[1/2] vfio/mtty: Fix eventfd leak

Message ID 20231013195653.1222141-2-alex.williamson@redhat.com
State New
Headers
Series vfio/mtty: Add migration support |

Commit Message

Alex Williamson Oct. 13, 2023, 7:56 p.m. UTC
  Found via kmemleak, eventfd context is leaked if not explicitly torn
down by userspace.  Clear pointers to track released contexts.  Also
remove unused irq_fd field in mtty structure, set but never used.

Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
 samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
  

Comments

Cédric Le Goater Oct. 16, 2023, 7:52 a.m. UTC | #1
On 10/13/23 21:56, Alex Williamson wrote:
> Found via kmemleak, eventfd context is leaked if not explicitly torn
> down by userspace.  Clear pointers to track released contexts.  Also
> remove unused irq_fd field in mtty structure, set but never used.

This could be 2 different patches, one cleanup and one fix.
  
> Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
>   samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
>   1 file changed, 23 insertions(+), 5 deletions(-)
> 
> diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
> index 5af00387c519..0a2760818e46 100644
> --- a/samples/vfio-mdev/mtty.c
> +++ b/samples/vfio-mdev/mtty.c
> @@ -127,7 +127,6 @@ struct serial_port {
>   /* State of each mdev device */
>   struct mdev_state {
>   	struct vfio_device vdev;
> -	int irq_fd;
>   	struct eventfd_ctx *intx_evtfd;
>   	struct eventfd_ctx *msi_evtfd;
>   	int irq_index;
> @@ -938,8 +937,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
>   		{
>   			if (flags & VFIO_IRQ_SET_DATA_NONE) {
>   				pr_info("%s: disable INTx\n", __func__);
> -				if (mdev_state->intx_evtfd)
> +				if (mdev_state->intx_evtfd) {
>   					eventfd_ctx_put(mdev_state->intx_evtfd);
> +					mdev_state->intx_evtfd = NULL;
> +				}
>   				break;
>   			}
>   
> @@ -955,7 +956,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
>   						break;
>   					}

Shouln't mdev_state->intx_evtfd value be tested before calling
eventfd_ctx() ?

Thanks,

C.


>   					mdev_state->intx_evtfd = evt;
> -					mdev_state->irq_fd = fd;
>   					mdev_state->irq_index = index;
>   					break;
>   				}
> @@ -971,8 +971,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
>   			break;
>   		case VFIO_IRQ_SET_ACTION_TRIGGER:
>   			if (flags & VFIO_IRQ_SET_DATA_NONE) {
> -				if (mdev_state->msi_evtfd)
> +				if (mdev_state->msi_evtfd) {
>   					eventfd_ctx_put(mdev_state->msi_evtfd);
> +					mdev_state->msi_evtfd = NULL;
> +				}
>   				pr_info("%s: disable MSI\n", __func__);
>   				mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
>   				break;
> @@ -993,7 +995,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
>   					break;
>   				}
>   				mdev_state->msi_evtfd = evt;
> -				mdev_state->irq_fd = fd;
>   				mdev_state->irq_index = index;
>   			}
>   			break;
> @@ -1262,6 +1263,22 @@ static unsigned int mtty_get_available(struct mdev_type *mtype)
>   	return atomic_read(&mdev_avail_ports) / type->nr_ports;
>   }
>   
> +static void mtty_close(struct vfio_device *vdev)
> +{
> +	struct mdev_state *mdev_state =
> +		container_of(vdev, struct mdev_state, vdev);
> +
> +	if (mdev_state->intx_evtfd) {
> +		eventfd_ctx_put(mdev_state->intx_evtfd);
> +		mdev_state->intx_evtfd = NULL;
> +	}
> +	if (mdev_state->msi_evtfd) {
> +		eventfd_ctx_put(mdev_state->msi_evtfd);
> +		mdev_state->msi_evtfd = NULL;
> +	}
> +	mdev_state->irq_index = -1;
> +}
> +
>   static const struct vfio_device_ops mtty_dev_ops = {
>   	.name = "vfio-mtty",
>   	.init = mtty_init_dev,
> @@ -1273,6 +1290,7 @@ static const struct vfio_device_ops mtty_dev_ops = {
>   	.unbind_iommufd	= vfio_iommufd_emulated_unbind,
>   	.attach_ioas	= vfio_iommufd_emulated_attach_ioas,
>   	.detach_ioas	= vfio_iommufd_emulated_detach_ioas,
> +	.close_device	= mtty_close,
>   };
>   
>   static struct mdev_driver mtty_driver = {
  
