* [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path
@ 2012-11-15 16:43 Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
On error recovery path in function vfio_create_group(), it should
unregister the IOMMU notifier for the new VFIO group. Otherwise it may
cause invalid memory access later when handling bus notifications.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/vfio.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 17830c9..3359ec2 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -191,6 +191,17 @@ static void vfio_container_put(struct vfio_container *container)
kref_put(&container->kref, vfio_container_release);
}
+static void vfio_group_unlock_and_free(struct vfio_group *group)
+{
+ mutex_unlock(&vfio.group_lock);
+ /*
+ * Unregister outside of lock. A spurious callback is harmless now
+ * that the group is no longer in vfio.group_list.
+ */
+ iommu_group_unregister_notifier(group->iommu_group, &group->nb);
+ kfree(group);
+}
+
/**
* Group objects - create, release, get, put, search
*/
@@ -229,8 +240,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
minor = vfio_alloc_group_minor(group);
if (minor < 0) {
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return ERR_PTR(minor);
}
@@ -239,8 +249,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
if (tmp->iommu_group == iommu_group) {
vfio_group_get(tmp);
vfio_free_group_minor(minor);
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return tmp;
}
}
@@ -249,8 +258,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
group, "%d", iommu_group_id(iommu_group));
if (IS_ERR(dev)) {
vfio_free_group_minor(minor);
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return (struct vfio_group *)dev; /* ERR_PTR */
}
@@ -274,16 +282,7 @@ static void vfio_group_release(struct kref *kref)
device_destroy(vfio.class, MKDEV(MAJOR(vfio.devt), group->minor));
list_del(&group->vfio_next);
vfio_free_group_minor(group->minor);
-
- mutex_unlock(&vfio.group_lock);
-
- /*
- * Unregister outside of lock. A spurious callback is harmless now
- * that the group is no longer in vfio.group_list.
- */
- iommu_group_unregister_notifier(group->iommu_group, &group->nb);
-
- kfree(group);
+ vfio_group_unlock_and_free(group);
}
static void vfio_group_put(struct vfio_group *group)
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
@ 2012-11-15 16:43 ` Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
Comments from dev_driver_string(),
/* dev->driver can change to NULL underneath us because of unbinding,
* so be careful about accessing it.
*/
So use ACCESS_ONCE() to guard access to dev->driver field.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/vfio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 3359ec2..0090212 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -465,8 +465,9 @@ static int vfio_dev_viable(struct device *dev, void *data)
{
struct vfio_group *group = data;
struct vfio_device *device;
+ struct device_driver *drv = ACCESS_ONCE(dev->driver);
- if (!dev->driver || vfio_whitelisted_driver(dev->driver))
+ if (!drv || vfio_whitelisted_driver(drv))
return 0;
device = vfio_group_get_device(group, dev);
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init()
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
@ 2012-11-15 16:43 ` Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
The two labels for error recovery in function vfio_pci_init() is out of
order, so fix it.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/pci/vfio_pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 6968b72..d07fb7e 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -563,9 +563,9 @@ static int __init vfio_pci_init(void)
return 0;
-out_virqfd:
- vfio_pci_virqfd_exit();
out_driver:
+ vfio_pci_virqfd_exit();
+out_virqfd:
vfio_pci_uninit_perm_bits();
return ret;
}
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
@ 2012-11-15 18:31 ` Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Alex Williamson @ 2012-11-15 18:31 UTC (permalink / raw)
To: Jiang Liu
Cc: Greg Kroah-Hartman, Jiang Liu, Joerg Roedel, kvm, linux-kernel,
Hanjun Guo
On Fri, 2012-11-16 at 00:43 +0800, Jiang Liu wrote:
> On error recovery path in function vfio_create_group(), it should
> unregister the IOMMU notifier for the new VFIO group. Otherwise it may
> cause invalid memory access later when handling bus notifications.
>
> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
> ---
> drivers/vfio/vfio.c | 31 +++++++++++++++----------------
> 1 file changed, 15 insertions(+), 16 deletions(-)
Applied all 3, thanks!
Alex
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 17830c9..3359ec2 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -191,6 +191,17 @@ static void vfio_container_put(struct vfio_container *container)
> kref_put(&container->kref, vfio_container_release);
> }
>
> +static void vfio_group_unlock_and_free(struct vfio_group *group)
> +{
> + mutex_unlock(&vfio.group_lock);
> + /*
> + * Unregister outside of lock. A spurious callback is harmless now
> + * that the group is no longer in vfio.group_list.
> + */
> + iommu_group_unregister_notifier(group->iommu_group, &group->nb);
> + kfree(group);
> +}
> +
> /**
> * Group objects - create, release, get, put, search
> */
> @@ -229,8 +240,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
>
> minor = vfio_alloc_group_minor(group);
> if (minor < 0) {
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return ERR_PTR(minor);
> }
>
> @@ -239,8 +249,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
> if (tmp->iommu_group == iommu_group) {
> vfio_group_get(tmp);
> vfio_free_group_minor(minor);
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return tmp;
> }
> }
> @@ -249,8 +258,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
> group, "%d", iommu_group_id(iommu_group));
> if (IS_ERR(dev)) {
> vfio_free_group_minor(minor);
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return (struct vfio_group *)dev; /* ERR_PTR */
> }
>
> @@ -274,16 +282,7 @@ static void vfio_group_release(struct kref *kref)
> device_destroy(vfio.class, MKDEV(MAJOR(vfio.devt), group->minor));
> list_del(&group->vfio_next);
> vfio_free_group_minor(group->minor);
> -
> - mutex_unlock(&vfio.group_lock);
> -
> - /*
> - * Unregister outside of lock. A spurious callback is harmless now
> - * that the group is no longer in vfio.group_list.
> - */
> - iommu_group_unregister_notifier(group->iommu_group, &group->nb);
> -
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> }
>
> static void vfio_group_put(struct vfio_group *group)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-11-15 18:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.