From 934ad4c235f87dcb9206abdfa22922358999afab Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 17 Aug 2012 19:49:09 -0400 Subject: vfio: don't dereference after kfree... Acked-by: Alex Williamson Signed-off-by: Al Viro --- drivers/vfio/vfio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index 9591e2b509d..0b025d58de8 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -416,8 +416,9 @@ static void vfio_device_release(struct kref *kref) /* Device reference always implies a group reference */ static void vfio_device_put(struct vfio_device *device) { + struct vfio_group *group = device->group; kref_put(&device->kref, vfio_device_release); - vfio_group_put(device->group); + vfio_group_put(group); } static void vfio_device_get(struct vfio_device *device) -- cgit v1.2.3-18-g5258 From 6d2cd3ce815b302e885b44ca1bdbe3c7db321c7a Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 17 Aug 2012 21:27:32 -0400 Subject: vfio: get rid of open-coding kref_put_mutex Acked-by: Alex Williamson Signed-off-by: Al Viro --- drivers/vfio/vfio.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'drivers') diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index 0b025d58de8..92b85676e6b 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -264,6 +264,7 @@ static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group) return group; } +/* called with vfio.group_lock held */ static void vfio_group_release(struct kref *kref) { struct vfio_group *group = container_of(kref, struct vfio_group, kref); @@ -287,13 +288,7 @@ static void vfio_group_release(struct kref *kref) static void vfio_group_put(struct vfio_group *group) { - mutex_lock(&vfio.group_lock); - /* - * Release needs to unlock to unregister the notifier, so only - * unlock if not released. - */ - if (!kref_put(&group->kref, vfio_group_release)) - mutex_unlock(&vfio.group_lock); + kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock); } /* Assume group_lock or group reference is held */ -- cgit v1.2.3-18-g5258 From 90b1253e4139776e8257914ae9e2292d0de2fecc Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 17 Aug 2012 21:29:06 -0400 Subject: vfio: get rid of vfio_device_put()/vfio_group_get_device* races we really need to make sure that dropping the last reference happens under the group->device_lock; otherwise a loop (under device_lock) might find vfio_device instance that is being freed right now, has already dropped the last reference and waits on device_lock to exclude the sucker from the list. Acked-by: Alex Williamson Signed-off-by: Al Viro --- drivers/vfio/vfio.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index 92b85676e6b..887ae43276b 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -396,7 +396,6 @@ static void vfio_device_release(struct kref *kref) struct vfio_device, kref); struct vfio_group *group = device->group; - mutex_lock(&group->device_lock); list_del(&device->group_next); mutex_unlock(&group->device_lock); @@ -412,7 +411,7 @@ static void vfio_device_release(struct kref *kref) static void vfio_device_put(struct vfio_device *device) { struct vfio_group *group = device->group; - kref_put(&device->kref, vfio_device_release); + kref_put_mutex(&device->kref, vfio_device_release, &group->device_lock); vfio_group_put(group); } -- cgit v1.2.3-18-g5258 From 31605debdf5459cc8aacabf192a911a803a81c26 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 17 Aug 2012 21:32:56 -0400 Subject: vfio: grab vfio_device reference *before* exposing the sucker via fd_install() It's not critical (anymore) since another thread closing the file will block on ->device_lock before it gets to dropping the final reference, but it's definitely cleaner that way... Acked-by: Alex Williamson Signed-off-by: Al Viro --- drivers/vfio/vfio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index 887ae43276b..17830c9c7cc 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1111,10 +1111,10 @@ static int vfio_group_get_device_fd(struct vfio_group *group, char *buf) */ filep->f_mode |= (FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE); - fd_install(ret, filep); - vfio_device_get(device); atomic_inc(&group->container_users); + + fd_install(ret, filep); break; } mutex_unlock(&group->device_lock); -- cgit v1.2.3-18-g5258