Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754213AbbBDH32 (ORCPT ); Wed, 4 Feb 2015 02:29:28 -0500 Received: from mail-bl2on0117.outbound.protection.outlook.com ([65.55.169.117]:64184 "EHLO na01-bl2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751383AbbBDH30 convert rfc822-to-8bit (ORCPT ); Wed, 4 Feb 2015 02:29:26 -0500 From: Dexuan Cui To: Vitaly Kuznetsov , KY Srinivasan , "devel@linuxdriverproject.org" CC: Haiyang Zhang , "linux-kernel@vger.kernel.org" , Jason Wang Subject: RE: [PATCH 4/4] hyperv: netvsc: improve protection against rescind offer Thread-Topic: [PATCH 4/4] hyperv: netvsc: improve protection against rescind offer Thread-Index: AQHQP9L8UewVLqgGJk627GjRVSvMU5zgEGKA Date: Wed, 4 Feb 2015 07:29:09 +0000 Message-ID: References: <1422982839-3948-1-git-send-email-vkuznets@redhat.com> <1422982839-3948-5-git-send-email-vkuznets@redhat.com> In-Reply-To: <1422982839-3948-5-git-send-email-vkuznets@redhat.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [141.251.55.69] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-EOPAttributedMessage: 0 Authentication-Results: spf=pass (sender IP is 206.191.230.4) smtp.mailfrom=decui@microsoft.com; linuxdriverproject.org; dkim=none (message not signed) header.d=none; X-Forefront-Antispam-Report: CIP:206.191.230.4;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(10019020)(6009001)(438002)(13464003)(377454003)(51704005)(22746005)(22756005)(62966003)(102836002)(77156002)(2501002)(2656002)(46102003)(55846006)(50466002)(46406003)(1511001)(2950100001)(2920100001)(86146001)(47776003)(87936001)(2900100001)(66066001)(92566002)(97756001)(54356999)(106116001)(106466001)(6806004)(86362001)(2421001)(104016003)(23726002)(575784001)(50986999)(19580405001)(86612001)(19580395003)(33656002)(76176999)(79686002);DIR:OUT;SFP:1102;SCL:1;SRVR:BY1PR0301MB0838;H:064-smtp-out.microsoft.com;FPR:;SPF:Pass;MLV:sfv;LANG:en; X-Microsoft-Antispam: UriScan:;UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB0838; X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004);SRVR:BY1PR0301MB0838; X-Forefront-PRVS: 04772EA191 X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB0838; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Feb 2015 07:29:21.4837 (UTC) X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[206.191.230.4] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0301MB0838 X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1237; X-OriginatorOrg: microsoft.onmicrosoft.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2688 Lines: 73 > -----Original Message----- > From: Vitaly Kuznetsov [mailto:vkuznets@redhat.com] > Sent: Wednesday, February 4, 2015 1:01 AM > To: KY Srinivasan; devel@linuxdriverproject.org > Cc: Haiyang Zhang; linux-kernel@vger.kernel.org; Dexuan Cui; Jason Wang > Subject: [PATCH 4/4] hyperv: netvsc: improve protection against rescind offer > > The check added in commit c3582a2c4d0b ("hyperv: Add support for vNIC hot > removal") is incomplete as there is no synchronization between > vmbus_onoffer_rescind() and netvsc_send(). In case we get the offer after we > checked out_channel->rescind and before netvsc_send() finishes its job we can > get a crash as we'll be dealing with already freed channel. > > Make netvsc_send() take additional reference to the channel with newly > introduced vmbus_get_channel(), this guarantees we won't lose the channel. > We > can still get rescind while we're processing but this won't cause a crash. > > Reported-by: Jason Wang > Signed-off-by: Vitaly Kuznetsov > --- > drivers/net/hyperv/netvsc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c > index 9f49c01..d9b13a1 100644 > --- a/drivers/net/hyperv/netvsc.c > +++ b/drivers/net/hyperv/netvsc.c > @@ -763,11 +763,16 @@ int netvsc_send(struct hv_device *device, > out_channel = net_device->chn_table[packet->q_idx]; > if (out_channel == NULL) > out_channel = device->channel; > - packet->channel = out_channel; > + packet->channel = vmbus_get_channel(out_channel); > > - if (out_channel->rescind) > + if (!packet->channel) > return -ENODEV; > > + if (out_channel->rescind) { > + vmbus_put_channel(out_channel); IMO the patch doesn't resolve the real issue. At most it prevents the channel from disappearing in netvsc_send() only, while actually we also need to make sure the channel is not freed before the driver runs netvsc_remove() -> rndis_filter_device_remove() -> -> netvsc_device_remove() -> vmbus_close(). I suggest we add vmbus_get/put_channel() in vmbus_open/close()? -- Dexuan > + return -ENODEV; > + } > + > if (packet->page_buf_cnt) { > ret = vmbus_sendpacket_pagebuffer(out_channel, > packet->page_buf, > @@ -810,6 +815,7 @@ int netvsc_send(struct hv_device *device, > packet, ret); > } > > + vmbus_put_channel(packet->channel); > return ret; > } > > -- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/