* [PATCH master] virtio: implement remove callbacks
@ 2021-09-16 9:34 Ahmad Fatoum
2021-10-02 9:16 ` Sascha Hauer
0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2021-09-16 9:34 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
virtio parent device drivers (e.g. PCI and MMIO) create child devices
and free them on remove. The virtio drivers for the child devices (e.g.
block and console) however don't unregister with their respective
subsystems in the remove callbacks. So these subsystems may have stale
pointers pointing at removed devices. This is especially problematic for
the console driver, because the virtio console device_d will be removed,
but the console itself remains registered leading to a use-after-free
as soon as printf is invoked for the previously active console.
This leads to a crash when typing reset in
https://www.barebox.org/jsbarebox/?graphic=0
Fix this for all virtio drivers.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/block/virtio_blk.c | 6 ++++++
drivers/hw_random/core.c | 12 ++++++++++++
drivers/hw_random/virtio-rng.c | 6 ++++++
drivers/input/virtio_input.c | 5 +++--
drivers/serial/virtio_console.c | 14 ++++++++++++++
include/linux/hw_random.h | 2 ++
6 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index b7a83cf686c1..87ab505f8326 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -95,6 +95,7 @@ static int virtio_blk_probe(struct virtio_device *vdev)
return ret;
priv->vdev = vdev;
+ vdev->priv = priv;
devnum = cdev_find_free_index("virtioblk");
priv->blk.cdev.name = xasprintf("virtioblk%d", devnum);
@@ -115,8 +116,13 @@ static int virtio_blk_probe(struct virtio_device *vdev)
static void virtio_blk_remove(struct virtio_device *vdev)
{
+ struct virtio_blk_priv *priv = vdev->priv;
+
vdev->config->reset(vdev);
+ blockdevice_unregister(&priv->blk);
vdev->config->del_vqs(vdev);
+
+ free(priv);
}
static const struct virtio_device_id id_table[] = {
diff --git a/drivers/hw_random/core.c b/drivers/hw_random/core.c
index ee3d5a52ddf3..86214dc8bae7 100644
--- a/drivers/hw_random/core.c
+++ b/drivers/hw_random/core.c
@@ -92,6 +92,12 @@ static int hwrng_register_cdev(struct hwrng *rng)
return devfs_create(&rng->cdev);
}
+static void hwrng_unregister_cdev(struct hwrng *rng)
+{
+ devfs_remove(&rng->cdev);
+ free(rng->cdev.name);
+}
+
struct hwrng *hwrng_get_first(void)
{
if (list_empty(&hwrngs))
@@ -122,3 +128,9 @@ int hwrng_register(struct device_d *dev, struct hwrng *rng)
return err;
}
+
+void hwrng_unregister(struct hwrng *rng)
+{
+ hwrng_unregister_cdev(rng);
+ free(rng->buf);
+}
diff --git a/drivers/hw_random/virtio-rng.c b/drivers/hw_random/virtio-rng.c
index 7bdacc976e72..f0a3d3cb74e7 100644
--- a/drivers/hw_random/virtio-rng.c
+++ b/drivers/hw_random/virtio-rng.c
@@ -78,8 +78,14 @@ static int virtrng_probe(struct virtio_device *vdev)
static void virtrng_remove(struct virtio_device *vdev)
{
+ struct virtrng_info *vi = vdev->priv;
+
vdev->config->reset(vdev);
+ if (vi->hwrng_register_done)
+ hwrng_unregister(&vi->hwrng);
vdev->config->del_vqs(vdev);
+
+ kfree(vi);
}
static void virtrng_scan(struct virtio_device *vdev)
diff --git a/drivers/input/virtio_input.c b/drivers/input/virtio_input.c
index b354933209fc..b5430886ab84 100644
--- a/drivers/input/virtio_input.c
+++ b/drivers/input/virtio_input.c
@@ -259,10 +259,11 @@ static void virtinput_remove(struct virtio_device *vdev)
{
