Re: vfio: refcount_t: underflow; use-after-free.

2020-06-16 Thread Alex Williamson
On Tue, 16 Jun 2020 10:50:52 +0200
Daniel Wagner  wrote:

> Hi,
> 
> I'm getting the warning below when starting a KVM the second time with an
> Emulex PCI card 'passthroughed' into a KVM. I'm terminating the session
> via 'ctrl-a x', not sure if this is relevant.
> 
> This is with 5.8-rc1. IIRC, older version didn't have this problem.

Thanks for the report, it's a new regression.  I've just posted a fix
for it.  Thanks,

Alex
vfio: refcount_t: underflow; use-after-free.

2020-06-16 Thread Daniel Wagner
Hi,

I'm getting the warning below when starting a KVM the second time with an
Emulex PCI card 'passthroughed' into a KVM. I'm terminating the session
via 'ctrl-a x', not sure if this is relevant.

This is with 5.8-rc1. IIRC, older version didn't have this problem.

 modprobe -r lpfc
 modprobe vfio-pci ids=10df:f400
 qemu-system-x86_64 ... \
  -device vfio-pci,host=04:00.0 \
  -device vfio-pci,host=04:00.1 \
  -device vfio-pci,host=c1:00.0 \
  -device vfio-pci,host=c1:00.1 \
  ...
 vfio-pci :04:00.0: vfio_ecap_init: hiding ecap 0x19@0x20c
 vfio-pci :04:00.0: vfio_ecap_init: hiding ecap 0x26@0x238
 vfio-pci :04:00.0: vfio_ecap_init: hiding ecap 0x27@0x278
 [ cut here ]
 refcount_t: underflow; use-after-free.
 WARNING: CPU: 14 PID: 59978 at lib/refcount.c:28 refcount_warn_saturate+0x8d/0xf0
 CPU: 14 PID: 59978 Comm: qemu-system-x86 Kdump: loaded Tainted: GE 5.8.0-rc1-default #28
 Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 07/21/2019
 RIP: 0010:refcount_warn_saturate+0x8d/0xf0
 Call Trace:
  vfio_pci_set_ctx_trigger_single+0x69/0xc0 [vfio_pci]
  vfio_pci_ioctl+0x2ea/0xe80 [vfio_pci]
  ? _copy_from_user+0x2c/0x60
  ? ksys_ioctl+0x92/0xb0
  ? vfio_pci_memory_lock_and_enable+0x80/0x80 [vfio_pci]
  ksys_ioctl+0x92/0xb0
  __x64_sys_ioctl+0x16/0x20
  do_syscall_64+0x4d/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fbeb0ca2ac7
 Code: Bad RIP value.
 ---[ end trace fbd9c0c3c859d391 ]---
 irq 17: Affinity broken due to vector space exhaustion.
 vfio-pci :c1:00.0: vfio_ecap_init: hiding ecap 0x19@0x20c
 vfio-pci :c1:00.0: vfio_ecap_init: hiding ecap 0x26@0x238
 vfio-pci :c1:00.0: vfio_ecap_init: hiding ecap 0x27@0x278
 vfio-pci :04:00.0: vfio_bar_restore: reset recovery - restoring BARs
 vfio-pci :04:00.1: