mirror of
https://github.com/torvalds/linux.git
synced 2025-01-01 07:42:07 +00:00
fe2640bd7a
In remove_phb_dynamic() we use &phb->io_resource, after we've called
device_unregister(&host_bridge->dev). But the unregister may have freed
phb, because pcibios_free_controller_deferred() is the release function
for the host_bridge.
If there are no outstanding references when we call device_unregister()
then phb will be freed out from under us.
This has gone mainly unnoticed, but with slub_debug and page_poison
enabled it can lead to a crash:
PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr"
#0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc
#1 [c0000000e4f075d0] oops_end at c000000000029608
#2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4
#3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8
#4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30
Data SLB Access [380] exception frame:
R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100
R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9
R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff
R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000
R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000
R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003
R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005
R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0
R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8
R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800
R30: c00000004d1d2400 R31: c00000004d1d2540
NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474
CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003
CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3
DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2
[NIP : release_resource+56]
[LR : release_resource+48]
#5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable)
#6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648
#7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]
#8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]
#9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c
#10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504
#11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868
#12 [c0000000e4f07c70] new_sync_write at c00000000054339c
#13 [c0000000e4f07d10] vfs_write at c000000000546624
#14 [c0000000e4f07d60] ksys_write at c0000000005469f4
#15 [c0000000e4f07db0] system_call_exception at c000000000030840
#16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168
To avoid it, we can take a reference to the host_bridge->dev until we're
done using phb. Then when we drop the reference the phb will be freed.
Fixes: 2dd9c11b9d
("powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)")
Reported-by: David Dai <zdai@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
Link: https://lore.kernel.org/r/20220318034219.1188008-1-mpe@ellerman.id.au
112 lines
2.7 KiB
C
112 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* PCI Dynamic LPAR, PCI Hot Plug and PCI EEH recovery code
|
|
* for RPA-compliant PPC64 platform.
|
|
* Copyright (C) 2003 Linda Xie <lxie@us.ibm.com>
|
|
* Copyright (C) 2005 International Business Machines
|
|
*
|
|
* Updates, 2005, John Rose <johnrose@austin.ibm.com>
|
|
* Updates, 2005, Linas Vepstas <linas@austin.ibm.com>
|
|
*/
|
|
|
|
#include <linux/pci.h>
|
|
#include <linux/export.h>
|
|
#include <asm/pci-bridge.h>
|
|
#include <asm/ppc-pci.h>
|
|
#include <asm/firmware.h>
|
|
#include <asm/eeh.h>
|
|
|
|
#include "pseries.h"
|
|
|
|
struct pci_controller *init_phb_dynamic(struct device_node *dn)
|
|
{
|
|
struct pci_controller *phb;
|
|
|
|
pr_debug("PCI: Initializing new hotplug PHB %pOF\n", dn);
|
|
|
|
phb = pcibios_alloc_controller(dn);
|
|
if (!phb)
|
|
return NULL;
|
|
rtas_setup_phb(phb);
|
|
pci_process_bridge_OF_ranges(phb, dn, 0);
|
|
phb->controller_ops = pseries_pci_controller_ops;
|
|
|
|
pci_devs_phb_init_dynamic(phb);
|
|
|
|
pseries_msi_allocate_domains(phb);
|
|
|
|
/* Create EEH devices for the PHB */
|
|
eeh_phb_pe_create(phb);
|
|
|
|
if (dn->child)
|
|
pseries_eeh_init_edev_recursive(PCI_DN(dn));
|
|
|
|
pcibios_scan_phb(phb);
|
|
pcibios_finish_adding_to_bus(phb->bus);
|
|
|
|
return phb;
|
|
}
|
|
EXPORT_SYMBOL_GPL(init_phb_dynamic);
|
|
|
|
/* RPA-specific bits for removing PHBs */
|
|
int remove_phb_dynamic(struct pci_controller *phb)
|
|
{
|
|
struct pci_bus *b = phb->bus;
|
|
struct pci_host_bridge *host_bridge = to_pci_host_bridge(b->bridge);
|
|
struct resource *res;
|
|
int rc, i;
|
|
|
|
pr_debug("PCI: Removing PHB %04x:%02x...\n",
|
|
pci_domain_nr(b), b->number);
|
|
|
|
/* We cannot to remove a root bus that has children */
|
|
if (!(list_empty(&b->children) && list_empty(&b->devices)))
|
|
return -EBUSY;
|
|
|
|
/* We -know- there aren't any child devices anymore at this stage
|
|
* and thus, we can safely unmap the IO space as it's not in use
|
|
*/
|
|
res = &phb->io_resource;
|
|
if (res->flags & IORESOURCE_IO) {
|
|
rc = pcibios_unmap_io_space(b);
|
|
if (rc) {
|
|
printk(KERN_ERR "%s: failed to unmap IO on bus %s\n",
|
|
__func__, b->name);
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
pseries_msi_free_domains(phb);
|
|
|
|
/* Keep a reference so phb isn't freed yet */
|
|
get_device(&host_bridge->dev);
|
|
|
|
/* Remove the PCI bus and unregister the bridge device from sysfs */
|
|
phb->bus = NULL;
|
|
pci_remove_bus(b);
|
|
host_bridge->bus = NULL;
|
|
device_unregister(&host_bridge->dev);
|
|
|
|
/* Now release the IO resource */
|
|
if (res->flags & IORESOURCE_IO)
|
|
release_resource(res);
|
|
|
|
/* Release memory resources */
|
|
for (i = 0; i < 3; ++i) {
|
|
res = &phb->mem_resources[i];
|
|
if (!(res->flags & IORESOURCE_MEM))
|
|
continue;
|
|
release_resource(res);
|
|
}
|
|
|
|
/*
|
|
* The pci_controller data structure is freed by
|
|
* the pcibios_free_controller_deferred() callback;
|
|
* see pseries_root_bridge_prepare().
|
|
*/
|
|
put_device(&host_bridge->dev);
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(remove_phb_dynamic);
|