Re: [PATCH 5.10 STABLE] s390/pci: fix zpci_zdev_put() on reserve

From: Niklas Schnelle <schnelle@linux.ibm.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, gor@linux.ibm.com
Subject: Re: [PATCH 5.10 STABLE] s390/pci: fix zpci_zdev_put() on reserve
Date: Wed, 13 Oct 2021 12:26:34 +0200	[thread overview]
Message-ID: <31dcc776244843aa76deebd49f4ba3fbe4819990.camel@linux.ibm.com> (raw)
In-Reply-To: <YWaiON5Hw8UnWLIK@kroah.com>

On Wed, 2021-10-13 at 11:09 +0200, Greg KH wrote:
> On Tue, Oct 12, 2021 at 11:34:25AM +0200, Niklas Schnelle wrote:
> > [ Upstream commit a46044a92add6a400f4dada7b943b30221f7cc80 ]
> > 
> > Since commit 2a671f77ee49 ("s390/pci: fix use after free of zpci_dev")
> > the reference count of a zpci_dev is incremented between
> > pcibios_add_device() and pcibios_release_device() which was supposed to
> > prevent the zpci_dev from being freed while the common PCI code has
> > access to it. It was missed however that the handling of zPCI
> > availability events assumed that once zpci_zdev_put() was called no
> > later availability event would still see the device. With the previously
> > mentioned commit however this assumption no longer holds and we must
> > make sure that we only drop the initial long-lived reference the zPCI
> > subsystem holds exactly once.
> > 
> > Do so by introducing a zpci_device_reserved() function that handles when
> > a device is reserved. Here we make sure the zpci_dev will not be
> > considered for further events by removing it from the zpci_list.
> > 
> > This also means that the device actually stays in the
> > ZPCI_FN_STATE_RESERVED state between the time we know it has been
> > reserved and the final reference going away. We thus need to consider it
> > a real state instead of just a conceptual state after the removal. The
> > final cleanup of PCI resources, removal from zbus, and destruction of
> > the IOMMU stays in zpci_release_device() to make sure holders of the
> > reference do see valid data until the release.
> 
> Same for the 5.14 patch, please submit the series that resolves this,
> not changing individual patches a lot.
> 
> thanks,
> 
> greg k-h

For the 5.14 patch that makes total sense, though these were not
originally a series but just happened to touch the same area. For v5.10
we don't yet have the flag for tracking the PCI resources in the struct
zpci_dev which was introduced as part of a larger non-trivial
refactoring series which landed in mainline as part of 5.13.

This backport patch consequently does not include the change from
commit 023cc3cb1e4b ("s390/pci: cleanup resources only if necessary").
Instead it does an unconditional call to zpci_cleanup_bus_resources()
as done previously on 5.10. This is not releant for fixing the problem
targeted by this patch. Interestingly though due to a difference in
behavior of the common code while the problem exists on 5.10 from code
inspection it seems that at the point of releasing the device common
code does not hold a reference to the pci_dev and so the original crash
doesn't happen in that scenario but could possibly occur under
different circumstances.

Thanks,
Niklas