From: Bharata B Rao
To: linuxppc-dev@ozlabs.org
Cc: sachinp@linux.vnet.ibm.com, nfont@linux.vnet.ibm.com, Bharata B Rao
Subject: [FIX PATCH v1] powerpc/pseries: Fix reference count leak during CPU unplug
Date: Thu, 9 Mar 2017 10:07:48 +0530
Message-Id: <1489034268-24888-1-git-send-email-bharata@linux.vnet.ibm.com>

The following warning is seen when a CPU is hot unplugged on a PowerKVM
guest:

refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 53 at lib/refcount.c:128 refcount_sub_and_test+0xd8/0xf0
Modules linked in:
CPU: 0 PID: 53 Comm: kworker/u510:1 Not tainted 4.11.0-rc1 #3
Workqueue: pseries hotplug workque pseries_hp_work_fn
task: c0000000fb475000 task.stack: c0000000fb81c000
NIP: c0000000006f0808 LR: c0000000006f0804 CTR: c0000000007b98c0
REGS: c0000000fb81f710 TRAP: 0700 Not tainted (4.11.0-rc1)
MSR: 800000000282b033 CR: 48002222 XER: 20000000
CFAR: c000000000c438e0 SOFTE: 1
GPR00: c0000000006f0804 c0000000fb81f990 c000000001573b00 0000000000000026
GPR04: 0000000000000000 000000000000016c 667265652e0d0a73 652d61667465722d
GPR08: 0000000000000007 0000000000000007 0000000000000001 0000000000000006
GPR12: 0000000000002200 c00000000ff40000 c00000000010c578 c0000001f11b9f40
GPR16: c0000001fe0312a8 c0000001fe031078 c0000001fe031020 0000000000000001
GPR20: 0000000000000000 0000000000000000 c000000001454808 fffffffffffffef7
GPR24: 0000000000000000 c0000001f1677648 0000000000000000 0000000000000000
GPR28: 0000000010000008 c000000000e4d3d8 0000000000000000 c0000001eaae07d8
NIP [c0000000006f0808] refcount_sub_and_test+0xd8/0xf0
LR [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0
Call Trace:
[c0000000fb81f990] [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0 (unreliable)
[c0000000fb81f9f0] [c0000000006d04b4] kobject_put+0x44/0x2a0
[c0000000fb81fa70] [c0000000009d5284] of_node_put+0x34/0x50
[c0000000fb81faa0] [c0000000000aceb8] dlpar_cpu_remove_by_index+0x108/0x130
[c0000000fb81fb30] [c0000000000ae128] dlpar_cpu+0x78/0x550
[c0000000fb81fbe0] [c0000000000a7b40] handle_dlpar_errorlog+0xc0/0x160
[c0000000fb81fc50] [c0000000000a7c74] pseries_hp_work_fn+0x94/0xa0
[c0000000fb81fc80] [c000000000102cec] process_one_work+0x23c/0x540
[c0000000fb81fd20] [c00000000010309c] worker_thread+0xac/0x620
[c0000000fb81fdc0] [c00000000010c6c4] kthread+0x154/0x1a0
[c0000000fb81fe30] [c00000000000bbe0] ret_from_kernel_thread+0x5c/0x7c

Fix this by ensuring that
of_node_put() is called only from the error path in
dlpar_cpu_remove_by_index(). In the normal path, of_node_put() happens
as part of dlpar_detach_node().

Signed-off-by: Bharata B Rao
Cc: Nathan Fontenot
---
Changes in v1:
- Fixed the refcount problem in the userspace driven unplug path
  in addition to in-kernel unplug path. (Sachin Sant)

v0: https://patchwork.ozlabs.org/patch/736547/

 arch/powerpc/platforms/pseries/hotplug-cpu.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c index 7bc0e91..c5ed510 100644 --- a/arch/powerpc/platforms/pseries/hotplug-cpu.c +++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c @@ -619,7 +619,8 @@ static int dlpar_cpu_remove_by_index(u32 drc_index) } rc = dlpar_cpu_remove(dn, drc_index); - of_node_put(dn); + if (rc) + of_node_put(dn); return rc; } @@ -856,9 +857,12 @@ static ssize_t dlpar_cpu_release(const char *buf, size_t count) } rc = dlpar_cpu_remove(dn, drc_index); - of_node_put(dn); - - return rc ? rc : count; + if (rc) { + of_node_put(dn); + return rc; + } else { + return count; + } } #endif /* CONFIG_ARCH_CPU_PROBE_RELEASE */
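
Review bot: In the first hunk (dlpar_cpu_remove_by_index()), `if (rc) of_node_put(dn);` leaves the success-path release implicit: the function now drops its node reference only on failure, and a reader has to know that dlpar_cpu_remove() releases it through dlpar_detach_node(), which the commit message states but the code does not. A one-line comment above the `if (rc)` saying that the reference is dropped by dlpar_detach_node() on success would keep a later cleanup from restoring the unconditional put and bringing back the refcount underflow shown in the trace. It is also worth confirming that every non-zero return from dlpar_cpu_remove() happens before the detach has dropped the reference, since this hunk assumes a failure always leaves the reference with the caller.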
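
Review bot: In the second hunk (dlpar_cpu_release()), the `else` after `return rc;` is redundant; the tail reads more simply as `if (rc) { of_node_put(dn); return rc; }` followed by a plain `return count;`, which is also what kernel coding style asks for after a return. The conditional put repeats the pattern from dlpar_cpu_remove_by_index(), so the same short comment about dlpar_detach_node() releasing the node on success belongs here as well.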