1. Patchew
  2. linux
  3. View series

[PATCH] nfp: nfp_alloc_bar: Fix double unlock

WangYuli posted 1 patch 3 months, 2 weeks ago 
drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] nfp: nfp_alloc_bar: Fix double unlock
Posted by WangYuli 3 months, 2 weeks ago 
The lock management in the nfp_alloc_bar function is problematic:

 *1. The function acquires the lock at the beginning:
spin_lock_irqsave(&nfp->bar_lock, irqflags).

  2. When barnum < 0 and in non-blocking mode, the code jumps to
the err_nobar label. However, in this non-blocking path, if
barnum < 0, the code releases the lock and calls nfp_wait_for_bar.

  3. Inside nfp_wait_for_bar, find_unused_bar_and_lock is called,
which holds the lock upon success (indicated by the __release
annotation). Consequently, when nfp_wait_for_bar returns
successfully, the lock is still held.

  4. But at the err_nobar label, the code always executes
spin_unlock_irqrestore(&nfp->bar_lock, irqflags).

  5. The problem arises when nfp_wait_for_bar successfully finds a
BAR: the lock is still held, but if a subsequent reconfigure_bar
fails, the code will attempt to unlock it again at err_nobar,
leading to a double unlock.

Reported-by: Jun Zhan <zhanjun@uniontech.com>
Co-developed-by: Chen Linxuan <chenlinxuan@uniontech.com>
Signed-off-by: Chen Linxuan <chenlinxuan@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
---
 drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
index 7c2200b49ce4..a7057de87301 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
@@ -489,6 +489,7 @@ nfp_alloc_bar(struct nfp6000_pcie *nfp,
 		if (retval)
 			return retval;
 		__acquire(&nfp->bar_lock);
+		spin_lock_irqsave(&nfp->bar_lock, irqflags);
 	}
 
 	nfp_bar_get(nfp, &nfp->bar[barnum]);
-- 
2.50.0
Re: [PATCH] nfp: nfp_alloc_bar: Fix double unlock
Posted by Jakub Kicinski 3 months, 2 weeks ago 
On Mon, 23 Jun 2025 12:11:04 +0800 WangYuli wrote:
> The lock management in the nfp_alloc_bar function is problematic:
> 
>  *1. The function acquires the lock at the beginning:
> spin_lock_irqsave(&nfp->bar_lock, irqflags).
> 
>   2. When barnum < 0 and in non-blocking mode, the code jumps to
> the err_nobar label. However, in this non-blocking path, if
> barnum < 0, the code releases the lock and calls nfp_wait_for_bar.
> 
>   3. Inside nfp_wait_for_bar, find_unused_bar_and_lock is called,
> which holds the lock upon success (indicated by the __release
> annotation). Consequently, when nfp_wait_for_bar returns
> successfully, the lock is still held.
> 
>   4. But at the err_nobar label, the code always executes
> spin_unlock_irqrestore(&nfp->bar_lock, irqflags).
> 
>   5. The problem arises when nfp_wait_for_bar successfully finds a
> BAR: the lock is still held, but if a subsequent reconfigure_bar
> fails, the code will attempt to unlock it again at err_nobar,
> leading to a double unlock.

