linux-stable/drivers/hv
Vitaly Kuznetsov f1940d4e9c Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver
The following crash happens when a never-used device is unbound from
uio_hv_generic driver:

 kernel BUG at mm/slub.c:321!
 invalid opcode: 0000 [#1] SMP PTI
 CPU: 0 PID: 4001 Comm: bash Kdump: loaded Tainted: G               X --------- ---  5.14.0-0.rc2.23.el9.x86_64 #1
 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008  12/07/2018
 RIP: 0010:__slab_free+0x1d5/0x3d0
...
 Call Trace:
  ? pick_next_task_fair+0x18e/0x3b0
  ? __cond_resched+0x16/0x40
  ? vunmap_pmd_range.isra.0+0x154/0x1c0
  ? __vunmap+0x22d/0x290
  ? hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  kfree+0x331/0x380
  ? hv_uio_remove+0x43/0x60 [uio_hv_generic]
  hv_ringbuffer_cleanup+0x36/0x40 [hv_vmbus]
  vmbus_free_ring+0x21/0x60 [hv_vmbus]
  hv_uio_remove+0x4f/0x60 [uio_hv_generic]
  vmbus_remove+0x23/0x30 [hv_vmbus]
  __device_release_driver+0x17a/0x230
  device_driver_detach+0x3c/0xa0
  unbind_store+0x113/0x130
...

The problem appears to be that we free 'ring_info->pkt_buffer' twice:
first, when the device is unbound from the in-kernel driver (netvsc in this
case) and second from hv_uio_remove(). Normally, the ring buffer is supposed
to be re-initialized from hv_uio_open(), but this happens when the UIO device
is being opened and this is not guaranteed to happen.

Generally, it is OK to call hv_ringbuffer_cleanup() twice for the same
channel (which is being handed over between in-kernel drivers and UIO) even
if we didn't call hv_ringbuffer_init() in between. We, however, need to
avoid kfree() call for an already freed pointer.

Fixes: adae1e931a ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20210831143916.144983-1-vkuznets@redhat.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
2021-09-03 11:00:06 +00:00
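The sequence the commit message describes, replayed as an added user-space model (not the kernel's code and not the patch itself): the in-kernel driver is unbound and its ring cleaned up, the device is handed to uio_hv_generic but never opened, so nothing re-initialises the ring, and the second unbind runs the same cleanup again. The struct and helper names are assumptions chosen to mirror the hv_ringbuffer_* naming; kmalloc/kfree are modelled by a small tracked allocator so that a free of a stale pointer is counted rather than aborting the process, which is the role mm/slub.c's check plays in the trace above. The mutex and vunmap() of the real driver are left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracked allocator: stands in for kmalloc()/kfree() (assumed model). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;   /* kfree() of a pointer that is not live */
static int frees;          /* successful releases */

static void *kmalloc_model(size_t n)
{
	void *p = calloc(1, n ? n : 1);
	if (!p)
		abort();
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	}
	abort();
}

/* Like kfree(): NULL is a no-op; a freed or foreign pointer is a bug. */
static void kfree_model(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			frees++;
			return;
		}
	}
	double_frees++;   /* slub would BUG() here; we only record it */
}

/* Hypothetical stand-in for the kernel's ring-buffer bookkeeping. */
struct ring_buffer_info {
	void *ring_buffer;       /* the mapped ring (vunmap()'d in the kernel) */
	void *pkt_buffer;        /* bounce buffer packets are copied out into */
	size_t pkt_buffer_size;
};

static void ring_init(struct ring_buffer_info *ri, size_t ring_bytes, size_t pkt_bytes)
{
	ri->ring_buffer = kmalloc_model(ring_bytes);
	ri->pkt_buffer = kmalloc_model(pkt_bytes);
	ri->pkt_buffer_size = pkt_bytes;
}

/* Pre-fix shape: the mapping is guarded, the packet buffer is not. */
static void ring_cleanup_buggy(struct ring_buffer_info *ri)
{
	if (ri->ring_buffer) {
		kfree_model(ri->ring_buffer);
		ri->ring_buffer = NULL;
	}
	kfree_model(ri->pkt_buffer);   /* second call hands over a stale pointer */
}

/* Idempotent shape the message asks for: release, then clear the pointer. */
static void ring_cleanup_fixed(struct ring_buffer_info *ri)
{
	if (ri->ring_buffer) {
		kfree_model(ri->ring_buffer);
		ri->ring_buffer = NULL;
	}
	kfree_model(ri->pkt_buffer);
	ri->pkt_buffer = NULL;
	ri->pkt_buffer_size = 0;
}

/*
 * Replay: cleanup #1 when netvsc is unbound, no hv_uio_open() so no
 * re-initialisation, cleanup #2 from hv_uio_remove() -> vmbus_free_ring().
 * Returns the number of double frees the model observed.
 */
static int replay_handover(void (*cleanup)(struct ring_buffer_info *))
{
	struct ring_buffer_info ri = {0};

	double_frees = 0;
	frees = 0;
	ring_init(&ri, 4096, 512);
	cleanup(&ri);   /* vmbus_remove() of the in-kernel driver */
	cleanup(&ri);   /* hv_uio_remove() with the ring never re-initialised */
	return double_frees;
}

int main(void)
{
	printf("buggy cleanup: %d double free(s)\n", replay_handover(ring_cleanup_buggy));
	printf("fixed cleanup: %d double free(s)\n", replay_handover(ring_cleanup_fixed));
	return 0;
}
```

The point to carry over to any teardown path that can run more than once (driver handover, error paths, unbind after a failed probe): release and clear together, so the routine is safe to call again without a matching init in between.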
channel.c scsi: storvsc: Use blk_mq_unique_tag() to generate requestIDs 2021-05-14 17:39:32 +00:00
channel_mgmt.c Drivers: hv: vmbus: Fix duplicate CPU assignments within a device 2021-07-19 09:26:31 +00:00
connection.c drivers: hv: Fix missing error code in vmbus_connect() 2021-06-02 15:16:36 +00:00
hv.c drivers: hv: Create a consistent pattern for checking Hyper-V hypercall status 2021-04-21 09:49:19 +00:00
hv_balloon.c hv_balloon: Remove redundant assignment to region_start 2021-05-14 17:37:45 +00:00
hv_common.c hyperv-next for 5.14 2021-06-29 11:21:35 -07:00
hv_debugfs.c hv_debugfs: Make hv_debug_root static 2020-04-04 17:47:43 +01:00
hv_fcopy.c Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer 2021-05-14 17:37:46 +00:00
hv_kvp.c Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer 2021-05-14 17:37:46 +00:00
hv_snapshot.c hv_utils: Add validation for untrusted Hyper-V values 2021-02-05 09:55:42 +00:00
hv_trace.c
hv_trace.h Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE 2021-04-18 13:03:11 +00:00
hv_trace_balloon.h
hv_util.c hv_utils: Fix passing zero to 'PTR_ERR' warning 2021-05-18 10:50:46 +00:00
hv_utils_transport.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 280 2019-06-05 17:36:36 +02:00
hv_utils_transport.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 280 2019-06-05 17:36:36 +02:00
hyperv_vmbus.h Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer 2021-05-14 17:37:46 +00:00
Kconfig x86/Hyper-V: Support for free page reporting 2021-03-24 11:35:24 +00:00
Makefile Drivers: hv: Move Hyper-V extended capability check to arch neutral code 2021-06-05 10:22:34 +00:00
ring_buffer.c Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver 2021-09-03 11:00:06 +00:00
vmbus_drv.c kernel.h: split out panic and oops helpers 2021-07-01 11:06:04 -07:00