Alex Williamson Oct. 16, 2023, 8:16 p.m. UTC | #2
On Mon, 16 Oct 2023 09:52:41 +0200
Cédric Le Goater <clg@redhat.com> wrote:

> On 10/13/23 21:56, Alex Williamson wrote:
> > Found via kmemleak, eventfd context is leaked if not explicitly torn
> > down by userspace.  Clear pointers to track released contexts.  Also
> > remove unused irq_fd field in mtty structure, set but never used.  
> 
> This could be 2 different patches, one cleanup and one fix.

Of course.

> > Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
> > Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> > ---
> >   samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
> >   1 file changed, 23 insertions(+), 5 deletions(-)
> > 
> > diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
> > index 5af00387c519..0a2760818e46 100644
> > --- a/samples/vfio-mdev/mtty.c
> > +++ b/samples/vfio-mdev/mtty.c
> > @@ -127,7 +127,6 @@ struct serial_port {
> >   /* State of each mdev device */
> >   struct mdev_state {
> >   	struct vfio_device vdev;
> > -	int irq_fd;
> >   	struct eventfd_ctx *intx_evtfd;
> >   	struct eventfd_ctx *msi_evtfd;
> >   	int irq_index;
> > @@ -938,8 +937,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> >   		{
> >   			if (flags & VFIO_IRQ_SET_DATA_NONE) {
> >   				pr_info("%s: disable INTx\n", __func__);
> > -				if (mdev_state->intx_evtfd)
> > +				if (mdev_state->intx_evtfd) {
> >   					eventfd_ctx_put(mdev_state->intx_evtfd);
> > +					mdev_state->intx_evtfd = NULL;
> > +				}
> >   				break;
> >   			}
> >   
> > @@ -955,7 +956,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> >   						break;
> >   					}  
> 
> Shouln't mdev_state->intx_evtfd value be tested before calling
> eventfd_ctx() ?

The state of mtty interrupt handling is really quite atrocious, it's a
pretty significant overhaul to really make it comply with the SET_IRQS
ioctl.  I'll see what I can do, but it's so broken that I hope you
won't insist on splitting out each fix.  Thanks,

Alex

> >   					mdev_state->intx_evtfd = evt;
> > -					mdev_state->irq_fd = fd;
> >   					mdev_state->irq_index = index;
> >   					break;
> >   				}
> > @@ -971,8 +971,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> >   			break;
> >   		case VFIO_IRQ_SET_ACTION_TRIGGER:
> >   			if (flags & VFIO_IRQ_SET_DATA_NONE) {
> > -				if (mdev_state->msi_evtfd)
> > +				if (mdev_state->msi_evtfd) {
> >   					eventfd_ctx_put(mdev_state->msi_evtfd);
> > +					mdev_state->msi_evtfd = NULL;
> > +				}
> >   				pr_info("%s: disable MSI\n", __func__);
> >   				mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
> >   				break;
> > @@ -993,7 +995,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> >   					break;
> >   				}
> >   				mdev_state->msi_evtfd = evt;
> > -				mdev_state->irq_fd = fd;
> >   				mdev_state->irq_index = index;
> >   			}
> >   			break;
> > @@ -1262,6 +1263,22 @@ static unsigned int mtty_get_available(struct mdev_type *mtype)
> >   	return atomic_read(&mdev_avail_ports) / type->nr_ports;
> >   }
> >   
> > +static void mtty_close(struct vfio_device *vdev)
> > +{
> > +	struct mdev_state *mdev_state =
> > +		container_of(vdev, struct mdev_state, vdev);
> > +
> > +	if (mdev_state->intx_evtfd) {
> > +		eventfd_ctx_put(mdev_state->intx_evtfd);
> > +		mdev_state->intx_evtfd = NULL;
> > +	}
> > +	if (mdev_state->msi_evtfd) {
> > +		eventfd_ctx_put(mdev_state->msi_evtfd);
> > +		mdev_state->msi_evtfd = NULL;
> > +	}
> > +	mdev_state->irq_index = -1;
> > +}
> > +
> >   static const struct vfio_device_ops mtty_dev_ops = {
> >   	.name = "vfio-mtty",
> >   	.init = mtty_init_dev,
> > @@ -1273,6 +1290,7 @@ static const struct vfio_device_ops mtty_dev_ops = {
> >   	.unbind_iommufd	= vfio_iommufd_emulated_unbind,
> >   	.attach_ioas	= vfio_iommufd_emulated_attach_ioas,
> >   	.detach_ioas	= vfio_iommufd_emulated_detach_ioas,
> > +	.close_device	= mtty_close,
> >   };
> >   
> >   static struct mdev_driver mtty_driver = {  
>
  

