linux/drivers
Vitaly Kuznetsov f1940d4e9c Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver
The following crash happens when a never-used device is unbound from the
uio_hv_generic driver:

 kernel BUG at mm/slub.c:321!
 invalid opcode: 0000 [#1] SMP PTI
 CPU: 0 PID: 4001 Comm: bash Kdump: loaded Tainted: G               X --------- ---  5.14.0-0.rc2.23.el9.x86_64 #1
 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008  12/07/2018
 RIP: 0010:__slab_free+0x1d5/0x3d0
...
 Call Trace:
  ? pick_next_task_fair+0x18e/0x3b0
  ? __cond_resched+0x16/0x40
  ? vunmap_pmd_range.isra.0+0x154/0x1c0
  ? __vunmap+0x22d/0x290
  ? hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  kfree+0x331/0x380
  ? hv_uio_remove+0x43/0x60 [uio_hv_generic]
  hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  vmbus_free_ring+0x21/0x60 [hv_vmbus]
  hv_uio_remove+0x4f/0x60 [uio_hv_generic]
  vmbus_remove+0x23/0x30 [hv_vmbus]
  __device_release_driver+0x17a/0x230
  device_driver_detach+0x3c/0xa0
  unbind_store+0x113/0x130
...

The problem appears to be that we free 'ring_info->pkt_buffer' twice:
first, when the device is unbound from the in-kernel driver (netvsc in this
case) and second from hv_uio_remove(). Normally, the ring buffer is supposed
to be re-initialized from hv_uio_open(), but this happens only when the UIO
device is being opened, and that is not guaranteed to happen.

Generally, it is OK to call hv_ringbuffer_cleanup() twice for the same
channel (which is being handed over between in-kernel drivers and UIO) even
if we didn't call hv_ringbuffer_init() in between. We, however, need to
avoid the kfree() call for an already freed pointer.

Fixes: adae1e931a ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20210831143916.144983-1-vkuznets@redhat.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
2021-09-03 11:00:06 +00:00
accessibility TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
acpi Merge branch 'acpi-pm' 2021-08-20 21:11:43 +02:00
amba
android
ata libata-5.14-2021-07-30 2021-07-30 10:56:47 -07:00
atm Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
auxdisplay
base PM: domains: Improve runtime PM performance state handling 2021-08-25 20:15:54 +02:00
bcma
block block-5.14-2021-08-27 2021-08-27 16:08:29 -07:00
bluetooth TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
bus Networking fixes for 5.14(-rc8?), including fixes from can and bpf. 2021-08-26 13:20:22 -07:00
cdrom block: remove REQ_OP_SCSI_{IN,OUT} 2021-06-30 15:34:19 -06:00
char tpm_ftpm_tee: Free and unregister TEE shared memory during kexec 2021-07-21 07:55:50 +02:00
clk One hot fix for a NULL pointer deref in the Renesas usb clk driver 2021-08-29 12:52:17 -07:00
clocksource This round has a diffstat dominated by Qualcomm clk drivers. Honestly though 2021-07-01 13:26:16 -07:00
comedi Staging / IIO driver patches for 5.14-rc1 2021-07-05 14:01:53 -07:00
connector
counter counter: interrupt-cnt: Add const qualifier for actions_list array 2021-06-13 17:00:18 +01:00
cpufreq Merge branch 'cpufreq/arm/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm 2021-08-17 20:52:07 +02:00
cpuidle cpuidle: teo: Rename two local variables in teo_select() 2021-08-03 15:18:57 +02:00
crypto ARM: SoC changes for 5.14 2021-07-10 09:22:44 -07:00
cxl cxl/pci: Rename CXL REGLOC ID 2021-06-17 17:37:18 -07:00
dax Merge branch 'for-5.14/dax' into libnvdimm-fixes 2021-08-11 12:04:43 -07:00
