linux-nvme.lists.infradead.org archive mirror
From: willy@linux.intel.com (Matthew Wilcox)
Subject: [PATCH] NVMe: Add a character device for each nvme device
Date: Fri, 27 Jul 2012 16:44:47 -0400
Message-ID: <20120727204447.GR22985@linux.intel.com>
In-Reply-To: <1343407458-29909-1-git-send-email-keith.busch@intel.com>

On Fri, Jul 27, 2012 at 10:44:18AM -0600, Keith Busch wrote:
> @@ -1222,6 +1228,35 @@ static const struct block_device_operations nvme_fops = {
>  	.compat_ioctl	= nvme_ioctl,
>  };
>  
> +static long nvme_char_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
> +{
> +	struct nvme_dev *dev;
> +	int instance = iminor(f->f_dentry->d_inode);
> +
> +	spin_lock(&dev_list_lock);
> +	list_for_each_entry(dev, &dev_list, node) {
> +		if (dev->instance == instance)
> +			break;
> +	}
> +	spin_unlock(&dev_list_lock);

So what happens if we get a PCI hotplug event here?  nvme_remove gets
called, we unmap the BAR and kfree the dev.  Now nvme_user_admin_cmd()
is going to dereference a pointer to freed memory, and even if that
happens to work, it's going to end up writing a doorbell that doesn't
exist any more.

I think we need refcounting on the dev to fix this ... urgh.

> +	if (&dev->node == &dev_list)
> +		return -ENOTTY;
> +	
> +	switch (cmd) {
> +	case NVME_IOCTL_ADMIN_CMD:
> +		return nvme_user_admin_cmd(dev, (void __user *)arg);
> +	default:
> +		return -ENOTTY;
> +	}
> +}
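
Review bot: dev is found under dev_list_lock but is still used after spin_unlock(), at `return nvme_user_admin_cmd(dev, (void __user *)arg);`, with no reference held, so nothing in this function keeps the device alive for the duration of the admin command. Take a reference inside the locked region (a kref in struct nvme_dev, for instance) and drop it once nvme_user_admin_cmd() returns. The not-found test `&dev->node == &dev_list` also leans on the iterator's value after the loop ends; a separate result pointer assigned inside the loop and checked for NULL would be easier to read.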
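
The refcounting asked for in the reply above, as an added userspace C model (not code from this thread or from the NVMe driver): the lookup takes its reference while the list lock is still held, so a concurrent remove cannot free the object under the ioctl. The toy_* names, the atomic_flag spinlock standing in for dev_list_lock, and the removed flag are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model, not driver code: toy_* names are hypothetical and a C11
 * atomic_flag spinlock stands in for dev_list_lock. */
struct toy_dev { int instance, refs, removed; struct toy_dev *next; };
static atomic_flag list_lock = ATOMIC_FLAG_INIT;
static struct toy_dev *dev_list;
static int frees;	/* objects actually freed, so a caller can observe it */
static void toy_lock(void)   { while (atomic_flag_test_and_set(&list_lock)) ; }
static void toy_unlock(void) { atomic_flag_clear(&list_lock); }

static struct toy_dev *toy_add(int instance)
{
	struct toy_dev *d = calloc(1, sizeof(*d));
	if (!d)
		return NULL;
	d->instance = instance;
	d->refs = 1;		/* reference owned by the list */
	toy_lock(); d->next = dev_list; dev_list = d; toy_unlock();
	return d;
}
/* Drop one reference; whoever drops the last one frees the object. */
static void toy_put(struct toy_dev *d)
{
	toy_lock(); int last = (--d->refs == 0); toy_unlock();
	if (last) { free(d); frees++; }
}
/* Lookup that takes its reference before the lock is released. */
static struct toy_dev *toy_get(int instance)
{
	struct toy_dev *d;
	toy_lock();
	for (d = dev_list; d; d = d->next)
		if (d->instance == instance) { d->refs++; break; }
	toy_unlock();
	return d;		/* NULL when no such instance */
}
/* Hot-unplug: unlink, mark the hardware gone, drop the list's reference. */
static void toy_remove(struct toy_dev *d)
{
	toy_lock();
	for (struct toy_dev **p = &dev_list; *p; p = &(*p)->next)
		if (*p == d) { *p = d->next; break; }
	d->removed = 1;
	toy_unlock();
	toy_put(d);
}
/* ioctl body: the caller holds a reference, so d is valid memory. */
static int toy_ioctl(struct toy_dev *d) { return d->removed ? -ENODEV : 0; }
```

A caller pairs every successful toy_get() with a toy_put() after toy_ioctl() returns; the removed check is what keeps the model from touching hardware that has gone away even though the memory is still valid.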
