[Qemu-devel] [PATCH 0/2] vhost-user: fix crashes on disconnect when iommu is on

From: Maxime Coquelin
Date: 2017-06-30 16:04 UTC
To: jasowang, mlureau, qemu-devel, mst
Cc: Maxime Coquelin

This two-patch series aims at fixing a couple of crashes that happen when the vhost-user socket is closed and iommu is enabled.

Maxime Coquelin (2):
  vhost: ensure vhost_ops are set before calling iotlb callback
  vhost-user: unregister slave req handler at cleanup time

 hw/virtio/vhost-backend.c | 10 ++++++++--
 hw/virtio/vhost-user.c    |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

-- 
2.9.4
[Qemu-devel] [PATCH 1/2] vhost: ensure vhost_ops are set before calling iotlb callback

From: Maxime Coquelin
Date: 2017-06-30 16:04 UTC
To: jasowang, mlureau, qemu-devel, mst
Cc: Maxime Coquelin

This patch fixes a crash that happens when vhost-user iommu support is enabled and vhost-user socket is closed.

When it happens, if an IOTLB invalidation notification is sent by the IOMMU, vhost_ops's NULL pointer is dereferenced.

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
--- hw/virtio/vhost-backend.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hw/virtio/vhost-backend.c b/hw/virtio/vhost-backend.c index 4e31de1..cb055e8 100644 --- a/hw/virtio/vhost-backend.c +++ b/hw/virtio/vhost-backend.c @@ -309,7 +309,10 @@ int vhost_backend_update_device_iotlb(struct vhost_dev *dev, return -EINVAL; } - return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); + if (dev->vhost_ops && dev->vhost_ops->vhost_send_device_iotlb_msg) + return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); + + return -ENODEV; } int vhost_backend_invalidate_device_iotlb(struct vhost_dev *dev, @@ -321,7 +324,10 @@ int vhost_backend_invalidate_device_iotlb(struct vhost_dev *dev, imsg.size = len; imsg.type = VHOST_IOTLB_INVALIDATE; - return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); + if (dev->vhost_ops && dev->vhost_ops->vhost_send_device_iotlb_msg) + return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); + + return -ENODEV; } int vhost_backend_handle_iotlb_msg(struct vhost_dev *dev, -- 2.9.4
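Review bot: in the vhost_backend_update_device_iotlb() hunk, the new `if (dev->vhost_ops && dev->vhost_ops->vhost_send_device_iotlb_msg)` guards a single-statement `return` without braces, which QEMU's coding style (enforced by scripts/checkpatch.pl) does not allow; wrap the body in `{ }`. A one-line comment saying why vhost_ops can be NULL at this point (the backend has disconnected and the device has been cleaned up while IOTLB updates from the IOMMU still reach it, as the commit message describes) would also stop the check from being read as a generic defensive guard and removed later.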
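Review bot: the vhost_backend_invalidate_device_iotlb() hunk repeats the same guard and -ENODEV fallback verbatim, with the same missing braces. Both functions end by handing an imsg to the same callback, so a small static helper such as `vhost_backend_send_iotlb_msg(dev, &imsg)` holding the NULL check would keep the two paths in sync if another IOTLB message type is added. Separately, an invalidation that arrives after the backend is gone now returns -ENODEV instead of crashing; the callers of these two functions should be checked so that this expected post-disconnect case is not reported as an IOTLB failure.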
Re: [Qemu-devel] [PATCH 1/2] vhost: ensure vhost_ops are set before calling iotlb callback

From: Marc-André Lureau
Date: 2017-06-30 16:33 UTC
To: Maxime Coquelin
Cc: jasowang, qemu-devel, mst

----- Original Message -----
> This patch fixes a crash that happens when vhost-user iommu
> support is enabled and vhost-user socket is closed.
>
> When it happens, if an IOTLB invalidation notification is sent
> by the IOMMU, vhost_ops's NULL pointer is dereferenced.
>
> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>

looks fine to me,

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> --- > hw/virtio/vhost-backend.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/hw/virtio/vhost-backend.c b/hw/virtio/vhost-backend.c > index 4e31de1..cb055e8 100644 > --- a/hw/virtio/vhost-backend.c > +++ b/hw/virtio/vhost-backend.c > @@ -309,7 +309,10 @@ int vhost_backend_update_device_iotlb(struct vhost_dev > *dev, > return -EINVAL; > } > > - return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); > + if (dev->vhost_ops && dev->vhost_ops->vhost_send_device_iotlb_msg) > + return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); > + > + return -ENODEV; > } > > int vhost_backend_invalidate_device_iotlb(struct vhost_dev *dev,
> @@ -321,7 +324,10 @@ int vhost_backend_invalidate_device_iotlb(struct > vhost_dev *dev, > imsg.size = len; > imsg.type = VHOST_IOTLB_INVALIDATE; > > - return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); > + if (dev->vhost_ops && dev->vhost_ops->vhost_send_device_iotlb_msg) > + return dev->vhost_ops->vhost_send_device_iotlb_msg(dev, &imsg); > + > + return -ENODEV; > } > > int vhost_backend_handle_iotlb_msg(struct vhost_dev *dev, > -- > 2.9.4
[Qemu-devel] [PATCH 2/2] vhost-user: unregister slave req handler at cleanup time

From: Maxime Coquelin
Date: 2017-06-30 16:04 UTC
To: jasowang, mlureau, qemu-devel, mst
Cc: Maxime Coquelin

If the backend sends a request just before closing the socket, the aio dispatcher might schedule its reading after the vhost device has been cleaned, leading to a NULL pointer dereference in slave_read();

vhost_user_cleanup() already closes the socket but it is not enough, the handler has to be unregistered.

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
--- hw/virtio/vhost-user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 958ee09..2203011 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -779,6 +779,7 @@ static int vhost_user_cleanup(struct vhost_dev *dev) u = dev->opaque; if (u->slave_fd >= 0) { + qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL); close(u->slave_fd); u->slave_fd = -1; } -- 2.9.4
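Review bot: the new qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL) is correctly placed before close(u->slave_fd), and that order must be kept: once close() releases the descriptor number, the next open()/socket() can reuse it, and a handler still registered for that number would run against an unrelated fd with the stale opaque pointer. Worth checking that vhost_user_cleanup() is the only place slave_fd is closed; any other path that closes it (an error path inside slave_read(), for instance) needs the same unregister first. A short comment on the new line saying that it exists to prevent the late dispatch the commit message describes would also help, since the line otherwise looks like routine cleanup.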
Re: [Qemu-devel] [PATCH 2/2] vhost-user: unregister slave req handler at cleanup time

From: Marc-André Lureau
Date: 2017-06-30 16:23 UTC
To: Maxime Coquelin
Cc: jasowang, qemu-devel, mst

----- Original Message -----
> If the backend sends a request just before closing the socket,
> the aio dispatcher might schedule its reading after the vhost
> device has been cleaned, leading to a NULL pointer dereference
> in slave_read();
>
> vhost_user_cleanup() already closes the socket but it is not
> enough, the handler has to be unregistered.
>
> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> --- > hw/virtio/vhost-user.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c > index 958ee09..2203011 100644 > --- a/hw/virtio/vhost-user.c > +++ b/hw/virtio/vhost-user.c > @@ -779,6 +779,7 @@ static int vhost_user_cleanup(struct vhost_dev *dev) > > u = dev->opaque; > if (u->slave_fd >= 0) { > + qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL); > close(u->slave_fd); > u->slave_fd = -1; > } > -- > 2.9.4
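The race that the [PATCH 2/2] commit message (quoted in the reply above) describes can be replayed outside QEMU. The following C program is an added example, not code from this thread or from QEMU: it builds a toy single-threaded fd dispatcher in the style of qemu_set_fd_handler(), lets the backend write one last slave request and then disconnect so that both fds are reported ready by the same poll() round, runs the disconnect handler (which performs the cleanup) first, and then reaches the already-ready slave fd. All names in it (set_fd_handler, dispatch_once, master_event, dev_state, run_disconnect_race) are invented stand-ins, and vhost_user_cleanup and slave_read are local models of the functions of the same name, not the real ones. run_disconnect_race(0) models the cleanup before the patch and returns 1 (one slave_read() call against the torn-down device); run_disconnect_race(1) models the patched cleanup, which unregisters the handler before close(), and returns 0.

```c
/* Added example, not QEMU code: a toy fd dispatcher replaying the race in the
 * commit message. All names are invented stand-ins for the QEMU ones. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_FDS 1024
struct fd_handler { void (*io_read)(void *opaque); void *opaque; };
static struct fd_handler handlers[MAX_FDS]; /* per-fd table, like AioHandlers */

/* Mirrors qemu_set_fd_handler(fd, read, NULL, opaque); NULL read removes it. */
static void set_fd_handler(int fd, void (*io_read)(void *), void *opaque)
{
    handlers[fd] = (struct fd_handler){ io_read, opaque }; /* fd < MAX_FDS here */
}

/* Stand-in for the vhost_user/vhost_dev state the handlers dereference. */
struct dev_state {
    int master_fd;             /* QEMU end of the vhost-user control channel */
    int slave_fd;              /* QEMU end of the slave request channel */
    int ops_valid;             /* models dev->vhost_ops != NULL */
    int unregister_on_cleanup; /* 1 = behaviour with the patch applied */
    int late_dispatches;       /* slave_read() entries after cleanup; want 0 */
};

/* Model of vhost_user_cleanup(): release the slave fd, tear the device down. */
static void vhost_user_cleanup(struct dev_state *u)
{
    if (u->slave_fd >= 0) {
        if (u->unregister_on_cleanup) {
            set_fd_handler(u->slave_fd, NULL, NULL); /* the patch's new line */
        }
        close(u->slave_fd);
        u->slave_fd = -1;
    }
    u->ops_valid = 0;
}

/* Slave request handler; being entered after cleanup is the bug, so count it. */
static void slave_read(void *opaque)
{
    struct dev_state *u = opaque;
    if (!u->ops_valid) {
        u->late_dispatches++; /* the real handler would hit a NULL deref here */
    }
}

/* Control channel handler: the backend hung up, so clean the device up. */
static void master_event(void *opaque)
{
    vhost_user_cleanup(opaque);
}

/* One dispatcher round: poll every registered fd, then call the handlers in
 * fd order, re-reading the table at call time since a handler may change it. */
static void dispatch_once(void)
{
    struct pollfd pfds[MAX_FDS];
    int n = 0;
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (handlers[fd].io_read) {
            pfds[n++] = (struct pollfd){ .fd = fd, .events = POLLIN };
        }
    }
    poll(pfds, n, 0); /* revents stays 0 for anything not ready */
    for (int i = 0; i < n; i++) {
        int fd = pfds[i].fd;
        if ((pfds[i].revents & (POLLIN | POLLHUP)) && handlers[fd].io_read) {
            handlers[fd].io_read(handlers[fd].opaque);
        }
    }
}

/* Plays the race once: the backend writes a last request, then disconnects,
 * and both events land in the same dispatch round. Returns how many times
 * slave_read() ran against the cleaned-up device (0 is the correct answer). */
static int run_disconnect_race(int unregister_on_cleanup)
{
    int mp[2], sp[2]; /* control and slave pipes; index 1 is the backend end */
    memset(handlers, 0, sizeof handlers);
    if (pipe(mp) < 0 || pipe(sp) < 0) { return -1; }
    struct dev_state u = { mp[0], sp[0], 1, unregister_on_cleanup, 0 };
    set_fd_handler(u.master_fd, master_event, &u);
    set_fd_handler(u.slave_fd, slave_read, &u);
    (void)!write(sp[1], "REQ", 3); /* last slave request ... */
    close(mp[1]);                  /* ... then the backend goes away */
    close(sp[1]);
    dispatch_once(); /* mp[0] < sp[0], so cleanup runs before the slave read */
    close(mp[0]);
    return u.late_dispatches;
}

int main(void)
{
    printf("late slave_read() calls: %d without the patch, %d with it\n",
           run_disconnect_race(0), run_disconnect_race(1));
    return 0;
}
```

Because the dispatcher re-reads the handler table at call time, removing the registration is what stops the late call; closing the descriptor alone does not, since the readiness was recorded before cleanup ran. The same reasoning is why the unregister has to come before close(): once the number is released, a later open() can reuse it and a leftover handler would fire for the wrong fd.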