<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/char/virtio_console.c, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>virtio-console: avoid DMA from stack</title>
<updated>2017-05-09T06:19:26+00:00</updated>
<author>
<name>Omar Sandoval</name>
<email>osandov@fb.com</email>
</author>
<published>2017-02-01T08:02:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ce08bcbc3e4d70a496246fd774205a188dc86155'/>
<id>ce08bcbc3e4d70a496246fd774205a188dc86155</id>
<content type='text'>
commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.

put_chars() stuffs the buffer it gets into an sg, but that buffer may be
on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
manifested as printks getting turned into NUL bytes).

Signed-off-by: Omar Sandoval &lt;osandov@fb.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Cc: Brad Spengler &lt;spender@grsecurity.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.

put_chars() stuffs the buffer it gets into an sg, but that buffer may be
on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
manifested as printks getting turned into NUL bytes).

Signed-off-by: Omar Sandoval &lt;osandov@fb.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Cc: Brad Spengler &lt;spender@grsecurity.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: Unlock vqs while freeing buffers</title>
<updated>2016-11-24T15:23:26+00:00</updated>
<author>
<name>Matt Redfearn</name>
<email>matt.redfearn@imgtec.com</email>
</author>
<published>2016-10-11T11:05:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7265dbca7c6c7cf5de66af5c392f4387323a2087'/>
<id>7265dbca7c6c7cf5de66af5c392f4387323a2087</id>
<content type='text'>
commit 34563769e438d2881f62cf4d9badc4e589ac0ec0 upstream.

Commit c6017e793b93 ("virtio: console: add locks around buffer removal
in port unplug path") added locking around the freeing of buffers in the
vq. However, when free_buf() is called with can_sleep = true and rproc
is enabled, it calls dma_free_coherent() directly, requiring interrupts
to be enabled. Currently a WARNING is triggered due to the spin locking
around free_buf, with a call stack like this:

WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433
free_buf+0x1a8/0x288
Call Trace:
[&lt;8040c538&gt;] show_stack+0x74/0xc0
[&lt;80757240&gt;] dump_stack+0xd0/0x110
[&lt;80430d98&gt;] __warn+0xfc/0x130
[&lt;80430ee0&gt;] warn_slowpath_null+0x2c/0x3c
[&lt;807e7c6c&gt;] free_buf+0x1a8/0x288
[&lt;807ea590&gt;] remove_port_data+0x50/0xac
[&lt;807ea6a0&gt;] unplug_port+0xb4/0x1bc
[&lt;807ea858&gt;] virtcons_remove+0xb0/0xfc
[&lt;807b6734&gt;] virtio_dev_remove+0x58/0xc0
[&lt;807f918c&gt;] __device_release_driver+0xac/0x134
[&lt;807f924c&gt;] device_release_driver+0x38/0x50
[&lt;807f7edc&gt;] bus_remove_device+0xfc/0x130
[&lt;807f4b74&gt;] device_del+0x17c/0x21c
[&lt;807f4c38&gt;] device_unregister+0x24/0x38
[&lt;807b6b50&gt;] unregister_virtio_device+0x28/0x44

Fix this by restructuring the loops to allow the locks to only be taken
where it is necessary to protect the vqs, and release it while the
buffer is being freed.

Fixes: c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path")
Signed-off-by: Matt Redfearn &lt;matt.redfearn@imgtec.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 34563769e438d2881f62cf4d9badc4e589ac0ec0 upstream.

Commit c6017e793b93 ("virtio: console: add locks around buffer removal
in port unplug path") added locking around the freeing of buffers in the
vq. However, when free_buf() is called with can_sleep = true and rproc
is enabled, it calls dma_free_coherent() directly, requiring interrupts
to be enabled. Currently a WARNING is triggered due to the spin locking
around free_buf, with a call stack like this:

WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433
free_buf+0x1a8/0x288
Call Trace:
[&lt;8040c538&gt;] show_stack+0x74/0xc0
[&lt;80757240&gt;] dump_stack+0xd0/0x110
[&lt;80430d98&gt;] __warn+0xfc/0x130
[&lt;80430ee0&gt;] warn_slowpath_null+0x2c/0x3c
[&lt;807e7c6c&gt;] free_buf+0x1a8/0x288
[&lt;807ea590&gt;] remove_port_data+0x50/0xac
[&lt;807ea6a0&gt;] unplug_port+0xb4/0x1bc
[&lt;807ea858&gt;] virtcons_remove+0xb0/0xfc
[&lt;807b6734&gt;] virtio_dev_remove+0x58/0xc0
[&lt;807f918c&gt;] __device_release_driver+0xac/0x134
[&lt;807f924c&gt;] device_release_driver+0x38/0x50
[&lt;807f7edc&gt;] bus_remove_device+0xfc/0x130
[&lt;807f4b74&gt;] device_del+0x17c/0x21c
[&lt;807f4c38&gt;] device_unregister+0x24/0x38
[&lt;807b6b50&gt;] unregister_virtio_device+0x28/0x44

Fix this by restructuring the loops to allow the locks to only be taken
where it is necessary to protect the vqs, and release it while the
buffer is being freed.

