From: Bjorn Helgaas <helgaas@kernel.org>
To: Sinan Kaya <okaya@codeaurora.org>
Cc: mayurkumar.patel@intel.com, David Daney <david.daney@cavium.com>,
linux-pci@vger.kernel.org, timur@codeaurora.org,
linux-kernel@vger.kernel.org, Julia Lawall <Julia.Lawall@lip6.fr>,
linux-arm-msm@vger.kernel.org,
Bjorn Helgaas <bhelgaas@google.com>,
Rajat Jain <rajatja@google.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH V8 3/5] PCI/ASPM: add init hook to device_add
Date: Thu, 13 Apr 2017 16:02:18 -0500 [thread overview]
Message-ID: <20170413210218.GA24910@bhelgaas-glaptop.roam.corp.google.com> (raw)
In-Reply-To: <20170413204800.GB28316@bhelgaas-glaptop.roam.corp.google.com>
On Thu, Apr 13, 2017 at 03:48:00PM -0500, Bjorn Helgaas wrote:
> Hi Sinan,
>
> On Sat, Apr 08, 2017 at 12:55:49AM -0400, Sinan Kaya wrote:
> > For bridges, have pcie_aspm_init_link_state() allocate a link_state,
> > regardless of whether it currently has any children.
> >
> > pcie_aspm_init_link_state(): Called for bridges (upstream end of
> > link) after all children have been enumerated. No longer needs to
> > check aspm_support_enabled or pdev->has_secondary_link or the VIA
> > quirk: pci_aspm_init() already checked that stuff, so we only need
> > to check pdev->link_state here.
> >
> > Now that we are calling alloc_pcie_link_state() from pci_aspm_init()
> > , get rid of pci_function_0 function and detect downstream link in
> > pci_aspm_init_upstream() instead when the function number is 0.
> >
> > Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=194895
> > Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
> > ---
> > drivers/pci/pcie/aspm.c | 72 ++++++++++++++++++++++++-------------------------
> > 1 file changed, 36 insertions(+), 36 deletions(-)
> >
> > diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
> > index a80d64b..e33f84b 100644
> > --- a/drivers/pci/pcie/aspm.c
> > +++ b/drivers/pci/pcie/aspm.c
> > @@ -422,20 +422,6 @@ static void pcie_aspm_check_latency(struct pci_dev *endpoint)
> > }
> > }
> >
> > -/*
> > - * The L1 PM substate capability is only implemented in function 0 in a
> > - * multi function device.
> > - */
> > -static struct pci_dev *pci_function_0(struct pci_bus *linkbus)
> > -{
> > - struct pci_dev *child;
> > -
> > - list_for_each_entry(child, &linkbus->devices, bus_list)
> > - if (PCI_FUNC(child->devfn) == 0)
> > - return child;
> > - return NULL;
> > -}
> > -
> > /* Calculate L1.2 PM substate timing parameters */
> > static void aspm_calc_l1ss_info(struct pcie_link_state *link,
> > struct aspm_register_info *upreg,
> > @@ -798,7 +784,6 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> > INIT_LIST_HEAD(&link->children);
> > INIT_LIST_HEAD(&link->link);
> > link->pdev = pdev;
> > - link->downstream = pci_function_0(pdev->subordinate);
> >
> > /*
> > * Root Ports and PCI/PCI-X to PCIe Bridges are roots of PCIe
> > @@ -828,11 +813,33 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> >
> > static int pci_aspm_init_downstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > + struct pci_dev *parent;
> > +
> > + /*
> > + * The L1 PM substate capability is only implemented in function 0 in a
> > + * multi function device.
> > + */
> > + if (PCI_FUNC(pdev->devfn) != 0)
> > + return -EINVAL;
> > +
> > + parent = pdev->bus->self;
> > + if (!parent)
> > + return -EINVAL;
> > +
> > + link = parent->link_state;
> > + link->downstream = pdev;
> > return 0;
> > }
> >
> > static int pci_aspm_init_upstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > +
> > + link = alloc_pcie_link_state(pdev);
> > + if (!link)
> > + return -ENOMEM;
>
> This allocates the link_state when we enumerate a Downstream Port
> instead of when we enumerate a child device. We want the link_state
> lifetime to match that of the Downstream Port, so this seems good.
>
> But we shouldn't at the same time change the link_state deallocation
> so it happens when the Downstream Port is removed, not when the child
> device is removed?
I do see that you change the deallocation in patch [5/5], but I think
the deallocation change should be in the same patch as the allocation
change. Otherwise I think we have a use-after-free problem in this
sequence:
# initial enumeration
pci_device_add(downstream_port)
pci_aspm_init(downstream_port)
alloc_pcie_link_state
pci_device_add(endpoint)
pci_aspm_init(endpoint)
# hot-remove endpoint
pci_stop_dev(endpoint)
pcie_aspm_exit_link_state(endpoint)
link = parent->link_state
free_link_state(link)
# hot-add endpoint
pci_aspm_init(endpoint)
link = parent->link_state <--- use after free
WARNING: multiple messages have this Message-ID (diff)
From: Bjorn Helgaas <helgaas@kernel.org>
To: Sinan Kaya <okaya@codeaurora.org>
Cc: mayurkumar.patel@intel.com, David Daney <david.daney@cavium.com>,
linux-pci@vger.kernel.org, timur@codeaurora.org,
linux-kernel@vger.kernel.org, Julia Lawall <Julia.Lawall@lip6.fr>,
linux-arm-msm@vger.kernel.org,
Bjorn Helgaas <bhelgaas@google.com>,
Rajat Jain <rajatja@google.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH V8 3/5] PCI/ASPM: add init hook to device_add
Date: Thu, 13 Apr 2017 16:02:18 -0500 [thread overview]
Message-ID: <20170413210218.GA24910@bhelgaas-glaptop.roam.corp.google.com> (raw)
In-Reply-To: <20170413204800.GB28316@bhelgaas-glaptop.roam.corp.google.com>
On Thu, Apr 13, 2017 at 03:48:00PM -0500, Bjorn Helgaas wrote:
> Hi Sinan,
>
> On Sat, Apr 08, 2017 at 12:55:49AM -0400, Sinan Kaya wrote:
> > For bridges, have pcie_aspm_init_link_state() allocate a link_state,
> > regardless of whether it currently has any children.
> >
> > pcie_aspm_init_link_state(): Called for bridges (upstream end of
> > link) after all children have been enumerated. No longer needs to
> > check aspm_support_enabled or pdev->has_secondary_link or the VIA
> > quirk: pci_aspm_init() already checked that stuff, so we only need
> > to check pdev->link_state here.
> >
> > Now that we are calling alloc_pcie_link_state() from pci_aspm_init()
> > , get rid of pci_function_0 function and detect downstream link in
> > pci_aspm_init_upstream() instead when the function number is 0.
> >
> > Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=194895
> > Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
> > ---
> > drivers/pci/pcie/aspm.c | 72 ++++++++++++++++++++++++-------------------------
> > 1 file changed, 36 insertions(+), 36 deletions(-)
> >
> > diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
> > index a80d64b..e33f84b 100644
> > --- a/drivers/pci/pcie/aspm.c
> > +++ b/drivers/pci/pcie/aspm.c
> > @@ -422,20 +422,6 @@ static void pcie_aspm_check_latency(struct pci_dev *endpoint)
> > }
> > }
> >
> > -/*
> > - * The L1 PM substate capability is only implemented in function 0 in a
> > - * multi function device.
> > - */
> > -static struct pci_dev *pci_function_0(struct pci_bus *linkbus)
> > -{
> > - struct pci_dev *child;
> > -
> > - list_for_each_entry(child, &linkbus->devices, bus_list)
> > - if (PCI_FUNC(child->devfn) == 0)
> > - return child;
> > - return NULL;
> > -}
> > -
> > /* Calculate L1.2 PM substate timing parameters */
> > static void aspm_calc_l1ss_info(struct pcie_link_state *link,
> > struct aspm_register_info *upreg,
> > @@ -798,7 +784,6 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> > INIT_LIST_HEAD(&link->children);
> > INIT_LIST_HEAD(&link->link);
> > link->pdev = pdev;
> > - link->downstream = pci_function_0(pdev->subordinate);
> >
> > /*
> > * Root Ports and PCI/PCI-X to PCIe Bridges are roots of PCIe
> > @@ -828,11 +813,33 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> >
> > static int pci_aspm_init_downstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > + struct pci_dev *parent;
> > +
> > + /*
> > + * The L1 PM substate capability is only implemented in function 0 in a
> > + * multi function device.
