authorGordon Tetlow <gordon@FreeBSD.org>2021-11-03 20:43:03 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2021-11-03 20:43:03 +0000
commitb13a6827931f159ab616c5395bed207059347284 (patch)
tree0b2cc5a1806518c32b59650744d95ebeaa8f7400
parenta8c4f99a6723ec7a9de6830c47f650ba2f978f31 (diff)
Fix kernel panic in vmci driver initialization.
Approved by: so Security: EN-21:28.vmci
-rw-r--r--sys/dev/vmware/vmci/vmci.c9
-rw-r--r--sys/dev/vmware/vmci/vmci_event.c3
-rw-r--r--sys/dev/vmware/vmci/vmci_kernel_if.c48
-rw-r--r--sys/dev/vmware/vmci/vmci_kernel_if.h2
-rw-r--r--sys/dev/vmware/vmci/vmci_queue_pair.c3
5 files changed, 61 insertions, 4 deletions
diff --git a/sys/dev/vmware/vmci/vmci.c b/sys/dev/vmware/vmci/vmci.c
index dc029419e20d..90e28f95cc7a 100644
--- a/sys/dev/vmware/vmci/vmci.c
+++ b/sys/dev/vmware/vmci/vmci.c
@@ -233,8 +233,10 @@ vmci_detach(device_t dev)
vmci_components_cleanup();
- taskqueue_drain(taskqueue_thread, &sc->vmci_delayed_work_task);
- mtx_destroy(&sc->vmci_delayed_work_lock);
+ if mtx_initialized(&sc->vmci_spinlock) {
+ taskqueue_drain(taskqueue_thread, &sc->vmci_delayed_work_task);
+ mtx_destroy(&sc->vmci_delayed_work_lock);
+ }
if (sc->vmci_res0 != NULL)
bus_space_write_4(sc->vmci_iot0, sc->vmci_ioh0,
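Review bot: The guard added at L29 tests `mtx_initialized(&sc->vmci_spinlock)`, but the two lines it protects drain the delayed-work task and destroy `sc->vmci_delayed_work_lock`, a different lock; unless both locks are initialized at the same point of attach (not visible here), the guard can disagree with the resource it is protecting, so testing the lock actually being torn down is the safer form: `if (mtx_initialized(&sc->vmci_delayed_work_lock)) {`. The condition also relies on the macro expansion of `mtx_initialized()` to supply the parentheses the `if` statement needs; write `if (mtx_initialized(...))` explicitly here, at L38 and at L62 in vmci_kernel_if.c so the code keeps compiling if the helper ever becomes an inline function. vmci_detach() begins and ends outside these hunks.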
@@ -245,7 +247,8 @@ vmci_detach(device_t dev)
vmci_unmap_bars(sc);
- mtx_destroy(&sc->vmci_spinlock);
+ if mtx_initialized(&sc->vmci_spinlock)
+ mtx_destroy(&sc->vmci_spinlock);
pci_disable_busmaster(dev);
diff --git a/sys/dev/vmware/vmci/vmci_event.c b/sys/dev/vmware/vmci/vmci_event.c
index 9a932340a7b6..c34ff113978b 100644
--- a/sys/dev/vmware/vmci/vmci_event.c
+++ b/sys/dev/vmware/vmci/vmci_event.c
@@ -594,6 +594,9 @@ vmci_event_unregister_subscription(vmci_id sub_id)
{
struct vmci_subscription *s;
+ if (!vmci_initialized_lock(&subscriber_lock))
+ return NULL;
+
vmci_grab_lock_bh(&subscriber_lock);
s = vmci_event_find(sub_id);
if (s != NULL) {
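Review bot: The early return added at L48-L49 has no comment explaining why `subscriber_lock` can be uninitialized at this point, which is the whole reason the check exists; add `/* The lock is never set up if attach failed early; nothing to unregister. */` above it, presumably the situation the commit message refers to, although the attach path is not visible here. Returning NULL for "subsystem not initialized" is indistinguishable to callers from "no subscription with this id"; if that distinction matters to any caller, the function's header comment should state it. vmci_event_unregister_subscription() begins and ends outside the hunk.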
diff --git a/sys/dev/vmware/vmci/vmci_kernel_if.c b/sys/dev/vmware/vmci/vmci_kernel_if.c
index 851c4c9df214..a550277500aa 100644
--- a/sys/dev/vmware/vmci/vmci_kernel_if.c
+++ b/sys/dev/vmware/vmci/vmci_kernel_if.c
@@ -70,7 +70,8 @@ void
vmci_cleanup_lock(vmci_lock *lock)
{
- mtx_destroy(lock);
+ if mtx_initialized(lock)
+ mtx_destroy(lock);
}
/*
@@ -168,6 +169,29 @@ vmci_release_lock_bh(vmci_lock *lock)
/*
*------------------------------------------------------------------------------
*
+ * vmci_initialized_lock
+ *
+ * Returns whether a lock has been initialized.
+ *
+ * Results:
+ * Return 1 if initialized or 0 if unininitialized.
+ *
+ * Side effects:
+ * None
+ *
+ *------------------------------------------------------------------------------
+ */
+
+int
+vmci_initialized_lock(vmci_lock *lock)
+{
+
+ return mtx_initialized(lock);
+}
+
+/*
+ *------------------------------------------------------------------------------
+ *
* vmci_alloc_kernel_mem
*
* Allocate physically contiguous memory for the VMCI driver.
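Review bot: The header comment at L75 promises `Return 1 if initialized or 0 if unininitialized` (note the typo), but `mtx_initialized()` is a flag-mask test whose non-zero result is not necessarily 1; either normalize the value with `return (mtx_initialized(lock) != 0);` or reword the comment to "non-zero if initialized, 0 otherwise". The same comment and return form recur in vmci_mutex_initialized() in the hunk ending at L124, which additionally lacks the blank line between its closing brace at L118 and the following comment block that the rest of the file keeps (compare L88-L89).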
@@ -449,6 +473,28 @@ vmci_mutex_release(vmci_mutex *mutex)
/*
*------------------------------------------------------------------------------
*
+ * vmci_mutex_initialized
+ *
+ * Returns whether a mutex has been initialized.
+ *
+ * Results:
+ * Return 1 if initialized or 0 if unininitialized.
+ *
+ * Side effects:
+ * None
+ *
+ *------------------------------------------------------------------------------
+ */
+
+int
+vmci_mutex_initialized(vmci_mutex *mutex)
+{
+
+ return mtx_initialized(mutex);
+}
+/*
+ *------------------------------------------------------------------------------
+ *
* vmci_alloc_queue --
*
* Allocates kernel queue pages of specified size with IOMMU mappings, plus
diff --git a/sys/dev/vmware/vmci/vmci_kernel_if.h b/sys/dev/vmware/vmci/vmci_kernel_if.h
index fc23eefe98e0..048e480b0698 100644
--- a/sys/dev/vmware/vmci/vmci_kernel_if.h
+++ b/sys/dev/vmware/vmci/vmci_kernel_if.h
@@ -48,6 +48,7 @@ void vmci_grab_lock(vmci_lock *lock);
void vmci_release_lock(vmci_lock *lock);
void vmci_grab_lock_bh(vmci_lock *lock);
void vmci_release_lock_bh(vmci_lock *lock);
+int vmci_initialized_lock(vmci_lock *lock);
void *vmci_alloc_kernel_mem(size_t size, int flags);
void vmci_free_kernel_mem(void *ptr, size_t size);
@@ -72,6 +73,7 @@ int vmci_mutex_init(vmci_mutex *mutex, char *name);
void vmci_mutex_destroy(vmci_mutex *mutex);
void vmci_mutex_acquire(vmci_mutex *mutex);
void vmci_mutex_release(vmci_mutex *mutex);
+int vmci_mutex_initialized(vmci_mutex *mutex);
void *vmci_alloc_queue(uint64_t size, uint32_t flags);
void vmci_free_queue(void *q, uint64_t size);
diff --git a/sys/dev/vmware/vmci/vmci_queue_pair.c b/sys/dev/vmware/vmci/vmci_queue_pair.c
index 65ae00c8d167..ebf2824f8d04 100644
--- a/sys/dev/vmware/vmci/vmci_queue_pair.c
+++ b/sys/dev/vmware/vmci/vmci_queue_pair.c
@@ -338,6 +338,9 @@ vmci_qp_guest_endpoints_exit(void)
{
struct qp_guest_endpoint *entry;
+ if (!vmci_mutex_initialized(&qp_guest_endpoints.mutex))
+ return;
+
vmci_mutex_acquire(&qp_guest_endpoints.mutex);
while ((entry =