[1/2] vfio/mtty: Fix eventfd leak
Commit Message
Found via kmemleak, eventfd context is leaked if not explicitly torn
down by userspace. Clear pointers to track released contexts. Also
remove unused irq_fd field in mtty structure, set but never used.
Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
Comments
On 10/13/23 21:56, Alex Williamson wrote:
> Found via kmemleak, eventfd context is leaked if not explicitly torn
> down by userspace. Clear pointers to track released contexts. Also
> remove unused irq_fd field in mtty structure, set but never used.
This could be 2 different patches, one cleanup and one fix.
> Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
> samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
> 1 file changed, 23 insertions(+), 5 deletions(-)
>
> diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
> index 5af00387c519..0a2760818e46 100644
> --- a/samples/vfio-mdev/mtty.c
> +++ b/samples/vfio-mdev/mtty.c
> @@ -127,7 +127,6 @@ struct serial_port {
> /* State of each mdev device */
> struct mdev_state {
> struct vfio_device vdev;
> - int irq_fd;
> struct eventfd_ctx *intx_evtfd;
> struct eventfd_ctx *msi_evtfd;
> int irq_index;
> @@ -938,8 +937,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> {
> if (flags & VFIO_IRQ_SET_DATA_NONE) {
> pr_info("%s: disable INTx\n", __func__);
> - if (mdev_state->intx_evtfd)
> + if (mdev_state->intx_evtfd) {
> eventfd_ctx_put(mdev_state->intx_evtfd);
> + mdev_state->intx_evtfd = NULL;
> + }
> break;
> }
>
> @@ -955,7 +956,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> break;
> }
Shouln't mdev_state->intx_evtfd value be tested before calling
eventfd_ctx() ?
Thanks,
C.
> mdev_state->intx_evtfd = evt;
> - mdev_state->irq_fd = fd;
> mdev_state->irq_index = index;
> break;
> }
> @@ -971,8 +971,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> break;
> case VFIO_IRQ_SET_ACTION_TRIGGER:
> if (flags & VFIO_IRQ_SET_DATA_NONE) {
> - if (mdev_state->msi_evtfd)
> + if (mdev_state->msi_evtfd) {
> eventfd_ctx_put(mdev_state->msi_evtfd);
> + mdev_state->msi_evtfd = NULL;
> + }
> pr_info("%s: disable MSI\n", __func__);
> mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
> break;
> @@ -993,7 +995,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> break;
> }
> mdev_state->msi_evtfd = evt;
> - mdev_state->irq_fd = fd;
> mdev_state->irq_index = index;
> }
> break;
> @@ -1262,6 +1263,22 @@ static unsigned int mtty_get_available(struct mdev_type *mtype)
> return atomic_read(&mdev_avail_ports) / type->nr_ports;
> }
>
> +static void mtty_close(struct vfio_device *vdev)
> +{
> + struct mdev_state *mdev_state =
> + container_of(vdev, struct mdev_state, vdev);
> +
> + if (mdev_state->intx_evtfd) {
> + eventfd_ctx_put(mdev_state->intx_evtfd);
> + mdev_state->intx_evtfd = NULL;
> + }
> + if (mdev_state->msi_evtfd) {
> + eventfd_ctx_put(mdev_state->msi_evtfd);
> + mdev_state->msi_evtfd = NULL;
> + }
> + mdev_state->irq_index = -1;
> +}
> +
> static const struct vfio_device_ops mtty_dev_ops = {
> .name = "vfio-mtty",
> .init = mtty_init_dev,
> @@ -1273,6 +1290,7 @@ static const struct vfio_device_ops mtty_dev_ops = {
> .unbind_iommufd = vfio_iommufd_emulated_unbind,
> .attach_ioas = vfio_iommufd_emulated_attach_ioas,
> .detach_ioas = vfio_iommufd_emulated_detach_ioas,
> + .close_device = mtty_close,
> };
>
> static struct mdev_driver mtty_driver = {
On Mon, 16 Oct 2023 09:52:41 +0200
Cédric Le Goater <clg@redhat.com> wrote:
> On 10/13/23 21:56, Alex Williamson wrote:
> > Found via kmemleak, eventfd context is leaked if not explicitly torn
> > down by userspace. Clear pointers to track released contexts. Also
> > remove unused irq_fd field in mtty structure, set but never used.
>
> This could be 2 different patches, one cleanup and one fix.
Of course.
> > Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
> > Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> > ---
> > samples/vfio-mdev/mtty.c | 28 +++++++++++++++++++++++-----
> > 1 file changed, 23 insertions(+), 5 deletions(-)
> >
> > diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
> > index 5af00387c519..0a2760818e46 100644
> > --- a/samples/vfio-mdev/mtty.c
> > +++ b/samples/vfio-mdev/mtty.c
> > @@ -127,7 +127,6 @@ struct serial_port {
> > /* State of each mdev device */
> > struct mdev_state {
> > struct vfio_device vdev;
> > - int irq_fd;
> > struct eventfd_ctx *intx_evtfd;
> > struct eventfd_ctx *msi_evtfd;
> > int irq_index;
> > @@ -938,8 +937,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> > {
> > if (flags & VFIO_IRQ_SET_DATA_NONE) {
> > pr_info("%s: disable INTx\n", __func__);
> > - if (mdev_state->intx_evtfd)
> > + if (mdev_state->intx_evtfd) {
> > eventfd_ctx_put(mdev_state->intx_evtfd);
> > + mdev_state->intx_evtfd = NULL;
> > + }
> > break;
> > }
> >
> > @@ -955,7 +956,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> > break;
> > }
>
> Shouln't mdev_state->intx_evtfd value be tested before calling
> eventfd_ctx() ?
The state of mtty interrupt handling is really quite atrocious, it's a
pretty significant overhaul to really make it comply with the SET_IRQS
ioctl. I'll see what I can do, but it's so broken that I hope you
won't insist on splitting out each fix. Thanks,
Alex
> > mdev_state->intx_evtfd = evt;
> > - mdev_state->irq_fd = fd;
> > mdev_state->irq_index = index;
> > break;
> > }
> > @@ -971,8 +971,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> > break;
> > case VFIO_IRQ_SET_ACTION_TRIGGER:
> > if (flags & VFIO_IRQ_SET_DATA_NONE) {
> > - if (mdev_state->msi_evtfd)
> > + if (mdev_state->msi_evtfd) {
> > eventfd_ctx_put(mdev_state->msi_evtfd);
> > + mdev_state->msi_evtfd = NULL;
> > + }
> > pr_info("%s: disable MSI\n", __func__);
> > mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
> > break;
> > @@ -993,7 +995,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
> > break;
> > }
> > mdev_state->msi_evtfd = evt;
> > - mdev_state->irq_fd = fd;
> > mdev_state->irq_index = index;
> > }
> > break;
> > @@ -1262,6 +1263,22 @@ static unsigned int mtty_get_available(struct mdev_type *mtype)
> > return atomic_read(&mdev_avail_ports) / type->nr_ports;
> > }
> >
> > +static void mtty_close(struct vfio_device *vdev)
> > +{
> > + struct mdev_state *mdev_state =
> > + container_of(vdev, struct mdev_state, vdev);
> > +
> > + if (mdev_state->intx_evtfd) {
> > + eventfd_ctx_put(mdev_state->intx_evtfd);
> > + mdev_state->intx_evtfd = NULL;
> > + }
> > + if (mdev_state->msi_evtfd) {
> > + eventfd_ctx_put(mdev_state->msi_evtfd);
> > + mdev_state->msi_evtfd = NULL;
> > + }
> > + mdev_state->irq_index = -1;
> > +}
> > +
> > static const struct vfio_device_ops mtty_dev_ops = {
> > .name = "vfio-mtty",
> > .init = mtty_init_dev,
> > @@ -1273,6 +1290,7 @@ static const struct vfio_device_ops mtty_dev_ops = {
> > .unbind_iommufd = vfio_iommufd_emulated_unbind,
> > .attach_ioas = vfio_iommufd_emulated_attach_ioas,
> > .detach_ioas = vfio_iommufd_emulated_detach_ioas,
> > + .close_device = mtty_close,
> > };
> >
> > static struct mdev_driver mtty_driver = {
>
@@ -127,7 +127,6 @@ struct serial_port {
/* State of each mdev device */
struct mdev_state {
struct vfio_device vdev;
- int irq_fd;
struct eventfd_ctx *intx_evtfd;
struct eventfd_ctx *msi_evtfd;
int irq_index;
@@ -938,8 +937,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
{
if (flags & VFIO_IRQ_SET_DATA_NONE) {
pr_info("%s: disable INTx\n", __func__);
- if (mdev_state->intx_evtfd)
+ if (mdev_state->intx_evtfd) {
eventfd_ctx_put(mdev_state->intx_evtfd);
+ mdev_state->intx_evtfd = NULL;
+ }
break;
}
@@ -955,7 +956,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
break;
}
mdev_state->intx_evtfd = evt;
- mdev_state->irq_fd = fd;
mdev_state->irq_index = index;
break;
}
@@ -971,8 +971,10 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
break;
case VFIO_IRQ_SET_ACTION_TRIGGER:
if (flags & VFIO_IRQ_SET_DATA_NONE) {
- if (mdev_state->msi_evtfd)
+ if (mdev_state->msi_evtfd) {
eventfd_ctx_put(mdev_state->msi_evtfd);
+ mdev_state->msi_evtfd = NULL;
+ }
pr_info("%s: disable MSI\n", __func__);
mdev_state->irq_index = VFIO_PCI_INTX_IRQ_INDEX;
break;
@@ -993,7 +995,6 @@ static int mtty_set_irqs(struct mdev_state *mdev_state, uint32_t flags,
break;
}
mdev_state->msi_evtfd = evt;
- mdev_state->irq_fd = fd;
mdev_state->irq_index = index;
}
break;
@@ -1262,6 +1263,22 @@ static unsigned int mtty_get_available(struct mdev_type *mtype)
return atomic_read(&mdev_avail_ports) / type->nr_ports;
}
+static void mtty_close(struct vfio_device *vdev)
+{
+ struct mdev_state *mdev_state =
+ container_of(vdev, struct mdev_state, vdev);
+
+ if (mdev_state->intx_evtfd) {
+ eventfd_ctx_put(mdev_state->intx_evtfd);
+ mdev_state->intx_evtfd = NULL;
+ }
+ if (mdev_state->msi_evtfd) {
+ eventfd_ctx_put(mdev_state->msi_evtfd);
+ mdev_state->msi_evtfd = NULL;
+ }
+ mdev_state->irq_index = -1;
+}
+
static const struct vfio_device_ops mtty_dev_ops = {
.name = "vfio-mtty",
.init = mtty_init_dev,
@@ -1273,6 +1290,7 @@ static const struct vfio_device_ops mtty_dev_ops = {
.unbind_iommufd = vfio_iommufd_emulated_unbind,
.attach_ioas = vfio_iommufd_emulated_attach_ioas,
.detach_ioas = vfio_iommufd_emulated_detach_ioas,
+ .close_device = mtty_close,
};
static struct mdev_driver mtty_driver = {