From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zeng Tao <prime.zeng@hisilicon.com>, Qian Cai <cai@lca.pw>,
Alex Williamson <alex.williamson@redhat.com>,
Sasha Levin <sashal@kernel.org>,
kvm@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 90/90] vfio/pci: fix racy on error and request eventfd ctx
Date: Thu, 17 Sep 2020 22:14:55 -0400 [thread overview]
Message-ID: <20200918021455.2067301-90-sashal@kernel.org> (raw)
In-Reply-To: <20200918021455.2067301-1-sashal@kernel.org>
From: Zeng Tao <prime.zeng@hisilicon.com>
[ Upstream commit b872d0640840018669032b20b6375a478ed1f923 ]
The vfio_pci_release call will free and clear the error and request
eventfd ctx while these ctx could be in use at the same time in the
function like vfio_pci_request, and it's expected to protect them under
the vdev->igate mutex, which is missing in vfio_pci_release.
This issue is introduced since commit 1518ac272e78 ("vfio/pci: fix memory
leaks of eventfd ctx"),and since commit 5c5866c593bb ("vfio/pci: Clear
error and request eventfd ctx after releasing"), it's very easily to
trigger the kernel panic like this:
[ 9513.904346] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 9513.913091] Mem abort info:
[ 9513.915871] ESR = 0x96000006
[ 9513.918912] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9513.924198] SET = 0, FnV = 0
[ 9513.927238] EA = 0, S1PTW = 0
[ 9513.930364] Data abort info:
[ 9513.933231] ISV = 0, ISS = 0x00000006
[ 9513.937048] CM = 0, WnR = 0
[ 9513.940003] user pgtable: 4k pages, 48-bit VAs, pgdp=0000007ec7d12000
[ 9513.946414] [0000000000000008] pgd=0000007ec7d13003, p4d=0000007ec7d13003, pud=0000007ec728c003, pmd=0000000000000000
[ 9513.956975] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 9513.962521] Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio hclge hns3 hnae3 [last unloaded: vfio_pci]
[ 9513.972998] CPU: 4 PID: 1327 Comm: bash Tainted: G W 5.8.0-rc4+ #3
[ 9513.980443] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B270.01 05/08/2020
[ 9513.989274] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
[ 9513.994827] pc : _raw_spin_lock_irqsave+0x48/0x88
[ 9513.999515] lr : eventfd_signal+0x6c/0x1b0
[ 9514.003591] sp : ffff800038a0b960
[ 9514.006889] x29: ffff800038a0b960 x28: ffff007ef7f4da10
[ 9514.012175] x27: ffff207eefbbfc80 x26: ffffbb7903457000
[ 9514.017462] x25: ffffbb7912191000 x24: ffff007ef7f4d400
[ 9514.022747] x23: ffff20be6e0e4c00 x22: 0000000000000008
[ 9514.028033] x21: 0000000000000000 x20: 0000000000000000
[ 9514.033321] x19: 0000000000000008 x18: 0000000000000000
[ 9514.038606] x17: 0000000000000000 x16: ffffbb7910029328
[ 9514.043893] x15: 0000000000000000 x14: 0000000000000001
[ 9514.049179] x13: 0000000000000000 x12: 0000000000000002
[ 9514.054466] x11: 0000000000000000 x10: 0000000000000a00
[ 9514.059752] x9 : ffff800038a0b840 x8 : ffff007ef7f4de60
[ 9514.065038] x7 : ffff007fffc96690 x6 : fffffe01faffb748
[ 9514.070324] x5 : 0000000000000000 x4 : 0000000000000000
[ 9514.075609] x3 : 0000000000000000 x2 : 0000000000000001
[ 9514.080895] x1 : ffff007ef7f4d400 x0 : 0000000000000000
[ 9514.086181] Call trace:
[ 9514.088618] _raw_spin_lock_irqsave+0x48/0x88
[ 9514.092954] eventfd_signal+0x6c/0x1b0
[ 9514.096691] vfio_pci_request+0x84/0xd0 [vfio_pci]
[ 9514.101464] vfio_del_group_dev+0x150/0x290 [vfio]
[ 9514.106234] vfio_pci_remove+0x30/0x128 [vfio_pci]
[ 9514.111007] pci_device_remove+0x48/0x108
[ 9514.115001] device_release_driver_internal+0x100/0x1b8
[ 9514.120200] device_release_driver+0x28/0x38
[ 9514.124452] pci_stop_bus_device+0x68/0xa8
[ 9514.128528] pci_stop_and_remove_bus_device+0x20/0x38
[ 9514.133557] pci_iov_remove_virtfn+0xb4/0x128
[ 9514.137893] sriov_disable+0x3c/0x108
[ 9514.141538] pci_disable_sriov+0x28/0x38
[ 9514.145445] hns3_pci_sriov_configure+0x48/0xb8 [hns3]
[ 9514.150558] sriov_numvfs_store+0x110/0x198
[ 9514.154724] dev_attr_store+0x44/0x60
[ 9514.158373] sysfs_kf_write+0x5c/0x78
[ 9514.162018] kernfs_fop_write+0x104/0x210
[ 9514.166010] __vfs_write+0x48/0x90
[ 9514.169395] vfs_write+0xbc/0x1c0
[ 9514.172694] ksys_write+0x74/0x100
[ 9514.176079] __arm64_sys_write+0x24/0x30
[ 9514.179987] el0_svc_common.constprop.4+0x110/0x200
[ 9514.184842] do_el0_svc+0x34/0x98
[ 9514.188144] el0_svc+0x14/0x40
[ 9514.191185] el0_sync_handler+0xb0/0x2d0
[ 9514.195088] el0_sync+0x140/0x180
[ 9514.198389] Code: b9001020 d2800000 52800022 f9800271 (885ffe61)
[ 9514.204455] ---[ end trace 648de00c8406465f ]---
[ 9514.212308] note: bash[1327] exited with preempt_count 1
Cc: Qian Cai <cai@lca.pw>
Cc: Alex Williamson <alex.williamson@redhat.com>
Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx")
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index c08cff0ca08df..237d5aceb302d 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -392,14 +392,19 @@ static void vfio_pci_release(void *device_data)
if (!(--vdev->refcnt)) {
