forked from luck/tmp_suning_uos_patched
4f3dbdf47e
Reported syzkaller: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass] PGD 0 Oops: 0002 [#1] SMP CPU: 1 PID: 125 Comm: kworker/1:1 Not tainted 4.9.0+ #1 Workqueue: kvm-irqfd-cleanup irqfd_shutdown [kvm] task: ffff9bbe0dfbb900 task.stack: ffffb61802014000 RIP: 0010:irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass] Call Trace: irqfd_shutdown+0x66/0xa0 [kvm] process_one_work+0x16b/0x480 worker_thread+0x4b/0x500 kthread+0x101/0x140 ? process_one_work+0x480/0x480 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x25/0x30 RIP: irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass] RSP: ffffb61802017e20 CR2: 0000000000000008 The syzkaller folks reported a NULL pointer dereference that due to unregister an consumer which fails registration before. The syzkaller creates two VMs w/ an equal eventfd occasionally. So the second VM fails to register an irqbypass consumer. It will make irqfd as inactive and queue an workqueue work to shutdown irqfd and unregister the irqbypass consumer when eventfd is closed. However, the second consumer has been initialized though it fails registration. So the token(same as the first VM's) is taken to unregister the consumer through the workqueue, the consumer of the first VM is found and unregistered, then NULL deref incurred in the path of deleting consumer from the consumers list. This patch fixes it by making irq_bypass_register/unregister_consumer() looks for the consumer entry based on consumer pointer itself instead of token matching. Reported-by: Dmitry Vyukov <dvyukov@google.com> Suggested-by: Alex Williamson <alex.williamson@redhat.com> Cc: stable@vger.kernel.org Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
268 lines
6.0 KiB
C
268 lines
6.0 KiB
C
/*
|
|
* IRQ offload/bypass manager
|
|
*
|
|
* Copyright (C) 2015 Red Hat, Inc.
|
|
* Copyright (c) 2015 Linaro Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* Various virtualization hardware acceleration techniques allow bypassing or
|
|
* offloading interrupts received from devices around the host kernel. Posted
|
|
* Interrupts on Intel VT-d systems can allow interrupts to be received
|
|
* directly by a virtual machine. ARM IRQ Forwarding allows forwarded physical
|
|
* interrupts to be directly deactivated by the guest. This manager allows
|
|
* interrupt producers and consumers to find each other to enable this sort of
|
|
* bypass.
|
|
*/
|
|
|
|
#include <linux/irqbypass.h>
|
|
#include <linux/list.h>
|
|
#include <linux/module.h>
|
|
#include <linux/mutex.h>
|
|
|
|
MODULE_LICENSE("GPL v2");
|
|
MODULE_DESCRIPTION("IRQ bypass manager utility module");
|
|
|
|
static LIST_HEAD(producers);
|
|
static LIST_HEAD(consumers);
|
|
static DEFINE_MUTEX(lock);
|
|
|
|
/* @lock must be held when calling connect */
|
|
static int __connect(struct irq_bypass_producer *prod,
|
|
struct irq_bypass_consumer *cons)
|
|
{
|
|
int ret = 0;
|
|
|
|
if (prod->stop)
|
|
prod->stop(prod);
|
|
if (cons->stop)
|
|
cons->stop(cons);
|
|
|
|
if (prod->add_consumer)
|
|
ret = prod->add_consumer(prod, cons);
|
|
|
|
if (!ret) {
|
|
ret = cons->add_producer(cons, prod);
|
|
if (ret && prod->del_consumer)
|
|
prod->del_consumer(prod, cons);
|
|
}
|
|
|
|
if (cons->start)
|
|
cons->start(cons);
|
|
if (prod->start)
|
|
prod->start(prod);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* @lock must be held when calling disconnect */
|
|
static void __disconnect(struct irq_bypass_producer *prod,
|
|
struct irq_bypass_consumer *cons)
|
|
{
|
|
if (prod->stop)
|
|
prod->stop(prod);
|
|
if (cons->stop)
|
|
cons->stop(cons);
|
|
|
|
cons->del_producer(cons, prod);
|
|
|
|
if (prod->del_consumer)
|
|
prod->del_consumer(prod, cons);
|
|
|
|
if (cons->start)
|
|
cons->start(cons);
|
|
if (prod->start)
|
|
prod->start(prod);
|
|
}
|
|
|
|
/**
|
|
* irq_bypass_register_producer - register IRQ bypass producer
|
|
* @producer: pointer to producer structure
|
|
*
|
|
* Add the provided IRQ producer to the list of producers and connect
|
|
* with any matching token found on the IRQ consumers list.