> > + */
> > + if (PCI_FUNC(pdev->devfn) != 0)
> > + return -EINVAL;
> > +
> > + parent = pdev->bus->self;
> > + if (!parent)
> > + return -EINVAL;
> > +
> > + link = parent->link_state;
> > + link->downstream = pdev;
> > return 0;
> > }
> >
> > static int pci_aspm_init_upstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > +
> > + link = alloc_pcie_link_state(pdev);
> > + if (!link)
> > + return -ENOMEM;
>
> This allocates the link_state when we enumerate a Downstream Port
> instead of when we enumerate a child device. We want the link_state
> lifetime to match that of the Downstream Port, so this seems good.
>
> But we shouldn't at the same time change the link_state deallocation
> so it happens when the Downstream Port is removed, not when the child
> device is removed?
I do see that you change the deallocation in patch [5/5], but I think
the deallocation change should be in the same patch as the allocation
change. Otherwise I think we have a use-after-free problem in this
sequence:
# initial enumeration
pci_device_add(downstream_port)
pci_aspm_init(downstream_port)
alloc_pcie_link_state
pci_device_add(endpoint)
pci_aspm_init(endpoint)
# hot-remove endpoint
pci_stop_dev(endpoint)
pcie_aspm_exit_link_state(endpoint)
link = parent->link_state
free_link_state(link)
# hot-add endpoint
pci_aspm_init(endpoint)
link = parent->link_state <--- use after free
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: helgaas@kernel.org (Bjorn Helgaas)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH V8 3/5] PCI/ASPM: add init hook to device_add
Date: Thu, 13 Apr 2017 16:02:18 -0500 [thread overview]
Message-ID: <20170413210218.GA24910@bhelgaas-glaptop.roam.corp.google.com> (raw)
In-Reply-To: <20170413204800.GB28316@bhelgaas-glaptop.roam.corp.google.com>
On Thu, Apr 13, 2017 at 03:48:00PM -0500, Bjorn Helgaas wrote:
> Hi Sinan,
>
> On Sat, Apr 08, 2017 at 12:55:49AM -0400, Sinan Kaya wrote:
> > For bridges, have pcie_aspm_init_link_state() allocate a link_state,
> > regardless of whether it currently has any children.
> >
> > pcie_aspm_init_link_state(): Called for bridges (upstream end of
> > link) after all children have been enumerated. No longer needs to
> > check aspm_support_enabled or pdev->has_secondary_link or the VIA
> > quirk: pci_aspm_init() already checked that stuff, so we only need
> > to check pdev->link_state here.
> >
> > Now that we are calling alloc_pcie_link_state() from pci_aspm_init()
> > , get rid of pci_function_0 function and detect downstream link in
> > pci_aspm_init_upstream() instead when the function number is 0.
> >
> > Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=194895
> > Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
> > ---
> > drivers/pci/pcie/aspm.c | 72 ++++++++++++++++++++++++-------------------------
> > 1 file changed, 36 insertions(+), 36 deletions(-)
> >
> > diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
> > index a80d64b..e33f84b 100644
> > --- a/drivers/pci/pcie/aspm.c
> > +++ b/drivers/pci/pcie/aspm.c
> > @@ -422,20 +422,6 @@ static void pcie_aspm_check_latency(struct pci_dev *endpoint)
> > }
> > }
> >
> > -/*
> > - * The L1 PM substate capability is only implemented in function 0 in a
> > - * multi function device.