Fixes: c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path")
Signed-off-by: Matt Redfearn &lt;matt.redfearn@imgtec.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>virtio_console: avoid config access from irq</title>
<updated>2015-04-09T11:14:04+00:00</updated>
<author>
<name>Michael S. Tsirkin</name>
<email>mst@redhat.com</email>
</author>
<published>2015-03-05T00:15:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=02f08b635dd5a27298f8c2187c1f02b7d066091c'/>
<id>02f08b635dd5a27298f8c2187c1f02b7d066091c</id>
<content type='text'>
commit eeb8a7e8bb123e84daeef84f5a2eab99ad2839a2 upstream.

when multiport is off, virtio console invokes config access from irq
context, config access is blocking on s390.
Fix this up by scheduling work from config irq - similar to what we do
for multiport configs.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eeb8a7e8bb123e84daeef84f5a2eab99ad2839a2 upstream.

when multiport is off, virtio console invokes config access from irq
context, config access is blocking on s390.
Fix this up by scheduling work from config irq - similar to what we do
for multiport configs.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio_console: init work unconditionally</title>
<updated>2015-04-09T11:14:03+00:00</updated>
<author>
<name>Michael S. Tsirkin</name>
<email>mst@redhat.com</email>
</author>
<published>2015-03-05T00:15:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a4b192f16751b031360af03bb73600a6025cd2d'/>
<id>8a4b192f16751b031360af03bb73600a6025cd2d</id>
<content type='text'>
commit 4f6e24ed9de8634d6471ef86b382cba6d4e57ca8 upstream.

when multiport is off, we don't initialize config work,
but we then cancel uninitialized control_work on freeze.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4f6e24ed9de8634d6471ef86b382cba6d4e57ca8 upstream.

when multiport is off, we don't initialize config work,
but we then cancel uninitialized control_work on freeze.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: prevent use-after-free of port name in port unplug</title>
<updated>2013-08-09T03:32:16+00:00</updated>
<author>
<name>Amit Shah</name>
<email>amit.shah@redhat.com</email>
</author>
<published>2013-08-07T06:24:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3b868a4073cdedf395f26d843874414e0e0e9cfd'/>
<id>3b868a4073cdedf395f26d843874414e0e0e9cfd</id>
<content type='text'>
Remove the debugfs path before freeing port-&gt;name, to prevent a possible
use-after-free.

Reported-by: Jason Wang &lt;jasowang@redhat.com&gt;
Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove the debugfs path before freeing port-&gt;name, to prevent a possible
use-after-free.

Reported-by: Jason Wang &lt;jasowang@redhat.com&gt;
Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' into virtio-next</title>
<updated>2013-08-09T03:30:39+00:00</updated>
<author>
<name>Rusty Russell</name>
<email>rusty@rustcorp.com.au</email>
</author>
<published>2013-08-09T03:30:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=11489736177c5930514482b4db7af862d945335d'/>
<id>11489736177c5930514482b4db7af862d945335d</id>
<content type='text'>
The next commit gets conflicts because it relies on patches which were
cc:stable and thus had to be merged into Linus' tree before the coming
merge window.  So pull in master now.

Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The next commit gets conflicts because it relies on patches which were
cc:stable and thus had to be merged into Linus' tree before the coming
merge window.  So pull in master now.

Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: cleanup an error message</title>
<updated>2013-07-30T06:24:30+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2013-07-30T06:24:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3f0d0c9b47e09d47fcb755fed786a1ee88e110b5'/>
<id>3f0d0c9b47e09d47fcb755fed786a1ee88e110b5</id>
<content type='text'>
The PTR_ERR(NULL) here is not useful.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The PTR_ERR(NULL) here is not useful.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: fix locking around send_sigio_to_port()</title>
<updated>2013-07-29T05:20:49+00:00</updated>
<author>
<name>Amit Shah</name>
<email>amit.shah@redhat.com</email>
</author>
<published>2013-07-29T04:55:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=314081f1025e9ea77b69261f21183e9be18a6f91'/>
<id>314081f1025e9ea77b69261f21183e9be18a6f91</id>
<content type='text'>
send_sigio_to_port() checks the value of guest_connected, which we
always modify under the inbuf_lock; make sure invocations of
send_sigio_to_port() have take the inbuf_lock around the call.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
send_sigio_to_port() checks the value of guest_connected, which we
always modify under the inbuf_lock; make sure invocations of
send_sigio_to_port() have take the inbuf_lock around the call.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: add locking in port unplug path</title>
<updated>2013-07-29T05:20:48+00:00</updated>
<author>
<name>Amit Shah</name>
<email>amit.shah@redhat.com</email>
</author>
<published>2013-07-29T04:54:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5549fb25811710585d5ec77a0e6a1fbc8808df93'/>
<id>5549fb25811710585d5ec77a0e6a1fbc8808df93</id>
<content type='text'>
Port unplug can race with close() in port_fops_release().
port_fops_release() already takes the necessary locks, ensure
unplug_port() does that too.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Port unplug can race with close() in port_fops_release().
port_fops_release() already takes the necessary locks, ensure
unplug_port() does that too.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: console: add locks around buffer removal in port unplug path</title>
<updated>2013-07-29T05:20:47+00:00</updated>
<author>
<name>Amit Shah</name>
<email>amit.shah@redhat.com</email>
</author>
<published>2013-07-29T04:53:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c6017e793b932e84b1c998f9b4c08d74ff0ea9c0'/>
<id>c6017e793b932e84b1c998f9b4c08d74ff0ea9c0</id>
<content type='text'>
The removal functions act on the vqs, and the vq operations need to be
locked.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The removal functions act on the vqs, and the vq operations need to be
locked.

Signed-off-by: Amit Shah &lt;amit.shah@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</pre>
</div>
</content>
</entry>
</feed>
