From: Niklas Schnelle <schnelle@linux.ibm.com>
To: Farhan Ali <alifm@linux.ibm.com>,
Julian Ruess <julianr@linux.ibm.com>,
wintera@linux.ibm.com, ts@linux.ibm.com, oberpar@linux.ibm.com,
gbayer@linux.ibm.com, Alex Williamson <alex@shazbot.org>,
Jason Gunthorpe <jgg@ziepe.ca>,
Yishai Hadas <yishaih@nvidia.com>,
Shameer Kolothum <skolothumtho@nvidia.com>,
Kevin Tian <kevin.tian@intel.com>
Cc: mjrosato@linux.ibm.com, raspl@linux.ibm.com, hca@linux.ibm.com,
agordeev@linux.ibm.com, gor@linux.ibm.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
linux-pci@vger.kernel.org
Subject: Re: [PATCH v5 2/3] vfio/ism: Implement vfio_pci driver for ISM devices
Date: Tue, 17 Mar 2026 22:16:28 +0100 [thread overview]
Message-ID: <ef044e7fa28e33cf865882e374957c0cd10124d1.camel@linux.ibm.com> (raw)
In-Reply-To: <de08911a-8bcc-4983-9ad2-b20467ebbb7f@linux.ibm.com>
On Tue, 2026-03-17 at 11:43 -0700, Farhan Ali wrote:
> <..snip..>
>
> On 3/17/2026 5:58 AM, Julian Ruess wrote:
> > static int ism_vfio_pci_probe(struct pci_dev *pdev,
> > + const struct pci_device_id *id)
> > +{
> > + struct ism_vfio_pci_core_device *ivpcd;
> > + struct zpci_dev *zdev = to_zpci(pdev);
> > + char cache_name[20];
> > + int ret;
> > +
> > + ivpcd = vfio_alloc_device(ism_vfio_pci_core_device, core_device.vdev,
> > + &pdev->dev, &ism_pci_ops);
> > + if (IS_ERR(ivpcd))
> > + return PTR_ERR(ivpcd);
> > +
> > + snprintf(cache_name, sizeof(cache_name), "ism_sb_fid_%08x", zdev->fid);
> > + ivpcd->store_block_cache =
> > + kmem_cache_create(cache_name, zdev->maxstbl, 0, 0, NULL);
> > + if (!ivpcd->store_block_cache) {
> > + vfio_put_device(&ivpcd->core_device.vdev);
> > + return -ENOMEM;
> > + }
> > +
> > + dev_set_drvdata(&pdev->dev, &ivpcd->core_device);
> > + ret = vfio_pci_core_register_device(&ivpcd->core_device);
> > + if (ret) {
> > + kmem_cache_destroy(ivpcd->store_block_cache);
> > + vfio_put_device(&ivpcd->core_device.vdev);
> > + }
> > +
> > + return ret;
> > +}
> > +
> > +static void ism_vfio_pci_remove(struct pci_dev *pdev)
> > +{
> > + struct vfio_pci_core_device *core_device;
> > + struct ism_vfio_pci_core_device *ivpcd;
> > +
> > + core_device = dev_get_drvdata(&pdev->dev);
> > + ivpcd = container_of(core_device, struct ism_vfio_pci_core_device,
> > + core_device);
> > +
> > + vfio_pci_core_unregister_device(&ivpcd->core_device);
> > + vfio_put_device(&ivpcd->core_device.vdev);
> > +
> > + kmem_cache_destroy(ivpcd->store_block_cache);
>
> I think the kmem_cache_destroy() should be done before we do
> vfio_put_device() (or maybe even before
> vfio_pci_core_unregister_device()) to avoid use after free similar to
> ism_vfio_pci_probe(). Sorry I missed this earlier.
>
> Thanks
>
> Farhan
>
Good find! Wouldn't it be even cleaner to provide vfio/ism specific
.init and .release functions in ism_pci_ops that do the
kmem_cache_create() / kmem_cache_destroy() as part of init / release?
It seems this is done for e.g. Xe with xe_vfio_pci_init_dev()
and xe_vfio_pci_release_dev(). In fact wouldn't that be even necessary
to correctly handle the case where the above vfio_put_device() isn't
the last reference?
Thanks,
Niklas
next prev parent reply other threads:[~2026-03-17 21:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 12:58 [PATCH v5 0/3] vfio/pci: Introduce vfio_pci driver for ISM devices Julian Ruess
2026-03-17 12:58 ` [PATCH v5 1/3] vfio/pci: Rename vfio_config_do_rw() to vfio_pci_config_rw_single() and export it Julian Ruess
2026-03-17 12:58 ` [PATCH v5 2/3] vfio/ism: Implement vfio_pci driver for ISM devices Julian Ruess
2026-03-17 18:43 ` Farhan Ali
2026-03-17 21:16 ` Niklas Schnelle [this message]
2026-03-18 6:16 ` Julian Ruess
2026-03-18 14:52 ` Niklas Schnelle
2026-03-17 12:58 ` [PATCH v5 3/3] MAINTAINERS: add VFIO ISM PCI DRIVER section Julian Ruess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ef044e7fa28e33cf865882e374957c0cd10124d1.camel@linux.ibm.com \
--to=schnelle@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=alex@shazbot.org \
--cc=alifm@linux.ibm.com \
--cc=gbayer@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=jgg@ziepe.ca \
--cc=julianr@linux.ibm.com \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mjrosato@linux.ibm.com \
--cc=oberpar@linux.ibm.com \
--cc=raspl@linux.ibm.com \
--cc=skolothumtho@nvidia.com \
--cc=ts@linux.ibm.com \
--cc=wintera@linux.ibm.com \
--cc=yishaih@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox