From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Alex Williamson <alex.williamson@redhat.com>,
Eric Auger <eric.auger@redhat.com>
Subject: [PATCH 4.4 51/83] vfio: Fix group release deadlock
Date: Tue, 25 Jul 2017 12:19:15 -0700 [thread overview]
Message-ID: <20170725191716.398654761@linuxfoundation.org> (raw)
In-Reply-To: <20170725191708.449126292@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream.
If vfio_iommu_group_notifier() acquires a group reference and that
reference becomes the last reference to the group, then vfio_group_put
introduces a deadlock code path where we're trying to unregister from
the iommu notifier chain from within a callout of that chain. Use a
work_struct to release this reference asynchronously.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/vfio.c | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -296,6 +296,34 @@ static void vfio_group_put(struct vfio_g
kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
}
+struct vfio_group_put_work {
+ struct work_struct work;
+ struct vfio_group *group;
+};
+
+static void vfio_group_put_bg(struct work_struct *work)
+{
+ struct vfio_group_put_work *do_work;
+
+ do_work = container_of(work, struct vfio_group_put_work, work);
+
+ vfio_group_put(do_work->group);
+ kfree(do_work);
+}
+
+static void vfio_group_schedule_put(struct vfio_group *group)
+{
+ struct vfio_group_put_work *do_work;
+
+ do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
+ if (WARN_ON(!do_work))
+ return;
+
+ INIT_WORK(&do_work->work, vfio_group_put_bg);
+ do_work->group = group;
+ schedule_work(&do_work->work);
+}
+
/* Assume group_lock or group reference is held */
static void vfio_group_get(struct vfio_group *group)
{
@@ -620,7 +648,14 @@ static int vfio_iommu_group_notifier(str
break;
}
- vfio_group_put(group);
+ /*
+ * If we're the last reference to the group, the group will be
+ * released, which includes unregistering the iommu group notifier.
+ * We hold a read-lock on that notifier list, unregistering needs
+ * a write-lock... deadlock. Release our reference asynchronously
+ * to avoid that situation.
+ */
+ vfio_group_schedule_put(group);
return NOTIFY_OK;
}
next prev parent reply other threads:[~2017-07-25 19:19 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-25 19:18 [PATCH 4.4 00/83] 4.4.79-stable review Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 01/83] disable new gcc-7.1.1 warnings for now Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 02/83] [media] ir-core: fix gcc-7 warning on bool arithmetic Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 03/83] [media] s5p-jpeg: dont return a random width/height Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 04/83] thermal: cpu_cooling: Avoid accessing potentially freed structures Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 05/83] ath9k: fix tx99 use after free Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 06/83] ath9k: fix tx99 bus error Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 07/83] NFC: fix broken device allocation Greg Kroah-Hartman
2017-08-01 18:15 ` Ben Hutchings
2017-08-01 19:16 ` Johan Hovold
2017-07-25 19:18 ` [PATCH 4.4 08/83] NFC: nfcmrvl_uart: add missing tty-device sanity check Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 09/83] NFC: nfcmrvl: do not use device-managed resources Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 10/83] NFC: nfcmrvl: use nfc-device for firmware download Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 11/83] NFC: nfcmrvl: fix firmware-management initialisation Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 12/83] nfc: Ensure presence of required attributes in the activate_target handler Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 13/83] nfc: Fix the sockaddr length sanitization in llcp_sock_connect Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 14/83] NFC: Add sockaddr length checks before accessing sa_family in bind handlers Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 15/83] perf intel-pt: Move decoder error setting into one condition Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 16/83] perf intel-pt: Improve sample timestamp Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 17/83] perf intel-pt: Fix missing stack clear Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 18/83] perf intel-pt: Ensure IP is zero when state is INTEL_PT_STATE_NO_IP Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 19/83] perf intel-pt: Clear FUP flag on error Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 20/83] Bluetooth: use constant time memory comparison for secret values Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 21/83] wlcore: fix 64K page support Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 22/83] ASoC: compress: Derive substream from stream based on direction Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 23/83] PM / Domains: Fix unsafe iteration over modified list of device links Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 24/83] PM / Domains: Fix unsafe iteration over modified list of domain providers Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 25/83] scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 26/83] iscsi-target: Add login_keys_workaround attribute for non RFC initiators Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 27/83] powerpc/64: Fix atomic64_inc_not_zero() to return an int Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 28/83] powerpc: Fix emulation of mcrf in emulate_step() Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 29/83] powerpc: Fix emulation of mfocrf " Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 30/83] powerpc/asm: Mark cr0 as clobbered in mftb() Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 31/83] af_key: Fix sadb_x_ipsecrequest parsing Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 32/83] PCI/PM: Restore the status of PCI devices across hibernation Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 33/83] ipvs: SNAT packet replies only for NATed connections Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 34/83] xhci: fix 20000ms port resume timeout Greg Kroah-Hartman
