diff mbox series

Netvsc: Call hv_unmap_memory() in the netvsc_device_remove()

Message ID 20220201163211.467423-1-ltykernel@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series Netvsc: Call hv_unmap_memory() in the netvsc_device_remove() | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 1 blamed authors not CCed: mikelley@microsoft.com; 1 maintainers not CCed: mikelley@microsoft.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 35 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Tianyu Lan Feb. 1, 2022, 4:32 p.m. UTC 
From: Tianyu Lan <Tianyu.Lan@microsoft.com>

netvsc_device_remove() calls vunmap() inside which should not be
called in the interrupt context. Current code calls hv_unmap_memory()
in the free_netvsc_device() which is rcu callback and maybe called
in the interrupt context. This will trigger BUG_ON(in_interrupt())
in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_
remove().

Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver")
Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
---
 drivers/net/hyperv/netvsc.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

Comments

Haiyang Zhang Feb. 1, 2022, 11:20 p.m. UTC | #1 
> -----Original Message-----
> From: Tianyu Lan <ltykernel@gmail.com>
> Sent: Tuesday, February 1, 2022 11:32 AM
> To: KY Srinivasan <kys@microsoft.com>; Haiyang Zhang <haiyangz@microsoft.com>; Stephen
> Hemminger <sthemmin@microsoft.com>; wei.liu@kernel.org; Dexuan Cui <decui@microsoft.com>;
> tglx@linutronix.de; mingo@redhat.com; bp@alien8.de; dave.hansen@linux.intel.com;
> x86@kernel.org; hpa@zytor.com; davem@davemloft.net; kuba@kernel.org; hch@infradead.org;
> m.szyprowski@samsung.com; robin.murphy@arm.com; Michael Kelley (LINUX)
> <mikelley@microsoft.com>
> Cc: Tianyu Lan <Tianyu.Lan@microsoft.com>; iommu@lists.linux-foundation.org; linux-
> hyperv@vger.kernel.org; linux-kernel@vger.kernel.org; netdev@vger.kernel.org
> Subject: [PATCH] Netvsc: Call hv_unmap_memory() in the netvsc_device_remove()
> 
> From: Tianyu Lan <Tianyu.Lan@microsoft.com>
> 
> netvsc_device_remove() calls vunmap() inside which should not be
> called in the interrupt context. Current code calls hv_unmap_memory()
> in the free_netvsc_device() which is rcu callback and maybe called
> in the interrupt context. This will trigger BUG_ON(in_interrupt())
> in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_
> remove().
> 
> Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver")
> Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
> ---
>  drivers/net/hyperv/netvsc.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index afa81a9480cc..f989f920d4ce 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -154,19 +154,15 @@ static void free_netvsc_device(struct rcu_head *head)
> 
>  	kfree(nvdev->extension);
> 
> -	if (nvdev->recv_original_buf) {
> -		hv_unmap_memory(nvdev->recv_buf);
> +	if (nvdev->recv_original_buf)
>  		vfree(nvdev->recv_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->recv_buf);
> -	}
> 
> -	if (nvdev->send_original_buf) {
> -		hv_unmap_memory(nvdev->send_buf);
> +	if (nvdev->send_original_buf)
>  		vfree(nvdev->send_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->send_buf);
> -	}
> 
>  	bitmap_free(nvdev->send_section_map);
> 
> @@ -765,6 +761,12 @@ void netvsc_device_remove(struct hv_device *device)
>  		netvsc_teardown_send_gpadl(device, net_device, ndev);
>  	}
> 
> +	if (net_device->recv_original_buf)
> +		hv_unmap_memory(net_device->recv_buf);
> +
> +	if (net_device->send_original_buf)
> +		hv_unmap_memory(net_device->send_buf);
> +
>  	/* Release all resources */
>  	free_netvsc_device_rcu(net_device);
>  }

Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Michael Kelley (LINUX) Feb. 2, 2022, 5:05 p.m. UTC | #2 
From: Tianyu Lan <ltykernel@gmail.com> Sent: Tuesday, February 1, 2022 8:32 AM
> 
> netvsc_device_remove() calls vunmap() inside which should not be
> called in the interrupt context. Current code calls hv_unmap_memory()
> in the free_netvsc_device() which is rcu callback and maybe called
> in the interrupt context. This will trigger BUG_ON(in_interrupt())
> in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_
> remove().

I think this change can fail to call hv_unmap_memory() in an error case.