dca
devfreq PM / devfreq: passive: Fix get_target_freq when not using required-opp 2021-06-24 10:37:35 +09:00
dio
dma dmaengine fixes for v5.14 2021-08-06 11:08:24 -07:00
dma-buf Short summary of fixes pull: 2021-07-13 15:15:17 +02:00
edac EDAC/igen6: fix core dependency AGAIN 2021-07-15 11:59:59 -07:00
eisa
extcon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
firewire Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
firmware Ard says: 2021-08-15 06:38:26 -10:00
fpga fpga: dfl: fme: Fix cpu hotplug issue in performance reporting 2021-07-27 11:05:16 -07:00
fsi
gnss
gpio gpio: tqmx86: really make IRQ optional 2021-08-02 17:17:27 +02:00
gpu drm/imx: imx-drm alignment and plane offset fixes 2021-08-27 10:49:53 +10:00
greybus
hid HID: ft260: fix device removal due to USB disconnect 2021-07-29 12:38:32 +02:00
hsi
hv Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver 2021-09-03 11:00:06 +00:00
hwmon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
hwspinlock
hwtracing Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
i2c i2c: dev: zero out array used for i2c reads from userspace 2021-08-10 22:54:10 +02:00
i3c I3C for 5.14 2021-07-10 11:53:06 -07:00
idle
iio iio: adc: Fix incorrect exit of for-loop 2021-07-31 14:46:05 +01:00
infiniband RDMA/rxe: Zero out index member of struct rxe_queue 2021-08-20 15:48:58 -03:00
input This pull request contains the following changes for UML: 2021-07-09 10:19:13 -07:00
interconnect Revert "interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate" 2021-08-12 09:24:39 +03:00
iommu iommu/vt-d: Fix incomplete cache flush in intel_pasid_tear_down_entry() 2021-08-18 13:15:58 +02:00
ipack ipack: tpci200: fix memory leak in the tpci200_register 2021-08-13 10:24:37 +02:00
irqchip irqchip fixes for 5.14, take #1 2021-07-09 15:35:13 +02:00
isdn TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
leds This contains quite a lot of fixes, with more fixes in my inbox that 2021-07-03 11:57:42 -07:00
lightnvm
macintosh
mailbox mbox: add polarfire soc system controller mailbox 2021-06-26 12:06:48 -05:00
mcb mcb: Use DEFINE_RES_MEM() helper macro and fix the end address 2021-06-24 15:56:25 +02:00
md block-5.14-2021-08-07 2021-08-07 10:26:21 -07:00
media media: ipu3-cio2: Drop reference on error path in cio2_bridge_connect_sensor() 2021-08-26 18:52:30 +02:00
memory Memory controller drivers for v5.14 - Tegra SoC, part two 2021-06-16 17:36:30 -07:00
memstick for-5.14/block-2021-06-29 2021-06-30 12:12:56 -07:00
message scsi: message: mptfc: Switch from pci_ to dma_ API 2021-06-22 23:00:01 -04:00
mfd Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
misc Merge tag 'at24-fixes-for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-current 2021-07-20 22:28:56 +02:00
mmc Revert "mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711" 2021-08-27 16:30:36 +02:00
most
mtd MTD core fixes: 2021-08-16 06:36:01 -10:00
mux
net Revert "net: really fix the build..." 2021-08-26 11:08:32 -07:00
nfc nfc: nfcsim: fix use after free during module unload 2021-07-28 10:20:16 +01:00
ntb
nubus
nvdimm libnvdimm/region: Fix label activation vs errors 2021-08-11 11:54:43 -07:00
nvme block-5.14-2021-07-24 2021-07-24 12:57:06 -07:00
nvmem Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
of Devicetree updates for v5.14: 2021-07-03 10:54:08 -07:00
opp opp: core: Check for pending links before reading required_opp pointers 2021-08-23 12:44:55 +05:30
parisc kernel.h: split out panic and oops helpers 2021-07-01 11:06:04 -07:00
parport
pci PCI/MSI: Skip masking MSI-X on Xen PV 2021-08-27 00:27:15 +02:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-07-23 08:08:54 +02:00
perf drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() 2021-06-17 19:45:24 +01:00
phy USB / Thunderbolt patches for 5.14-rc1 2021-07-05 14:16:22 -07:00
pinctrl pinctrl: amd: Fix an issue with shutdown when system set to s0ix 2021-08-12 11:16:40 +02:00
platform platform/x86: gigabyte-wmi: add support for B450M S2H V2 2021-08-18 19:39:31 +02:00
pnp Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
power power: supply: Fix fall-through warnings for Clang 2021-07-13 14:50:47 -05:00
powercap
pps
ps3
ptp ptp_pch: Restore dependency on PCI 2021-08-16 11:11:06 +01:00
pwm pwm: ep93xx: Ensure configuring period and duty_cycle isn't wrongly skipped 2021-07-08 16:09:30 +02:00
rapidio
ras
regulator regulator: Fixes for v5.14 2021-07-21 12:37:49 -07:00
remoteproc remoteproc updates for v5.14 2021-07-07 10:50:03 -07:00
reset reset: reset-zynqmp: Fixed the argument data type 2021-08-23 12:55:18 +02:00
rpmsg rpmsg: core: Add driver_data for rpmsg_device_id 2021-06-18 13:13:40 -07:00
rtc RTC for 5.14 2021-07-10 16:19:10 -07:00
s390 Networking fixes for 5.14-rc6, including fixes from netfilter, bpf, 2021-08-12 16:24:03 -10:00
sbus
scsi SCSI fixes on 20210828 2021-08-28 11:39:16 -07:00
sh
siox siox: Simplify error handling via dev_err_probe() 2021-06-24 15:46:34 +02:00
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-13 10:22:30 +02:00
soc NXP/FSL SoC driver fixes for v5.14 2021-08-16 22:42:02 +02:00
soundwire Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
spi spi: Fixes for v5.14 2021-08-06 11:15:02 -07:00
spmi spmi: hisi-spmi-controller: move driver from staging 2021-06-25 10:02:05 +02:00
ssb ssb: use DEVICE_ATTR_ADMIN_RW() helper macro 2021-06-15 13:11:56 +03:00
staging Revert "media: dvb header files: move some headers to staging" 2021-08-23 09:49:09 -07:00
target scsi: target: Fix NULL dereference on XCOPY completion 2021-07-20 23:18:22 -04:00
tc
tee tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag 2021-07-21 07:55:50 +02:00
thermal - Add rk3568 sensor support (Finley Xiao) 2021-07-10 11:43:25 -07:00
thunderbolt Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels" 2021-07-27 18:14:25 +02:00
tty serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts. 2021-07-30 13:06:19 +02:00
uio
usb usb: gadget: u_audio: fix race condition on endpoint stop 2021-08-27 16:07:23 +02:00
vdpa virtio,vhost,vdpa: bugfixes 2021-08-16 06:16:25 -10:00
vfio VFIO update for v5.14-rc1 2021-07-03 11:49:33 -07:00
vhost vringh: Use wiov->used to check for read/write desc order 2021-08-11 06:44:24 -04:00
video drm fixes for 5.14-rc2 2021-07-16 11:14:54 -07:00
virt virt: acrn: Do hcall_destroy_vm() before resource release 2021-07-27 16:48:45 +02:00
virtio virtio-mem: fix sleeping in RCU read side section in virtio_mem_online_page_cb() 2021-08-27 11:39:36 -07:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.14-rc1 tag 2021-07-07 12:57:46 -07:00
xen xen: branch for v5.14-rc6 2021-08-14 06:31:22 -10:00
zorro
Kconfig ide: remove the legacy ide driver 2021-06-16 08:53:58 -06:00
Makefile hyperv-next for 5.14 2021-06-29 11:21:35 -07:00