mirror
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/drivers
History
Andrea Parri (Microsoft) a765ed47e4 PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() 
Dexuan wrote:

  "[...]  when we disable AccelNet, the host PCI VSP driver sends a
   PCI_EJECT message first, and the channel callback may set
   hpdev->state to hv_pcichild_ejecting on a different CPU.  This can
   cause hv_compose_msi_msg() to exit from the loop and 'return', and
   the on-stack variable 'ctxt' is invalid.  Now, if the response
   message from the host arrives, the channel callback will try to
   access the invalid 'ctxt' variable, and this may cause a crash."

Schematically:

  Hyper-V sends PCI_EJECT msg
    hv_pci_onchannelcallback()
      state = hv_pcichild_ejecting
                                       hv_compose_msi_msg()
                                         alloc and init comp_pkt
                                         state == hv_pcichild_ejecting
  Hyper-V sends VM_PKT_COMP msg
    hv_pci_onchannelcallback()
      retrieve address of comp_pkt
                                         'free' comp_pkt and return
      comp_pkt->completion_func()

Dexuan also showed how the crash can be triggered after introducing
suitable delays in the driver code, thus validating the 'assumption'
that the host can still normally respond to the guest's compose_msi
request after the host has started to eject the PCI device.

Fix the synchronization by leveraging the requestor lock as follows:

  - Before 'return'-ing in hv_compose_msi_msg(), remove the ID (while
    holding the requestor lock) associated to the completion packet.

  - Retrieve the address *and call ->completion_func() within a same
    (requestor) critical section in hv_pci_onchannelcallback().

