From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Frederic Barrat <fbarrat@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org, andrew.donnellan@au1.ibm.com,
clombard@linux.ibm.com, groug@kaod.org, alastair@au1.ibm.com
Subject: Re: [PATCH] ocxl: Fix concurrent AFU open and device removal
Date: Sat, 14 Dec 2019 08:19:38 +1100 (AEDT) [thread overview]
Message-ID: <47ZNpf6p2kz9sPJ@ozlabs.org> (raw)
In-Reply-To: <20190624144148.32022-1-fbarrat@linux.ibm.com>
On Mon, 2019-06-24 at 14:41:48 UTC, Frederic Barrat wrote:
> If an ocxl device is unbound through sysfs at the same time its AFU is
> being opened by a user process, the open code may dereference freed
> stuctures, which can lead to kernel oops messages. You'd have to hit a
> tiny time window, but it's possible. It's fairly easy to test by
> making the time window bigger artificially.
>
> Fix it with a combination of 2 changes:
> - when an AFU device is found in the IDR by looking for the device
> minor number, we should hold a reference on the device until after the
> context is allocated. A reference on the AFU structure is kept when
> the context is allocated, so we can release the reference on the
> device after the context allocation.
> - with the fix above, there's still another even tinier window,
> between the time the AFU device is found in the IDR and the reference
> on the device is taken. We can fix this one by removing the IDR entry
> earlier, when the device setup is removed, instead of waiting for the
> 'release' device callback. With proper locking around the IDR.
>
> Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend")
> Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Applied to powerpc fixes, thanks.
https://git.kernel.org/powerpc/c/a58d37bce0d21cf7fbd589384c619e465ef2f927
cheers
prev parent reply other threads:[~2019-12-13 21:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-24 14:41 [PATCH] ocxl: Fix concurrent AFU open and device removal Frederic Barrat
2019-06-24 15:24 ` Greg Kurz
2019-06-24 15:39 ` Frederic Barrat
2019-06-24 15:50 ` Greg Kurz
2019-06-25 8:22 ` Frederic Barrat
2019-12-13 21:19 ` Michael Ellerman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47ZNpf6p2kz9sPJ@ozlabs.org \
--to=patch-notifications@ellerman.id.au \
--cc=alastair@au1.ibm.com \
--cc=andrew.donnellan@au1.ibm.com \
--cc=clombard@linux.ibm.com \
--cc=fbarrat@linux.ibm.com \
--cc=groug@kaod.org \
--cc=linuxppc-dev@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.