Re: [PATCH v7 1/1] PCI/IOV: Make pci_lock_rescan_remove() reentrant and protect sriov_add_vfs/sriov_del_vfs

[Niklas Schnelle <schnelle@linux.ibm.com>]

On Sun, 2026-03-08 at 15:53 +0200, Ionut Nechita (Wind River) wrote:
> After reverting commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove
> locking when enabling/disabling SR-IOV") and moving the lock to
> sriov_numvfs_store(), the path through driver .remove() (e.g. rmmod,
> or manual unbind) that calls pci_disable_sriov() directly remains
> unprotected against concurrent hotplug events. This affects any SR-IOV
> capable driver that calls pci_disable_sriov() from its .remove()
> callback (i40e, ice, mlx5, bnxt, etc.).
> 
> On s390, platform-generated hot-unplug events for VFs can race with
> sriov_del_vfs() when a PF driver is being unloaded. The platform event
> handler takes pci_rescan_remove_lock, but sriov_del_vfs() does not,
> leading to double removal and list corruption.
> 
> We cannot use a plain mutex_lock() here because sriov_del_vfs() may also
> be called from paths that already hold pci_rescan_remove_lock (e.g.
> remove_store -> pci_stop_and_remove_bus_device_locked, or
> sriov_numvfs_store with the lock taken by the previous patch). Using
> mutex_lock() in those cases would deadlock.
> 
> Make pci_lock_rescan_remove() itself reentrant using mutex_get_owner()
> and a reentrant depth counter, as suggested by Lukas Wunner and
> Benjamin Block, since these recursive locking scenarios exist elsewhere
> in the PCI subsystem:
>  - If the lock is already held by the current task (checked via
>    mutex_get_owner()): increments the reentrant counter and returns
>    without re-acquiring, avoiding deadlock.
>  - If the lock is held by another task: blocks until the lock is
>    released, providing complete serialization.
>  - If the lock is not held: acquires the mutex normally.
> 
> pci_unlock_rescan_remove() decrements the reentrant counter if it is
> non-zero, otherwise releases the mutex.
> 
> This approach keeps the API unchanged: callers simply pair lock/unlock
> calls without needing to track any return value or use separate
> reentrant variants.
> 
> Add pci_lock_rescan_remove()/pci_unlock_rescan_remove() calls to
> sriov_add_vfs() and sriov_del_vfs() to protect VF addition and
> removal against concurrent hotplug events.
> 
> Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()")

I think this should have an additional fixes tag for commit 
05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when
enabling/disabling SR-IOV") and commit a5338e365c45 ("PCI/IOV: Fix race
between SR-IOV enable/disable and hotplug") especially if you
incorporate my suggestion below but even without it.

> Cc: stable@vger.kernel.org
> Suggested-by: Lukas Wunner <lukas@wunner.de>
> Suggested-by: Benjamin Block <bblock@linux.ibm.com>
> Signed-off-by: Ionut Nechita <ionut_n2001@yahoo.com>
> Signed-off-by: Ionut Nechita <ionut.nechita@windriver.com>
> ---
>  drivers/pci/iov.c   |  5 +++++
>  drivers/pci/probe.c | 11 +++++++++--
>  2 files changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
> index 91ac4e37ecb9c..aba2fb90759cd 100644
> --- a/drivers/pci/iov.c
> +++ b/drivers/pci/iov.c
> @@ -633,15 +633,18 @@ static int sriov_add_vfs(struct pci_dev *dev, u16 num_vfs)
>  	if (dev->no_vf_scan)
>  		return 0;
>  
> +	pci_lock_rescan_remove();
>  	for (i = 0; i < num_vfs; i++) {
>  		rc = pci_iov_add_virtfn(dev, i);
>  		if (rc)
>  			goto failed;
>  	}
> +	pci_unlock_rescan_remove();
>  	return 0;
>  failed:
>  	while (i--)
>  		pci_iov_remove_virtfn(dev, i);
> +	pci_unlock_rescan_remove();
>  
>  	return rc;
>  }
> @@ -766,8 +769,10 @@ static void sriov_del_vfs(struct pci_dev *dev)
>  	struct pci_sriov *iov = dev->sriov;
>  	int i;
>  
> +	pci_lock_rescan_remove();
>  	for (i = 0; i < iov->num_VFs; i++)
>  		pci_iov_remove_virtfn(dev, i);
> +	pci_unlock_rescan_remove();
>  }

So basically after making the rescan/remove lock reentrant we can now
use it in the same spot as I did in commit 05703271c3cd ("PCI/IOV: Add
PCI rescan-remove locking when enabling/disabling SR-IOV") only now it
doesn't deadlock via self-lock during device removal.

With that I think you could actually remove the rescan/remove locking
in sriov_numvfs_store() introduced by commit a5338e365c45 ("PCI/IOV:
Fix race between SR-IOV enable/disable and hotplug") as part of this
patch. That way for the price of making the lock reentrant we are able
to reduce its scope. It does otherwise seem a bit weird, though
harmless with the reentrant behavior, to take it in both
sriov_numvfs_store() and then again in sriov_add_vfs()/sriov_del_vfs().

>  
>  static void sriov_disable(struct pci_dev *dev)
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index bccc7a4bdd794..ce4d351b5aa21 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -3509,16 +3509,23 @@ EXPORT_SYMBOL_GPL(pci_rescan_bus);
>   * routines should always be executed under this mutex.
>   */
>  DEFINE_MUTEX(pci_rescan_remove_lock);
> +static size_t pci_rescan_remove_reentrant_count;
>  
>  void pci_lock_rescan_remove(void)
>  {
> -	mutex_lock(&pci_rescan_remove_lock);
> +	if (mutex_get_owner(&pci_rescan_remove_lock) == (unsigned long)current)
> +		pci_rescan_remove_reentrant_count++;
> +	else
> +		mutex_lock(&pci_rescan_remove_lock);
>  }
>  EXPORT_SYMBOL_GPL(pci_lock_rescan_remove);
>  
>  void pci_unlock_rescan_remove(void)
>  {
> -	mutex_unlock(&pci_rescan_remove_lock);
> +	if (pci_rescan_remove_reentrant_count > 0)
> +		pci_rescan_remove_reentrant_count--;
> +	else
> +		mutex_unlock(&pci_rescan_remove_lock);
>  }
>  EXPORT_SYMBOL_GPL(pci_unlock_rescan_remove);


I still don't particularly love making the lock reentrant but I also
haven't been able to come up with anything cleaner for handling the
remove paths.

This is especially true for s390 where removing the last passed-through
PCI function (struct zpci_dev) on a shared virtual PCI bus also
logically removes the virtual PCI bus while also having to hold onto
the struct zpci_dev until the corresponding struct pci_dev is
released. So this is why Benjamin's series for s390 now strictly
depends on this patch to get that part safe without having to introduce
rescan/remove locking in pci_release_dev() which seemed quite wrong to
me.

Long story short. Until a major tree-wide refactoring of the
rescan/remove lock this seems like the cleanest path forward to me
and I thank you for tackling this.

Feel free to add my R-b independent of whether you remove the
rescan/remove locking from sriov_numvfs_store()

Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>

Thanks,
Niklas