|
|
*/
|
|
int irq_bypass_register_producer(struct irq_bypass_producer *producer)
|
|
{
|
|
struct irq_bypass_producer *tmp;
|
|
struct irq_bypass_consumer *consumer;
|
|
|
|
if (!producer->token)
|
|
return -EINVAL;
|
|
|
|
might_sleep();
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
return -ENODEV;
|
|
|
|
mutex_lock(&lock);
|
|
|
|
list_for_each_entry(tmp, &producers, node) {
|
|
if (tmp->token == producer->token) {
|
|
mutex_unlock(&lock);
|
|
module_put(THIS_MODULE);
|
|
return -EBUSY;
|
|
}
|
|
}
|
|
|
|
list_for_each_entry(consumer, &consumers, node) {
|
|
if (consumer->token == producer->token) {
|
|
int ret = __connect(producer, consumer);
|
|
if (ret) {
|
|
mutex_unlock(&lock);
|
|
module_put(THIS_MODULE);
|
|
return ret;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
list_add(&producer->node, &producers);
|
|
|
|
mutex_unlock(&lock);
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(irq_bypass_register_producer);
|
|
|
|
/**
|
|
* irq_bypass_unregister_producer - unregister IRQ bypass producer
|
|
* @producer: pointer to producer structure
|
|
*
|
|
* Remove a previously registered IRQ producer from the list of producers
|
|
* and disconnect it from any connected IRQ consumer.
|
|
*/
|
|
void irq_bypass_unregister_producer(struct irq_bypass_producer *producer)
|
|
{
|
|
struct irq_bypass_producer *tmp;
|
|
struct irq_bypass_consumer *consumer;
|
|
|
|
if (!producer->token)
|
|
return;
|
|
|
|
might_sleep();
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
return; /* nothing in the list anyway */
|
|
|
|
mutex_lock(&lock);
|
|
|
|
list_for_each_entry(tmp, &producers, node) {
|
|
if (tmp->token != producer->token)
|
|
continue;
|
|
|
|
list_for_each_entry(consumer, &consumers, node) {
|
|
if (consumer->token == producer->token) {
|
|
__disconnect(producer, consumer);
|
|
break;
|
|
}
|
|
}
|
|
|
|
list_del(&producer->node);
|
|
module_put(THIS_MODULE);
|
|
break;
|
|
}
|
|
|
|
mutex_unlock(&lock);
|
|
|
|
module_put(THIS_MODULE);
|
|
}
|
|
EXPORT_SYMBOL_GPL(irq_bypass_unregister_producer);
|
|
|
|
/**
|
|
* irq_bypass_register_consumer - register IRQ bypass consumer
|
|
* @consumer: pointer to consumer structure
|
|
*
|
|
* Add the provided IRQ consumer to the list of consumers and connect
|
|
* with any matching token found on the IRQ producer list.
|
|
*/
|
|
int irq_bypass_register_consumer(struct irq_bypass_consumer *consumer)
|
|
{
|
|
struct irq_bypass_consumer *tmp;
|
|
struct irq_bypass_producer *producer;
|
|
|
|
if (!consumer->token ||
|
|
!consumer->add_producer || !consumer->del_producer)
|
|
return -EINVAL;
|
|
|
|
might_sleep();
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
return -ENODEV;
|
|
|
|
mutex_lock(&lock);
|
|
|
|
list_for_each_entry(tmp, &consumers, node) {
|
|
if (tmp->token == consumer->token || tmp == consumer) {
|
|
mutex_unlock(&lock);
|
|
module_put(THIS_MODULE);
|
|
return -EBUSY;
|
|
}
|
|
}
|
|
|
|
list_for_each_entry(producer, &producers, node) {
|
|
if (producer->token == consumer->token) {
|
|
int ret = __connect(producer, consumer);
|
|
if (ret) {
|
|
mutex_unlock(&lock);
|
|
module_put(THIS_MODULE);
|
|
return ret;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
list_add(&consumer->node, &consumers);
|
|
|
|
mutex_unlock(&lock);
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(irq_bypass_register_consumer);
|
|
|
|
/**
|
|
* irq_bypass_unregister_consumer - unregister IRQ bypass consumer
|
|
* @consumer: pointer to consumer structure
|
|
*
|
|
* Remove a previously registered IRQ consumer from the list of consumers
|
|
* and disconnect it from any connected IRQ producer.
|
|
*/
|
|
void irq_bypass_unregister_consumer(struct irq_bypass_consumer *consumer)
|
|
{
|
|
struct irq_bypass_consumer *tmp;
|
|
struct irq_bypass_producer *producer;
|
|
|
|
if (!consumer->token)
|
|
return;
|
|
|
|
might_sleep();
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
return; /* nothing in the list anyway */
|
|
|
|
mutex_lock(&lock);
|
|
|
|
list_for_each_entry(tmp, &consumers, node) {
|
|
if (tmp != consumer)
|
|
continue;
|
|
|
|
list_for_each_entry(producer, &producers, node) {
|
|
if (producer->token == consumer->token) {
|
|
__disconnect(producer, consumer);
|
|
break;
|
|
}
|
|
}
|
|
|
|
list_del(&consumer->node);
|
|
module_put(THIS_MODULE);
|
|
break;
|
|
}
|
|
|
|
mutex_unlock(&lock);
|
|
|
|
module_put(THIS_MODULE);
|
|
}
|
|
EXPORT_SYMBOL_GPL(irq_bypass_unregister_consumer);
|