* [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path
@ 2012-11-15 16:43 Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
On error recovery path in function vfio_create_group(), it should
unregister the IOMMU notifier for the new VFIO group. Otherwise it may
cause invalid memory access later when handling bus notifications.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/vfio.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 17830c9..3359ec2 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -191,6 +191,17 @@ static void vfio_container_put(struct vfio_container *container)
kref_put(&container->kref, vfio_container_release);
}
+static void vfio_group_unlock_and_free(struct vfio_group *group)
+{
+ mutex_unlock(&vfio.group_lock);
+ /*
+ * Unregister outside of lock. A spurious callback is harmless now
+ * that the group is no longer in vfio.group_list.
+ */
+ iommu_group_unregister_notifier(group->iommu_group, &group->nb);
+ kfree(group);
+}
+
/**
* Group objects - create, release, get, put, search
*/
@@ -229,8 +240,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
minor = vfio_alloc_group_minor(group);
if (minor < 0) {
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return ERR_PTR(minor);
}
@@ -239,8 +249,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
if (tmp->iommu_group == iommu_group) {
vfio_group_get(tmp);
vfio_free_group_minor(minor);
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return tmp;
}
}
@@ -249,8 +258,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
group, "%d", iommu_group_id(iommu_group));
if (IS_ERR(dev)) {
vfio_free_group_minor(minor);
- mutex_unlock(&vfio.group_lock);
- kfree(group);
+ vfio_group_unlock_and_free(group);
return (struct vfio_group *)dev; /* ERR_PTR */
}
@@ -274,16 +282,7 @@ static void vfio_group_release(struct kref *kref)
device_destroy(vfio.class, MKDEV(MAJOR(vfio.devt), group->minor));
list_del(&group->vfio_next);
vfio_free_group_minor(group->minor);
-
- mutex_unlock(&vfio.group_lock);
-
- /*
- * Unregister outside of lock. A spurious callback is harmless now
- * that the group is no longer in vfio.group_list.
- */
- iommu_group_unregister_notifier(group->iommu_group, &group->nb);
-
- kfree(group);
+ vfio_group_unlock_and_free(group);
}
static void vfio_group_put(struct vfio_group *group)
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
@ 2012-11-15 16:43 ` Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
Comments from dev_driver_string(),
/* dev->driver can change to NULL underneath us because of unbinding,
* so be careful about accessing it.
*/
So use ACCESS_ONCE() to guard access to dev->driver field.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/vfio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 3359ec2..0090212 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -465,8 +465,9 @@ static int vfio_dev_viable(struct device *dev, void *data)
{
struct vfio_group *group = data;
struct vfio_device *device;
+ struct device_driver *drv = ACCESS_ONCE(dev->driver);
- if (!dev->driver || vfio_whitelisted_driver(dev->driver))
+ if (!drv || vfio_whitelisted_driver(drv))
return 0;
device = vfio_group_get_device(group, dev);
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init()
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
@ 2012-11-15 16:43 ` Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Jiang Liu @ 2012-11-15 16:43 UTC (permalink / raw)
To: Alex Williamson, Greg Kroah-Hartman
Cc: Jiang Liu, Joerg Roedel, kvm, linux-kernel, Hanjun Guo
The two labels for error recovery in function vfio_pci_init() is out of
order, so fix it.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
---
drivers/vfio/pci/vfio_pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 6968b72..d07fb7e 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -563,9 +563,9 @@ static int __init vfio_pci_init(void)
return 0;
-out_virqfd:
- vfio_pci_virqfd_exit();
out_driver:
+ vfio_pci_virqfd_exit();
+out_virqfd:
vfio_pci_uninit_perm_bits();
return ret;
}
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
@ 2012-11-15 18:31 ` Alex Williamson
2 siblings, 0 replies; 4+ messages in thread
From: Alex Williamson @ 2012-11-15 18:31 UTC (permalink / raw)
To: Jiang Liu
Cc: Greg Kroah-Hartman, Jiang Liu, Joerg Roedel, kvm, linux-kernel,
Hanjun Guo
On Fri, 2012-11-16 at 00:43 +0800, Jiang Liu wrote:
> On error recovery path in function vfio_create_group(), it should
> unregister the IOMMU notifier for the new VFIO group. Otherwise it may
> cause invalid memory access later when handling bus notifications.
>
> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
> ---
> drivers/vfio/vfio.c | 31 +++++++++++++++----------------
> 1 file changed, 15 insertions(+), 16 deletions(-)
Applied all 3, thanks!
Alex
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 17830c9..3359ec2 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -191,6 +191,17 @@ static void vfio_container_put(struct vfio_container *container)
> kref_put(&container->kref, vfio_container_release);
> }
>
> +static void vfio_group_unlock_and_free(struct vfio_group *group)
> +{
> + mutex_unlock(&vfio.group_lock);
> + /*
> + * Unregister outside of lock. A spurious callback is harmless now
> + * that the group is no longer in vfio.group_list.
> + */
> + iommu_group_unregister_notifier(group->iommu_group, &group->nb);
> + kfree(group);
> +}
> +
> /**
> * Group objects - create, release, get, put, search
> */
> @@ -229,8 +240,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
>
> minor = vfio_alloc_group_minor(group);
> if (minor < 0) {
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return ERR_PTR(minor);
> }
>
> @@ -239,8 +249,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
> if (tmp->iommu_group == iommu_group) {
> vfio_group_get(tmp);
> vfio_free_group_minor(minor);
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return tmp;
> }
> }
> @@ -249,8 +258,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
> group, "%d", iommu_group_id(iommu_group));
> if (IS_ERR(dev)) {
> vfio_free_group_minor(minor);
> - mutex_unlock(&vfio.group_lock);
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> return (struct vfio_group *)dev; /* ERR_PTR */
> }
>
> @@ -274,16 +282,7 @@ static void vfio_group_release(struct kref *kref)
> device_destroy(vfio.class, MKDEV(MAJOR(vfio.devt), group->minor));
> list_del(&group->vfio_next);
> vfio_free_group_minor(group->minor);
> -
> - mutex_unlock(&vfio.group_lock);
> -
> - /*
> - * Unregister outside of lock. A spurious callback is harmless now
> - * that the group is no longer in vfio.group_list.
> - */
> - iommu_group_unregister_notifier(group->iommu_group, &group->nb);
> -
> - kfree(group);
> + vfio_group_unlock_and_free(group);
> }
>
> static void vfio_group_put(struct vfio_group *group)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-11-15 18:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-11-15 16:43 [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Jiang Liu
2012-11-15 16:43 ` [PATCH v2 2/3] VFIO: use ACCESS_ONCE() to guard access to dev->driver Jiang Liu
2012-11-15 16:43 ` [PATCH v2 3/3] VFIO: fix out of order labels for error recovery in vfio_pci_init() Jiang Liu
2012-11-15 18:31 ` [PATCH v2 1/3] VFIO: unregister IOMMU notifier on error recovery path Alex Williamson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).