[PATCH v3] cxl/hdm: fix a warning in devm_remove_action()

[Sungwoo Kim]

In the following race scenario, devm_remove_action() can be called
before devm_add_action(), triggering a warning because there is no
action to remove.

To fix this, __cxl_dpa_reserve() performs devm_add_action(). This
extends the critical section that embraces cxled->dpa_res = res and
devm_add_action(), so cxl_dpa_free() cannot observe dpa_res without
the devres action.

Also, renamed __cxl_dpa_reserve() to __devm_cxl_dpa_reserve().

task 1:
cxl_dpa_alloc()
  __cxl_dpa_alloc()
    guard(&cxl_rwsem.dpa)
    cxled->dpa_res = res;  ...(1)
  devm_add_action()        ...(4)

task 2:
cxl_dpa_free()
  guard(&cxl_rwsem.dpa)
  if (!cxled->dpa_res)     ...(2) pass, due to (1)
    return 0;
  devm_cxl_dpa_release()
    devm_remove_action()   ...(3) warning, no action is added yet

Splat:

WARNING: ./include/linux/device/devres.h:160 at devm_remove_action include/linux/device/devres.h:160 [inline], CPU#0: syz.1.6464/25993
WARNING: ./include/linux/device/devres.h:160 at devm_cxl_dpa_release drivers/cxl/core/hdm.c:290 [inline], CPU#0: syz.1.6464/25993
WARNING: ./include/linux/device/devres.h:160 at cxl_dpa_free+0x2a4/0x320 drivers/cxl/core/hdm.c:572, CPU#0: syz.1.6464/25993

Fixes: cf880423b6a0 ("cxl/hdm: Add support for allocating DPA to an endpoint decoder")
Fixes: 9c57cde0dcbd ("cxl/hdm: Enumerate allocated DPA")
Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>
---
V2: https://lore.kernel.org/linux-cxl/CAJNyHpL-fyDnEJv2bxKNjBAzxHZ9HmKTu72MzcVhWiFrDRKzpw@xxxxxxxxxxxxxx/
V2->V3:
- Fixed a potential deadlock in V2.
- Renamed __cxl_dpa_reserve() to __devm_cxl_dpa_reserve().

 drivers/cxl/core/hdm.c | 43 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
index 0c80b76a5f9b..0492a878a065 100644
--- a/drivers/cxl/core/hdm.c
+++ b/drivers/cxl/core/hdm.c
@@ -336,7 +336,7 @@ static int request_skip(struct cxl_dev_state *cxlds,
 	return -EBUSY;
 }
 
-static int __cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
+static int __devm_cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
 			     resource_size_t base, resource_size_t len,
 			     resource_size_t skipped)
 {
@@ -408,7 +408,19 @@ static int __cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
 
 	port->hdm_end++;
 	get_device(&cxled->cxld.dev);
-	return 0;
+
+	/*
+	 * Perform devres registration while holding cxl_rwsem.dpa so
+	 * cxl_dpa_free() cannot observe dpa_res without a matching devres
+	 * action.
+	 * Also, invoke the release action with the unlocked __cxl_dpa_release()
+	 * since cxl_dpa_release() acquires the the cxl_rwsem.dpa.
+	 */
+	rc = devm_add_action(&port->dev, cxl_dpa_release, cxled);
+	if (rc) {
+		__cxl_dpa_release(cxled);
+	}
+	return rc;
 }
 
 static int add_dpa_res(struct device *dev, struct resource *parent,
@@ -499,16 +511,8 @@ int devm_cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
 				resource_size_t base, resource_size_t len,
 				resource_size_t skipped)
 {
-	struct cxl_port *port = cxled_to_port(cxled);
-	int rc;
-
-	scoped_guard(rwsem_write, &cxl_rwsem.dpa)
-		rc = __cxl_dpa_reserve(cxled, base, len, skipped);
-
-	if (rc)
-		return rc;
-
-	return devm_add_action_or_reset(&port->dev, cxl_dpa_release, cxled);
+	guard(rwsem_write)(&cxl_rwsem.dpa);
+	return __devm_cxl_dpa_reserve(cxled, base, len, skipped);
 }
 EXPORT_SYMBOL_NS_GPL(devm_cxl_dpa_reserve, "CXL");
 
@@ -606,7 +610,8 @@ static int __cxl_dpa_alloc(struct cxl_endpoint_decoder *cxled, u64 size)
 	struct resource *p, *last;
 	int part;
 
-	guard(rwsem_write)(&cxl_rwsem.dpa);
+	lockdep_assert_held_write(&cxl_rwsem.dpa);
+
 	if (cxled->cxld.region) {
 		dev_dbg(dev, "decoder attached to %s\n",
 			dev_name(&cxled->cxld.region->dev));
@@ -664,19 +669,13 @@ static int __cxl_dpa_alloc(struct cxl_endpoint_decoder *cxled, u64 size)
 		return -ENOSPC;
 	}
 
-	return __cxl_dpa_reserve(cxled, start, size, skip);
+	return __devm_cxl_dpa_reserve(cxled, start, size, skip);
 }
 
 int cxl_dpa_alloc(struct cxl_endpoint_decoder *cxled, u64 size)
 {
-	struct cxl_port *port = cxled_to_port(cxled);
-	int rc;
-
-	rc = __cxl_dpa_alloc(cxled, size);
-	if (rc)
-		return rc;
-
-	return devm_add_action_or_reset(&port->dev, cxl_dpa_release, cxled);
+	guard(rwsem_write)(&cxl_rwsem.dpa);
+	return __cxl_dpa_alloc(cxled, size);
 }
 
 static void cxld_set_interleave(struct cxl_decoder *cxld, u32 *ctrl)
-- 
2.47.3