Patch "PCI: hv: Fix a memory leak in hv_eject_device_work()" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    PCI: hv: Fix a memory leak in hv_eject_device_work()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 50e8d77ba0e1e57675e72ea4244a3b7b0656d1f1
Author: Dexuan Cui <decui@xxxxxxxxxxxxx>
Date:   Wed May 15 15:42:07 2019 -0700

    PCI: hv: Fix a memory leak in hv_eject_device_work()
    
    [ Upstream commit 05f151a73ec2b23ffbff706e5203e729a995cdc2 ]
    
    When a device is created in new_pcichild_device(), hpdev->refs is set
    to 2 (i.e. the initial value of 1 plus the get_pcichild()).
    
    When we hot remove the device from the host, in a Linux VM we first call
    hv_pci_eject_device(), which increases hpdev->refs by get_pcichild() and
    then schedules a work of hv_eject_device_work(), so hpdev->refs becomes
    3 (let's ignore the paired get/put_pcichild() in other places). But in
    hv_eject_device_work(), currently we only call put_pcichild() twice,
    meaning the 'hpdev' struct can't be freed in put_pcichild().
    
    Add one put_pcichild() to fix the memory leak.
    
    The device can also be removed when we run "rmmod pci-hyperv". On this
    path (hv_pci_remove() -> hv_pci_bus_exit() -> hv_pci_devices_present()),
    hpdev->refs is 2, and we do correctly call put_pcichild() twice in
    pci_devices_present_work().
    
    Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
    Signed-off-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
    [lorenzo.pieralisi@xxxxxxx: commit log rework]
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@xxxxxxx>
    Reviewed-by: Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx>
    Reviewed-by:  Michael Kelley <mikelley@xxxxxxxxxxxxx>
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
index 53d1c08cef4dc..292450c7da625 100644
--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -1941,6 +1941,7 @@ static void hv_eject_device_work(struct work_struct *work)
 			 VM_PKT_DATA_INBAND, 0);
 
 	put_pcichild(hpdev, hv_pcidev_ref_childlist);
+	put_pcichild(hpdev, hv_pcidev_ref_initial);
 	put_pcichild(hpdev, hv_pcidev_ref_pnp);
 	put_hvpcibus(hpdev->hbus);
 }
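
Review bot: the put_hvpcibus(hpdev->hbus) call at the end of this hunk dereferences hpdev after the last put_pcichild(), and with the added hv_pcidev_ref_initial put that last put can now drop the final reference. The commit message says refs is 3 on this path and that the struct is freed in put_pcichild(), so after three puts hpdev may already be gone when hpdev->hbus is read, turning the leak fix into a potential use-after-free. Consider loading hpdev->hbus into a local variable before the three put_pcichild() calls and passing that local to put_hvpcibus(). A short comment naming which get each of the three puts pairs with (childlist, initial, pnp) would also make the accounting checkable without the commit log.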


