[SLOF] [PATCH 3/3] virtio-serial: Close device completely

Tue Mar 10 09:43:17 AEDT 2020

From: Alexey Kardashevskiy <aik at ozlabs.ru>

Linux closes stdout at the end of prom_init which triggers the FW quiesce
code which closes the virtio-serial instance. This misses stopping the
virtio queues. However this seemed working for a little longer (until the
Linux driver took over) till 300384f3dc68 which moved the VQ descriptors
around which caused use-after-free corruption.

This adds virtio_queue_term_vq(), cleanup in the forth driver and a few
checks.

Fixes: 300384f3dc68 ("virtio: Store queue descriptors in virtio_device")
Signed-off-by: Alexey Kardashevskiy <aik at ozlabs.ru>
[groug: - fix changelog
        - don't restore emit]
Signed-off-by: Greg Kurz <groug at kaod.org>
---
 board-qemu/slof/virtio-serial.fs |    3 +++
 lib/libvirtio/virtio-serial.c    |    7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/board-qemu/slof/virtio-serial.fs b/board-qemu/slof/virtio-serial.fs
index e307231ed0dc..ac55ffcc8ebb 100644
--- a/board-qemu/slof/virtio-serial.fs
+++ b/board-qemu/slof/virtio-serial.fs
@@ -21,6 +21,7 @@ virtio-setup-vd VALUE virtiodev
 : shutdown  ( -- )
     virtiodev virtio-serial-shutdown
     FALSE to initialized?
+    0 to virtiodev
 ;
 
 : virtio-serial-term-emit
@@ -58,6 +59,7 @@ virtiodev virtio-serial-init drop
 ;
 
 : write ( addr len -- actual )
+    virtiodev 0= IF nip EXIT THEN
     tuck
     0 ?DO
         dup c@ virtiodev SWAP virtio-serial-putchar
@@ -68,6 +70,7 @@ virtiodev virtio-serial-init drop
 
 : read ( addr len -- actual )
     0= IF drop 0 EXIT THEN
+    virtiodev 0= IF nip EXIT THEN
     virtiodev virtio-serial-haschar 0= IF 0 swap c! -2 EXIT THEN
     virtiodev virtio-serial-getchar swap c! 1
 ;
diff --git a/lib/libvirtio/virtio-serial.c b/lib/libvirtio/virtio-serial.c
index d1503a44f433..92afb02014b2 100644
--- a/lib/libvirtio/virtio-serial.c
+++ b/lib/libvirtio/virtio-serial.c
@@ -102,6 +102,10 @@ void virtio_serial_shutdown(struct virtio_device *dev)
 	/* Quiesce device */
 	virtio_set_status(dev, VIRTIO_STAT_FAILED);
 
+	/* Stop queues */
+	virtio_queue_term_vq(dev, &dev->vq[TX_Q], TX_Q);
+	virtio_queue_term_vq(dev, &dev->vq[RX_Q], RX_Q);
+
 	/* Reset device */
 	virtio_reset_device(dev);
 }
@@ -114,6 +118,9 @@ int virtio_serial_putchar(struct virtio_device *dev, char c)
 	uint16_t last_used_idx, avail_idx;
 	struct vqs *vq = &dev->vq[TX_Q];
 
+	if (!vq->desc)
+		return 0;
+
 	avail_idx = virtio_modern16_to_cpu(dev, vq->avail->idx);
 
 	last_used_idx = vq->used->idx;

