lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260209161443.GA190606@bhelgaas>
Date: Mon, 9 Feb 2026 10:14:43 -0600
From: Bjorn Helgaas <helgaas@...nel.org>
To: "Ionut Nechita (Wind River)" <ionut.nechita@...driver.com>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>, linux-pci@...r.kernel.org,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
	Clark Williams <clrkwllms@...nel.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	linux-rt-devel@...ts.linux.dev, linux-kernel@...r.kernel.org,
	Ionut Nechita <ionut_n2001@...oo.com>
Subject: Re: [PATCH] PCI/IOV: Fix recursive locking deadlock on
 pci_rescan_remove_lock

On Mon, Feb 09, 2026 at 09:57:07AM +0200, Ionut Nechita (Wind River) wrote:
> From: Ionut Nechita <ionut.nechita@...driver.com>
> 
> When a PCI device is hot-removed via sysfs (e.g., echo 1 > /sys/.../remove),
> pci_stop_and_remove_bus_device_locked() acquires pci_rescan_remove_lock and
> then recursively walks the bus hierarchy calling driver .remove() callbacks.
> 
> If the removed device is a PF with SR-IOV enabled (e.g., i40e, ice), the
> driver's .remove() calls pci_disable_sriov() -> sriov_disable() ->
> sriov_del_vfs() which also tries to acquire pci_rescan_remove_lock.
> Since this is a non-recursive mutex and the same thread already holds it,
> this results in a deadlock.
> 
> On PREEMPT_RT kernels, where mutexes are backed by rtmutex with deadlock
> detection, this immediately triggers:
> 
>   WARNING: CPU: 15 PID: 11730 at kernel/locking/rtmutex.c:1663
>   Call Trace:
>    mutex_lock+0x47/0x60
>    sriov_disable+0x2a/0x100
>    i40e_free_vfs+0x415/0x470 [i40e]
>    i40e_remove+0x38d/0x3e0 [i40e]
>    pci_device_remove+0x3b/0xb0
>    device_release_driver_internal+0x193/0x200
>    pci_stop_bus_device+0x81/0xb0
>    pci_stop_and_remove_bus_device_locked+0x16/0x30
>    remove_store+0x79/0x90
> 
> On non-RT kernels the same recursive acquisition silently hangs the calling
> process, eventually causing netdev watchdog TX timeout splats.
> 
> This affects all drivers that call pci_disable_sriov() from their .remove()
> callback (i40e, ice, and others).
> 
> Fix this by tracking the owner of pci_rescan_remove_lock and skipping the
> redundant acquisition in sriov_del_vfs() when the current thread already
> holds it.  The VF removal is still serialized correctly because the caller
> already holds the lock.

Ionut, can you confirm whether Niklas's patches resolve this deadlock?
The following patches are queued for v7.0:

  2fa119c0e5e5 ("Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"")
  a5338e365c45 ("PCI/IOV: Fix race between SR-IOV enable/disable and hotplug")

They are included in next-20260205.  They're probably in earlier
linux-next kernels, too, but I guess linux-next doesn't keep older
tags anymore, so I don't know how to figure out exactly when they were
included.  I put them in my tree on Feb 1.

Bjorn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