projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b917507)
vsock/virtio: fix flush of works during the .remove()
authorStefano Garzarella <sgarzare@redhat.com>
Fri, 5 Jul 2019 11:04:54 +0000 (13:04 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 8 Jul 2019 22:35:17 +0000 (15:35 -0700)
This patch moves the flush of works after vdev->config->del_vqs(vdev),
because we need to be sure that no workers run before to free the
'vsock' object.

Since we stopped the workers using the [tx|rx|event]_run flags,
we are sure no one is accessing the device while we are calling
vdev->config->reset(vdev), so we can safely move the workers' flush.

Before the vdev->config->del_vqs(vdev), workers can be scheduled
by VQ callbacks, so we must flush them after del_vqs(), to avoid
use-after-free of 'vsock' object.

Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/vmw_vsock/virtio_transport.c patch | blob | history

diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 4dbdce7746bd5a5b7df0b346966384401dcafceb..0815d1357861359ea5e11cda09911cda1607f264 100644 (file)
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -681,12 +681,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
        rcu_assign_pointer(the_virtio_vsock, NULL);
        synchronize_rcu();
 
-       flush_work(&vsock->loopback_work);
-       flush_work(&vsock->rx_work);
-       flush_work(&vsock->tx_work);
-       flush_work(&vsock->event_work);
-       flush_work(&vsock->send_pkt_work);
-
        /* Reset all connected sockets when the device disappear */
        vsock_for_each_connected_socket(virtio_vsock_reset_sock);
 
@@ -741,6 +735,15 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
        /* Delete virtqueues and flush outstanding callbacks if any */
        vdev->config->del_vqs(vdev);
 
+       /* Other works can be queued before 'config->del_vqs()', so we flush
+        * all works before to free the vsock object to avoid use after free.
+        */
+       flush_work(&vsock->loopback_work);
+       flush_work(&vsock->rx_work);
+       flush_work(&vsock->tx_work);
+       flush_work(&vsock->event_work);
+       flush_work(&vsock->send_pkt_work);
+
        mutex_unlock(&the_virtio_vsock_mutex);
 
        kfree(vsock);
John Crispins staging tree