RE: [PATCH] Netvsc: Call hv_unmap_memory() in the netvsc_device_remove()

"Michael Kelley (LINUX)" <mikelley@xxxxxxxxxxxxx> · Wed, 2 Feb 2022 17:05:20 +0000

From: Tianyu Lan <ltykernel@xxxxxxxxx> Sent: Tuesday, February 1, 2022 8:32 AM
> 
> netvsc_device_remove() calls vunmap() inside which should not be
> called in the interrupt context. Current code calls hv_unmap_memory()
> in the free_netvsc_device() which is rcu callback and maybe called
> in the interrupt context. This will trigger BUG_ON(in_interrupt())
> in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_
> remove().

I think this change can fail to call hv_unmap_memory() in an error case.

If netvsc_init_buf() fails after hv_map_memory() succeeds for the receive
buffer or for the send buffer, no corresponding hv_unmap_memory() will
be done.  The failure in netvsc_init_buf() will cause netvsc_connect_vsp()
to fail, so netvsc_add_device() will "goto close" where free_netvsc_device()
will be called.  But free_netvsc_device() no longer calls hv_unmap_memory(),
so it won't ever happen.   netvsc_device_remove() is never called in this case
because netvsc_add_device() failed.

Michael

> 
> Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver")
> Signed-off-by: Tianyu Lan <Tianyu.Lan@xxxxxxxxxxxxx>
> ---
>  drivers/net/hyperv/netvsc.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index afa81a9480cc..f989f920d4ce 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -154,19 +154,15 @@ static void free_netvsc_device(struct rcu_head *head)
> 
>  	kfree(nvdev->extension);
> 
> -	if (nvdev->recv_original_buf) {
> -		hv_unmap_memory(nvdev->recv_buf);
> +	if (nvdev->recv_original_buf)
>  		vfree(nvdev->recv_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->recv_buf);
> -	}
> 
> -	if (nvdev->send_original_buf) {
> -		hv_unmap_memory(nvdev->send_buf);
> +	if (nvdev->send_original_buf)
>  		vfree(nvdev->send_original_buf);
> -	} else {
> +	else
>  		vfree(nvdev->send_buf);
> -	}
> 
>  	bitmap_free(nvdev->send_section_map);
> 
> @@ -765,6 +761,12 @@ void netvsc_device_remove(struct hv_device *device)
>  		netvsc_teardown_send_gpadl(device, net_device, ndev);
>  	}
> 
> +	if (net_device->recv_original_buf)
> +		hv_unmap_memory(net_device->recv_buf);
> +
> +	if (net_device->send_original_buf)
> +		hv_unmap_memory(net_device->send_buf);
> +
>  	/* Release all resources */
>  	free_netvsc_device_rcu(net_device);
>  }
> --
> 2.25.1