From: Niklas Schnelle <schnelle@linux.ibm.com>
To: "Ionut Nechita (Wind River)" <ionut.nechita@windriver.com>,
linux-pci@vger.kernel.org, bhelgaas@google.com
Cc: helgaas@kernel.org, sebott@linux.ibm.com, bblock@linux.ibm.com,
linux@roeck-us.net, lukas@wunner.de, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, intel-xe@lists.freedesktop.org,
matthew.brost@intel.com, michal.wajdeczko@intel.com,
piotr.piorkowski@intel.com, dtatulea@nvidia.com, mani@kernel.org,
kbusch@kernel.org, lkml@mageta.org, alifm@linux.ibm.com,
julianr@linux.ibm.com, ionut_n2001@yahoo.com,
sunlightlinux@gmail.com
Subject: Re: [PATCH v11 2/2] PCI: Fix AB-BA deadlock between device_lock and pci_rescan_remove_lock in remove_store
Date: Wed, 15 Apr 2026 21:48:51 +0200
Message-ID: <9a9a257de499ae3e1cfd170c1ce1d05428186167.camel@linux.ibm.com>
In-Reply-To: <20260326083534.23602-3-ionut.nechita@windriver.com>
On Thu, 2026-03-26 at 10:35 +0200, Ionut Nechita (Wind River) wrote:
> remove_store() calls pci_stop_and_remove_bus_device_locked() which
> takes pci_rescan_remove_lock first, then device_lock during driver
> release. Meanwhile, unbind_store() takes device_lock first (via
> device_driver_detach), and the driver's .remove() callback may call
> pci_disable_sriov() -> sriov_del_vfs() -> pci_lock_rescan_remove().
>
> This creates an AB-BA deadlock:
>
>   CPU0 (remove_store)              CPU1 (unbind_store)
>   --------------------             --------------------
>   pci_lock_rescan_remove()
>                                    device_lock()
>                                    driver .remove()
>                                      sriov_del_vfs()
>                                        pci_lock_rescan_remove() <-- WAITS
>   pci_stop_bus_device()
>     device_release_driver()
>       device_lock() <-- WAITS
>
> Fix this by first marking the device as dead using kill_device() to
> prevent any new driver from binding, then calling device_release_driver()
> before pci_stop_and_remove_bus_device_locked().
>
> Marking the device dead closes the race window between unbinding and
> removal where a new driver could theoretically bind: once the dead flag
> is set, the device core will refuse any new driver probe.
>
> After device_release_driver() returns, the driver is already unbound,
> so the subsequent device_release_driver() call inside
> pci_stop_and_remove_bus_device_locked() becomes a no-op.
>
> Fixes: a5338e365c45 ("PCI/IOV: Fix race between SR-IOV enable/disable and hotplug")
> Reported-by: Guenter Roeck <linux@roeck-us.net>
> Closes: https://lore.kernel.org/linux-pci/0ca9e675-478c-411d-be32-e2d81439288f@roeck-us.net/
> Reported-by: Benjamin Block <bblock@linux.ibm.com>
> Closes: https://lore.kernel.org/linux-pci/20260317090149.GA3835708@chlorum.ategam.org/
> Suggested-by: Benjamin Block <bblock@linux.ibm.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Ionut Nechita <ionut.nechita@windriver.com>
> ---
> drivers/pci/pci-sysfs.c | 30 +++++++++++++++++++++++++++++-
> 1 file changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index a2f8a5d6190fd..e87aa96c02bde 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -518,8 +518,36 @@ static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
> if (kstrtoul(buf, 0, &val) < 0)
> return -EINVAL;
>
> - if (val && device_remove_file_self(dev, attr))
> + if (val && device_remove_file_self(dev, attr)) {
> + /*
> + * Mark the device as dead so that no new driver can bind
> + * between the unbind and the removal below. Once the
> + * dead flag is set, the device core will refuse any new
> + * driver probe.
> + */
> + device_lock(dev);
> + kill_device(dev);
> + device_unlock(dev);
> +
> + /*
> + * Unbind the driver before removing the device to avoid
> + * an AB-BA deadlock between device_lock and
> + * pci_rescan_remove_lock. Without this, remove_store
> + * takes pci_rescan_remove_lock first (via
> + * pci_stop_and_remove_bus_device_locked) and then
> + * device_lock during driver release, while a concurrent
> + * unbind_store (or sriov_numvfs_store) takes device_lock
> + * first and then pci_rescan_remove_lock (via
> + * sriov_del_vfs), creating a circular dependency.
> + *
> + * By unbinding first, the driver's .remove() callback
> + * (including any SR-IOV VF cleanup) completes before
> + * pci_rescan_remove_lock is acquired, ensuring both
> + * paths take locks in the same order.
> + */
> + device_release_driver(dev);
> pci_stop_and_remove_bus_device_locked(to_pci_dev(dev));
> + }
> return count;
> }
> static DEVICE_ATTR_IGNORE_LOCKDEP(remove, 0220, NULL,
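Review bot: The comment above device_release_driver(dev) says both paths now take the locks in the same order, but the commit message notes that pci_stop_and_remove_bus_device_locked() still calls device_release_driver() internally and only relies on that call being a no-op. Please say so in the comment, and state that only dev itself is unbound early here, so a reader can tell whether any other device removed along with it is still released with pci_rescan_remove_lock held. Separately, the result of kill_device(dev) is discarded; if it can report that the device was already marked dead, a short comment on why that case needs no handling would help.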
This looks good to me and this use of kill_device() seems to match
pretty well with the comment in kill_device() as setting it on tearing
things down. Thank you for working on this rat's nest of PCI
rescan/remove lock issues!
Feel free to add my
Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>