Re: [PATCH 0/4] PCI/AER: Use-after-free fix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




在 2018/4/10 6:04, Keith Busch 写道:
AER error handling walks the PCI topology below a root port, saving
pointers of the pci_dev structs affected by the error along the way.

At the same time, the pcie hotplug driver could be freeing those very
same structures, causing the AER driver to reference freed memory.

I also have met such issue.  The details see the below link.
https://www.spinics.net/lists/linux-pci/msg70614.html
It seems do reset_link() will trigger hotplug driver to remove/rescan device
when met AER fatal error.
do_recovery()
   --- reset_link()
	--- pci_reset_secondary_bus() //then trigger link down/up.
So if the root port support hotplug, it will remove/rescan device.
I still have a question, since AER driver have already done recovery,
it seems no need to trigger hotplug to remove and rescan the device.

Thanks,
Dongdong


This series fixes this by synchroniziing the aer driver with the pci
hotplug driver during. The final patch is the one that ultimately provides
the locking by having AER lock the same pci lock rescan/remove mutex as
the pciehp driver. The first three patches are prepping to make it safe
for the aer bottom half handler to hold that lock.

Keith Busch (4):
  PCI/AER: Remove unused parameters
  PCI/AER: Replace struct pcie_device with pci_dev
  PCI/AER: Reference count aer structures
  PCI/AER: Lock pci topology when scanning errors

 drivers/pci/pcie/aer/aerdrv.c      | 28 +++++++++++++++++++++-------
 drivers/pci/pcie/aer/aerdrv.h      |  9 +++------
 drivers/pci/pcie/aer/aerdrv_core.c | 38 +++++++++++++++++---------------------
 3 files changed, 41 insertions(+), 34 deletions(-)





[Index of Archives]     [DMA Engine]     [Linux Coverity]     [Linux USB]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Greybus]

  Powered by Linux