Reported-by: Wei Hu <weh@microsoft.com>
Reported-by: Dexuan Cui <decui@microsoft.com>
Suggested-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20220419122325.10078-7-parri.andrea@gmail.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
 		2022-04-25 15:51:13 +00:00
..
accessibility
acpi Merge branch 'acpi-bus' 2022-04-08 19:50:44 +02:00
amba
android
ata ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-22 08:45:06 +09:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-17 13:56:58 -07:00
auxdisplay auxdisplay: lcd2s: Use array size explicitly in lcd2s_gotoxy() 2022-03-18 20:31:14 +01:00
base net: mdio: don't defer probe forever if PHY IRQ provider is missing 2022-04-08 14:17:55 -07:00
bcma Core MTD changes: 2022-03-25 13:35:34 -07:00
block block: null_blk: end timed out poll request 2022-04-14 10:16:33 -06:00
bluetooth Bluetooth: ath3k: remove superfluous header files 2022-03-18 17:12:09 +01:00
bus Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
cdrom cdrom: remove unused variable 2022-04-06 08:47:52 -06:00
char random: use memmove instead of memcpy for remaining 32 bytes 2022-04-16 12:53:31 +02:00
clk A single revert to fix a boot regression seen when clk_put() started 2022-04-03 12:21:14 -07:00
clocksource asm-generic updates for 5.18 2022-03-23 18:03:08 -07:00
comedi
connector
counter Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
cpufreq Merge branch 'cpufreq/arm/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm 2022-03-22 12:15:47 +01:00
cpuidle cpuidle: riscv: support non-SMP config 2022-04-19 17:42:08 -07:00
crypto virtio: features, fixes 2022-03-31 13:57:15 -07:00
cxl cxl/pci: Drop shadowed variable 2022-04-08 12:59:43 -07:00
dax dax for 5.18 2022-03-24 18:12:09 -07:00
dca
devfreq
dio
dma dmaengine: idxd: skip clearing device context when device is read-only 2022-04-20 17:24:43 +05:30
dma-buf dma-buf: handle empty dma_fence_arrays gracefully 2022-03-29 09:14:30 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-04-14 14:44:49 +02:00
eisa
extcon
firewire
firmware sound fixes for 5.18-rc4 2022-04-22 13:11:38 -07:00
fpga
fsi
gnss
gpio gpio: Request interrupts after IRQ is initialized 2022-04-22 13:59:19 -07:00
gpu Two fixes for the raspberrypi panel initialisation, one fix for a logic 2022-04-23 15:00:44 +10:00
greybus
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2022-04-01 10:14:32 -07:00
hsi
hv Drivers: hv: vmbus: Introduce {lock,unlock}_requestor() 2022-04-25 15:51:13 +00:00
hwmon Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
hwspinlock hwspinlock: sprd: Use struct_size() helper in devm_kzalloc() 2022-03-11 14:56:57 -06:00
hwtracing Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
i2c i2c: ismt: Fix undefined behavior due to shift overflowing the constant 2022-04-15 23:49:02 +02:00
i3c
idle cpuidle: intel_idle: Drop redundant backslash at line end 2022-03-17 14:32:59 +01:00
iio Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
infiniband RDMA/hfi1: Fix use-after-free bug for mm struct 2022-04-08 15:40:06 -03:00
input Input updates for v5.18-rc3 2022-04-23 09:52:07 -07:00
interconnect
iommu iommu/omap: Fix regression in probe for NULL pointer dereference 2022-04-08 11:16:29 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-05 16:33:47 +01:00
isdn mISDN: fix typo "frame to short" -> "frame too short" 2022-03-21 13:26:38 +00:00
leds LED updates for 5.18-rc1. Nothing major here, there are two drivers 2022-03-27 14:09:48 -07:00
macintosh
mailbox mailbox: ti-msgmgr: Operate mailbox in polled mode during system suspend 2022-03-12 19:33:30 -06:00
mcb
md block-5.18-2022-04-22 2022-04-23 09:46:44 -07:00
media media: si2157: unknown chip version Si2147-A30 ROM 0x50 2022-04-09 17:45:49 +02:00
memory memory: fsl_ifc: populate child nodes of buses and mfd devices 2022-04-06 09:39:16 +02:00
memstick
message scsi: message: fusion: Remove redundant variable dmp 2022-04-06 22:28:07 -04:00
mfd - New Drivers 2022-03-25 13:56:18 -07:00
misc habanalabs: Fix test build failures 2022-04-04 17:03:04 +02:00
mmc mmc: core: improve API to make clear mmc_hw_reset is for cards 2022-04-08 11:00:08 +02:00
most
mtd This pull request contains fixes for JFFS2, UBI and UBIFS 2022-03-31 16:09:41 -07:00
mux
net drivers: net: hippi: Fix deadlock in rr_close() 2022-04-21 10:30:45 +02:00
nfc spi: Updates for v5.18 2022-03-21 18:33:57 -07:00
ntb
nubus
nvdimm libnvdimm for 5.18 2022-03-30 10:04:11 -07:00
nvme nvme-pci: disable namespace identifiers for Qemu controllers 2022-04-15 06:56:17 +02:00
nvmem nvmem: brcm_nvram: parse NVRAM content into NVMEM cells 2022-03-18 14:08:36 +01:00
of Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
opp
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-03-29 21:37:12 +02:00
parport parport_pc: Also enable driver for PCI systems 2022-03-18 14:01:41 +01:00
pci PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() 2022-04-25 15:51:13 +00:00
pcmcia
peci
perf arm_pmu: Validate single/group leader events 2022-04-13 11:48:45 +01:00
phy phy: PHY_FSL_LYNX_28G should depend on ARCH_LAYERSCAPE 2022-03-29 08:45:16 -07:00
pinctrl Pin control bulk changes for the v5.18 kernel cycle 2022-03-28 11:52:53 -07:00
platform platform/x86: amd-pmc: Fix compilation without CONFIG_SUSPEND 2022-04-04 16:26:09 +02:00
pnp PNP update for 5.18-rc1 2022-03-21 14:46:01 -07:00
power power: supply: Reset err after not finding static battery 2022-04-13 12:05:22 +02:00
powercap
pps pps: generators: pps_gen_parport: Switch to use module_parport_driver() 2022-03-18 14:01:19 +01:00
ps3
ptp ptp: ocp: handle error from nvmem_device_find 2022-03-30 12:08:11 -07:00
pwm
rapidio
ras
regulator regulator: atc260x: Fix missing active_discharge_on setting 2022-04-04 08:59:43 +01:00
remoteproc remoteproc updates for v5.18 2022-03-30 10:50:48 -07:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-04 11:14:13 +02:00
rpmsg rpmsg: ctrl: Introduce new RPMSG_CREATE/RELEASE_DEV_IOCTL controls 2022-03-13 11:49:53 -05:00
rtc RTC for 5.18 2022-04-01 09:37:18 -07:00
s390 s390: cleanup timer API use 2022-03-27 22:18:39 +02:00
sbus
scsi scsi: sr: Do not leak information in ioctl 2022-04-18 22:48:31 -04:00
sh
siox
slimbus
soc Networking changes for 5.18. 2022-03-24 13:13:26 -07:00
soundwire Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
spi spi: Fixes for v5.18 2022-04-19 10:30:43 -07:00
spmi
ssb
staging staging: r8188eu: Fix PPPoE tag insertion on little endian systems 2022-04-04 16:35:20 +02:00
target Merge branch '5.18/scsi-queue' into 5.18/scsi-fixes 2022-04-06 21:46:54 -04:00
tc
tee ARM driver updates for 5.18 2022-03-23 18:23:13 -07:00
thermal Merge branch 'thermal-hfi' 2022-03-18 19:00:26 +01:00
thunderbolt Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
tty tty: serial: mpc52xx_uart: make rx/tx hooks return unsigned, part II. 2022-04-04 10:33:02 +02:00
uio
usb xen: branch for v5.18-rc1 2022-03-28 14:32:39 -07:00
vdpa virtio: fixes, cleanups 2022-04-05 10:40:52 -07:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-13 11:37:44 -06:00
vhost virtio: features, fixes 2022-03-31 13:57:15 -07:00
video fbdev: Fix unregistering of framebuffers without device 2022-04-06 21:12:28 +02:00
virt Random number generator fixes for Linux 5.18-rc1. 2022-03-31 14:51:34 -07:00
virtio virtio: fixes, cleanups 2022-04-05 10:40:52 -07:00
visorbus
vlynq
vme
w1 w1: w1_therm: Add support for Maxim MAX31850 thermoelement IF. 2022-03-18 14:07:09 +01:00
watchdog linux-watchdog 5.18-rc1 tag 2022-03-31 14:14:03 -07:00
xen xen: Convert kmap() to kmap_local_page() 2022-04-20 15:22:18 -05:00
zorro
Kconfig
Makefile