I don't understand what you're trying to say.
If you think your analysis is correct please provide a more exact
execution path with a code listing.
-- 
pw-bot: cr
Re: [PATCH] nfp: nfp_alloc_bar: Fix double unlock
Posted by Chen Linxuan 3 months, 1 week ago 
On Tue, Jun 24, 2025 at 4:12 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Mon, 23 Jun 2025 12:11:04 +0800 WangYuli wrote:
> > The lock management in the nfp_alloc_bar function is problematic:
> >
> >  *1. The function acquires the lock at the beginning:
> > spin_lock_irqsave(&nfp->bar_lock, irqflags).
> >
> >   2. When barnum < 0 and in non-blocking mode, the code jumps to
> > the err_nobar label. However, in this non-blocking path, if
> > barnum < 0, the code releases the lock and calls nfp_wait_for_bar.
> >
> >   3. Inside nfp_wait_for_bar, find_unused_bar_and_lock is called,
> > which holds the lock upon success (indicated by the __release
> > annotation). Consequently, when nfp_wait_for_bar returns
> > successfully, the lock is still held.
> >
> >   4. But at the err_nobar label, the code always executes
> > spin_unlock_irqrestore(&nfp->bar_lock, irqflags).
> >
> >   5. The problem arises when nfp_wait_for_bar successfully finds a
> > BAR: the lock is still held, but if a subsequent reconfigure_bar
> > fails, the code will attempt to unlock it again at err_nobar,
> > leading to a double unlock.
>
> I don't understand what you're trying to say.
> If you think your analysis is correct please provide a more exact
> execution path with a code listing.

In nfp_alloc_bar(), if

- find_matching_bar() fails to find a bar
- find_unused_bar_noblock also fails to find a bar
- nonblocking == false
- nfp_wait_for_bar returns 0

In this situation, when executing nfp_bar_get(nfp, &nfp->bar[barnum]),
the code does not hold &nfp->bar_lock.
We referred to similar logic in other drivers:
https://elixir.bootlin.com/linux/v6.13/source/sound/usb/line6/driver.c#L565
It seems that a lock should be acquired here again.

> --
> pw-bot: cr
>
>
Re: [PATCH] nfp: nfp_alloc_bar: Fix double unlock
Posted by Chen Linxuan 3 months, 1 week ago 
On Tue, Jul 1, 2025 at 3:45 PM Chen Linxuan <chenlinxuan@uniontech.com> wrote:
>
> On Tue, Jun 24, 2025 at 4:12 AM Jakub Kicinski <kuba@kernel.org> wrote:
> >
> > On Mon, 23 Jun 2025 12:11:04 +0800 WangYuli wrote:
> > > The lock management in the nfp_alloc_bar function is problematic:
> > >
> > >  *1. The function acquires the lock at the beginning:
> > > spin_lock_irqsave(&nfp->bar_lock, irqflags).
> > >
> > >   2. When barnum < 0 and in non-blocking mode, the code jumps to
> > > the err_nobar label. However, in this non-blocking path, if
> > > barnum < 0, the code releases the lock and calls nfp_wait_for_bar.
> > >
> > >   3. Inside nfp_wait_for_bar, find_unused_bar_and_lock is called,
> > > which holds the lock upon success (indicated by the __release
> > > annotation). Consequently, when nfp_wait_for_bar returns
> > > successfully, the lock is still held.
> > >
> > >   4. But at the err_nobar label, the code always executes
> > > spin_unlock_irqrestore(&nfp->bar_lock, irqflags).
> > >
> > >   5. The problem arises when nfp_wait_for_bar successfully finds a
> > > BAR: the lock is still held, but if a subsequent reconfigure_bar
> > > fails, the code will attempt to unlock it again at err_nobar,
> > > leading to a double unlock.
> >
> > I don't understand what you're trying to say.
> > If you think your analysis is correct please provide a more exact
> > execution path with a code listing.
>
> In nfp_alloc_bar(), if
>
> - find_matching_bar() fails to find a bar
> - find_unused_bar_noblock also fails to find a bar
> - nonblocking == false
> - nfp_wait_for_bar returns 0
>
> In this situation, when executing nfp_bar_get(nfp, &nfp->bar[barnum]),
> the code does not hold &nfp->bar_lock.
> We referred to similar logic in other drivers:
> https://elixir.bootlin.com/linux/v6.13/source/sound/usb/line6/driver.c#L565
> It seems that a lock should be acquired here again.

Sorry, I found that find_unused_bar_and_lock already re-locks it. I
didn't notice it before. Please ignore the entire thread.

>
> > --
> > pw-bot: cr
> >
> >

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.