summaryrefslogtreecommitdiff
path: root/drivers/virtio
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2010-02-25 19:08:55 +0200
committerMichael S. Tsirkin <mst@redhat.com>2010-02-28 20:39:11 +0200
commit3119815912a220bdac943dfbdfee640414c0c611 (patch)
treee8a6923ba0da89d7bb3cc9fd698f8c32a4a2f8ae /drivers/virtio
parent847f9c606cad121cebf984639e3eeee1c4db82f8 (diff)
downloadlwn-3119815912a220bdac943dfbdfee640414c0c611.tar.gz
lwn-3119815912a220bdac943dfbdfee640414c0c611.zip
virtio: fix out of range array access
I have observed the following error on virtio-net module unload: ------------[ cut here ]------------ WARNING: at kernel/irq/manage.c:858 __free_irq+0xa0/0x14c() Hardware name: Bochs Trying to free already-free IRQ 0 Modules linked in: virtio_net(-) virtio_blk virtio_pci virtio_ring virtio af_packet e1000 shpchp aacraid uhci_hcd ohci_hcd ehci_hcd [last unloaded: scsi_wait_scan] Pid: 1957, comm: rmmod Not tainted 2.6.33-rc8-vhost #24 Call Trace: [<ffffffff8103e195>] warn_slowpath_common+0x7c/0x94 [<ffffffff8103e204>] warn_slowpath_fmt+0x41/0x43 [<ffffffff810a7a36>] ? __free_pages+0x5a/0x70 [<ffffffff8107cc00>] __free_irq+0xa0/0x14c [<ffffffff8107cceb>] free_irq+0x3f/0x65 [<ffffffffa0081424>] vp_del_vqs+0x81/0xb1 [virtio_pci] [<ffffffffa0091d29>] virtnet_remove+0xda/0x10b [virtio_net] [<ffffffffa0075200>] virtio_dev_remove+0x22/0x4a [virtio] [<ffffffff812709ee>] __device_release_driver+0x66/0xac [<ffffffff81270ab7>] driver_detach+0x83/0xa9 [<ffffffff8126fc66>] bus_remove_driver+0x91/0xb4 [<ffffffff81270fcf>] driver_unregister+0x6c/0x74 [<ffffffffa0075418>] unregister_virtio_driver+0xe/0x10 [virtio] [<ffffffffa0091c4d>] fini+0x15/0x17 [virtio_net] [<ffffffff8106997b>] sys_delete_module+0x1c3/0x230 [<ffffffff81007465>] ? old_ich_force_enable_hpet+0x117/0x164 [<ffffffff813bb720>] ? do_page_fault+0x29c/0x2cc [<ffffffff81028e58>] sysenter_dispatch+0x7/0x27 ---[ end trace 15e88e4c576cc62b ]--- The bug is in virtio-pci: we use msix_vector as array index to get irq entry, but some vqs do not have a dedicated vector so this causes an out of bounds access. By chance, we seem to often get 0 value, which results in this error. Fix by verifying that vector is legal before using it as index. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Anthony Liguori <aliguori@us.ibm.com> Acked-by: Shirley Ma <xma@us.ibm.com> Acked-by: Amit Shah <amit.shah@redhat.com>
Diffstat (limited to 'drivers/virtio')
-rw-r--r--drivers/virtio/virtio_pci.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c
index 1d5191fab62e..1b6573216998 100644
--- a/drivers/virtio/virtio_pci.c
+++ b/drivers/virtio/virtio_pci.c
@@ -473,7 +473,8 @@ static void vp_del_vqs(struct virtio_device *vdev)
list_for_each_entry_safe(vq, n, &vdev->vqs, list) {
info = vq->priv;
- if (vp_dev->per_vq_vectors)
+ if (vp_dev->per_vq_vectors &&
+ info->msix_vector != VIRTIO_MSI_NO_VECTOR)
free_irq(vp_dev->msix_entries[info->msix_vector].vector,
vq);
vp_del_vq(vq);