From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-sn1nam01on0132.outbound.protection.outlook.com ([104.47.32.132]:41805
        "EHLO NAM01-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S932553AbeDIAkP (ORCPT <rfc822;stable@vger.kernel.org>);
        Sun, 8 Apr 2018 20:40:15 -0400
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
CC: Christoph Hellwig <hch@lst.de>,
        Bjorn Helgaas <bhelgaas@google.com>,
        Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 3.18 031/101] PCI: Protect
 pci_error_handlers->reset_notify() usage with device_lock()
Date: Mon, 9 Apr 2018 00:35:40 +0000
Message-ID: <20180409003505.164715-31-alexander.levin@microsoft.com>
References: <20180409003505.164715-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409003505.164715-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Christoph Hellwig <hch@lst.de>

[ Upstream commit b014e96d1abbd67404bbe2018937b46466299e9e ]

Every method in struct device_driver or structures derived from it like
struct pci_driver MUST provide exclusion vs the driver's ->remove() method,
usually by using device_lock().

Protect use of pci_error_handlers->reset_notify() by holding the device
lock while calling it.

Note:

  - pci_dev_lock() calls device_lock() in addition to blocking user-space
    config accesses.

  - pci_err_handlers->reset_notify() is used inside
    pci_dev_save_and_disable() and pci_dev_restore().  We could hold the
    device lock directly in pci_reset_notify(), but we expand the region
    since we have several calls following each other.

Without this, ->reset_notify() may race with ->remove() calls, which can be
easily triggered in NVMe.

[bhelgaas: changelog, add pci_reset_notify() comment]
[bhelgaas: fold in fix from Dan Carpenter <dan.carpenter@oracle.com>:
http://lkml.kernel.org/r/20170701135323.x5vaj4e2wcs2mcro@mwanda]
Link: http://lkml.kernel.org/r/20170601111039.8913-2-hch@lst.de
Reported-by: Rakesh Pandit <rakesh@tuxera.com>
Tested-by: Rakesh Pandit <rakesh@tuxera.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/pci/pci.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 1563cfadeaef..3f8d4c0c997c 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3402,6 +3402,12 @@ static void pci_reset_notify(struct pci_dev *dev, bo=
ol prepare)
 {
 	const struct pci_error_handlers *err_handler =3D
 			dev->driver ? dev->driver->err_handler : NULL;
+
+	/*
+	 * dev->driver->err_handler->reset_notify() is protected against
+	 * races with ->remove() by the device lock, which must be held by
+	 * the caller.
+	 */
 	if (err_handler && err_handler->reset_notify)
 		err_handler->reset_notify(dev, prepare);
 }
@@ -3537,11 +3543,13 @@ int pci_reset_function(struct pci_dev *dev)
 	if (rc)
 		return rc;
=20
+	pci_dev_lock(dev);
 	pci_dev_save_and_disable(dev);
=20
-	rc =3D pci_dev_reset(dev, 0);
+	rc =3D __pci_dev_reset(dev, 0);
=20
 	pci_dev_restore(dev);
+	pci_dev_unlock(dev);
=20
 	return rc;
 }
@@ -3561,16 +3569,14 @@ int pci_try_reset_function(struct pci_dev *dev)
 	if (rc)
 		return rc;
=20
-	pci_dev_save_and_disable(dev);
+	if (!pci_dev_trylock(dev))
+		return -EAGAIN;
=20
-	if (pci_dev_trylock(dev)) {
-		rc =3D __pci_dev_reset(dev, 0);
-		pci_dev_unlock(dev);
-	} else
-		rc =3D -EAGAIN;
+	pci_dev_save_and_disable(dev);
+	rc =3D __pci_dev_reset(dev, 0);
+	pci_dev_unlock(dev);
=20
 	pci_dev_restore(dev);
-
 	return rc;
 }
 EXPORT_SYMBOL_GPL(pci_try_reset_function);
@@ -3724,7 +3730,9 @@ static void pci_bus_save_and_disable(struct pci_bus *=
bus)
 	struct pci_dev *dev;
=20
 	list_for_each_entry(dev, &bus->devices, bus_list) {
+		pci_dev_lock(dev);
 		pci_dev_save_and_disable(dev);
+		pci_dev_unlock(dev);
 		if (dev->subordinate)
 			pci_bus_save_and_disable(dev->subordinate);
 	}
@@ -3739,7 +3747,9 @@ static void pci_bus_restore(struct pci_bus *bus)
 	struct pci_dev *dev;
=20
 	list_for_each_entry(dev, &bus->devices, bus_list) {
+		pci_dev_lock(dev);
 		pci_dev_restore(dev);
+		pci_dev_unlock(dev);
 		if (dev->subordinate)
 			pci_bus_restore(dev->subordinate);
 	}
--=20
2.15.1