Date:	Thu, 21 Aug 2008 13:40:57 -0700
From:	Greg KH <gregkh@...e.de>
To:	Alex Chiang <achiang@...com>, linux-pci@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: refcount leak in pci_get_device()?

On Thu, Aug 21, 2008 at 02:19:18PM -0600, Alex Chiang wrote:
> Hi Greg,
> 
> While playing around with my slot symlink stuff, I noticed that
> the following sequence is problematic:
> 
> 	1. clean boot
> 	2. modprobe acpiphp
> 	3. echo 0 > /sys/bus/pci/slots/N/power
> 	4. ???
> 
> After step 3, we *should* be seeing pci_release_dev() getting
> called, but we never do because the refcount on the device is
> still quite high (5 or 6, on my ia64 system).
> 
> I'm still trying to track this down, but I did notice, via code
> inspection, at least one suspicious area:
> 
> #define for_each_pci_dev(d) while ((d = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, d)) != NULL)
> 
> That eventually calls pci_get_dev_by_id(), which increases the
> refcount on the device, but never decrements it.
> 
> Looks like that change in behavior happened here:
> 
> 	PCI: clean up search.c a lot
> 	95247b57ed844511a212265b45cf9a919753aea1
> 
> pci_get_device() used to decrement the refcount, but no longer
> does.

No, pci_get_device() never decremented the refcount, and that didn't
change in the above git commit.

The description of pci_get_device() says that a reference is grabbed:
	Iterates through the list of known PCI devices.  If a PCI device
	is found with a matching @vendor and @device, the reference
	count to the device is incremented and a pointer to its device
	structure is returned.  Otherwise, %NULL is returned.  A new
	search is initiated by passing %NULL as the @from argument.
	Otherwise if @from is not %NULL, searches continue from next
	device on the global list.  The reference count for @from is
	always decremented if it is not %NULL.


All of the pci_find* functions should not have grabbed a reference to
the device, as that was the "old" behavior.  All of the pci_get*
functions do grab a reference.

Did I somehow mess up and one of the pci_find* functions now improperly
increment a reference?  Hopefully we shouldn't be using those functions
anymore as they aren't hotplug safe...

thanks,

greg k-h
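
The reference discipline Greg quotes from the pci_get_device() kernel-doc, as an added example that is not part of the original thread or of the kernel source: a small userspace C model in which struct dev, dev_get(), dev_put() and for_each_dev() are stand-ins for struct pci_dev, pci_get_device(), pci_dev_put() and for_each_pci_dev(), and the device table is constructed. It shows that the loop only balances its references when it runs to the terminating NULL (the final call drops the reference on @from), and that breaking out early leaves the caller holding exactly one reference it must release with the put.

```c
/* Userspace model of the pci_get_device()/pci_dev_put() contract.
 * Added example, not kernel code: struct dev, dev_get(), dev_put() and
 * for_each_dev() stand in for struct pci_dev, pci_get_device(),
 * pci_dev_put() and for_each_pci_dev(). The device table is constructed. */
#include <stddef.h>
#include <stdio.h>

#define ANY_ID 0xffffu          /* stands in for PCI_ANY_ID */
#define NDEV 4

struct dev {
    unsigned vendor, device;
    int refcount;               /* 1 = the reference the bus itself holds */
};

static struct dev devs[NDEV] = {  /* constructed sample devices */
    { 0x8086, 0x1000, 1 },
    { 0x10de, 0x2000, 1 },
    { 0x8086, 0x3000, 1 },
    { 0x1af4, 0x4000, 1 },
};

/* pci_dev_put() analogue: drop one reference (NULL is a no-op). */
static void dev_put(struct dev *d)
{
    if (d)
        d->refcount--;
}

/* pci_get_device() analogue, following the kernel-doc quoted above:
 * the reference on @from is ALWAYS dropped when @from is non-NULL, and a
 * reference is taken on the device returned (none when NULL is returned). */
static struct dev *dev_get(unsigned vendor, unsigned device, struct dev *from)
{
    size_t start = 0;
    if (from) {
        start = (size_t)(from - devs) + 1;
        dev_put(from);
    }
    for (size_t i = start; i < NDEV; i++) {
        struct dev *d = &devs[i];
        if ((vendor == ANY_ID || d->vendor == vendor) &&
            (device == ANY_ID || d->device == device)) {
            d->refcount++;
            return d;
        }
    }
    return NULL;
}

#define for_each_dev(d) while ((d = dev_get(ANY_ID, ANY_ID, d)) != NULL)

/* References held above the bus's own: 0 means every get was balanced. */
static int leaked_refs(void)
{
    int extra = 0;
    for (size_t i = 0; i < NDEV; i++)
        extra += devs[i].refcount - 1;
    return extra;
}

/* Full walk: balanced by construction, because the last dev_get() that
 * returns NULL still drops the reference on @from. */
static int count_vendor(unsigned vendor)
{
    struct dev *d = NULL;
    int n = 0;
    for_each_dev(d)
        if (d->vendor == vendor)
            n++;
    return n;
}

/* Early exit: the loop is left holding the reference on the match, which
 * now belongs to the caller. Forgetting dev_put() is the leak. */
static struct dev *find_vendor(unsigned vendor)
{
    struct dev *d = NULL;
    for_each_dev(d)
        if (d->vendor == vendor)
            break;
    return d;                   /* caller owns one reference on d */
}

/* Runs find_vendor() and reports references outstanding afterwards:
 * 1 when the caller skips dev_put(), 0 when it releases the device. */
static int early_break_outstanding(int call_put)
{
    struct dev *d = find_vendor(0x10de);
    if (call_put)
        dev_put(d);
    int extra = leaked_refs();
    if (!call_put)
        dev_put(d);             /* reset the model for later calls */
    return extra;
}

/* Single lookup done right: get, use, put. */
static unsigned first_device_id(unsigned vendor)
{
    struct dev *d = dev_get(vendor, ANY_ID, NULL);
    unsigned id = d ? d->device : 0;
    dev_put(d);
    return id;
}

int main(void)
{
    printf("0x8086 devices: %d, outstanding refs: %d\n",
           count_vendor(0x8086), leaked_refs());
    printf("break without put: %d outstanding\n", early_break_outstanding(0));
    printf("break with put:    %d outstanding\n", early_break_outstanding(1));
    printf("first 0x8086 device id: 0x%x\n", first_device_id(0x8086));
    return 0;
}
```

The same check carries over to real code: a for_each_pci_dev() walk that runs to completion needs no pci_dev_put(), but any `break` (or `return`) out of it leaves the caller owning the reference on the current device, which must eventually be dropped with pci_dev_put() or the device's refcount never reaches zero and its release function is never called.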