From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>,
Itay Avraham <itayavr@nvidia.com>,
Jakub Kicinski <kuba@kernel.org>,
Leon Romanovsky <leon@kernel.org>, <linux-doc@vger.kernel.org>,
<linux-rdma@vger.kernel.org>, <netdev@vger.kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Saeed Mahameed <saeedm@nvidia.com>,
Tariq Toukan <tariqt@nvidia.com>,
Andy Gospodarek <andrew.gospodarek@broadcom.com>,
Aron Silverton <aron.silverton@oracle.com>,
Dan Williams <dan.j.williams@intel.com>,
"David Ahern" <dsahern@kernel.org>,
Christoph Hellwig <hch@infradead.org>,
"Jiri Pirko" <jiri@nvidia.com>, Leonid Bloch <lbloch@nvidia.com>,
"Leon Romanovsky" <leonro@nvidia.com>,
<linux-cxl@vger.kernel.org>, <patches@lists.linux.dev>
Subject: Re: [PATCH v2 7/8] fwctl/mlx5: Support for communicating with mlx5 fw
Date: Wed, 31 Jul 2024 12:52:32 +0100 [thread overview]
Message-ID: <20240731125232.00005aad@Huawei.com> (raw)
In-Reply-To: <20240729162217.GB3625856@nvidia.com>
> > > +static void mlx5ctl_remove(struct auxiliary_device *adev)
> > > +{
> > > + struct mlx5ctl_dev *mcdev __free(mlx5ctl) = auxiliary_get_drvdata(adev);
> >
> > So this is calling fwctl_put(&mcdev->fwctl) on scope exit.
> >
> > Why do you need to drop a reference beyond the one fwctl_unregister() is dropping
> > in cdev_device_del()? Where am I missing a reference get?
>
> fwctl_register() / fwctl_unregister() are pairs. Internally they pair
> cdev_device_add() / cdev_device_del() which decrease some internal
> cdev refcounts.
>
> _alloc_device() / __free(mlx5ctl) above are the other pair.
> device_initialize() holds a reference from probe to remove.
>
> It has to work this way because if cdev_device_del() would put back
> all the references we would immediately UAF, eg:
>
> cdev_device_del(&fwctl->cdev, &fwctl->dev);
>
> /* Disable and free the driver's resources for any still open FDs. */
> guard(rwsem_write)(&fwctl->registration_lock);
> guard(mutex)(&fwctl->uctx_list_lock);
> ^^^^^^^
> Must still be allocated
>
> And more broadly, though mlx5 does not use this, it would be safe for
> a driver to do:
>
> fwctl_unregister();
> kfree(mcdev->mymemory);
> ^^^^^^ Must still be allocated!
> fwctl_put(&mcdev->fwctl);
>
> So we have the two steps where unregister makes it safe for the driver
> to begin teardown but keeps memory around, and the final put which
> releases the memory after driver teardown is done.
>
> This is also captured in the cleanup.h notation:
>
> struct mlx5ctl_dev *mcdev __free(mlx5ctl) = fwctl_alloc_device(
> &mdev->pdev->dev, &mlx5ctl_ops, struct mlx5ctl_dev,
> fwctl);
> ^^^^^^^^^^^^
> Here we indicate we have a ref on the stack from
> fwctl_alloc_device
>
> auxiliary_set_drvdata(adev, no_free_ptr(mcdev));
> ^^^^^^^^^^^^^^^^^ Move the ref
> into drvdata
>
> struct mlx5ctl_dev *mcdev __free(mlx5ctl) = auxiliary_get_drvdata(adev);
> ^^^^^^^^^^^ Move the ref out of
> drvdata onto the stack
>
Thanks for the explanation. I clearly needed more coffee that day :)
Personally I find this to be a confusing use of scoped cleanup
as we aren't associating a constructor / destructor with scope, but
rather sort of 'adopting ownership / destructor'.
