lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 10 Aug 2017 13:47:25 -0600
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Eric Auger <eric.auger@...hat.com>
Cc:     eric.auger.pro@...il.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vfio: fix noiommu vfio_iommu_group_get reference count

On Tue,  8 Aug 2017 22:44:28 +0200
Eric Auger <eric.auger@...hat.com> wrote:

> In vfio_iommu_group_get() we want to increase the reference
> count of the iommu group.
> 
> In noiommu case, the group does not exist and is allocated.
> iommu_group_add_device() increases the group ref count. However we
> then call iommu_group_put() which decrements it.
> 
> This leads to a "refcount_t: underflow WARN_ON".

Yep, the group is created with an initial reference count of 1, we then
add the device, which increments the reference count.  Normally the
instantiator of the group would then release the reference, so that
only the device reference holds the group.  However here we want a
reference in addition to the device reference, so we should never have
released the initial reference.  Seems right, except...

> Signed-off-by: Eric Auger <eric.auger@...hat.com>
> ---
>  drivers/vfio/vfio.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 330d505..fd8d691 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -138,7 +138,6 @@ struct iommu_group *vfio_iommu_group_get(struct device *dev)
>  	iommu_group_set_name(group, "vfio-noiommu");
>  	iommu_group_set_iommudata(group, &noiommu, NULL);
>  	ret = iommu_group_add_device(group, dev);
> -	iommu_group_put(group);
>  	if (ret)
>  		return NULL;

We leak the group in the error case here.  Perhaps the 'put' is
correct, it was just typo'd outside of the error case.  Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