linux/drivers/hv
Michael Kelley 07a756a49f Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is
fully initialized, we can hit the panic below:

hv_utils: Registering HyperV Utility Driver
hv_vmbus: registering driver hv_utils
...
BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1
RIP: 0010:hv_pkt_iter_first+0x12/0xd0
Call Trace:
...
 vmbus_recvpacket
 hv_kvp_onchannelcallback
 vmbus_on_event
 tasklet_action_common
 tasklet_action
 handle_softirqs
 irq_exit_rcu
 sysvec_hyperv_stimer0
 </IRQ>
 <TASK>
 asm_sysvec_hyperv_stimer0
...
 kvp_register_done
 hvt_op_read
 vfs_read
 ksys_read
 __x64_sys_read

This can happen because the KVP/VSS channel callback can be invoked
even before the channel is fully opened:
1) as soon as hv_kvp_init() -> hvutil_transport_init() creates
/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and
register itself to the driver by writing a message KVP_OP_REGISTER1 to the
file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and
reading the file for the driver's response, which is handled by
hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().

2) the problem with kvp_register_done() is that it can cause the
channel callback to be called even before the channel is fully opened,
and when the channel callback is starting to run, util_probe()->
vmbus_open() may have not initialized the ringbuffer yet, so the
callback can hit the panic of NULL pointer dereference.

To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in
__vmbus_open(), just before the first hv_ringbuffer_init(), and then we
unload and reload the driver hv_utils, and run the daemon manually within
the 10 seconds.

Fix the panic by reordering the steps in util_probe() so the char dev
entry used by the KVP or VSS daemon is not created until after
vmbus_open() has completed. This reordering prevents the race condition
from happening.

Reported-by: Dexuan Cui <decui@microsoft.com>
Fixes: e0fa3e5e7d ("Drivers: hv: utils: fix a race on userspace daemons registration")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Acked-by: Wei Liu <wei.liu@kernel.org>
Link: https://lore.kernel.org/r/20241106154247.2271-3-mhklinux@outlook.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Message-ID: <20241106154247.2271-3-mhklinux@outlook.com>
2024-12-09 18:44:15 +00:00
..
channel_mgmt.c Drivers: hv: vmbus: Add utility function for querying ring size 2024-04-11 14:55:53 +02:00
channel.c Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted 2024-04-10 21:33:33 +00:00
connection.c Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails 2024-04-10 21:33:32 +00:00
hv_balloon.c drivers: hv: Convert open-coded timeouts to secs_to_jiffies() 2024-12-09 18:44:14 +00:00
hv_common.c printk: Add a short description string to kmsg_dump() 2024-07-17 12:35:24 +02:00
hv_debugfs.c hv_debugfs: Make hv_debug_root static 2020-04-04 17:47:43 +01:00
hv_kvp.c Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet 2024-12-09 18:44:15 +00:00
hv_snapshot.c Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet 2024-12-09 18:44:15 +00:00
hv_trace_balloon.h hv_balloon: trace post_status 2018-03-06 09:57:17 -08:00
hv_trace.c hv: add SPDX license to trace 2018-03-28 13:24:56 +02:00
hv_trace.h Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE 2021-04-18 13:03:11 +00:00
hv_util.c Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet 2024-12-09 18:44:15 +00:00
hv_utils_transport.c Drivers: hv: utils: Make use of the helper macro LIST_HEAD() 2022-02-09 14:33:21 +00:00
hv_utils_transport.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 280 2019-06-05 17:36:36 +02:00
hv.c Drivers: hv: vmbus: Fix the misplaced function description 2024-08-03 00:13:01 +00:00
hyperv_vmbus.h Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet 2024-12-09 18:44:15 +00:00
Kconfig x86/hyperv: Use per cpu initial stack for vtl context 2024-03-08 23:40:09 +00:00
Makefile Drivers: hv: Remove fcopy driver 2024-04-11 14:55:53 +02:00
ring_buffer.c Drivers: hv: vmbus: Remove second way of mapping ring buffers 2023-04-17 19:19:04 +00:00
vmbus_drv.c drivers: hv: Convert open-coded timeouts to secs_to_jiffies() 2024-12-09 18:44:14 +00:00