2017-07-25 19:18 ` [PATCH 4.4 35/83] xhci: Fix NULL pointer dereference when cleaning up streams for removed host Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 36/83] usb: storage: return on error to avoid a null pointer dereference Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 37/83] USB: cdc-acm: add device-id for quirky printer Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 38/83] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 39/83] usb: renesas_usbhs: gadget: disable all eps when the driver stops Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 40/83] md: dont use flush_signals in userspace processes Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 42/83] [media] cx88: Fix regression in initial video standard setting Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 43/83] Raid5 should update rdev->sectors after reshape Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 44/83] s390/syscalls: Fix out of bounds arguments access Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 48/83] ipmi: use rcu lock around call to intf->handlers->sender() Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 49/83] ipmi:ssif: Add missing unlock in error branch Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 50/83] f2fs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2017-07-25 19:19 ` Greg Kroah-Hartman [this message]
2017-07-25 19:19 ` [PATCH 4.4 52/83] vfio: New external user group/file match Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 53/83] ftrace: Fix uninitialized variable in match_records() Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 54/83] MIPS: Fix mips_atomic_set() retry condition Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 55/83] MIPS: Fix mips_atomic_set() with EVA Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 56/83] MIPS: Negate error syscall return in trace Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 57/83] x86/acpi: Prevent out of bound access caused by broken ACPI tables Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 58/83] x86/ioapic: Pass the correct data to unmask_ioapic_irq() Greg Kroah-Hartman
2017-08-03 20:24 ` Ben Hutchings
2017-07-25 19:19 ` [PATCH 4.4 59/83] MIPS: Fix MIPS I ISA /proc/cpuinfo reporting Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 60/83] MIPS: Save static registers before sysmips Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 61/83] MIPS: Actually decode JALX in `__compute_return_epc_for_insn Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 62/83] MIPS: Fix unaligned PC interpretation in `compute_return_epc Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 63/83] MIPS: math-emu: Prevent wrong ISA mode instruction emulation Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 64/83] MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 65/83] MIPS: Rename `sigill_r6 to `sigill_r2r6 " Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 66/83] MIPS: Send SIGILL for linked branches " Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 67/83] MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 68/83] Input: i8042 - fix crash at boot time Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 69/83] NFS: only invalidate dentrys that are clearly invalid Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 70/83] udf: Fix deadlock between writeback and udf_setsize() Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 71/83] target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 73/83] Revert "perf/core: Drop kernel samples even though :u is specified" Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 74/83] staging: rtl8188eu: add TL-WN722N v2 support Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 75/83] ceph: fix race in concurrent readdir Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 76/83] RDMA/core: Initialize port_num in qp_attr Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 77/83] drm/mst: Fix error handling during MST sideband message reception Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 78/83] drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 79/83] drm/mst: Avoid processing partially received up/down message transactions Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 80/83] of: device: Export of_device_{get_modalias, uvent_modalias} to modules Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 81/83] spmi: Include OF based modalias in device uevent Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 82/83] tracing: Fix kmemleak in instance_rmdir Greg Kroah-Hartman
2017-07-25 19:19 ` [PATCH 4.4 83/83] alarmtimer: dont rate limit one-shot timers Greg Kroah-Hartman
2017-07-26 2:54 ` [PATCH 4.4 00/83] 4.4.79-stable review Guenter Roeck
2017-07-26 14:24 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170725191716.398654761@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alex.williamson@redhat.com \
--cc=eric.auger@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).