From: Bharata B Rao <bharata@linux.vnet.ibm.com>
To: linuxppc-dev@ozlabs.org
Cc: nfont@linux.vnet.ibm.com, sachinp@linux.vnet.ibm.com,
Bharata B Rao <bharata@linux.vnet.ibm.com>
Subject: [FIX PATCH v1] powerpc/pseries: Fix reference count leak during CPU unplug
Date: Thu, 9 Mar 2017 10:07:48 +0530 [thread overview]
Message-ID: <1489034268-24888-1-git-send-email-bharata@linux.vnet.ibm.com> (raw)
The following warning is seen when a CPU is hot unplugged on a PowerKVM
guest:
refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 53 at lib/refcount.c:128 refcount_sub_and_test+0xd8/0xf0
Modules linked in:
CPU: 0 PID: 53 Comm: kworker/u510:1 Not tainted 4.11.0-rc1 #3
Workqueue: pseries hotplug workque pseries_hp_work_fn
task: c0000000fb475000 task.stack: c0000000fb81c000
NIP: c0000000006f0808 LR: c0000000006f0804 CTR: c0000000007b98c0
REGS: c0000000fb81f710 TRAP: 0700 Not tainted (4.11.0-rc1)
MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>
CR: 48002222 XER: 20000000
CFAR: c000000000c438e0 SOFTE: 1
GPR00: c0000000006f0804 c0000000fb81f990 c000000001573b00 0000000000000026
GPR04: 0000000000000000 000000000000016c 667265652e0d0a73 652d61667465722d
GPR08: 0000000000000007 0000000000000007 0000000000000001 0000000000000006
GPR12: 0000000000002200 c00000000ff40000 c00000000010c578 c0000001f11b9f40
GPR16: c0000001fe0312a8 c0000001fe031078 c0000001fe031020 0000000000000001
GPR20: 0000000000000000 0000000000000000 c000000001454808 fffffffffffffef7
GPR24: 0000000000000000 c0000001f1677648 0000000000000000 0000000000000000
GPR28: 0000000010000008 c000000000e4d3d8 0000000000000000 c0000001eaae07d8
NIP [c0000000006f0808] refcount_sub_and_test+0xd8/0xf0
LR [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0
Call Trace:
[c0000000fb81f990] [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0 (unreliable)
[c0000000fb81f9f0] [c0000000006d04b4] kobject_put+0x44/0x2a0
[c0000000fb81fa70] [c0000000009d5284] of_node_put+0x34/0x50
[c0000000fb81faa0] [c0000000000aceb8] dlpar_cpu_remove_by_index+0x108/0x130
[c0000000fb81fb30] [c0000000000ae128] dlpar_cpu+0x78/0x550
[c0000000fb81fbe0] [c0000000000a7b40] handle_dlpar_errorlog+0xc0/0x160
[c0000000fb81fc50] [c0000000000a7c74] pseries_hp_work_fn+0x94/0xa0
[c0000000fb81fc80] [c000000000102cec] process_one_work+0x23c/0x540
[c0000000fb81fd20] [c00000000010309c] worker_thread+0xac/0x620
[c0000000fb81fdc0] [c00000000010c6c4] kthread+0x154/0x1a0
[c0000000fb81fe30] [c00000000000bbe0] ret_from_kernel_thread+0x5c/0x7c
Fix this by ensuring that of_node_put() is called only from the
error path in dlpar_cpu_remove_by_index(). In the normal path,
of_node_put() happens as part of dlpar_detach_node().
Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
---
Changes in v1:
- Fixed the refcount problem in the userspace driven unplug path
in addition to in-kernel unplug path. (Sachin Sant)
v0: https://patchwork.ozlabs.org/patch/736547/
arch/powerpc/platforms/pseries/hotplug-cpu.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
index 7bc0e91..c5ed510 100644
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -619,7 +619,8 @@ static int dlpar_cpu_remove_by_index(u32 drc_index)
}
rc = dlpar_cpu_remove(dn, drc_index);
- of_node_put(dn);
+ if (rc)
+ of_node_put(dn);
return rc;
}
@@ -856,9 +857,12 @@ static ssize_t dlpar_cpu_release(const char *buf, size_t count)
}
rc = dlpar_cpu_remove(dn, drc_index);
- of_node_put(dn);
-
- return rc ? rc : count;
+ if (rc) {
+ of_node_put(dn);
+ return rc;
+ } else {
+ return count;
+ }
}
#endif /* CONFIG_ARCH_CPU_PROBE_RELEASE */
--
2.7.4
next reply other threads:[~2017-03-09 4:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 4:37 Bharata B Rao [this message]
2017-03-09 6:18 ` [FIX PATCH v1] powerpc/pseries: Fix reference count leak during CPU unplug Sachin Sant
2017-03-09 10:52 ` Michael Ellerman
2017-03-09 21:34 ` Tyrel Datwyler
2017-03-13 10:29 ` Bharata B Rao
2017-03-14 20:42 ` Tyrel Datwyler
2017-03-15 10:48 ` Sachin Sant
2017-03-22 16:17 ` Michael Bringmann
2022-03-11 17:14 ` Christophe Leroy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1489034268-24888-1-git-send-email-bharata@linux.vnet.ibm.com \
--to=bharata@linux.vnet.ibm.com \
--cc=linuxppc-dev@ozlabs.org \
--cc=nfont@linux.vnet.ibm.com \
--cc=sachinp@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).