From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Damien Le Moal <dlemoal@kernel.org>,
Lorenzo Pieralisi <lpieralisi@kernel.org>,
Bjorn Helgaas <bhelgaas@google.com>,
Manivannan Sadhasivam <mani@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 18/64] PCI: endpoint: Automatically create a function specific attributes group
Date: Tue, 17 Feb 2026 21:31:14 +0100 [thread overview]
Message-ID: <20260217200008.198444159@linuxfoundation.org> (raw)
In-Reply-To: <20260217200007.505931165@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 70b3740f2c1941e2006d61539131b70d20cba9a6 ]
A PCI endpoint function driver can define function specific attributes
under its function configfs directory using the add_cfs() endpoint driver
operation. This is done by tying up the mkdir operation for the function
configfs directory to a call to the add_cfs() operation. However, there
are no checks preventing the user from repeatedly creating function
specific attribute directories with different names, resulting in the same
endpoint specific attributes group being added multiple times, which also
result in an invalid reference counting for the attribute groups. E.g.,
using the pci-epf-ntb function driver as an example, the user creates the
function as follows:
$ modprobe pci-epf-ntb
$ cd /sys/kernel/config/pci_ep/functions/pci_epf_ntb
$ mkdir func0
$ tree func0
func0/
|-- baseclass_code
|-- cache_line_size
|-- ...
`-- vendorid
$ mkdir func0/attrs
$ tree func0
func0/
|-- attrs
| |-- db_count
| |-- mw1
| |-- mw2
| |-- mw3
| |-- mw4
| |-- num_mws
| `-- spad_count
|-- baseclass_code
|-- cache_line_size
|-- ...
`-- vendorid
At this point, the function can be started by linking the EP controller.
However, if the user mistakenly creates again a directory:
$ mkdir func0/attrs2
$ tree func0
func0/
|-- attrs
| |-- db_count
| |-- mw1
| |-- mw2
| |-- mw3
| |-- mw4
| |-- num_mws
| `-- spad_count
|-- attrs2
| |-- db_count
| |-- mw1
| |-- mw2
| |-- mw3
| |-- mw4
| |-- num_mws
| `-- spad_count
|-- baseclass_code
|-- cache_line_size
|-- ...
`-- vendorid
The endpoint function specific attributes are duplicated and cause a crash
when the endpoint function device is torn down:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 2 PID: 834 at lib/refcount.c:25 refcount_warn_saturate+0xc8/0x144
CPU: 2 PID: 834 Comm: rmdir Not tainted 6.3.0-rc1 #1
Hardware name: Pine64 RockPro64 v2.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
...
Call trace:
refcount_warn_saturate+0xc8/0x144
config_item_get+0x7c/0x80
configfs_rmdir+0x17c/0x30c
vfs_rmdir+0x8c/0x204
do_rmdir+0x158/0x184
__arm64_sys_unlinkat+0x64/0x80
invoke_syscall+0x48/0x114
...
Fix this by modifying pci_epf_cfs_work() to execute the new function
pci_ep_cfs_add_type_group() which itself calls pci_epf_type_add_cfs() to
obtain the function specific attribute group and the group name (directory
name) from the endpoint function driver. If the function driver defines an
attribute group, pci_ep_cfs_add_type_group() then proceeds to register this
group using configfs_register_group(), thus automatically exposing the
function type specific configfs attributes to the user. E.g.:
$ modprobe pci-epf-ntb
$ cd /sys/kernel/config/pci_ep/functions/pci_epf_ntb
$ mkdir func0
$ tree func0
func0/
|-- baseclass_code
|-- cache_line_size
|-- ...
|-- pci_epf_ntb.0
| |-- db_count
| |-- mw1
| |-- mw2
| |-- mw3
| |-- mw4
| |-- num_mws
| `-- spad_count
|-- primary
|-- ...
`-- vendorid
With this change, there is no need for the user to create or delete
directories in the endpoint function attributes directory. The
pci_epf_type_group_ops group operations are thus removed.
Also update the documentation for the pci-epf-ntb and pci-epf-vntb function
drivers to reflect this change, removing the explanations showing the need
to manually create the sub-directory for the function specific attributes.
Link: https://lore.kernel.org/r/20230415023542.77601-2-dlemoal@kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/PCI/endpoint/pci-ntb-howto.rst | 11 ++----
Documentation/PCI/endpoint/pci-vntb-howto.rst | 13 +++-----
drivers/pci/endpoint/pci-ep-cfs.c | 42 ++++++++++++--------------
3 files changed, 29 insertions(+), 37 deletions(-)
--- a/Documentation/PCI/endpoint/pci-ntb-howto.rst
+++ b/Documentation/PCI/endpoint/pci-ntb-howto.rst
@@ -88,13 +88,10 @@ commands can be used::
# echo 0x104c > functions/pci_epf_ntb/func1/vendorid
# echo 0xb00d > functions/pci_epf_ntb/func1/deviceid
-In order to configure NTB specific attributes, a new sub-directory to func1
-should be created::
-
- # mkdir functions/pci_epf_ntb/func1/pci_epf_ntb.0/
-
-The NTB function driver will populate this directory with various attributes
-that can be configured by the user::
+The PCI endpoint framework also automatically creates a sub-directory in the
+function attribute directory. This sub-directory has the same name as the name
+of the function device and is populated with the following NTB specific
+attributes that can be configured by the user::
# ls functions/pci_epf_ntb/func1/pci_epf_ntb.0/
db_count mw1 mw2 mw3 mw4 num_mws
--- a/Documentation/PCI/endpoint/pci-vntb-howto.rst
+++ b/Documentation/PCI/endpoint/pci-vntb-howto.rst
@@ -84,13 +84,10 @@ commands can be used::
# echo 0x1957 > functions/pci_epf_vntb/func1/vendorid
# echo 0x0809 > functions/pci_epf_vntb/func1/deviceid
-In order to configure NTB specific attributes, a new sub-directory to func1
-should be created::
-
- # mkdir functions/pci_epf_vntb/func1/pci_epf_vntb.0/
-
-The NTB function driver will populate this directory with various attributes
-that can be configured by the user::
+The PCI endpoint framework also automatically creates a sub-directory in the
+function attribute directory. This sub-directory has the same name as the name
+of the function device and is populated with the following NTB specific
+attributes that can be configured by the user::
# ls functions/pci_epf_vntb/func1/pci_epf_vntb.0/
db_count mw1 mw2 mw3 mw4 num_mws
@@ -103,7 +100,7 @@ A sample configuration for NTB function
# echo 1 > functions/pci_epf_vntb/func1/pci_epf_vntb.0/num_mws
# echo 0x100000 > functions/pci_epf_vntb/func1/pci_epf_vntb.0/mw1
-A sample configuration for virtual NTB driver for virutal PCI bus::
+A sample configuration for virtual NTB driver for virtual PCI bus::
# echo 0x1957 > functions/pci_epf_vntb/func1/pci_epf_vntb.0/vntb_vid
# echo 0x080A > functions/pci_epf_vntb/func1/pci_epf_vntb.0/vntb_pid
--- a/drivers/pci/endpoint/pci-ep-cfs.c
+++ b/drivers/pci/endpoint/pci-ep-cfs.c
@@ -23,6 +23,7 @@ struct pci_epf_group {
struct config_group group;
struct config_group primary_epc_group;
struct config_group secondary_epc_group;
+ struct config_group *type_group;
struct delayed_work cfs_work;
struct pci_epf *epf;
int index;
@@ -502,34 +503,29 @@ static struct configfs_item_operations p
.release = pci_epf_release,
};
-static struct config_group *pci_epf_type_make(struct config_group *group,
- const char *name)
-{
- struct pci_epf_group *epf_group = to_pci_epf_group(&group->cg_item);
- struct config_group *epf_type_group;
-
- epf_type_group = pci_epf_type_add_cfs(epf_group->epf, group);
- return epf_type_group;
-}
-
-static void pci_epf_type_drop(struct config_group *group,
- struct config_item *item)
-{
- config_item_put(item);
-}
-
-static struct configfs_group_operations pci_epf_type_group_ops = {
- .make_group = &pci_epf_type_make,
- .drop_item = &pci_epf_type_drop,
-};
-
static const struct config_item_type pci_epf_type = {
- .ct_group_ops = &pci_epf_type_group_ops,
.ct_item_ops = &pci_epf_ops,
.ct_attrs = pci_epf_attrs,
.ct_owner = THIS_MODULE,
};
+static void pci_ep_cfs_add_type_group(struct pci_epf_group *epf_group)
+{
+ struct config_group *group;
+
+ group = pci_epf_type_add_cfs(epf_group->epf, &epf_group->group);
+ if (!group)
+ return;
+
+ if (IS_ERR(group)) {
+ dev_err(&epf_group->epf->dev,
+ "failed to create epf type specific attributes\n");
+ return;
+ }
+
+ configfs_register_group(&epf_group->group, group);
+}
+
static void pci_epf_cfs_work(struct work_struct *work)
{
struct pci_epf_group *epf_group;
@@ -547,6 +543,8 @@ static void pci_epf_cfs_work(struct work
pr_err("failed to create 'secondary' EPC interface\n");
return;
}
+
+ pci_ep_cfs_add_type_group(epf_group);
}
static struct config_group *pci_epf_make(struct config_group *group,