Patch

diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
index 5af00387c519..0a2760818e46 100644
--- a/samples/vfio-mdev/mtty.c
+++ b/samples/vfio-mdev/mtty.c
@@ -127,7 +127,6 @@  struct serial_port {
 /* State of each mdev device */
 struct mdev_state {
 	struct vfio_device vdev;
-	int irq_fd;
 	struct eventfd_ctx *intx_evtfd;
 	struct eventfd_ctx *msi_evtfd;
 	int irq_index;
@@ -938,8 +937,10 @@  static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
 		{
 			if (flags & VFIO_IRQ_SET_DATA_NONE) {
 				pr_info("%s: disable INTx\n", __func__);
-				if (mdev_state->intx_evtfd)
+				if (mdev_state->intx_evtfd) {
 					eventfd_ctx_put(mdev_state->intx_evtfd);
+					mdev_state->intx_evtfd = NULL;
+				}
 				break;
 			}
 
@@ -955,7 +956,6 @@  static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
 						break;
 					}
 					mdev_state->intx_evtfd = evt;
-					mdev_state->irq_fd = fd;
 					mdev_state->irq_index = index;
 					break;
 				}
@@ -971,8 +971,10 @@  static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
 			break;
 		case VFIO_IRQ_SET_ACTION_TRIGGER:
 			if (flags & VFIO_IRQ_SET_DATA_NONE) {
-				if (mdev_state->msi_evtfd)
+				if (mdev_state->msi_evtfd) {
 					eventfd_ctx_put(mdev_state->msi_evtfd);
+					mdev_state->msi_evtfd = NULL;
+				}
 				pr_info("%s: disable MSI\n", __func__);
 				mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
 				break;
@@ -993,7 +995,6 @@  static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
 					break;
 				}
 				mdev_state->msi_evtfd = evt;
-				mdev_state->irq_fd = fd;
 				mdev_state->irq_index = index;
 			}
 			break;
@@ -1262,6 +1263,22 @@  static unsigned int mtty_get_available(struct mdev_type *mtype)
 	return atomic_read(&mdev_avail_ports) / type->nr_ports;
 }
 
+static void mtty_close(struct vfio_device *vdev)
+{
+	struct mdev_state *mdev_state =
+		container_of(vdev, struct mdev_state, vdev);
+
+	if (mdev_state->intx_evtfd) {
+		eventfd_ctx_put(mdev_state->intx_evtfd);
+		mdev_state->intx_evtfd = NULL;
+	}
+	if (mdev_state->msi_evtfd) {
+		eventfd_ctx_put(mdev_state->msi_evtfd);
+		mdev_state->msi_evtfd = NULL;
+	}
+	mdev_state->irq_index = -1;
+}
+
 static const struct vfio_device_ops mtty_dev_ops = {
 	.name = "vfio-mtty",
 	.init = mtty_init_dev,
@@ -1273,6 +1290,7 @@  static const struct vfio_device_ops mtty_dev_ops = {
 	.unbind_iommufd	= vfio_iommufd_emulated_unbind,
 	.attach_ioas	= vfio_iommufd_emulated_attach_ioas,
 	.detach_ioas	= vfio_iommufd_emulated_detach_ioas,
+	.close_device	= mtty_close,
 };
 
 static struct mdev_driver mtty_driver = {