If netvsc_init_buf() fails after hv_map_memory() succeeds for the receive
buffer or for the send buffer, no corresponding hv_unmap_memory() will
be done.  The failure in netvsc_init_buf() will cause netvsc_connect_vsp()
to fail, so netvsc_add_device() will "goto close" where free_netvsc_device()
will be called.  But free_netvsc_device() no longer calls hv_unmap_memory(),
so it won't ever happen.   netvsc_device_remove() is never called in this case
because netvsc_add_device() failed.

Michael

> 
> Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver")
> Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
> ---
>  drivers/net/hyperv/netvsc.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index afa81a9480cc..f989f920d4ce 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -154,19 +154,15 @@ static void free_netvsc_device(struct rcu_head *head)
> 
>  	kfree(nvdev->extension);
> 
> -	if (nvdev->recv_original_buf) {
> -		hv_unmap_memory(nvdev->recv_buf);
> +	if (nvdev->recv_original_buf)
>  		vfree(nvdev->recv_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->recv_buf);
> -	}
> 
> -	if (nvdev->send_original_buf) {
> -		hv_unmap_memory(nvdev->send_buf);
> +	if (nvdev->send_original_buf)
>  		vfree(nvdev->send_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->send_buf);
> -	}
> 
>  	bitmap_free(nvdev->send_section_map);
> 
> @@ -765,6 +761,12 @@ void netvsc_device_remove(struct hv_device *device)
>  		netvsc_teardown_send_gpadl(device, net_device, ndev);
>  	}
> 
> +	if (net_device->recv_original_buf)
> +		hv_unmap_memory(net_device->recv_buf);
> +
> +	if (net_device->send_original_buf)
> +		hv_unmap_memory(net_device->send_buf);
> +
>  	/* Release all resources */
>  	free_netvsc_device_rcu(net_device);
>  }
> --
> 2.25.1
Tianyu Lan Feb. 8, 2022, 2:19 p.m. UTC | #3 
On 2/3/2022 1:05 AM, Michael Kelley (LINUX) wrote:
> From: Tianyu Lan<ltykernel@gmail.com>  Sent: Tuesday, February 1, 2022 8:32 AM
>> netvsc_device_remove() calls vunmap() inside which should not be
>> called in the interrupt context. Current code calls hv_unmap_memory()
>> in the free_netvsc_device() which is rcu callback and maybe called
>> in the interrupt context. This will trigger BUG_ON(in_interrupt())
>> in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_
>> remove().
> I think this change can fail to call hv_unmap_memory() in an error case.
> 
> If netvsc_init_buf() fails after hv_map_memory() succeeds for the receive
> buffer or for the send buffer, no corresponding hv_unmap_memory() will
> be done.  The failure in netvsc_init_buf() will cause netvsc_connect_vsp()
> to fail, so netvsc_add_device() will "goto close" where free_netvsc_device()
> will be called.  But free_netvsc_device() no longer calls hv_unmap_memory(),
> so it won't ever happen.   netvsc_device_remove() is never called in this case
> because netvsc_add_device() failed.
> 

Hi Michael:
       Thanks for your review. Nice catch and will fix in the next
version.
diff mbox series

Patch

diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
index afa81a9480cc..f989f920d4ce 100644
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -154,19 +154,15 @@  static void free_netvsc_device(struct rcu_head *head)
 
 	kfree(nvdev->extension);
 
-	if (nvdev->recv_original_buf) {
-		hv_unmap_memory(nvdev->recv_buf);
+	if (nvdev->recv_original_buf)
 		vfree(nvdev->recv_original_buf);
-	} else {
+	else
 		vfree(nvdev->recv_buf);
-	}
 
-	if (nvdev->send_original_buf) {
-		hv_unmap_memory(nvdev->send_buf);
+	if (nvdev->send_original_buf)
 		vfree(nvdev->send_original_buf);
-	} else {
+	else
 		vfree(nvdev->send_buf);
-	}
 
 	bitmap_free(nvdev->send_section_map);
 
@@ -765,6 +761,12 @@  void netvsc_device_remove(struct hv_device *device)
 		netvsc_teardown_send_gpadl(device, net_device, ndev);
 	}
 
+	if (net_device->recv_original_buf)
+		hv_unmap_memory(net_device->recv_buf);
+
+	if (net_device->send_original_buf)
+		hv_unmap_memory(net_device->send_buf);
+
 	/* Release all resources */
 	free_netvsc_device_rcu(net_device);
 }