struct virtio_input *vi = vdev->priv;
- poller_unregister(&vi->poller);
-
vdev->config->reset(vdev);
+ poller_unregister(&vi->poller);
+ input_device_unregister(&vi->idev);
vdev->config->del_vqs(vdev);
+
kfree(vi);
}
diff --git a/drivers/serial/virtio_console.c b/drivers/serial/virtio_console.c
index a1331035d9ef..a4adb77610f6 100644
--- a/drivers/serial/virtio_console.c
+++ b/drivers/serial/virtio_console.c
@@ -134,6 +134,8 @@ static int virtcons_probe(struct virtio_device *vdev)
virtcons = xzalloc(sizeof(*virtcons));
+ vdev->priv = virtcons;
+
virtcons->in_vq = vqs[0];
virtcons->out_vq = vqs[1];
@@ -150,6 +152,17 @@ static int virtcons_probe(struct virtio_device *vdev)
return console_register(&virtcons->cdev);
}
+static void virtcons_remove(struct virtio_device *vdev)
+{
+ struct virtio_console *virtcons = vdev->priv;
+
+ vdev->config->reset(vdev);
+ console_unregister(&virtcons->cdev);
+ vdev->config->del_vqs(vdev);
+
+ free(virtcons);
+}
+
static struct virtio_device_id id_table[] = {
{ VIRTIO_ID_CONSOLE, VIRTIO_DEV_ANY_ID },
{ 0 },
@@ -159,6 +172,7 @@ static struct virtio_driver virtio_console = {
.driver.name = "virtio_console",
.id_table = id_table,
.probe = virtcons_probe,
+ .remove = virtcons_remove,
};
device_virtio_driver(virtio_console);
diff --git a/include/linux/hw_random.h b/include/linux/hw_random.h
index bae442166c10..116afd9721e5 100644
--- a/include/linux/hw_random.h
+++ b/include/linux/hw_random.h
@@ -44,4 +44,6 @@ struct hwrng *hwrng_get_first(void);
static inline struct hwrng *hwrng_get_first(void) { return ERR_PTR(-ENODEV); };
#endif
+void hwrng_unregister(struct hwrng *rng);
+
#endif /* LINUX_HWRANDOM_H_ */
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH master] virtio: implement remove callbacks
2021-09-16 9:34 [PATCH master] virtio: implement remove callbacks Ahmad Fatoum
@ 2021-10-02 9:16 ` Sascha Hauer
0 siblings, 0 replies; 2+ messages in thread
From: Sascha Hauer @ 2021-10-02 9:16 UTC (permalink / raw)
To: Ahmad Fatoum; +Cc: barebox
On Thu, Sep 16, 2021 at 11:34:58AM +0200, Ahmad Fatoum wrote:
> virtio parent device drivers (e.g. PCI and MMIO) create child devices
> and free them on remove. The virtio drivers for the child devices (e.g.
> block and console) however don't unregister with their respective
> subsystems in the remove callbacks. So these subsystems may have stale
> pointers pointing at removed devices. This is especially problematic for
> the console driver, because the virtio console device_d will be removed,
> but the console itself remains registered leading to a use-after-free
> as soon as printf is invoked for the previously active console.
>
> This leads to a crash when typing reset in
>
> https://www.barebox.org/jsbarebox/?graphic=0
>
> Fix this for all virtio drivers.
>
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> drivers/block/virtio_blk.c | 6 ++++++
> drivers/hw_random/core.c | 12 ++++++++++++
> drivers/hw_random/virtio-rng.c | 6 ++++++
> drivers/input/virtio_input.c | 5 +++--
> drivers/serial/virtio_console.c | 14 ++++++++++++++
> include/linux/hw_random.h | 2 ++
> 6 files changed, 43 insertions(+), 2 deletions(-)
Applied, thanks
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-02 9:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-16 9:34 [PATCH master] virtio: implement remove callbacks Ahmad Fatoum
2021-10-02 9:16 ` Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox