7 @@ void vmbus_device_unregister(struct hv_device *device_obj)
>  	 */
>  	device_unregister(&device_obj->device);
>  }
> +EXPORT_SYMBOL_GPL(vmbus_device_unregister);
>  
>  #ifdef CONFIG_ACPI
>  /*
> diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> index e3e66a3e85a8..870409599411 100644
> --- a/drivers/uio/uio_hv_generic.c
> +++ b/drivers/uio/uio_hv_generic.c
> @@ -121,6 +121,14 @@ static void hv_uio_rescind(struct vmbus_channel *channel)
>  
>  	/* Wake up reader */
>  	uio_event_notify(&pdata->info);
> +
> +	/*
> +	 * With rescind callback registered, rescind path will not unregister the device
> +	 * from vmbus when the primary channel is rescinded.
> +	 * Without it, rescind handling is incomplete and next onoffer msg does not come.
> +	 * Unregister the device from vmbus here.
> +	 */
> +	vmbus_device_unregister(channel->device_obj);
>  }
>  
>  /* Sysfs API to allow mmap of the ring buffers
> -- 
> 2.34.1
>

For the series,
Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com> 

Re: [PATCH v2 2/2] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic

[Wei Liu]

On Thu, Aug 29, 2024 at 06:40:16AM -0700, Saurabh Singh Sengar wrote:
> On Thu, Aug 29, 2024 at 12:43:12PM +0530, Naman Jain wrote:
> > Rescind offer handling relies on rescind callbacks for some of the
> > resources cleanup, if they are registered. It does not unregister
> > vmbus device for the primary channel closure, when callback is
> > registered. Without it, next onoffer does not come, rescind flag
> > remains set and device goes to unusable state.
> > 
> > Add logic to unregister vmbus for the primary channel in rescind callback
> > to ensure channel removal and relid release, and to ensure that next
> > onoffer can be received and handled properly.
> > 
> > Cc: stable@vger.kernel.org
> > Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
> > Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
> > ---
> >  drivers/hv/vmbus_drv.c       | 1 +
> >  drivers/uio/uio_hv_generic.c | 8 ++++++++
> >  2 files changed, 9 insertions(+)
> > 
> > diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> > index 7242c4920427..c405295b930a 100644
> > --- a/drivers/hv/vmbus_drv.c
> > +++ b/drivers/hv/vmbus_drv.c
> > @@ -1980,6 +1980,7 @@ void vmbus_device_unregister(struct hv_device *device_obj)
> >  	 */
> >  	device_unregister(&device_obj->device);
> >  }
> > +EXPORT_SYMBOL_GPL(vmbus_device_unregister);
> >  
> >  #ifdef CONFIG_ACPI
> >  /*
> > diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> > index e3e66a3e85a8..870409599411 100644
> > --- a/drivers/uio/uio_hv_generic.c
> > +++ b/drivers/uio/uio_hv_generic.c
> > @@ -121,6 +121,14 @@ static void hv_uio_rescind(struct vmbus_channel *channel)
> >  
> >  	/* Wake up reader */
> >  	uio_event_notify(&pdata->info);
> > +
> > +	/*
> > +	 * With rescind callback registered, rescind path will not unregister the device
> > +	 * from vmbus when the primary channel is rescinded.
> > +	 * Without it, rescind handling is incomplete and next onoffer msg does not come.
> > +	 * Unregister the device from vmbus here.
> > +	 */
> > +	vmbus_device_unregister(channel->device_obj);
> >  }
> >  
> >  /* Sysfs API to allow mmap of the ring buffers
> > -- 
> > 2.34.1
> >
> 
> For the series,
> Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com> 

Applied to hyperv-fixes, thanks.

> 

Re: [PATCH v2 2/2] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic

[Wei Liu]

On Thu, Sep 05, 2024 at 07:30:10AM +0000, Wei Liu wrote:
> On Thu, Aug 29, 2024 at 06:40:16AM -0700, Saurabh Singh Sengar wrote:
> > On Thu, Aug 29, 2024 at 12:43:12PM +0530, Naman Jain wrote:
> > > Rescind offer handling relies on rescind callbacks for some of the
> > > resources cleanup, if they are registered. It does not unregister
> > > vmbus device for the primary channel closure, when callback is
> > > registered. Without it, next onoffer does not come, rescind flag
> > > remains set and device goes to unusable state.
> > > 
> > > Add logic to unregister vmbus for the primary channel in rescind callback
> > > to ensure channel removal and relid release, and to ensure that next
> > > onoffer can be received and handled properly.
> > > 
> > > Cc: stable@vger.kernel.org
> > > Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
> > > Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
> > > ---
> > >  drivers/hv/vmbus_drv.c       | 1 +
> > >  drivers/uio/uio_hv_generic.c | 8 ++++++++
> > >  2 files changed, 9 insertions(+)
> > > 
> > > diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> > > index 7242c4920427..c405295b930a 100644
> > > --- a/drivers/hv/vmbus_drv.c
> > > +++ b/drivers/hv/vmbus_drv.c
> > > @@ -1980,6 +1980,7 @@ void vmbus_device_unregister(struct hv_device *device_obj)
> > >  	 */
> > >  	device_unregister(&device_obj->device);
> > >  }
> > > +EXPORT_SYMBOL_GPL(vmbus_device_unregister);
> > >  
> > >  #ifdef CONFIG_ACPI
> > >  /*
> > > diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> > > index e3e66a3e85a8..870409599411 100644
> > > --- a/drivers/uio/uio_hv_generic.c
> > > +++ b/drivers/uio/uio_hv_generic.c
> > > @@ -121,6 +121,14 @@ static void hv_uio_rescind(struct vmbus_channel *channel)
> > >  
> > >  	/* Wake up reader */
> > >  	uio_event_notify(&pdata->info);
> > > +
> > > +	/*
> > > +	 * With rescind callback registered, rescind path will not unregister the device
> > > +	 * from vmbus when the primary channel is rescinded.
> > > +	 * Without it, rescind handling is incomplete and next onoffer msg does not come.
> > > +	 * Unregister the device from vmbus here.
> > > +	 */
> > > +	vmbus_device_unregister(channel->device_obj);
> > >  }
> > >  
> > >  /* Sysfs API to allow mmap of the ring buffers
> > > -- 
> > > 2.34.1
> > >
> > 
> > For the series,
> > Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com> 
> 
> Applied to hyperv-fixes, thanks.

Since Greg has already applied this series, I am dropping them from my
tree.

> 
> >