vfio_spapr_pci_eeh_release(vdev->pdev);
vfio_pci_disable(vdev);
+ mutex_lock(&vdev->igate);
if (vdev->err_trigger) {
eventfd_ctx_put(vdev->err_trigger);
vdev->err_trigger = NULL;
}
+ mutex_unlock(&vdev->igate);
+
+ mutex_lock(&vdev->igate);
if (vdev->req_trigger) {
eventfd_ctx_put(vdev->req_trigger);
vdev->req_trigger = NULL;
}
+ mutex_unlock(&vdev->igate);
}
mutex_unlock(&driver_lock);
--
2.25.1
prev parent reply other threads:[~2020-09-18 2:16 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-18 2:13 [PATCH AUTOSEL 4.9 01/90] scsi: aacraid: fix illegal IO beyond last LBA Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 02/90] m68k: q40: Fix info-leak in rtc_ioctl Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 03/90] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 04/90] ASoC: kirkwood: fix IRQ error handling Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 05/90] ata: sata_mv, avoid trigerrable BUG_ON Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 06/90] PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 07/90] clk/ti/adpll: allocate room for terminating null Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 08/90] mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup() Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 09/90] mfd: mfd-core: Protect against NULL call-back function pointer Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 10/90] tracing: Adding NULL checks for trace_array descriptor pointer Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 11/90] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 12/90] RDMA/i40iw: Fix potential use after free Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 13/90] xfs: fix attr leaf header freemap.size underflow Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 14/90] RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 15/90] debugfs: Fix !DEBUG_FS debugfs_create_automount Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 16/90] CIFS: Properly process SMB3 lease breaks Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 17/90] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 18/90] neigh_stat_seq_next() should increase position index Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 19/90] rt_cpu_seq_next " Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 20/90] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 21/90] media: ti-vpe: cal: Restrict DMA to avoid memory corruption Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 22/90] ACPI: EC: Reference count query handlers under lock Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 23/90] efi/arm: Defer probe of PCIe backed efifb on DT systems Sasha Levin
2020-09-18 6:25 ` Ard Biesheuvel
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 24/90] dmaengine: zynqmp_dma: fix burst length configuration Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 25/90] tracing: Set kernel_stack's caller size properly Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 26/90] ext4: make dioread_nolock the default Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 27/90] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 28/90] Bluetooth: Fix refcount use-after-free issue Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 29/90] mm: pagewalk: fix termination condition in walk_pte_range() Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 30/90] Bluetooth: prefetch channel before killing sock Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 31/90] KVM: fix overflow of zero page refcount with ksm running Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 32/90] ALSA: hda: Clear RIRB status before reading WP Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 33/90] skbuff: fix a data race in skb_queue_len() Sasha Levin
2020-09-18 2:13 ` [PATCH AUTOSEL 4.9 34/90] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 35/90] selinux: sel_avc_get_stat_idx should increase position index Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 36/90] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 37/90] scsi: lpfc: Fix coverity errors in fmdi attribute handling Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 38/90] drm/omap: fix possible object reference leak Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 39/90] RDMA/rxe: Fix configuration of atomic queue pair attributes Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 40/90] KVM: x86: fix incorrect comparison in trace event Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 41/90] x86/pkeys: Add check for pkey "overflow" Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 42/90] bpf: Remove recursion prevention from rcu free callback Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 43/90] dmaengine: tegra-apb: Prevent race conditions on channel's freeing Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 44/90] media: go7007: Fix URB type for interrupt handling Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 45/90] Bluetooth: guard against controllers sending zero'd events Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 46/90] timekeeping: Prevent 32bit truncation in scale64_check_overflow() Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 47/90] drm/amdgpu: increase atombios cmd timeout Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 48/90] Bluetooth: L2CAP: handle l2cap config request during open state Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 49/90] media: tda10071: fix unsigned sign extension overflow Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 50/90] xfs: don't ever return a stale pointer from __xfs_dir3_free_read Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 51/90] tpm: ibmvtpm: Wait for buffer to be set before proceeding Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 52/90] tracing: Use address-of operator on section symbols Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 53/90] serial: 8250_port: Don't service RX FIFO if throttled Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 54/90] serial: 8250_omap: Fix sleeping function called from invalid context during probe Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 55/90] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 56/90] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 57/90] tools: gpio-hammer: Avoid potential overflow in main Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 58/90] SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 59/90] svcrdma: Fix leak of transport addresses Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 60/90] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 61/90] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 62/90] mm/filemap.c: clear page error before actual read Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 63/90] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 64/90] serial: uartps: Wait for tx_empty in console setup Sasha Levin
2020-09-28 20:11 ` Naresh Kamboju
2020-09-28 20:13 ` Naresh Kamboju
2020-09-29 6:59 ` Greg Kroah-Hartman
2020-09-29 17:39 ` Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 65/90] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 66/90] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 67/90] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 68/90] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 69/90] atm: fix a memory leak of vcc->user_back Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 70/90] phy: samsung: s5pv210-usb2: Add delay after reset Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 71/90] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 72/90] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 73/90] tty: serial: samsung: Correct clock selection logic Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 74/90] ALSA: hda: Fix potential race in unsol event handler Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 75/90] fuse: don't check refcount after stealing page Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 76/90] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 77/90] e1000: Do not perform reset in reset_task if we are already down Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 78/90] printk: handle blank console arguments passed in Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 79/90] btrfs: don't force read-only after error in drop snapshot Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 80/90] vfio/pci: fix memory leaks of eventfd ctx Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 81/90] perf util: Fix memory leak of prefix_if_not_in Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 82/90] perf kcore_copy: Fix module map when there are no modules loaded Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 83/90] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 84/90] ceph: fix potential race in ceph_check_caps Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 85/90] mtd: parser: cmdline: Support MTD names containing one or more colons Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 86/90] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 87/90] vfio/pci: Clear error and request eventfd ctx after releasing Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 88/90] cifs: Fix double add page to memcg when cifs_readpages Sasha Levin
2020-09-18 2:14 ` [PATCH AUTOSEL 4.9 89/90] selftests/x86/syscall_nt: Clear weird flags after each test Sasha Levin
2020-09-18 2:14 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200918021455.2067301-90-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alex.williamson@redhat.com \
--cc=cai@lca.pw \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=prime.zeng@hisilicon.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox