2009-01-17 15:24:22

by Jiri Slaby

[permalink] [raw]
Subject: [PATCH] PCI: pciehp_core, fix lock imbalance

set_lock_status omits mutex_unlock in fail path. Add the omitted
unlock.

As a result a lockup caused by this can be triggered from userspace
by writing 1 to /sys/bus/pci/slots/.../lock often enough.

Signed-off-by: Jiri Slaby <[email protected]>
Cc: Kristen Carlson Accardi <[email protected]>
Cc: Jesse Barnes <[email protected]>
---
drivers/pci/hotplug/pciehp_core.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
index 5482d4e..c248554 100644
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -126,8 +126,10 @@ static int set_lock_status(struct hotplug_slot *hotplug_slot, u8 status)
mutex_lock(&slot->ctrl->crit_sect);

/* has it been >1 sec since our last toggle? */
- if ((get_seconds() - slot->last_emi_toggle) < 1)
+ if ((get_seconds() - slot->last_emi_toggle) < 1) {
+ mutex_unlock(&slot->ctrl->crit_sect);
return -EINVAL;
+ }

/* see what our current state is */
retval = get_lock_status(hotplug_slot, &value);
--
1.6.1
caught by stanse


2009-01-19 02:02:00

by Kenji Kaneshige

[permalink] [raw]
Subject: Re: [PATCH] PCI: pciehp_core, fix lock imbalance

Jiri Slaby wrote:
> set_lock_status omits mutex_unlock in fail path. Add the omitted
> unlock.
>
> As a result a lockup caused by this can be triggered from userspace
> by writing 1 to /sys/bus/pci/slots/.../lock often enough.
>
> Signed-off-by: Jiri Slaby <[email protected]>
> Cc: Kristen Carlson Accardi <[email protected]>
> Cc: Jesse Barnes <[email protected]>
> ---
> drivers/pci/hotplug/pciehp_core.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
> index 5482d4e..c248554 100644
> --- a/drivers/pci/hotplug/pciehp_core.c
> +++ b/drivers/pci/hotplug/pciehp_core.c
> @@ -126,8 +126,10 @@ static int set_lock_status(struct hotplug_slot *hotplug_slot, u8 status)
> mutex_lock(&slot->ctrl->crit_sect);
>
> /* has it been >1 sec since our last toggle? */
> - if ((get_seconds() - slot->last_emi_toggle) < 1)
> + if ((get_seconds() - slot->last_emi_toggle) < 1) {
> + mutex_unlock(&slot->ctrl->crit_sect);
> return -EINVAL;
> + }
>
> /* see what our current state is */
> retval = get_lock_status(hotplug_slot, &value);

Good catch!

Reviewed-by: Kenji Kaneshige <[email protected]>

Thanks,
Kenji Kaneshige

2009-01-19 18:56:52

by Jesse Barnes

[permalink] [raw]
Subject: Re: [PATCH] PCI: pciehp_core, fix lock imbalance

On Saturday, January 17, 2009 7:23 am Jiri Slaby wrote:
> set_lock_status omits mutex_unlock in fail path. Add the omitted
> unlock.
>
> As a result a lockup caused by this can be triggered from userspace
> by writing 1 to /sys/bus/pci/slots/.../lock often enough.
>
> Signed-off-by: Jiri Slaby <[email protected]>
> Cc: Kristen Carlson Accardi <[email protected]>
> Cc: Jesse Barnes <[email protected]>
> ---
> drivers/pci/hotplug/pciehp_core.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/pci/hotplug/pciehp_core.c
> b/drivers/pci/hotplug/pciehp_core.c index 5482d4e..c248554 100644
> --- a/drivers/pci/hotplug/pciehp_core.c
> +++ b/drivers/pci/hotplug/pciehp_core.c
> @@ -126,8 +126,10 @@ static int set_lock_status(struct hotplug_slot
> *hotplug_slot, u8 status) mutex_lock(&slot->ctrl->crit_sect);
>
> /* has it been >1 sec since our last toggle? */
> - if ((get_seconds() - slot->last_emi_toggle) < 1)
> + if ((get_seconds() - slot->last_emi_toggle) < 1) {
> + mutex_unlock(&slot->ctrl->crit_sect);
> return -EINVAL;
> + }
>
> /* see what our current state is */
> retval = get_lock_status(hotplug_slot, &value);

Applied to my for-linus branch (with Kenji-san's reviewed-by), thanks.

--
Jesse Barnes, Intel Open Source Technology Center