From: Alex Williamson <alex.williamson@redhat.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: kvm@vger.kernel.org, linux-doc@vger.kernel.org,
David Airlie <airlied@linux.ie>,
dri-devel@lists.freedesktop.org,
Kirti Wankhede <kwankhede@nvidia.com>,
Max Gurtovoy <mgurtovoy@nvidia.com>,
Vineeth Vijayan <vneethv@linux.ibm.com>,
Diana Craciun <diana.craciun@oss.nxp.com>,
Leon Romanovsky <leonro@nvidia.com>,
Christoph Hellwig <hch@lst.de>,
linux-s390@vger.kernel.org,
Matthew Rosato <mjrosato@linux.ibm.com>,
Jonathan Corbet <corbet@lwn.net>,
Halil Pasic <pasic@linux.ibm.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
intel-gfx@lists.freedesktop.org, Zhi Wang <zhi.a.wang@intel.com>,
Jason Herne <jjherne@linux.ibm.com>,
Eric Farman <farman@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
Eric Auger <eric.auger@redhat.com>,
Harald Freudenberger <freude@linux.ibm.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
intel-gvt-dev@lists.freedesktop.org, "Raj, Ashok" <ashok.raj@intel.com>,
Tony Krowiak <akrowiak@linux.ibm.com>,
Yishai Hadas <yishaih@nvidia.com>,
Cornelia Huck <cohuck@redhat.com>,
Peter Oberparleiter <oberpar@linux.ibm.com>
Subject: Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe()
Date: Tue, 20 Jul 2021 16:54:51 -0600
Message-ID: <20210720165451.625dddd4.alex.williamson@redhat.com>
In-Reply-To: <20210720224955.GD1117491@nvidia.com>
On Tue, 20 Jul 2021 19:49:55 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:
> On Tue, Jul 20, 2021 at 04:01:27PM -0600, Alex Williamson wrote:
> > On Tue, 20 Jul 2021 14:42:48 -0300
> > Jason Gunthorpe <jgg@nvidia.com> wrote:
> >
> > > Compared to mbochs_remove() two cases are missing from the
> > > vfio_register_group_dev() unwind. Add them in.
> > >
> > > Fixes: 681c1615f891 ("vfio/mbochs: Convert to use vfio_register_group_dev()")
> > > Reported-by: Cornelia Huck <cohuck@redhat.com>
> > > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> > > samples/vfio-mdev/mbochs.c | 7 +++++--
> > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/samples/vfio-mdev/mbochs.c b/samples/vfio-mdev/mbochs.c
> > > index e81b875b4d87b4..501845b08c0974 100644
> > > +++ b/samples/vfio-mdev/mbochs.c
> > > @@ -553,11 +553,14 @@ static int mbochs_probe(struct mdev_device *mdev)
> > >
> > > ret = vfio_register_group_dev(&mdev_state->vdev);
> > > if (ret)
> > > - goto err_mem;
> > > + goto err_bytes;
> > > dev_set_drvdata(&mdev->dev, mdev_state);
> > > return 0;
> > >
> > > +err_bytes:
> > > + mbochs_used_mbytes -= mdev_state->type->mbytes;
> > > err_mem:
> > > + kfree(mdev_state->pages);
> > > kfree(mdev_state->vconfig);
> > > kfree(mdev_state);
> > > return ret;
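Review bot: the new err_bytes label undoes the mbochs_used_mbytes accounting before falling through to err_mem, which is the right unwind order, but the added kfree(mdev_state->pages) under err_mem now also runs for every earlier `goto err_mem` outside this hunk, so those paths must reach it with pages either allocated or zero-initialised; worth confirming mdev_state comes from kzalloc() so kfree(NULL) is a safe no-op there. Both labels also adjust mbochs_used_mbytes as a plain global with no locking visible in the hunk.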
> > > @@ -567,8 +570,8 @@ static void mbochs_remove(struct mdev_device *mdev)
> > > {
> > > struct mdev_state *mdev_state = dev_get_drvdata(&mdev->dev);
> > >
> > > - mbochs_used_mbytes -= mdev_state->type->mbytes;
> > > vfio_unregister_group_dev(&mdev_state->vdev);
> > > + mbochs_used_mbytes -= mdev_state->type->mbytes;
> > > kfree(mdev_state->pages);
> > > kfree(mdev_state->vconfig);
> > > kfree(mdev_state);
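Review bot: moving the mbochs_used_mbytes decrement below vfio_unregister_group_dev() keeps the bytes accounted for as long as the device is registered, mirroring the probe ordering, and it still reads mdev_state->type before any kfree(), so this ordering is safe. The remaining issue is that `mbochs_used_mbytes -= ...` is an unlocked read-modify-write on a global that probe also updates; probe and remove of different mdevs can run concurrently, so an atomic counter (or a lock covering probe's check-and-add) is needed to close that race.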
> >
> > Hmm, doesn't this suggest we need another atomic conversion? (untested)
>
> Sure why not, I can add this as another patch
>
> > @@ -567,11 +573,11 @@ static void mbochs_remove(struct mdev_device *mdev)
> > {
> > struct mdev_state *mdev_state = dev_get_drvdata(&mdev->dev);
> >
> > - mbochs_used_mbytes -= mdev_state->type->mbytes;
> > vfio_unregister_group_dev(&mdev_state->vdev);
> > kfree(mdev_state->pages);
> > kfree(mdev_state->vconfig);
> > kfree(mdev_state);
> > + atomic_add(mdev_state->type->mbytes, &mbochs_avail_mbytes);
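Review bot: the atomic_add() added as the last line dereferences mdev_state->type->mbytes after kfree(mdev_state) three lines above it, which is a use after free; place it directly after vfio_unregister_group_dev() and before the kfree() calls, or copy type->mbytes into a local before the frees. Suggested order:
vfio_unregister_group_dev(&mdev_state->vdev);
atomic_add(mdev_state->type->mbytes, &mbochs_avail_mbytes);
kfree(mdev_state->pages);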
>
> This should be up after the vfio_unregister_group_dev(), it is a use after free?
Oops, yep. That or get the mbochs_type so we can mirror the _probe
setup. Same on the _probe unwind, but we've already got type->mbytes
there. Thanks,
Alex
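The probe/remove pairing the thread is circling (unwind in reverse order of acquisition, release the byte accounting only while the state is still alive, and make the counter atomic so concurrent probe and remove cannot race) can be checked outside the kernel. The following is an added userspace model written for this page, not code from the patch, the mbochs sample or the vfio core; model_probe(), model_remove(), model_avail(), model_set_fail_register(), fake_register()/fake_unregister() and the avail_mbytes counter are all stand-ins chosen here, with calloc()/free() standing in for kzalloc()/kfree() and a C11 atomic standing in for the kernel's atomic_t.

```c
/* Added example (not kernel code): a userspace model of an mbochs-style
 * probe/remove pair.  The point it demonstrates is that every failure
 * path in probe, and the remove path, leave the shared byte budget
 * exactly where it started, and that the budget is returned before the
 * state that holds type->mbytes is freed. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MBYTES 64

struct mbochs_type { int mbytes; };

struct mdev_state {
    const struct mbochs_type *type;
    void *pages;
    void *vconfig;
    int registered;
};

/* stand-in for the kernel's atomic mbochs_avail_mbytes: bytes still free */
static atomic_int avail_mbytes = MAX_MBYTES;
/* test knob: make the fake device registration fail */
static int fail_register;

static void model_set_fail_register(int v) { fail_register = v; }

/* stand-in for vfio_register_group_dev(): 0 on success, negative errno on failure */
static int fake_register(struct mdev_state *s)
{
    if (fail_register)
        return -ENODEV;
    s->registered = 1;
    return 0;
}

static void fake_unregister(struct mdev_state *s) { s->registered = 0; }

/* Returns 0 and stores the new state in *out; on any failure returns a
 * negative errno and undoes every allocation and accounting step. */
static int model_probe(const struct mbochs_type *type, struct mdev_state **out)
{
    struct mdev_state *s;
    int ret;

    s = calloc(1, sizeof(*s));         /* zeroed, so free(NULL) below is a safe no-op */
    if (!s)
        return -ENOMEM;
    s->type = type;
    s->vconfig = calloc(1, 256);
    if (!s->vconfig) { ret = -ENOMEM; goto err_mem; }
    s->pages = calloc(1, 4096);
    if (!s->pages) { ret = -ENOMEM; goto err_mem; }

    /* reserve the type's bytes; fetch_sub returns the old value, so a
     * result below type->mbytes means we just drove the budget negative */
    if (atomic_fetch_sub(&avail_mbytes, type->mbytes) < type->mbytes) {
        atomic_fetch_add(&avail_mbytes, type->mbytes);
        ret = -ENOMEM;
        goto err_mem;
    }

    ret = fake_register(s);
    if (ret)
        goto err_bytes;
    *out = s;
    return 0;

err_bytes:                              /* undo steps in reverse order of acquisition */
    atomic_fetch_add(&avail_mbytes, type->mbytes);
err_mem:
    free(s->pages);
    free(s->vconfig);
    free(s);
    return ret;
}

static void model_remove(struct mdev_state *s)
{
    fake_unregister(s);
    /* give the bytes back while s->type is still valid: doing this after
     * free(s) would be the use after free raised in the thread */
    atomic_fetch_add(&avail_mbytes, s->type->mbytes);
    free(s->pages);
    free(s->vconfig);
    free(s);
}

static int model_avail(void) { return atomic_load(&avail_mbytes); }

int main(void)
{
    struct mbochs_type t = { .mbytes = 16 };
    struct mdev_state *s = NULL;

    printf("avail before: %d\n", model_avail());
    if (model_probe(&t, &s) == 0) {
        printf("avail while live: %d\n", model_avail());
        model_remove(s);
    }
    printf("avail after: %d\n", model_avail());
    return 0;
}
```

The invariant worth keeping in mind when reviewing unwind ladders of this shape: each label releases exactly the resource acquired just before the `goto` that targets it, so the labels read as the acquisition sequence in reverse, and remove() should be that same ladder run from the top.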
Thread overview:
2021-07-20 17:42 [PATCH v2 00/14] Provide core infrastructure for managing open/release Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 01/14] vfio/samples: Remove module get/put Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() Jason Gunthorpe
2021-07-20 22:01 ` Alex Williamson
2021-07-20 22:49 ` Jason Gunthorpe
2021-07-20 22:54 ` Alex Williamson [this message]
2021-07-21 9:18 ` Cornelia Huck
2021-07-21 9:16 ` Cornelia Huck
2021-07-20 17:42 ` [PATCH v2 03/14] vfio: Introduce a vfio_uninit_group_dev() API call Jason Gunthorpe
2021-07-21 11:33 ` Cornelia Huck
2021-07-20 17:42 ` [PATCH v2 04/14] vfio: Provide better generic support for open/release vfio_device_ops Jason Gunthorpe
2021-07-22 14:42 ` Cornelia Huck
[not found] ` <20210723073914.GC864@lst.de>
2021-07-23 14:38 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 05/14] vfio/samples: Delete useless open/close Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure Jason Gunthorpe
[not found] ` <20210723074435.GA2795@lst.de>
2021-07-23 12:22 ` Jason Gunthorpe
[not found] ` <20210723122903.GA24436@lst.de>
2021-07-23 13:11 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 07/14] vfio/platform: Use open_device() instead of open coding a refcnt scheme Jason Gunthorpe
2021-07-22 14:48 ` Cornelia Huck
[not found] ` <20210723074521.GB2795@lst.de>
2021-07-23 12:23 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 08/14] vfio/pci: Move to the device set infrastructure Jason Gunthorpe
[not found] ` <20210723074749.GC2795@lst.de>
2021-07-23 12:59 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 09/14] vfio/pci: Change vfio_pci_try_bus_reset() to use the dev_set Jason Gunthorpe
[not found] ` <20210723080543.GD2795@lst.de>
2021-07-23 13:30 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 10/14] vfio/pci: Reorganize VFIO_DEVICE_PCI_HOT_RESET to use the device set Jason Gunthorpe
[not found] ` <20210723081208.GE2795@lst.de>
2021-07-23 13:31 ` Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 11/14] vfio/mbochs: Fix close when multiple device FDs are open Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 12/14] vfio/ap, ccw: Fix open/close " Jason Gunthorpe
2021-07-20 17:42 ` [PATCH v2 13/14] vfio/gvt: " Jason Gunthorpe
2021-07-20 17:43 ` [PATCH v2 14/14] vfio: Remove struct vfio_device_ops open/release Jason Gunthorpe