From patchwork Tue Dec 17 05:36:08 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jason Wang X-Patchwork-Id: 3359271 Return-Path: X-Original-To: patchwork-kvm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id CE53AC0D4A for ; Tue, 17 Dec 2013 05:36:36 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 0D0092035E for ; Tue, 17 Dec 2013 05:36:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2E61620320 for ; Tue, 17 Dec 2013 05:36:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751274Ab3LQFgc (ORCPT ); Tue, 17 Dec 2013 00:36:32 -0500 Received: from mx1.redhat.com ([209.132.183.28]:61350 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751007Ab3LQFgb (ORCPT ); Tue, 17 Dec 2013 00:36:31 -0500 Received: from int-mx12.intmail.prod.int.phx2.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rBH5aP91001141 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 17 Dec 2013 00:36:25 -0500 Received: from jason-ThinkPad-T430s.redhat.com (dhcp-66-71-178.eng.nay.redhat.com [10.66.71.178] (may be forged)) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id rBH5aHBt024332; Tue, 17 Dec 2013 00:36:19 -0500 From: Jason Wang To: kvm@vger.kernel.org, rusty@rustcorp.com.au Cc: nab@linux-iscsi.org, linux-scsi@vger.kernel.org, virtualization@lists.linux-foundation.org, Asias He , stable@vger.kernel.org, Jason Wang Subject: [PATCH V2] virtio-scsi: Fix hotcpu_notifier use-after-free with virtscsi_freeze Date: Tue, 17 Dec 2013 13:36:08 +0800 Message-Id: <1387258568-11309-1-git-send-email-jasowang@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Asias He vqs are freed in virtscsi_freeze but the hotcpu_notifier is not unregistered. We will have a use-after-free usage when the notifier callback is called after virtscsi_freeze. Fixes: 285e71ea6f3583a85e27cb2b9a7d8c35d4c0d558 ("virtio-scsi: reset virtqueue affinity when doing cpu hotplug") Cc: stable@vger.kernel.org Signed-off-by: Asias He Reviewed-by: Paolo Bonzini Signed-off-by: Jason Wang --- Changes from V1: - Add "Fixes" line - CC stable --- drivers/scsi/virtio_scsi.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c index c3173dc..16bfd50 100644 --- a/drivers/scsi/virtio_scsi.c +++ b/drivers/scsi/virtio_scsi.c @@ -956,6 +956,10 @@ static void virtscsi_remove(struct virtio_device *vdev) #ifdef CONFIG_PM_SLEEP static int virtscsi_freeze(struct virtio_device *vdev) { + struct Scsi_Host *sh = virtio_scsi_host(vdev); + struct virtio_scsi *vscsi = shost_priv(sh); + + unregister_hotcpu_notifier(&vscsi->nb); virtscsi_remove_vqs(vdev); return 0; } @@ -964,8 +968,17 @@ static int virtscsi_restore(struct virtio_device *vdev) { struct Scsi_Host *sh = virtio_scsi_host(vdev); struct virtio_scsi *vscsi = shost_priv(sh); + int err; + + err = virtscsi_init(vdev, vscsi); + if (err) + return err; + + err = register_hotcpu_notifier(&vscsi->nb); + if (err) + vdev->config->del_vqs(vdev); - return virtscsi_init(vdev, vscsi); + return err; } #endif