summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2012-08-18 03:29:06 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2012-08-22 16:26:13 +0200
commit90b1253e4139776e8257914ae9e2292d0de2fecc (patch)
tree47ed9f35d8f58d42f6e3c8614d355b1edc86f51b
parentvfio: get rid of open-coding kref_put_mutex (diff)
downloadlinux-90b1253e4139776e8257914ae9e2292d0de2fecc.tar.xz
linux-90b1253e4139776e8257914ae9e2292d0de2fecc.zip
vfio: get rid of vfio_device_put()/vfio_group_get_device* races
we really need to make sure that dropping the last reference happens under the group->device_lock; otherwise a loop (under device_lock) might find vfio_device instance that is being freed right now, has already dropped the last reference and waits on device_lock to exclude the sucker from the list. Acked-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--drivers/vfio/vfio.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 92b85676e6be..887ae43276bb 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -396,7 +396,6 @@ static void vfio_device_release(struct kref *kref)
struct vfio_device, kref);
struct vfio_group *group = device->group;
- mutex_lock(&group->device_lock);
list_del(&device->group_next);
mutex_unlock(&group->device_lock);
@@ -412,7 +411,7 @@ static void vfio_device_release(struct kref *kref)
static void vfio_device_put(struct vfio_device *device)
{
struct vfio_group *group = device->group;
- kref_put(&device->kref, vfio_device_release);
+ kref_put_mutex(&device->kref, vfio_device_release, &group->device_lock);
vfio_group_put(group);
}