Assuming my caffeine level is better today, maybe device managed is
more appropriate?
devm_add_action_or_reset to associate the destructor by placing
it immediately after the setup path for both the allocate and unregister.
Should run in very nearly same order for teardown as what you have here.
Alternatively this is just a new pattern I should get used to.
Jonathan
next prev parent reply other threads:[~2024-07-31 11:52 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-24 22:47 [PATCH v2 0/8] Introduce fwctl subystem Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 1/8] fwctl: Add basic structure for a class subsystem with a cdev Jason Gunthorpe
2024-06-25 4:47 ` Bagas Sanjaya
2024-07-22 16:04 ` Jason Gunthorpe
2024-07-26 14:30 ` Jonathan Cameron
2024-07-29 17:30 ` Jason Gunthorpe
2024-07-30 17:15 ` Jonathan Cameron
2024-06-24 22:47 ` [PATCH v2 2/8] fwctl: Basic ioctl dispatch for the character device Jason Gunthorpe
2024-07-26 15:01 ` Jonathan Cameron
2024-07-29 17:05 ` Jason Gunthorpe
2024-07-30 17:28 ` Jonathan Cameron
2024-08-01 13:05 ` Jason Gunthorpe
2024-08-06 7:36 ` Daniel Vetter
2024-08-08 12:34 ` Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 3/8] fwctl: FWCTL_INFO to return basic information about the device Jason Gunthorpe
2024-07-26 15:15 ` Jonathan Cameron
2024-07-29 16:35 ` Jason Gunthorpe
2024-07-30 17:34 ` Jonathan Cameron
2024-08-01 13:11 ` Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 4/8] taint: Add TAINT_FWCTL Jason Gunthorpe
2024-06-25 19:03 ` Randy Dunlap
2024-07-10 16:04 ` Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 5/8] fwctl: FWCTL_RPC to execute a Remote Procedure Call to device firmware Jason Gunthorpe
2024-07-26 15:30 ` Jonathan Cameron
2024-07-29 16:28 ` Jason Gunthorpe
2024-07-30 8:00 ` Leon Romanovsky
2024-08-01 12:58 ` Jason Gunthorpe
2024-08-01 17:26 ` Leon Romanovsky
2024-08-02 13:59 ` Jonathan Cameron
2024-08-02 15:57 ` Leon Romanovsky
2024-08-07 7:44 ` Oded Gabbay
2024-08-08 11:46 ` Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 6/8] fwctl: Add documentation Jason Gunthorpe
2024-06-25 22:04 ` Randy Dunlap
2024-07-22 16:18 ` Jason Gunthorpe
2024-07-22 20:40 ` Randy Dunlap
2024-07-26 15:50 ` Jonathan Cameron
2024-07-29 16:11 ` Jason Gunthorpe
2024-08-06 8:03 ` Daniel Vetter
2024-08-08 12:24 ` Jason Gunthorpe
2024-08-09 9:21 ` Daniel Vetter
2024-06-24 22:47 ` [PATCH v2 7/8] fwctl/mlx5: Support for communicating with mlx5 fw Jason Gunthorpe
2024-07-26 16:10 ` Jonathan Cameron
2024-07-29 16:22 ` Jason Gunthorpe
2024-07-31 11:52 ` Jonathan Cameron [this message]
2024-08-01 13:25 ` Jason Gunthorpe
2024-06-24 22:47 ` [PATCH v2 8/8] mlx5: Create an auxiliary device for fwctl_mlx5 Jason Gunthorpe
2024-06-24 23:18 ` [PATCH v2 0/8] Introduce fwctl subystem Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240731125232.00005aad@Huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=andrew.gospodarek@broadcom.com \
--cc=aron.silverton@oracle.com \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dsahern@kernel.org \
--cc=hch@infradead.org \
--cc=itayavr@nvidia.com \
--cc=jgg@nvidia.com \
--cc=jiri@nvidia.com \
--cc=kuba@kernel.org \
--cc=lbloch@nvidia.com \
--cc=leon@kernel.org \
--cc=leonro@nvidia.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).