Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe()

[PATCH v2 00/14] Provide core infrastructure for managing open/release · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
[PATCH v2 01/14] vfio/samples: Remove module get/put · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 01/14] vfio/samples: Remove module get/put · Christoph Hellwig <hch@lst.de> · 2021-07-23
[PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Alex Williamson <hidden> · 2021-07-20
Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Alex Williamson <hidden> · 2021-07-20
Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Cornelia Huck <cohuck@redhat.com> · 2021-07-21
Re: [PATCH v2 02/14] vfio/mbochs: Fix missing error unwind in mbochs_probe() · Cornelia Huck <cohuck@redhat.com> · 2021-07-21
[PATCH v2 10/14] vfio/pci: Reorganize VFIO_DEVICE_PCI_HOT_RESET to use the device set · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 10/14] vfio/pci: Reorganize VFIO_DEVICE_PCI_HOT_RESET to use the device set · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 10/14] vfio/pci: Reorganize VFIO_DEVICE_PCI_HOT_RESET to use the device set · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 04/14] vfio: Provide better generic support for open/release vfio_device_ops · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 04/14] vfio: Provide better generic support for open/release vfio_device_ops · Cornelia Huck <cohuck@redhat.com> · 2021-07-22
Re: [PATCH v2 04/14] vfio: Provide better generic support for open/release vfio_device_ops · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 04/14] vfio: Provide better generic support for open/release vfio_device_ops · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 14/14] vfio: Remove struct vfio_device_ops open/release · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 14/14] vfio: Remove struct vfio_device_ops open/release · Christoph Hellwig <hch@lst.de> · 2021-07-23
[PATCH v2 03/14] vfio: Introduce a vfio_uninit_group_dev() API call · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 03/14] vfio: Introduce a vfio_uninit_group_dev() API call · Cornelia Huck <cohuck@redhat.com> · 2021-07-21
Re: [PATCH v2 03/14] vfio: Introduce a vfio_uninit_group_dev() API call · Christoph Hellwig <hch@lst.de> · 2021-07-23
[PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
Re: [PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 06/14] vfio/fsl: Move to the device set infrastructure · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 12/14] vfio/ap,ccw: Fix open/close when multiple device FDs are open · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
[PATCH v2 09/14] vfio/pci: Change vfio_pci_try_bus_reset() to use the dev_set · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 09/14] vfio/pci: Change vfio_pci_try_bus_reset() to use the dev_set · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 09/14] vfio/pci: Change vfio_pci_try_bus_reset() to use the dev_set · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 11/14] vfio/mbochs: Fix close when multiple device FDs are open · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 11/14] vfio/mbochs: Fix close when multiple device FDs are open · Christoph Hellwig <hch@lst.de> · 2021-07-23
[PATCH v2 07/14] vfio/platform: Use open_device() instead of open coding a refcnt scheme · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 07/14] vfio/platform: Use open_device() instead of open coding a refcnt scheme · Cornelia Huck <cohuck@redhat.com> · 2021-07-22
Re: [PATCH v2 07/14] vfio/platform: Use open_device() instead of open coding a refcnt scheme · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 07/14] vfio/platform: Use open_device() instead of open coding a refcnt scheme · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 08/14] vfio/pci: Move to the device set infrastructure · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 08/14] vfio/pci: Move to the device set infrastructure · Christoph Hellwig <hch@lst.de> · 2021-07-23
Re: [PATCH v2 08/14] vfio/pci: Move to the device set infrastructure · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-23
[PATCH v2 13/14] vfio/gvt: Fix open/close when multiple device FDs are open · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 13/14] vfio/gvt: Fix open/close when multiple device FDs are open · Christoph Hellwig <hch@lst.de> · 2021-07-23
[PATCH v2 05/14] vfio/samples: Delete useless open/close · Jason Gunthorpe <jgg@nvidia.com> · 2021-07-20
Re: [PATCH v2 05/14] vfio/samples: Delete useless open/close · Christoph Hellwig <hch@lst.de> · 2021-07-23

From: Jason Gunthorpe <jgg@nvidia.com>
Date: 2021-07-20 22:50:51
Also in: dri-devel, intel-gfx, kvm, linux-s390

On Tue, Jul 20, 2021 at 04:01:27PM -0600, Alex Williamson wrote:

On Tue, 20 Jul 2021 14:42:48 -0300
Jason Gunthorpe [off-list ref] wrote:

quoted

Compared to mbochs_remove() two cases are missing from the
vfio_register_group_dev() unwind. Add them in.

Fixes: 681c1615f891 ("vfio/mbochs: Convert to use vfio_register_group_dev()")
Reported-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
 samples/vfio-mdev/mbochs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/samples/vfio-mdev/mbochs.c b/samples/vfio-mdev/mbochs.c
index e81b875b4d87b4..501845b08c0974 100644
+++ b/samples/vfio-mdev/mbochs.c

@@ -553,11 +553,14 @@ static int mbochs_probe(struct mdev_device *mdev)
 
 	ret = vfio_register_group_dev(&mdev_state->vdev);
 	if (ret)
-		goto err_mem;
+		goto err_bytes;
 	dev_set_drvdata(&mdev->dev, mdev_state);
 	return 0;
 
+err_bytes:
+	mbochs_used_mbytes -= mdev_state->type->mbytes;
 err_mem:
+	kfree(mdev_state->pages);
 	kfree(mdev_state->vconfig);
 	kfree(mdev_state);
 	return ret;

@@ -567,8 +570,8 @@ static void mbochs_remove(struct mdev_device *mdev)
 {
 	struct mdev_state *mdev_state = dev_get_drvdata(&mdev->dev);
 
-	mbochs_used_mbytes -= mdev_state->type->mbytes;
 	vfio_unregister_group_dev(&mdev_state->vdev);
+	mbochs_used_mbytes -= mdev_state->type->mbytes;
 	kfree(mdev_state->pages);
 	kfree(mdev_state->vconfig);
 	kfree(mdev_state);

Hmm, doesn't this suggest we need another atomic conversion?  (untested)

Sure why not, I can add this as another patch

quoted hunk ↗ jump to hunk

@@ -567,11 +573,11 @@ static void mbochs_remove(struct mdev_device *mdev)
 {
 	struct mdev_state *mdev_state = dev_get_drvdata(&mdev->dev);
 
-	mbochs_used_mbytes -= mdev_state->type->mbytes;
 	vfio_unregister_group_dev(&mdev_state->vdev);
 	kfree(mdev_state->pages);
 	kfree(mdev_state->vconfig);
 	kfree(mdev_state);
+	atomic_add(mdev_state->type->mbytes, &mbochs_avail_mbytes);

This should be up after the vfio_unregister_group_dev(), it is a use after free?

Jason

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help