release/5.2.32/vfio-pci-call-irq_bypass_unregister_producer-before-.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From ae2795b4be618eb3732fb44bc1e16ebf6a9bde7a Mon Sep 17 00:00:00 2001
 From: Jiang Yi <giangyi@amazon.com>
 Date: Wed, 27 Nov 2019 17:49:10 +0100
 Subject: [PATCH] vfio/pci: call irq_bypass_unregister_producer() before
  freeing irq

 commit d567fb8819162099035e546b11a736e29c2af0ea upstream.

 Since irq_bypass_register_producer() is called after request_irq(), we
 should do tear-down in reverse order: irq_bypass_unregister_producer()
 then free_irq().

 Specifically free_irq() may release resources required by the
 irqbypass del_producer() callback.  Notably an example provided by
 Marc Zyngier on arm64 with GICv4 that he indicates has the potential
 to wedge the hardware:

  free_irq(irq)
    __free_irq(irq)
      irq_domain_deactivate_irq(irq)
        its_irq_domain_deactivate()
          [unmap the VLPI from the ITS]

  kvm_arch_irq_bypass_del_producer(cons, prod)
    kvm_vgic_v4_unset_forwarding(kvm, irq, ...)
      its_unmap_vlpi(irq)
        [Unmap the VLPI from the ITS (again), remap the original LPI]

 Signed-off-by: Jiang Yi <giangyi@amazon.com>
 Cc: stable@vger.kernel.org # v4.4+
 Fixes: 6d7425f109d26 ("vfio: Register/unregister irq_bypass_producer")
 Link: https://lore.kernel.org/kvm/20191127164910.15888-1-giangyi@amazon.com
 Reviewed-by: Marc Zyngier <maz@kernel.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 [aw: commit log]
 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
 index 3fa3f728fb39..2056f3f85f59 100644
 --- a/drivers/vfio/pci/vfio_pci_intrs.c
 +++ b/drivers/vfio/pci/vfio_pci_intrs.c
 @@ -294,8 +294,8 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
  	irq = pci_irq_vector(pdev, vector);

  	if (vdev->ctx[vector].trigger) {
 -		free_irq(irq, vdev->ctx[vector].trigger);
  		irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
 +		free_irq(irq, vdev->ctx[vector].trigger);
  		kfree(vdev->ctx[vector].name);
  		eventfd_ctx_put(vdev->ctx[vector].trigger);
  		vdev->ctx[vector].trigger = NULL;
 --
 2.7.4
	From ae2795b4be618eb3732fb44bc1e16ebf6a9bde7a Mon Sep 17 00:00:00 2001
	From: Jiang Yi <giangyi@amazon.com>
	Date: Wed, 27 Nov 2019 17:49:10 +0100
	Subject: [PATCH] vfio/pci: call irq_bypass_unregister_producer() before
	freeing irq

	commit d567fb8819162099035e546b11a736e29c2af0ea upstream.

	Since irq_bypass_register_producer() is called after request_irq(), we
	should do tear-down in reverse order: irq_bypass_unregister_producer()
	then free_irq().

	Specifically free_irq() may release resources required by the
	irqbypass del_producer() callback. Notably an example provided by
	Marc Zyngier on arm64 with GICv4 that he indicates has the potential
	to wedge the hardware:

	free_irq(irq)
	__free_irq(irq)
	irq_domain_deactivate_irq(irq)
	its_irq_domain_deactivate()
	[unmap the VLPI from the ITS]

	kvm_arch_irq_bypass_del_producer(cons, prod)
	kvm_vgic_v4_unset_forwarding(kvm, irq, ...)
	its_unmap_vlpi(irq)
	[Unmap the VLPI from the ITS (again), remap the original LPI]

	Signed-off-by: Jiang Yi <giangyi@amazon.com>
	Cc: stable@vger.kernel.org # v4.4+
	Fixes: 6d7425f109d26 ("vfio: Register/unregister irq_bypass_producer")
	Link: https://lore.kernel.org/kvm/20191127164910.15888-1-giangyi@amazon.com
	Reviewed-by: Marc Zyngier <maz@kernel.org>
	Reviewed-by: Eric Auger <eric.auger@redhat.com>
	[aw: commit log]
	Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
	index 3fa3f728fb39..2056f3f85f59 100644
	--- a/drivers/vfio/pci/vfio_pci_intrs.c
	+++ b/drivers/vfio/pci/vfio_pci_intrs.c
	@@ -294,8 +294,8 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
	irq = pci_irq_vector(pdev, vector);

	if (vdev->ctx[vector].trigger) {
	- free_irq(irq, vdev->ctx[vector].trigger);
	irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
	+ free_irq(irq, vdev->ctx[vector].trigger);
	kfree(vdev->ctx[vector].name);
	eventfd_ctx_put(vdev->ctx[vector].trigger);
	vdev->ctx[vector].trigger = NULL;
	--
	2.7.4