From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vitaly Kuznetsov, Andrea Parri, Michael Kelley, Wei Liu, Sasha Levin
Subject: [PATCH 5.14 080/168] Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver
Date: Mon, 20 Sep 2021 18:43:38 +0200
Message-Id: <20210920163924.269200445@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210920163921.633181900@linuxfoundation.org>
References: <20210920163921.633181900@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Vitaly Kuznetsov

[ Upstream commit f1940d4e9cbe6208e7e77e433c587af108152a17 ]

The following crash happens when a never-used device is unbound from
uio_hv_generic driver:

 kernel BUG at mm/slub.c:321!
 invalid opcode: 0000 [#1] SMP PTI
 CPU: 0 PID: 4001 Comm: bash Kdump: loaded Tainted: G X --------- ---  5.14.0-0.rc2.23.el9.x86_64 #1
 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
 RIP: 0010:__slab_free+0x1d5/0x3d0
 ...
 Call Trace:
  ? pick_next_task_fair+0x18e/0x3b0
  ? __cond_resched+0x16/0x40
  ? vunmap_pmd_range.isra.0+0x154/0x1c0
  ? __vunmap+0x22d/0x290
  ? hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  kfree+0x331/0x380
  ? hv_uio_remove+0x43/0x60 [uio_hv_generic]
  hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  vmbus_free_ring+0x21/0x60 [hv_vmbus]
  hv_uio_remove+0x4f/0x60 [uio_hv_generic]
  vmbus_remove+0x23/0x30 [hv_vmbus]
  __device_release_driver+0x17a/0x230
  device_driver_detach+0x3c/0xa0
  unbind_store+0x113/0x130
 ...

The problem appears to be that we free 'ring_info->pkt_buffer' twice:
first, when the device is unbound from in-kernel driver (netvsc in this
case) and second from hv_uio_remove(). Normally, ring buffer is supposed
to be re-initialized from hv_uio_open() but this happens when UIO device
is being opened and this is not guaranteed to happen.

Generally, it is OK to call hv_ringbuffer_cleanup() twice for the same
channel (which is being handed over between in-kernel drivers and UIO)
even if we didn't call hv_ringbuffer_init() in between. We, however, need
to avoid kfree() call for an already freed pointer.

Fixes: adae1e931acd ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer")
Signed-off-by: Vitaly Kuznetsov
Reviewed-by: Andrea Parri
Reviewed-by: Michael Kelley
Link: https://lore.kernel.org/r/20210831143916.144983-1-vkuznets@redhat.com
Signed-off-by: Wei Liu
Signed-off-by: Sasha Levin
---
 drivers/hv/ring_buffer.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c index 2aee356840a2..314015d9e912 100644 --- a/drivers/hv/ring_buffer.c +++ b/drivers/hv/ring_buffer.c @@ -245,6 +245,7 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info) mutex_unlock(&ring_info->ring_buffer_mutex); kfree(ring_info->pkt_buffer); + ring_info->pkt_buffer = NULL; ring_info->pkt_buffer_size = 0; } -- 2.30.2
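Review bot: The kfree() and the new `ring_info->pkt_buffer = NULL;` store both sit after `mutex_unlock(&ring_info->ring_buffer_mutex);`, so this hunk makes a second, sequential hv_ringbuffer_cleanup() harmless (kfree(NULL) is a no-op) but does not cover two cleanups that overlap in time; if the in-kernel driver and uio_hv_generic paths are only ever serialized by the driver core, a one-line comment stating that assumption next to the NULL store would document why the clearing is enough. Also consider whether `pkt_buffer_size = 0` and the NULL store should move under the mutex together, so readers checking the size never observe a zero size with a non-NULL pointer, or vice versa.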
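The commit message describes the defect as a second hv_ringbuffer_cleanup() on a channel whose pkt_buffer was already freed and never re-initialized. The C below is an added illustration, not the kernel's code: it models that handover with a hypothetical `struct ring_buffer_info`, a constructed allocation tracker (`tracked_alloc`/`tracked_free`, standing in for kmalloc/kfree and for the slub sanity check) that counts a free of an untracked pointer instead of crashing, and the cleanup routine both before and after the one-line fix, so the double free is observable as a return value.

```c
/* Added example, not the kernel's code: models the pkt_buffer lifecycle
 * from the patch with a tiny allocation tracker so a double free becomes
 * a counted event rather than undefined behaviour. All names are
 * hypothetical stand-ins for the kernel functions they imitate. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16

/* Constructed tracker state: addresses of live allocations (0 = free slot). */
static uintptr_t live[MAX_LIVE];
static int double_free_count;

/* Stand-in for kmalloc(): remember the returned address as live. */
static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == 0) {
            live[i] = (uintptr_t)p;
            return p;
        }
    }
    free(p);          /* tracker full; treat as allocation failure */
    return NULL;
}

/* Stand-in for kfree(): NULL is a no-op; an untracked address is a double free
 * (the real allocator reports this as the BUG at mm/slub.c in the trace). */
static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == (uintptr_t)p) {
            live[i] = 0;
            free(p);
            return;
        }
    }
    double_free_count++;
}

/* Hypothetical subset of hv_ring_buffer_info relevant to the fix. */
struct ring_buffer_info {
    void *pkt_buffer;
    size_t pkt_buffer_size;
};

static int ring_init(struct ring_buffer_info *ri, size_t n)
{
    ri->pkt_buffer = tracked_alloc(n);
    if (ri->pkt_buffer == NULL)
        return -1;
    ri->pkt_buffer_size = n;
    return 0;
}

/* Before the fix: the freed pointer is left dangling in the struct. */
static void ring_cleanup_before(struct ring_buffer_info *ri)
{
    tracked_free(ri->pkt_buffer);
    ri->pkt_buffer_size = 0;
}

/* After the fix: the pointer is cleared, so a repeat cleanup frees NULL. */
static void ring_cleanup_after(struct ring_buffer_info *ri)
{
    tracked_free(ri->pkt_buffer);
    ri->pkt_buffer = NULL;
    ri->pkt_buffer_size = 0;
}

/* Replays the sequence from the commit message: cleanup on in-kernel driver
 * unbind, then cleanup again from the UIO remove path with no init between.
 * Returns the number of double frees the tracker observed (-1 on alloc failure). */
static int simulate_unbind(void (*cleanup)(struct ring_buffer_info *))
{
    struct ring_buffer_info ri;
    double_free_count = 0;
    if (ring_init(&ri, 64) != 0)
        return -1;
    cleanup(&ri);     /* netvsc unbind */
    cleanup(&ri);     /* uio_hv_generic remove, hv_uio_open() never ran */
    return double_free_count;
}

int main(void)
{
    printf("double frees before fix: %d\n", simulate_unbind(ring_cleanup_before));
    printf("double frees after fix:  %d\n", simulate_unbind(ring_cleanup_after));
    return 0;
}
```

The tracker compares addresses as integers rather than dereferencing anything, so the dangling pointer in the "before" case is only ever inspected, never used; that is what lets the example report the defect deterministically where the real kernel BUGs.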