On Mon, Oct 25, 2021 at 11:00:26AM +0200, Niklas Schnelle wrote:
> commit a46044a92add6a400f4dada7b943b30221f7cc80 upstream.
>
> Since commit 2a671f77ee49 ("s390/pci: fix use after free of zpci_dev")
> the reference count of a zpci_dev is incremented between
> pcibios_add_device() and pcibios_release_device() which was supposed to
> prevent the zpci_dev from being freed while the common PCI code has
> access to it. It was missed however that the handling of zPCI
> availability events assumed that once zpci_zdev_put() was called no
> later availability event would still see the device. With the previously
> mentioned commit however this assumption no longer holds and we must
> make sure that we only drop the initial long-lived reference the zPCI
> subsystem holds exactly once.
>
> Do so by introducing a zpci_device_reserved() function that handles when
> a device is reserved. Here we make sure the zpci_dev will not be
> considered for further events by removing it from the zpci_list.
>
> This also means that the device actually stays in the
> ZPCI_FN_STATE_RESERVED state between the time we know it has been
> reserved and the final reference going away. We thus need to consider it
> a real state instead of just a conceptual state after the removal. The
> final cleanup of PCI resources, removal from zbus, and destruction of
> the IOMMU stays in zpci_release_device() to make sure holders of the
> reference do see valid data until the release.
>
> Fixes: 2a671f77ee49 ("s390/pci: fix use after free of zpci_dev")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Niklas Schnelle <schnelle@xxxxxxxxxxxxx>
> Signed-off-by: Vasily Gorbik <gor@xxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20211012093425.2247924-1-schnelle@xxxxxxxxxxxxx
> ---
>  arch/s390/include/asm/pci.h        |  3 ++
>  arch/s390/pci/pci.c                | 45 ++++++++++++++++++++++++++----
>  arch/s390/pci/pci_event.c          |  4 +--
>  drivers/pci/hotplug/s390_pci_hpc.c |  9 +-----
>  4 files changed, 46 insertions(+), 15 deletions(-)

Does not apply:

Applying patch s390-pci-fix-zpci_zdev_put-on-reserve.patch
patching file arch/s390/include/asm/pci.h
patching file arch/s390/pci/pci.c
Hunk #3 FAILED at 835.
Hunk #4 succeeded at 843 (offset 1 line).
1 out of 4 hunks FAILED -- rejects in file arch/s390/pci/pci.c
patching file arch/s390/pci/pci_event.c
patching file drivers/pci/hotplug/s390_pci_hpc.c

What did you make this against?

Ah, that's due to another patch we have in the queue right now.  I'll go
fix this up by hand, thanks!

greg k-h
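
Added example, not part of the thread or of the kernel patch: a userspace C model of the reference-counting problem the quoted commit message describes, where a second availability event drops the initial reference again, next to the fix of unlisting the device before the single put. All names (struct dev, dev_put, visible, event_unfixed, event_fixed, released_early) are hypothetical, and unlisting at release time in the unfixed path is a simplifying assumption of the model.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>

struct dev {
    int refs;      /* models the zpci_dev reference count */
    bool on_list;  /* models membership in zpci_list */
    bool released; /* set when the last reference goes away */
    bool reserved; /* models ZPCI_FN_STATE_RESERVED */
};

/* Hypothetical put: the release step also unlists the device. */
static void dev_put(struct dev *d)
{
    if (--d->refs == 0) {
        d->released = true;
        d->on_list = false;
    }
}

/* Event handlers only see devices that are still on the list. */
static bool visible(const struct dev *d)
{
    return d->on_list;
}

/* Unfixed: each event that finds the device drops a reference. */
static void event_unfixed(struct dev *d)
{
    if (visible(d))
        dev_put(d);
}

/* Fixed: unlist first, so the initial reference is dropped exactly once. */
static void event_fixed(struct dev *d)
{
    if (!visible(d))
        return;
    d->reserved = true;
    d->on_list = false;
    dev_put(d);
}

/* Two events arrive while the PCI core still holds its own reference. */
static bool released_early(void (*handler)(struct dev *))
{
    struct dev d = { .refs = 2, .on_list = true };
    handler(&d);
    handler(&d);
    return d.released;
}
```

In the fixed model the one remaining reference is the PCI core's, so the device is released only when that holder drops it.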