> > - */
> > -static struct pci_dev *pci_function_0(struct pci_bus *linkbus)
> > -{
> > - struct pci_dev *child;
> > -
> > - list_for_each_entry(child, &linkbus->devices, bus_list)
> > - if (PCI_FUNC(child->devfn) == 0)
> > - return child;
> > - return NULL;
> > -}
> > -
> > /* Calculate L1.2 PM substate timing parameters */
> > static void aspm_calc_l1ss_info(struct pcie_link_state *link,
> > struct aspm_register_info *upreg,
> > @@ -798,7 +784,6 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> > INIT_LIST_HEAD(&link->children);
> > INIT_LIST_HEAD(&link->link);
> > link->pdev = pdev;
> > - link->downstream = pci_function_0(pdev->subordinate);
> >
> > /*
> > * Root Ports and PCI/PCI-X to PCIe Bridges are roots of PCIe
> > @@ -828,11 +813,33 @@ static struct pcie_link_state *alloc_pcie_link_state(struct pci_dev *pdev)
> >
> > static int pci_aspm_init_downstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > + struct pci_dev *parent;
> > +
> > + /*
> > + * The L1 PM substate capability is only implemented in function 0 in a
> > + * multi function device.
> > + */
> > + if (PCI_FUNC(pdev->devfn) != 0)
> > + return -EINVAL;
> > +
> > + parent = pdev->bus->self;
> > + if (!parent)
> > + return -EINVAL;
> > +
> > + link = parent->link_state;
> > + link->downstream = pdev;
> > return 0;
> > }
> >
> > static int pci_aspm_init_upstream(struct pci_dev *pdev)
> > {
> > + struct pcie_link_state *link;
> > +
> > + link = alloc_pcie_link_state(pdev);
> > + if (!link)
> > + return -ENOMEM;
>
> This allocates the link_state when we enumerate a Downstream Port
> instead of when we enumerate a child device. We want the link_state
> lifetime to match that of the Downstream Port, so this seems good.
>
> But we shouldn't at the same time change the link_state deallocation
> so it happens when the Downstream Port is removed, not when the child
> device is removed?
I do see that you change the deallocation in patch [5/5], but I think
the deallocation change should be in the same patch as the allocation
change. Otherwise I think we have a use-after-free problem in this
sequence:
# initial enumeration
pci_device_add(downstream_port)
pci_aspm_init(downstream_port)
alloc_pcie_link_state
pci_device_add(endpoint)
pci_aspm_init(endpoint)
# hot-remove endpoint
pci_stop_dev(endpoint)
pcie_aspm_exit_link_state(endpoint)
link = parent->link_state
free_link_state(link)
# hot-add endpoint
pci_aspm_init(endpoint)
link = parent->link_state <--- use after free
next prev parent reply other threads:[~2017-04-13 21:02 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-08 4:55 [PATCH V8 0/5] PCI/ASPM: reconfigure ASPM following hotplug for POLICY_DEFAULT Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` [PATCH V8 1/5] PCI/ASPM: introduce pci_aspm_init() and add to pci_init_capabilities() Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-13 20:51 ` Bjorn Helgaas
2017-04-13 20:51 ` Bjorn Helgaas
2017-04-14 19:10 ` Sinan Kaya
2017-04-14 19:10 ` Sinan Kaya
2017-04-08 4:55 ` [PATCH V8 2/5] PCI/ASPM: split pci_aspm_init() into two Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-12 19:16 ` Rajat Jain
2017-04-12 19:16 ` Rajat Jain
2017-04-13 18:25 ` Bjorn Helgaas
2017-04-13 18:25 ` Bjorn Helgaas
2017-04-13 18:25 ` Bjorn Helgaas
2017-04-14 19:10 ` Sinan Kaya
2017-04-14 19:10 ` Sinan Kaya
2017-04-14 19:10 ` Sinan Kaya
2017-04-08 4:55 ` [PATCH V8 3/5] PCI/ASPM: add init hook to device_add Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-13 20:48 ` Bjorn Helgaas
2017-04-13 20:48 ` Bjorn Helgaas
2017-04-13 20:48 ` Bjorn Helgaas
2017-04-13 21:02 ` Bjorn Helgaas [this message]
2017-04-13 21:02 ` Bjorn Helgaas
2017-04-13 21:02 ` Bjorn Helgaas
2017-04-14 1:19 ` Sinan Kaya
2017-04-14 1:19 ` Sinan Kaya
2017-04-14 1:30 ` Bjorn Helgaas
2017-04-14 1:30 ` Bjorn Helgaas
2017-04-08 4:55 ` [PATCH V8 4/5] PCI/ASPM: save power on values during bridge init Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-12 19:19 ` Rajat Jain
2017-04-12 19:19 ` Rajat Jain
2017-04-12 19:19 ` Rajat Jain
2017-04-14 19:12 ` Sinan Kaya
2017-04-14 19:12 ` Sinan Kaya
2017-04-14 19:12 ` Sinan Kaya
2017-04-14 21:44 ` Bjorn Helgaas
2017-04-14 21:44 ` Bjorn Helgaas
2017-04-14 21:44 ` Bjorn Helgaas
2017-04-14 22:17 ` Sinan Kaya
2017-04-14 22:17 ` Sinan Kaya
2017-04-17 16:38 ` Bjorn Helgaas
2017-04-17 16:38 ` Bjorn Helgaas
2017-04-17 17:50 ` Sinan Kaya
2017-04-17 17:50 ` Sinan Kaya
2017-04-21 7:46 ` Patel, Mayurkumar
2017-04-21 7:46 ` Patel, Mayurkumar
2017-04-21 7:46 ` Patel, Mayurkumar
2017-04-21 7:46 ` Patel, Mayurkumar
2017-04-21 13:50 ` Sinan Kaya
2017-04-21 13:50 ` Sinan Kaya
2017-04-21 14:13 ` Patel, Mayurkumar
2017-04-21 14:13 ` Patel, Mayurkumar
2017-04-21 14:13 ` Patel, Mayurkumar
2017-04-21 14:13 ` Patel, Mayurkumar
2017-04-25 18:45 ` Bjorn Helgaas
2017-04-25 18:45 ` Bjorn Helgaas
2017-05-02 12:02 ` Patel, Mayurkumar
2017-05-02 12:02 ` Patel, Mayurkumar
2017-05-02 12:02 ` Patel, Mayurkumar
2017-05-03 21:10 ` Bjorn Helgaas
2017-05-03 21:10 ` Bjorn Helgaas
2017-05-03 21:10 ` Bjorn Helgaas
2017-05-15 9:10 ` Patel, Mayurkumar
2017-05-15 9:10 ` Patel, Mayurkumar
2017-05-15 9:10 ` Patel, Mayurkumar
2017-05-15 9:10 ` Patel, Mayurkumar
2017-04-08 4:55 ` [PATCH V8 5/5] PCI/ASPM: move link_state cleanup to bridge remove Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-08 4:55 ` Sinan Kaya
2017-04-10 11:37 ` [PATCH V8 0/5] PCI/ASPM: reconfigure ASPM following hotplug for POLICY_DEFAULT Patel, Mayurkumar
2017-04-10 11:37 ` Patel, Mayurkumar
2017-04-10 11:37 ` Patel, Mayurkumar
2017-04-10 13:07 ` Sinan Kaya
2017-04-10 13:07 ` Sinan Kaya
2017-04-10 13:07 ` Sinan Kaya
2017-04-10 13:11 ` Patel, Mayurkumar
2017-04-10 13:11 ` Patel, Mayurkumar
2017-04-10 13:11 ` Patel, Mayurkumar
2017-04-11 21:19 ` Bjorn Helgaas
2017-04-11 21:19 ` Bjorn Helgaas
2017-04-11 21:19 ` Bjorn Helgaas
2017-04-11 21:27 ` Sinan Kaya
2017-04-11 21:27 ` Sinan Kaya
2017-04-11 22:41 ` Bjorn Helgaas
2017-04-11 22:41 ` Bjorn Helgaas
2017-04-11 22:41 ` Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170413210218.GA24910@bhelgaas-glaptop.roam.corp.google.com \
--to=helgaas@kernel.org \
--cc=Julia.Lawall@lip6.fr \
--cc=bhelgaas@google.com \
--cc=david.daney@cavium.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mayurkumar.patel@intel.com \
--cc=okaya@codeaurora.org \
--cc=rajatja@google.com \
--cc=timur@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.