From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: Keith Busch <kbusch@meta.com>
Cc: <linux-pci@vger.kernel.org>, <bhelgaas@google.com>,
<lukas@wunner.de>, <mika.westerberg@linux.intel.com>,
Keith Busch <kbusch@kernel.org>
Subject: Re: [PATCH RFC 7/8] pci: reference count subordinate
Date: Thu, 15 Aug 2024 16:10:11 +0100 [thread overview]
Message-ID: <20240815161011.00001baa@Huawei.com> (raw)
In-Reply-To: <20240722151936.1452299-8-kbusch@meta.com>
On Mon, 22 Jul 2024 08:19:35 -0700
Keith Busch <kbusch@meta.com> wrote:
> From: Keith Busch <kbusch@kernel.org>
>
> The subordinate is accessed under the pci_bus_sem (or often times no
> lock at at all), but unset under the rescan_remove_lock. Access the
> subordinate buses with reference counts to guard against a concurrent
> removal and use-after-free.
>
> Signed-off-by: Keith Busch <kbusch@kernel.org>
> ---
Hi Keith,
A few comments inline.
Jonathan
> diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
> index e3a49f66982d5..0cd36b7772c8b 100644
> --- a/drivers/pci/pci.c
> +++ b/drivers/pci/pci.c
> @@ -3113,9 +3113,14 @@ void pci_bridge_d3_update(struct pci_dev *dev)
> * so we need to go through all children to find out if one of them
> * continues to block D3.
> */
> - if (d3cold_ok && !bridge->bridge_d3)
> - pci_walk_bus(bridge->subordinate, pci_dev_check_d3cold,
> - &d3cold_ok);
> + if (d3cold_ok && !bridge->bridge_d3) {
> + struct pci_bus *bus = pci_dev_get_subordinate(bridge);
> +
> + if (bus) {
> + pci_walk_bus(bus, pci_dev_check_d3cold, &d3cold_ok);
> + pci_bus_put(bus);
I'd be tempted to call pci_bus_put(bus) unconditionally but doesn't matter
a lot.
> + }
> + }
>
> if (bridge->bridge_d3 != d3cold_ok) {
> bridge->bridge_d3 = d3cold_ok;
> @@ -4824,6 +4829,7 @@ static int pci_bus_max_d3cold_delay(const struct pci_bus *bus)
> int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type)
> {
> struct pci_dev *child __free(pci_dev_put) = NULL;
I would moan about constructors and desctructors together, but unrelated
to this patch and would actually break the change I suggest below given
the lifetime of child is longer than the loop where it's gotten.
So I won't moan about it :)
> + struct pci_bus *bus;
> int delay;
>
> if (pci_dev_is_disconnected(dev))
> @@ -4840,7 +4846,17 @@ int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type)
> * board_added(). In case of ACPI hotplug the firmware is expected
> * to configure the devices before OS is notified.
> */
> - if (!dev->subordinate || list_empty(&dev->subordinate->devices)) {
> + bus = pci_dev_get_subordinate(dev);
> + if (!bus) {
> + up_read(&pci_bus_sem);
> + return 0;
> + }
> +
> + child = pci_dev_get(list_first_entry_or_null(&bus->devices,
> + struct pci_dev,
> + bus_list));
> + if (!child) {
> + pci_bus_put(bus);
> up_read(&pci_bus_sem);
> return 0;
> }
> @@ -4848,12 +4864,12 @@ int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type)
> /* Take d3cold_delay requirements into account */
> delay = pci_bus_max_d3cold_delay(dev->subordinate);
> if (!delay) {
> + pci_bus_put(bus);
> up_read(&pci_bus_sem);
> return 0;
> }
>
> - child = pci_dev_get(list_first_entry(&dev->subordinate->devices,
> - struct pci_dev, bus_list));
> + pci_bus_put(bus);
> up_read(&pci_bus_sem);
I'd like scoped_guard() {
struct pci_bus *bus __free(pci_bus_put) = pci_dev_get_sub...
here so that the manual cleanup can be avoided in the early return paths.
}
}
>
> /*
...
> diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
> index cee2365e54b8b..3c0c83d35ab86 100644
> --- a/drivers/pci/pcie/aspm.c
> +++ b/drivers/pci/pcie/aspm.c
> @@ -1212,9 +1212,11 @@ static void pcie_update_aspm_capable(struct pcie_link_state *root)
> link->aspm_capable = link->aspm_support;
> }
> list_for_each_entry(link, &link_list, sibling) {
> + struct pci_bus *linkbus;
> struct pci_dev *child;
> - struct pci_bus *linkbus = link->pdev->subordinate;
> - if (link->root != root)
> +
> + linkbus = pci_dev_get_subordinate(link->pdev);
Maybe worth a
DEFINE_FREE() for pci_bus_put to match the one for pci_dev_put?
> + if (!linkbus || link->root != root)
> continue;
> list_for_each_entry(child, &linkbus->devices, bus_list) {
> if ((pci_pcie_type(child) != PCI_EXP_TYPE_ENDPOINT) &&
> @@ -1222,6 +1224,7 @@ static void pcie_update_aspm_capable(struct pcie_link_state *root)
> continue;
> pcie_aspm_check_latency(child);
> }
> + pci_bus_put(linkbus);
> }
> }
>
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index b14b9876c0303..53522685193da 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
...
> @@ -3380,7 +3383,7 @@ int pci_hp_add_bridge(struct pci_dev *dev)
As far as I can tell the return value of this function is never used.
So could just drop the code below. Maybe clean up this function
to return void or start handling the return value.
> /* Scan bridges that need to be reconfigured */
> pci_scan_bridge_extend(parent, dev, busnr, available_buses, 1);
>
> - if (!dev->subordinate)
> + if (!READ_ONCE(dev->subordinate))
> return -1;
>
> return 0;
next prev parent reply other threads:[~2024-08-15 15:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-22 15:19 [PATCH RFC 0/8] pci: rescan/remove locking rework Keith Busch
2024-07-22 15:19 ` [PATCH RFC 1/8] pci: make pci_stop_dev concurrent safe Keith Busch
2024-08-15 14:17 ` Jonathan Cameron
2024-08-20 15:02 ` Keith Busch
2024-08-21 11:01 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 2/8] pci: make pci_destroy_dev " Keith Busch
2024-08-15 14:18 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 3/8] pci: move the walk bus lock to where its needed Keith Busch
2024-08-15 14:20 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 4/8] pci: walk bus recursively Keith Busch
2024-08-15 14:33 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 5/8] pci: unexport pci_walk_bus_locked Keith Busch
2024-08-15 14:36 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 6/8] pci: add helpers for stop and remove bus Keith Busch
2024-08-15 14:49 ` Jonathan Cameron
2024-07-22 15:19 ` [PATCH RFC 7/8] pci: reference count subordinate Keith Busch
2024-08-15 15:10 ` Jonathan Cameron [this message]
2024-07-22 15:19 ` [PATCH RFC 8/8] pci: use finer grain locking for bus protection Keith Busch
2024-08-15 15:21 ` Jonathan Cameron
2024-08-15 17:05 ` Keith Busch
2024-08-07 15:40 ` [PATCH RFC 0/8] pci: rescan/remove locking rework Keith Busch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240815161011.00001baa@Huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=bhelgaas@google.com \
--cc=kbusch@kernel.org \
--cc=kbusch@meta.com \
--cc=linux-pci@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mika.westerberg@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.