From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Frederic Barrat <fbarrat@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org, andrew.donnellan@au1.ibm.com,
clombard@linux.ibm.com, groug@kaod.org, alastair@au1.ibm.com
Subject: Re: [PATCH] ocxl: Fix concurrent AFU open and device removal
Date: Sat, 14 Dec 2019 08:19:38 +1100 (AEDT) [thread overview]
Message-ID: <47ZNpf6p2kz9sPJ@ozlabs.org> (raw)
In-Reply-To: <20190624144148.32022-1-fbarrat@linux.ibm.com>
On Mon, 2019-06-24 at 14:41:48 UTC, Frederic Barrat wrote:
> If an ocxl device is unbound through sysfs at the same time its AFU is
> being opened by a user process, the open code may dereference freed
> stuctures, which can lead to kernel oops messages. You'd have to hit a
> tiny time window, but it's possible. It's fairly easy to test by
> making the time window bigger artificially.
>
> Fix it with a combination of 2 changes:
> - when an AFU device is found in the IDR by looking for the device
> minor number, we should hold a reference on the device until after the
> context is allocated. A reference on the AFU structure is kept when
> the context is allocated, so we can release the reference on the
> device after the context allocation.
> - with the fix above, there's still another even tinier window,
> between the time the AFU device is found in the IDR and the reference
> on the device is taken. We can fix this one by removing the IDR entry
> earlier, when the device setup is removed, instead of waiting for the
> 'release' device callback. With proper locking around the IDR.
>
> Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend")
> Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Applied to powerpc fixes, thanks.
https://git.kernel.org/powerpc/c/a58d37bce0d21cf7fbd589384c619e465ef2f927
cheers
prev parent reply other threads:[~2019-12-13 21:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-24 14:41 [PATCH] ocxl: Fix concurrent AFU open and device removal Frederic Barrat
2019-06-24 15:24 ` Greg Kurz
2019-06-24 15:39 ` Frederic Barrat
2019-06-24 15:50 ` Greg Kurz
2019-06-25 8:22 ` Frederic Barrat
2019-12-13 21:19 ` Michael Ellerman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47ZNpf6p2kz9sPJ@ozlabs.org \
--to=patch-notifications@ellerman.id.au \
--cc=alastair@au1.ibm.com \
--cc=andrew.donnellan@au1.ibm.com \
--cc=clombard@linux.ibm.com \
--cc=fbarrat@linux.ibm.com \
--cc=groug@kaod.org \
--cc=linuxppc-dev@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).