Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.2.78 2016-02-27T14:28:44Z 2016-02-27T14:28:44Z Michael S. Tsirkin mst@redhat.com 2016-01-14T14:00:41Z urn:sha1:407d1634d56b841279e1478253c212ea27bb7ea0 commit 2989be09a8a9d62a785137586ad941f916e08f83 upstream. KASan detected a use-after-free error in virtio-pci remove code. In virtio_pci_remove(), vp_dev is still used after being freed in unregister_virtio_device() (in virtio_pci_release_dev() more precisely). To fix, keep a reference until cleanup is done. Fixes: 63bd62a08ca4 ("virtio_pci: defer kfree until release callback") Reported-by: Jerome Marchand <jmarchan@redhat.com> Cc: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Jerome Marchand <jmarchan@redhat.com> [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2015-02-20T00:49:34Z Michael S. Tsirkin mst@redhat.com 2015-01-04T15:28:27Z urn:sha1:c578662ec973f2cdc5e7a81f9fec1bfb45440342 commit a1eb03f546d651a8f39c7d0692b1f7f5b4e7e3cd upstream. The reason we defer kfree until release function is because it's a general rule for kobjects: kfree of the reference counter itself is only legal in the release function. Previous patch didn't make this clear, document this in code. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2015-02-20T00:49:34Z Sasha Levin sasha.levin@oracle.com 2015-01-02T19:47:40Z urn:sha1:119d5897cc5f9f73e352a1c647d21b9d506b8c0a commit 63bd62a08ca45a0c804c3c89777edc7f76a2d6da upstream. A struct device which has just been unregistered can live on past the point at which a driver decides to drop it's initial reference to the kobject gained on allocation. This implies that when releasing a virtio device, we can't free a struct virtio_device until the underlying struct device has been released, which might not happen immediately on device_unregister(). Unfortunately, this is exactly what virtio pci does: it has an empty release callback, and frees memory immediately after unregistering the device. This causes an easy to reproduce crash if CONFIG_DEBUG_KOBJECT_RELEASE it enabled. To fix, free the memory only once we know the device is gone in the release callback. Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2015-02-20T00:49:34Z Wanlong Gao gaowanlong@cn.fujitsu.com 2012-12-11T00:34:50Z urn:sha1:ddabe0f7922dc94249030ce3f3f7cae9ef34dbe3 commit 9bffdca8c64a72ac54c47a552734ab457bc720d4 upstream. Use dev_to_virtio wrapper in virtio to make code clearly. Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2014-04-30T15:23:22Z Rusty Russell rusty@rustcorp.com.au 2014-03-13T00:53:38Z urn:sha1:d7a04a3b663789ecfd80c4eeea742c73d3ccb540 commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream. When adding or removing 100G from a balloon: BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367] We have a wait_event_interruptible(), but the condition is always true (more ballooning to do) so we don't ever sleep. We also have a wait_event() for the host to ack, but that is also always true as QEMU is synchronous for balloon operations. Reported-by: Gopesh Kumar Chaudhary <gopchaud@in.ibm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2013-08-02T20:14:52Z Michael S. Tsirkin mst@redhat.com 2013-07-09T10:19:18Z urn:sha1:1e079ec5c16199e63c9c5e0e346a0fdf47681f32 commit cc229884d3f77ec3b1240e467e0236c3e0647c0c upstream. This adds a way to check ring empty state after enable_cb outside any locks. Will be used by virtio_net. Note: there's room for more optimization: caller is likely to have a memory barrier already, which means we might be able to get rid of a barrier here. Deferring this optimization until we do some benchmarking. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> [wg: Backported to 3.2] Signed-off-by: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2013-01-03T03:32:58Z Will Deacon will.deacon@arm.com 2012-10-19T13:03:33Z urn:sha1:1e02c9c8133e41c623596f5b09eb9185a2f69bcc commit b92b1b89a33c172c075edccf6afb0edc41d851fd upstream. Virtio devices may attempt to add descriptors to a virtqueue from atomic context using GFP_ATOMIC allocation. This is problematic because such allocations can fall outside of the lowmem mapping, causing virt_to_phys to report bogus physical addresses which are subsequently passed to userspace via the buffers for the virtual device. This patch masks out __GFP_HIGH and __GFP_HIGHMEM from the requested flags when allocating descriptors for a virtqueue. If an atomic allocation is requested and later fails, we will return -ENOSPC which will be handled by the driver. Cc: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2011-11-24T02:34:48Z Michael S. Tsirkin mst@redhat.com 2011-11-17T15:41:15Z urn:sha1:e6af578c5305be693a1bc7f4dc7b51dd82d41425 virtio pci device reset actually just does an I/O write, which in PCI is really posted, that is it can complete on CPU before the device has received it. Further, interrupts might have been pending on another CPU, so device callback might get invoked after reset. This conflicts with how drivers use reset, which is typically: reset unregister a callback running after reset completed can race with unregister, potentially leading to use after free bugs. Fix by flushing out the write, and flushing pending interrupts. This assumes that device is never reset from its vq/config callbacks, or in parallel with being added/removed, document this assumption. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2011-11-24T02:34:47Z Sasha Levin levinsasha928@gmail.com 2011-11-15T14:17:18Z urn:sha1:fe1a7fe2c4456679b3402f04268bdfafca7b127a Guest features selector spelling mistake. Cc: Pawel Moll <pawel.moll@arm.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: virtualization@lists.linux-foundation.org Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2011-11-24T02:34:47Z Heiko Carstens heiko.carstens@de.ibm.com 2011-11-15T09:13:24Z urn:sha1:bd20817f733ceb0291e0449106307ffc939006ba Fix this compile error on s390: CC [M] drivers/virtio/virtio_mmio.o drivers/virtio/virtio_mmio.c: In function 'vm_get_features': drivers/virtio/virtio_mmio.c:107:2: error: implicit declaration of function 'writel' Cc: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Acked-by: Pawel Moll <pawel.moll@arm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>