next prev parent reply other threads:[~2026-02-17 20:45 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:30 [PATCH 6.1 00/64] 6.1.164-rc1 review Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 01/64] smb: client: split cached_fid bitfields to avoid shared-byte RMW races Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 02/64] ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 03/64] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 04/64] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 05/64] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 06/64] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 07/64] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 08/64] nilfs2: Fix potential block overflow that cause system hang Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 09/64] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 10/64] scsi: qla2xxx: Allow recovery for tape devices Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 11/64] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 12/64] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 13/64] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 14/64] btrfs: fix racy bitfield write in btrfs_clear_space_info_full() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 15/64] net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 16/64] smb: client: set correct id, uid and cruid for multiuser automounts Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 17/64] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 6.1 19/64] PCI: endpoint: Remove unused field in struct pci_epf_group Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 20/64] PCI: endpoint: Avoid creating sub-groups asynchronously Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 21/64] bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 22/64] bus: fsl-mc: fix use-after-free in driver_override_show() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 23/64] scsi: qla2xxx: Remove dead code (GNN ID) Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 24/64] scsi: qla2xxx: Reduce fabric scan duplicate code Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 25/64] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 26/64] cacheinfo: Decrement refcount in cache_setup_of_node() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 27/64] cacheinfo: Remove of_node_put() for fw_token Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 28/64] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 29/64] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 30/64] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 31/64] ALSA: hda/realtek: Add quirk for Inspur S14-G1 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 32/64] ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 33/64] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 34/64] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 35/64] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 36/64] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 37/64] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 38/64] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 39/64] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 40/64] Revert "wireguard: device: enable threaded NAPI" Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 41/64] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 42/64] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 43/64] mptcp: ensure context reset on disconnect() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 44/64] selftests: mptcp: check no dup close events after error Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 45/64] selftests: mptcp: check subflow errors in close events Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 46/64] selftests: mptcp: join: fix local endp not being tracked Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 47/64] xsk: Fix race condition in AF_XDP generic RX path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 48/64] devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 49/64] clk: mediatek: fix of_iomap memory leak Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 50/64] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 51/64] ksmbd: set ATTR_CTIME flags when setting mtime Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 52/64] ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 53/64] net: stmmac: Fix accessing freed irq affinity_hint Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 54/64] net: dsa: free routing table on probe failure Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 55/64] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 56/64] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 57/64] cpuset: Fix missing adaptation for cpuset_is_populated Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 58/64] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 59/64] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 60/64] f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 61/64] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 62/64] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 63/64] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.1 64/64] net: tunnel: make skb_vlan_inet_prepare() return drop reasons Greg Kroah-Hartman
2026-02-17 22:31 ` [PATCH 6.1 00/64] 6.1.164-rc1 review Florian Fainelli
2026-02-18 5:27 ` Peter Schneider
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 9:12 ` Pavel Machek
2026-02-18 12:00 ` Mark Brown
2026-02-18 12:44 ` Francesco Dolcini
2026-02-19 6:44 ` Ron Economos
2026-02-19 12:25 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200008.198444159@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bhelgaas@google.com \
--cc=dlemoal@kernel.org \
--cc=lpieralisi@kernel.org \
--cc=mani@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox