vfio: get rid of vfio_device_put()/vfio_group_get_device* races

we really need to make sure that dropping the last reference happens
under the group->device_lock; otherwise a loop (under device_lock)
might find vfio_device instance that is being freed right now, has
already dropped the last reference and waits on device_lock to exclude
the sucker from the list.

Acked-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 1 insertions, 2 deletions

diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 92b85676e6be..887ae43276bb 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -396,7 +396,6 @@ static void vfio_device_release(struct kref *kref)
                                                   struct vfio_device, kref);
         struct vfio_group *group = device->group;
 
-        mutex_lock(&group->device_lock);
         list_del(&device->group_next);
         mutex_unlock(&group->device_lock);
 
@@ -412,7 +411,7 @@ static void vfio_device_release(struct kref *kref)
 static void vfio_device_put(struct vfio_device *device)
 {
         struct vfio_group *group = device->group;
-        kref_put(&device->kref, vfio_device_release);
+        kref_put_mutex(&device->kref, vfio_device_release, &group->device_lock);
         vfio_group_put(group);
 }