Message ID | 155387325926.2443841.6674640070856872301.stgit@dwillia2-desk3.amr.corp.intel.com (mailing list archive) |
---|---|
State | New, archived |
Delegated to: | Bjorn Helgaas |
Series | mm/devm_memremap_pages: Fix page release race |
On Fri, Mar 29, 2019 at 08:27:39AM -0700, Dan Williams wrote:
> The pci_p2pdma_add_resource() implementation immediately frees the pgmap
> if gen_pool_add_virt() fails. However, that means that when @dev
> triggers a devres release devm_memremap_pages_release() will crash
> trying to access the freed @pgmap.
>
> Use the new devm_memunmap_pages() to manually free the mapping in the
> error path.
>
> Fixes: 52916982af48 ("PCI/P2PDMA: Support peer-to-peer memory")
> Cc: Logan Gunthorpe <logang@deltatee.com>
> Cc: Ira Weiny <ira.weiny@intel.com>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Especially if you run "git log --oneline drivers/pci/p2pdma.c" and make yours match :),

Acked-by: Bjorn Helgaas <bhelgaas@google.com>

> ---
> drivers/pci/p2pdma.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c > index c52298d76e64..595a534bd749 100644 > --- a/drivers/pci/p2pdma.c > +++ b/drivers/pci/p2pdma.c > @@ -208,13 +208,15 @@ int pci_p2pdma_add_resource(struct pci_dev *pdev, int bar, size_t size, > pci_bus_address(pdev, bar) + offset, > resource_size(&pgmap->res), dev_to_node(&pdev->dev)); > if (error) > - goto pgmap_free; > + goto pages_free; > > pci_info(pdev, "added peer-to-peer DMA memory %pR\n", > &pgmap->res); > > return 0; > > +pages_free: > + devm_memunmap_pages(&pdev->dev, pgmap); > pgmap_free: > devm_kfree(&pdev->dev, pgmap); > return error; >
diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c index c52298d76e64..595a534bd749 100644 --- a/drivers/pci/p2pdma.c +++ b/drivers/pci/p2pdma.c @@ -208,13 +208,15 @@ int pci_p2pdma_add_resource(struct pci_dev *pdev, int bar, size_t size, pci_bus_address(pdev, bar) + offset, resource_size(&pgmap->res), dev_to_node(&pdev->dev)); if (error) - goto pgmap_free; + goto pages_free; pci_info(pdev, "added peer-to-peer DMA memory %pR\n", &pgmap->res); return 0; +pages_free: + devm_memunmap_pages(&pdev->dev, pgmap); pgmap_free: devm_kfree(&pdev->dev, pgmap); return error;
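Review bot: at the new `pages_free:` label, the fall-through into `pgmap_free:` makes the unwind order load-bearing (devm_memunmap_pages() has to run before devm_kfree() frees the pgmap it was handed), and nothing at the label says so. A one-line comment there would keep a later reorder of the two labels from reintroducing the crash the commit message describes. If any other `goto pgmap_free` remains in this function, it is also worth confirming that each one sits before the point where the pages are mapped, since a jump taken after that point would still free a pgmap that the devres release will later pass to devm_memremap_pages_release().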
The pci_p2pdma_add_resource() implementation immediately frees the pgmap if gen_pool_add_virt() fails. However, that means that when @dev triggers a devres release devm_memremap_pages_release() will crash trying to access the freed @pgmap.

Use the new devm_memunmap_pages() to manually free the mapping in the error path.

Fixes: 52916982af48 ("PCI/P2PDMA: Support peer-to-peer memory")
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/pci/p2pdma.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
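The devres ordering problem described in the commit message above, as a userspace model in C. This is an added example, not kernel code or part of the patch; the struct names, the `freed` flag standing in for a freed allocation, and `teardown_after_failed_add()` are constructed for illustration.

```c
#include <stdlib.h>

/* Userspace model (constructed): a per-device list of managed release actions. */
struct action { void (*fn)(void *); void *data; struct action *next; };
struct device { struct action *actions; };
struct pgmap  { int freed; };           /* 'freed' stands in for a kfree()d object */

static int stale_accesses;              /* release callbacks that saw a freed pgmap */

static void pages_release(void *data)   /* models devm_memremap_pages_release() */
{
    struct pgmap *p = data;
    if (p->freed)
        stale_accesses++;               /* in the kernel this is the use-after-free */
}

static void add_action(struct device *d, void (*fn)(void *), void *data)
{
    struct action *a = malloc(sizeof(*a));
    if (!a) abort();
    a->fn = fn; a->data = data; a->next = d->actions; d->actions = a;
}

/* Models devm_memunmap_pages(): run the matching action now and unregister it. */
static void release_action(struct device *d, void *data)
{
    for (struct action **pp = &d->actions; *pp; pp = &(*pp)->next)
        if ((*pp)->data == data) {
            struct action *a = *pp;
            *pp = a->next; a->fn(a->data); free(a);
            return;
        }
}

/* Error path after the pool add fails; returns stale accesses seen at teardown. */
int teardown_after_failed_add(int use_fixed_path)
{
    struct device dev = { NULL };
    struct pgmap pg = { 0 };
    stale_accesses = 0;
    add_action(&dev, pages_release, &pg);   /* mapping is registered with devres */
    if (use_fixed_path)
        release_action(&dev, &pg);          /* pages_free: unmap and unregister first */
    pg.freed = 1;                           /* pgmap_free: devm_kfree() */
    while (dev.actions) {                   /* devres release when @dev goes away */
        struct action *a = dev.actions;
        dev.actions = a->next; a->fn(a->data); free(a);
    }
    return stale_accesses;
}
```

With the original error path the release action is still registered when the device is torn down and runs against the freed pgmap; with the patched path the action has already been run and removed.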