mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
4b1815a52d
The architecture assumes that PCI functions can be removed synchronously as PCI events are processed. This however clashes with the reference counting of struct pci_dev which allows device drivers to hold on to a struct pci_dev reference even as the underlying device is removed. To bridge this gap commit2a671f77ee("s390/pci: fix use after free of zpci_dev") keeps the struct zpci_dev in ZPCI_FN_STATE_RESERVED state until common code releases the struct pci_dev. Only when all references are dropped, the struct zpci_dev can be removed and freed. Later commita46044a92a("s390/pci: fix zpci_zdev_put() on reserve") moved the deletion of the struct zpci_dev from the zpci_list in zpci_release_device() to the point where the device is reserved. This was done to prevent handling events for a device that is already being removed, e.g. when the platform generates both PCI event codes 0x304 and 0x308. In retrospect, deletion from the zpci_list in the release function without holding the zpci_list_lock was also racy. A side effect of this handling is that if the underlying device re-appears while the struct zpci_dev is in the ZPCI_FN_STATE_RESERVED state, the new and old instances of the struct zpci_dev and/or struct pci_dev may clash. For example when trying to create the IOMMU sysfs files for the new instance. In this case, re-adding the new instance is aborted. The old instance is removed, and the device will remain absent until the platform issues another event. Fix this by allowing the struct zpci_dev to be brought back up right until it is finally removed. To this end also keep the struct zpci_dev in the zpci_list until it is finally released when all references have been dropped. Deletion from the zpci_list from within the release function is made safe by using kref_put_lock() with the zpci_list_lock. This ensures that the releasing code holds the last reference. Cc: stable@vger.kernel.org Fixes:a46044a92a("s390/pci: fix zpci_zdev_put() on reserve") Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com> Tested-by: Gerd Bayer <gbayer@linux.ibm.com> Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
44 lines
1.1 KiB
C
44 lines
1.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright IBM Corp. 2020
|
|
*
|
|
* Author(s):
|
|
* Pierre Morel <pmorel@linux.ibm.com>
|
|
*
|
|
*/
|
|
#ifndef __S390_PCI_BUS_H
|
|
#define __S390_PCI_BUS_H
|
|
|
|
#include <linux/pci.h>
|
|
|
|
int zpci_bus_device_register(struct zpci_dev *zdev, struct pci_ops *ops);
|
|
void zpci_bus_device_unregister(struct zpci_dev *zdev);
|
|
|
|
int zpci_bus_scan_bus(struct zpci_bus *zbus);
|
|
void zpci_bus_scan_busses(void);
|
|
|
|
int zpci_bus_scan_device(struct zpci_dev *zdev);
|
|
void zpci_bus_remove_device(struct zpci_dev *zdev, bool set_error);
|
|
|
|
void zpci_release_device(struct kref *kref);
|
|
|
|
void zpci_zdev_put(struct zpci_dev *zdev);
|
|
|
|
static inline void zpci_zdev_get(struct zpci_dev *zdev)
|
|
{
|
|
kref_get(&zdev->kref);
|
|
}
|
|
|
|
int zpci_alloc_domain(int domain);
|
|
void zpci_free_domain(int domain);
|
|
int zpci_setup_bus_resources(struct zpci_dev *zdev);
|
|
|
|
static inline struct zpci_dev *zdev_from_bus(struct pci_bus *bus,
|
|
unsigned int devfn)
|
|
{
|
|
struct zpci_bus *zbus = bus->sysdata;
|
|
|
|
return (devfn >= ZPCI_FUNCTIONS_PER_BUS) ? NULL : zbus->function[devfn];
|
|
}
|
|
|
|
#endif /* __S390_PCI_BUS_H */
|