From patchwork Mon Mar  9 22:43:17 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg Kurz <groug@kaod.org>
X-Patchwork-Id: 1251855
Return-Path: <slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 48btYM37r7z9sPJ
	for <incoming@patchwork.ozlabs.org>;
	Tue, 10 Mar 2020 09:43:35 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=kaod.org
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 48btYM2M5CzDqSR
	for <incoming@patchwork.ozlabs.org>;
	Tue, 10 Mar 2020 09:43:35 +1100 (AEDT)
X-Original-To: slof@lists.ozlabs.org
Delivered-To: slof@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org;
	spf=softfail (domain owner discourages use of this
	host) smtp.mailfrom=kaod.org (client-ip=148.163.158.5;
	helo=mx0a-001b2d01.pphosted.com; envelope-from=groug@kaod.org;
	receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org;
	dmarc=none (p=none dis=none) header.from=kaod.org
Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com
	[148.163.158.5])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 48btY9287kzDqSB
	for <slof@lists.ozlabs.org>; Tue, 10 Mar 2020 09:43:25 +1100 (AEDT)
Received: from pps.filterd (m0098414.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
	029MTff8034334
	for <slof@lists.ozlabs.org>; Mon, 9 Mar 2020 18:43:22 -0400
Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101])
	by mx0b-001b2d01.pphosted.com with ESMTP id 2ynr9cnfn1-1
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
	for <slof@lists.ozlabs.org>; Mon, 09 Mar 2020 18:43:22 -0400
Received: from localhost
	by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <slof@lists.ozlabs.org> from <groug@kaod.org>;
	Mon, 9 Mar 2020 22:43:20 -0000
Received: from b06avi18626390.portsmouth.uk.ibm.com (9.149.26.192)
	by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP
	Gateway: Authorized Use Only! Violators will be prosecuted;
	(version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
	Mon, 9 Mar 2020 22:43:19 -0000
Received: from b06wcsmtp001.portsmouth.uk.ibm.com
	(b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160])
	by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0)
	with ESMTP id 029MgJV045744458
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Mon, 9 Mar 2020 22:42:19 GMT
Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 89510A4070;
	Mon,  9 Mar 2020 22:43:18 +0000 (GMT)
Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 69259A406D;
	Mon,  9 Mar 2020 22:43:18 +0000 (GMT)
Received: from bahia.lan (unknown [9.145.41.106])
	by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP;
	Mon,  9 Mar 2020 22:43:18 +0000 (GMT)
From: Greg Kurz <groug@kaod.org>
To: slof@lists.ozlabs.org
Date: Mon, 09 Mar 2020 23:43:17 +0100
In-Reply-To: <158379377926.1643521.5206856271270861535.stgit@bahia.lan>
References: <158379377926.1643521.5206856271270861535.stgit@bahia.lan>
User-Agent: StGit/unknown-version
MIME-Version: 1.0
X-TM-AS-GCONF: 00
x-cbid: 20030922-0020-0000-0000-000003B215E6
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 20030922-0021-0000-0000-0000220A5EFF
Message-Id: <158379379767.1643521.14377247892349314162.stgit@bahia.lan>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,
	18.0.572 definitions=2020-03-09_11:2020-03-09,
	2020-03-09 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
	mlxlogscore=999 spamscore=0
	suspectscore=62 malwarescore=0 adultscore=0 mlxscore=0 bulkscore=0
	lowpriorityscore=0 clxscore=1034 impostorscore=0 phishscore=0
	priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.12.0-2001150001 definitions=main-2003090136
Subject: [SLOF] [PATCH 3/3] virtio-serial: Close device completely
X-BeenThere: slof@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Patches for https://github.com/aik/SLOF" <slof.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/slof>,
	<mailto:slof-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/slof/>
List-Post: <mailto:slof@lists.ozlabs.org>
List-Help: <mailto:slof-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/slof>,
	<mailto:slof-request@lists.ozlabs.org?subject=subscribe>
Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "SLOF" <slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Alexey Kardashevskiy <aik@ozlabs.ru>

Linux closes stdout at the end of prom_init which triggers the FW quiesce
code which closes the virtio-serial instance. This misses stopping the
virtio queues. However this seemed working for a little longer (until the
Linux driver took over) till 300384f3dc68 which moved the VQ descriptors
around which caused use-after-free corruption.

This adds virtio_queue_term_vq(), cleanup in the forth driver and a few
checks.

Fixes: 300384f3dc68 ("virtio: Store queue descriptors in virtio_device")
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
[groug: - fix changelog
        - don't restore emit]
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 board-qemu/slof/virtio-serial.fs |    3 +++
 lib/libvirtio/virtio-serial.c    |    7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/board-qemu/slof/virtio-serial.fs b/board-qemu/slof/virtio-serial.fs
index e307231ed0dc..ac55ffcc8ebb 100644
--- a/board-qemu/slof/virtio-serial.fs
+++ b/board-qemu/slof/virtio-serial.fs
@@ -21,6 +21,7 @@ virtio-setup-vd VALUE virtiodev
 : shutdown  ( -- )
     virtiodev virtio-serial-shutdown
     FALSE to initialized?
+    0 to virtiodev
 ;
 
 : virtio-serial-term-emit
@@ -58,6 +59,7 @@ virtiodev virtio-serial-init drop
 ;
 
 : write ( addr len -- actual )
+    virtiodev 0= IF nip EXIT THEN
     tuck
     0 ?DO
         dup c@ virtiodev SWAP virtio-serial-putchar
@@ -68,6 +70,7 @@ virtiodev virtio-serial-init drop
 
 : read ( addr len -- actual )
     0= IF drop 0 EXIT THEN
+    virtiodev 0= IF nip EXIT THEN
     virtiodev virtio-serial-haschar 0= IF 0 swap c! -2 EXIT THEN
     virtiodev virtio-serial-getchar swap c! 1
 ;
diff --git a/lib/libvirtio/virtio-serial.c b/lib/libvirtio/virtio-serial.c
index d1503a44f433..92afb02014b2 100644
--- a/lib/libvirtio/virtio-serial.c
+++ b/lib/libvirtio/virtio-serial.c
@@ -102,6 +102,10 @@ void virtio_serial_shutdown(struct virtio_device *dev)
 	/* Quiesce device */
 	virtio_set_status(dev, VIRTIO_STAT_FAILED);
 
+	/* Stop queues */
+	virtio_queue_term_vq(dev, &dev->vq[TX_Q], TX_Q);
+	virtio_queue_term_vq(dev, &dev->vq[RX_Q], RX_Q);
+
 	/* Reset device */
 	virtio_reset_device(dev);
 }
@@ -114,6 +118,9 @@ int virtio_serial_putchar(struct virtio_device *dev, char c)
 	uint16_t last_used_idx, avail_idx;
 	struct vqs *vq = &dev->vq[TX_Q];
 
+	if (!vq->desc)
+		return 0;
+
 	avail_idx = virtio_modern16_to_cpu(dev, vq->avail->idx);
 
 	last_used_idx = vq->used->idx;