Patch "vdpa/mlx5: Avoid processing works if workqueue was destroyed" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 8 Jul 2022 16:53:31 -0400

This is a note to let you know that I've just added the patch titled

    vdpa/mlx5: Avoid processing works if workqueue was destroyed

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vdpa-mlx5-avoid-processing-works-if-workqueue-was-de.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c264e9eda48ab0a18955994020bd9cd69abbb51e
Author: Eli Cohen <elic@xxxxxxxxxx>
Date:   Mon Mar 21 16:13:03 2022 +0200

    vdpa/mlx5: Avoid processing works if workqueue was destroyed
    
    [ Upstream commit ad6dc1daaf29f97f23cc810d60ee01c0e83f4c6b ]
    
    If mlx5_vdpa gets unloaded while a VM is running, the workqueue will be
    destroyed. However, vhost might still have reference to the kick
    function and might attempt to push new works. This could lead to null
    pointer dereference.
    
    To fix this, set mvdev->wq to NULL just before destroying and verify
    that the workqueue is not NULL in mlx5_vdpa_kick_vq before attempting to
    push a new work.
    
    Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting")
    Signed-off-by: Eli Cohen <elic@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220321141303.9586-1-elic@xxxxxxxxxx
    Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 174895372e7f..467a349dc26c 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1641,7 +1641,7 @@ static void mlx5_vdpa_kick_vq(struct vdpa_device *vdev, u16 idx)
 		return;
 
 	if (unlikely(is_ctrl_vq_idx(mvdev, idx))) {
-		if (!mvdev->cvq.ready)
+		if (!mvdev->wq || !mvdev->cvq.ready)
 			return;
 
 		queue_work(mvdev->wq, &ndev->cvq_ent.work);
@@ -2626,9 +2626,12 @@ static void mlx5_vdpa_dev_del(struct vdpa_mgmt_dev *v_mdev, struct vdpa_device *
 	struct mlx5_vdpa_mgmtdev *mgtdev = container_of(v_mdev, struct mlx5_vdpa_mgmtdev, mgtdev);
 	struct mlx5_vdpa_dev *mvdev = to_mvdev(dev);
 	struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
+	struct workqueue_struct *wq;
 
 	mlx5_notifier_unregister(mvdev->mdev, &ndev->nb);
-	destroy_workqueue(mvdev->wq);
+	wq = mvdev->wq;
+	mvdev->wq = NULL;
+	destroy_workqueue(wq);
 	_vdpa_unregister_device(dev);
 	mgtdev->ndev = NULL;
 }






