mirror of
https://github.com/torvalds/linux.git
synced 2024-12-02 00:51:44 +00:00
a58d37bce0
If an ocxl device is unbound through sysfs at the same time its AFU is
being opened by a user process, the open code may dereference freed
stuctures, which can lead to kernel oops messages. You'd have to hit a
tiny time window, but it's possible. It's fairly easy to test by
making the time window bigger artificially.
Fix it with a combination of 2 changes:
- when an AFU device is found in the IDR by looking for the device
minor number, we should hold a reference on the device until after
the context is allocated. A reference on the AFU structure is kept
when the context is allocated, so we can release the reference on
the device after the context allocation.
- with the fix above, there's still another even tinier window,
between the time the AFU device is found in the IDR and the
reference on the device is taken. We can fix this one by removing
the IDR entry earlier, when the device setup is removed, instead
of waiting for the 'release' device callback. With proper locking
around the IDR.
Fixes:
|
||
|---|---|---|
| .. | ||
| afu_irq.c | ||
| config.c | ||
| context.c | ||
| core.c | ||
| file.c | ||
| Kconfig | ||
| link.c | ||
| main.c | ||
| Makefile | ||
| mmio.c | ||
| ocxl_internal.h | ||
| pasid.c | ||
| pci.c | ||
| sysfs.c | ||
| trace.c | ||
| trace.h | ||