From: Keith Busch <keith.busch@intel.com>
To: Linux PCI <linux-pci@vger.kernel.org>,
Bjorn Helgaas <bhelgaas@google.com>
Cc: Alex_Gagniuc@Dellteam.com, Scott Bauer <scott.bauer@intel.com>,
Keith Busch <keith.busch@intel.com>
Subject: [PATCH 3/4] PCI/AER: Reference count aer structures
Date: Mon, 9 Apr 2018 16:04:43 -0600 [thread overview]
Message-ID: <20180409220444.6632-4-keith.busch@intel.com> (raw)
In-Reply-To: <20180409220444.6632-1-keith.busch@intel.com>
The AER driver's removal was flushing its scheduled work to ensure it
was safe to free the aer structure. This patch removes that flushing and
prevents use-after-free instead by reference counting the aer root port
structure and its pci_dev.
The purpose of this patch is to allow the bottom half worker to take
locks that may be held while the aer driver's removal is called.
Signed-off-by: Keith Busch <keith.busch@intel.com>
---
drivers/pci/pcie/aer/aerdrv.c | 23 +++++++++++++++++++----
drivers/pci/pcie/aer/aerdrv.h | 2 ++
drivers/pci/pcie/aer/aerdrv_core.c | 2 ++
3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/pcie/aer/aerdrv.c b/drivers/pci/pcie/aer/aerdrv.c
index 9ce8a824afbc..0b2eb88c422b 100644
--- a/drivers/pci/pcie/aer/aerdrv.c
+++ b/drivers/pci/pcie/aer/aerdrv.c
@@ -209,7 +209,9 @@ irqreturn_t aer_irq(int irq, void *context)
spin_unlock_irqrestore(&rpc->e_lock, flags);
/* Invoke DPC handler */
- schedule_work(&rpc->dpc_handler);
+ kref_get(&rpc->ref);
+ if (!schedule_work(&rpc->dpc_handler))
+ aer_release(rpc);
return IRQ_HANDLED;
}
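Review bot: The reference taken by `kref_get(&rpc->ref)` in aer_irq() is dropped in a different file, at the end of aer_isr() in aerdrv_core.c, and nothing at either site says so. The order is also load-bearing: the get must precede `schedule_work()`, otherwise the worker could run and drop a reference it was never given. I would add `/* Hold rpc for the worker; aer_isr() drops this reference. Must be taken before queueing. */` above the `kref_get()`. In the aer_isr() hunk, add `/* Drop the reference taken in aer_irq(); rpc may be freed here. */` above the `aer_release(rpc)`, so that a later early return or a post-release access to rpc stands out in review. Both function bodies begin outside their hunks, so whether aer_isr() has other exit paths cannot be checked from here.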
@@ -232,7 +234,8 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device *dev)
/* Initialize Root lock access, e_lock, to Root Error Status Reg */
spin_lock_init(&rpc->e_lock);
- rpc->rpd = dev->port;
+ rpc->rpd = pci_dev_get(dev->port);
+ kref_init(&rpc->ref);
INIT_WORK(&rpc->dpc_handler, aer_isr);
mutex_init(&rpc->rpc_mutex);
@@ -242,6 +245,19 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device *dev)
return rpc;
}
+static void aer_free(struct kref *ref)
+{
+ struct aer_rpc *rpc = container_of(ref, struct aer_rpc, ref);
+
+ pci_dev_put(rpc->rpd);
+ kfree(rpc);
+}
+
+void aer_release(struct aer_rpc *rpc)
+{
+ kref_put(&rpc->ref, aer_free);
+}
+
/**
* aer_remove - clean up resources
* @dev: pointer to the pcie_dev data structure
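Review bot: aer_release() is declared in aerdrv.h and called from two files, but unlike aer_remove() directly below it has no kernel-doc describing the ownership contract. A short comment block should state that it drops one reference on @rpc, that the final put releases the root port's pci_dev reference and frees the structure, and that the caller must not touch @rpc afterwards. Separately, aer_free() frees the structure without tearing down the mutex set up in aer_alloc_rpc(). Adding `mutex_destroy(&rpc->rpc_mutex);` before `kfree(rpc);` is cheap and lets mutex debugging flag a late user, which is the class of bug this patch is guarding against.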
@@ -257,10 +273,9 @@ static void aer_remove(struct pcie_device *dev)
if (rpc->isr)
free_irq(dev->irq, dev);
- flush_work(&rpc->dpc_handler);
aer_disable_rootport(rpc);
- kfree(rpc);
set_service_data(dev, NULL);
+ aer_release(rpc);
}
}
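Review bot: With `flush_work()` removed, work queued by aer_irq() just before `free_irq()` can still run aer_isr() after `aer_disable_rootport(rpc)` and after aer_remove() has returned. The kref keeps rpc and rpc->rpd allocated, but nothing visible in this hunk tells the worker that the service has been torn down. Whether the error-handling path is safe against a root port in that state cannot be judged from these lines; patch 4/4 of the series appears to cover the topology locking side. At minimum I would record the new lifetime rule at the call, e.g. `/* Queued aer_isr() work may still run after this returns; it holds its own reference on rpc. */` above `aer_release(rpc);`. The kernel-doc for aer_remove() should also mention it; that function begins outside the hunk.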
diff --git a/drivers/pci/pcie/aer/aerdrv.h b/drivers/pci/pcie/aer/aerdrv.h
index f34174feab55..f886521e2c7b 100644
--- a/drivers/pci/pcie/aer/aerdrv.h
+++ b/drivers/pci/pcie/aer/aerdrv.h
@@ -60,6 +60,7 @@ struct aer_err_source {
struct aer_rpc {
struct pci_dev *rpd; /* Root Port device */
struct work_struct dpc_handler;
+ struct kref ref;
struct aer_err_source e_sources[AER_ERROR_SOURCES_MAX];
struct aer_err_info e_info;
unsigned short prod_idx; /* Error Producer Index */
@@ -110,6 +111,7 @@ extern struct bus_type pcie_port_bus_type;
void aer_isr(struct work_struct *work);
void aer_print_error(struct pci_dev *dev, struct aer_err_info *info);
void aer_print_port_info(struct pci_dev *dev, struct aer_err_info *info);
+void aer_release(struct aer_rpc *rpc);
irqreturn_t aer_irq(int irq, void *context);
#ifdef CONFIG_ACPI_APEI
diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c
index 672374cfb16d..e4059d7fa7fa 100644
--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -800,4 +800,6 @@ void aer_isr(struct work_struct *work)
while (get_e_source(rpc, &e_src))
aer_isr_one_error(rpc, &e_src);
mutex_unlock(&rpc->rpc_mutex);
+
+ aer_release(rpc);
}
--
2.14.3
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-09 22:04 [PATCH 0/4] PCI/AER: Use-after-free fix Keith Busch
2018-04-09 22:04 ` [PATCH 1/4] PCI/AER: Remove unused parameters Keith Busch
2018-04-09 22:04 ` [PATCH 2/4] PCI/AER: Replace struct pcie_device with pci_dev Keith Busch
2018-04-09 22:04 ` Keith Busch [this message]
2018-04-09 22:04 ` [PATCH 4/4] PCI/AER: Lock pci topology when scanning errors Keith Busch
2018-06-05 22:09 ` Bjorn Helgaas
2018-06-05 22:18 ` Keith Busch
2018-06-06 13:52 ` Bjorn Helgaas
2018-04-10 13:15 ` [PATCH 0/4] PCI/AER: Use-after-free fix Dongdong Liu
2018-04-12 17:06 ` Alex_Gagniuc
2018-04-12 16:47 ` Scott Bauer
2018-04-13 14:49 ` Alex_Gagniuc
2018-04-16 19:49 ` Alex_Gagniuc
2018-04-12 17:10 ` Keith Busch
2018-06-05 22:11 ` Bjorn Helgaas