| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260108155558.GA482755@bhelgaas>
Date: Thu, 8 Jan 2026 09:55:58 -0600
From: Bjorn Helgaas <helgaas@...nel.org>
To: Alistair Popple <apopple@...dia.com>
Cc: Hou Tao <houtao@...weicloud.com>, linux-kernel@...r.kernel.org,
linux-pci@...r.kernel.org, linux-mm@...ck.org,
linux-nvme@...ts.infradead.org, Bjorn Helgaas <bhelgaas@...gle.com>,
Logan Gunthorpe <logang@...tatee.com>,
Leon Romanovsky <leonro@...dia.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Tejun Heo <tj@...nel.org>, "Rafael J . Wysocki" <rafael@...nel.org>,
Danilo Krummrich <dakr@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
David Hildenbrand <david@...nel.org>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
Keith Busch <kbusch@...nel.org>, Jens Axboe <axboe@...nel.dk>,
Christoph Hellwig <hch@....de>, Sagi Grimberg <sagi@...mberg.me>,
houtao1@...wei.com
Subject: Re: [PATCH 01/13] PCI/P2PDMA: Release the per-cpu ref of pgmap when
vm_insert_page() fails
On Thu, Jan 08, 2026 at 02:23:16PM +1100, Alistair Popple wrote:
> On 2025-12-20 at 15:04 +1100, Hou Tao <houtao@...weicloud.com> wrote...
> > From: Hou Tao <houtao1@...wei.com>
> >
> > When vm_insert_page() fails in p2pmem_alloc_mmap(), p2pmem_alloc_mmap()
> > doesn't invoke percpu_ref_put() to free the per-cpu ref of pgmap
> > acquired after gen_pool_alloc_owner(), and memunmap_pages() will hang
> > forever when trying to remove the PCIe device.
> >
> > Fix it by adding the missed percpu_ref_put().
>
> This pairs with the percpu_ref_tryget_live_rcu() above right? Might
> be worth mentioning that as a comment, but overall looks good to me
> so feel free to add:
>
> Reviewed-by: Alistair Popple <apopple@...dia.com>
Added your Reviewed-by, thanks!
Would the following commit log address your suggestion?
When the vm_insert_page() in p2pmem_alloc_mmap() failed, we did not
invoke percpu_ref_put() to free the per-CPU pgmap ref acquired by
percpu_ref_tryget_live_rcu(), which meant that PCI device removal would
hang forever in memunmap_pages().
Fix it by adding the missed percpu_ref_put().
Looking at this again, I'm confused about why in the normal, non-error
case, we do the percpu_ref_tryget_live_rcu(ref), followed by another
percpu_ref_get(ref) for each page, followed by just a single
percpu_ref_put() at the exit.
So we do ref_get() "1 + number of pages" times but we only do a single
ref_put(). Is there a loop of ref_put() for each page elsewhere?
> > Fixes: 7e9c7ef83d78 ("PCI/P2PDMA: Allow userspace VMA allocations through sysfs")
> > Signed-off-by: Hou Tao <houtao1@...wei.com>
> > ---
> > drivers/pci/p2pdma.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c
> > index 4a2fc7ab42c3..218c1f5252b6 100644
> > --- a/drivers/pci/p2pdma.c
> > +++ b/drivers/pci/p2pdma.c
> > @@ -152,6 +152,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct kobject *kobj,
> > ret = vm_insert_page(vma, vaddr, page);
> > if (ret) {
> > gen_pool_free(p2pdma->pool, (uintptr_t)kaddr, len);
> > + percpu_ref_put(ref);
> > return ret;
> > }
> > percpu_ref_get(ref);
> > --
> > 2.29.2
> >
Powered by blists - more mailing lists