linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] vfio: fix noiommu vfio_iommu_group_get reference count
@ 2017-08-08 20:44 Eric Auger
  2017-08-10 19:47 ` Alex Williamson
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Auger @ 2017-08-08 20:44 UTC (permalink / raw)
  To: eric.auger.pro, eric.auger, linux-kernel, alex.williamson

In vfio_iommu_group_get() we want to increase the reference
count of the iommu group.

In noiommu case, the group does not exist and is allocated.
iommu_group_add_device() increases the group ref count. However we
then call iommu_group_put() which decrements it.

This leads to a "refcount_t: underflow WARN_ON".

Signed-off-by: Eric Auger <eric.auger@redhat.com>
---
 drivers/vfio/vfio.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 330d505..fd8d691 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -138,7 +138,6 @@ struct iommu_group *vfio_iommu_group_get(struct device *dev)
 	iommu_group_set_name(group, "vfio-noiommu");
 	iommu_group_set_iommudata(group, &noiommu, NULL);
 	ret = iommu_group_add_device(group, dev);
-	iommu_group_put(group);
 	if (ret)
 		return NULL;
 
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] vfio: fix noiommu vfio_iommu_group_get reference count
  2017-08-08 20:44 [PATCH] vfio: fix noiommu vfio_iommu_group_get reference count Eric Auger
@ 2017-08-10 19:47 ` Alex Williamson
  0 siblings, 0 replies; 2+ messages in thread
From: Alex Williamson @ 2017-08-10 19:47 UTC (permalink / raw)
  To: Eric Auger; +Cc: eric.auger.pro, linux-kernel

On Tue,  8 Aug 2017 22:44:28 +0200
Eric Auger <eric.auger@redhat.com> wrote:

> In vfio_iommu_group_get() we want to increase the reference
> count of the iommu group.
> 
> In noiommu case, the group does not exist and is allocated.
> iommu_group_add_device() increases the group ref count. However we
> then call iommu_group_put() which decrements it.
> 
> This leads to a "refcount_t: underflow WARN_ON".

Yep, the group is created with an initial reference count of 1, we then
add the device, which increments the reference count.  Normally the
instantiator of the group would then release the reference, so that
only the device reference holds the group.  However here we want a
reference in addition to the device reference, so we should never have
released the initial reference.  Seems right, except...

> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> ---
>  drivers/vfio/vfio.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 330d505..fd8d691 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -138,7 +138,6 @@ struct iommu_group *vfio_iommu_group_get(struct device *dev)
>  	iommu_group_set_name(group, "vfio-noiommu");
>  	iommu_group_set_iommudata(group, &noiommu, NULL);
>  	ret = iommu_group_add_device(group, dev);
> -	iommu_group_put(group);
>  	if (ret)
>  		return NULL;

We leak the group in the error case here.  Perhaps the 'put' is
correct, it was just typo'd outside of the error case.  Thanks,

Alex

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-08-10 19:47 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-08 20:44 [PATCH] vfio: fix noiommu vfio_iommu_group_get reference count Eric Auger
2017-08-10 19:47 ` Alex Williamson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).