From: Lukas Wunner <lukas@wunner.de>
To: "Deucher, Alexander" <Alexander.Deucher@amd.com>
Cc: Takashi Iwai <tiwai@suse.de>, Jaroslav Kysela <perex@perex.cz>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Bjorn Helgaas <helgaas@kernel.org>,
Nicholas Johnson <nicholas.johnson-opensource@outlook.com.au>,
"alsa-devel@alsa-project.org" <alsa-devel@alsa-project.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>
Subject: Re: [PATCH] ALSA: hda/hdmi - Fix duplicate unref of pci_dev
Date: Tue, 10 Dec 2019 17:13:45 +0100
Message-ID: <20191210161345.apz4aixgszcd6vco@wunner.de> (raw)
In-Reply-To: <MWHPR12MB1358449C677259C848AAB11EF75B0@MWHPR12MB1358.namprd12.prod.outlook.com>
On Tue, Dec 10, 2019 at 03:53:20PM +0000, Deucher, Alexander wrote:
> > On Tue, Dec 10, 2019 at 03:34:27PM +0000, Deucher, Alexander wrote:
> > > > Nicholas Johnson reports a null pointer deref as well as a refcount
> > > > underflow upon hot-removal of a Thunderbolt-attached AMD eGPU.
> > > > He's bisected the issue down to commit 586bc4aab878 ("ALSA: hda/hdmi
> > > > - fix vgaswitcheroo detection for AMD").
> > > >
> > > > The commit iterates over PCI devices using pci_get_class() and
> > > > unreferences each device found, even though pci_get_class()
> > > > subsequently unreferences the device as well. Fix it.
> > >
> > > The pci_dev_put() a few lines above should probably be dropped as well.
> >
> > That one looks fine to me. The refcount is already increased in the caller
> > get_bound_vga() via pci_get_domain_bus_and_slot() and it's increased
> > again in atpx_present() via pci_get_class(). It needs to be decremented in
> > atpx_present() to avoid leaking a ref.
>
> I'm not following. This is part of the same loop as the one you removed.
> All we are doing is checking whether the ATPX method exists or not om the
> platform. The pdev may not be the same one as the one in
> pci_get_domain_bus_and_slot(). The APTX method in the APU's ACPI namespace,
> not the dGPUs.
Okay. Still, atpx_present() doesn't pass the found pci_dev back to the
caller, so it would be leaked if the ref isn't returned.
The situation is different for the pci_dev_put() I removed: The ref is
returned by pci_get_class() on the next loop iteration.
Thanks,
Lukas
> > > > diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
> > > > index 35b4526f0d28..b856b89378ac 100644
> > > > --- a/sound/pci/hda/hda_intel.c
> > > > +++ b/sound/pci/hda/hda_intel.c
> > > > @@ -1419,7 +1419,6 @@ static bool atpx_present(void)
> > > > return true;
> > > > }
> > > > }
> > > > - pci_dev_put(pdev);
> > > > }
> > > > return false;
> > > > }
> > > > --
> > > > 2.24.0
prev parent reply index
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-09 12:34 Linux v5.5 serious PCI bug Nicholas Johnson
2019-12-09 12:37 ` Pavel Machek
2019-12-09 13:07 ` Nicholas Johnson
2019-12-09 13:12 ` mika.westerberg
2019-12-09 13:29 ` Nicholas Johnson
2019-12-09 13:33 ` Nicholas Johnson
2019-12-10 7:28 ` mika.westerberg
2019-12-10 12:00 ` Nicholas Johnson
2019-12-10 12:29 ` Lukas Wunner
2019-12-10 12:46 ` Takashi Iwai
2019-12-11 7:33 ` Jiasen Lin
2019-12-10 12:52 ` Nicholas Johnson
2019-12-10 12:34 ` mika.westerberg
2019-12-10 13:39 ` [PATCH] ALSA: hda/hdmi - Fix duplicate unref of pci_dev Lukas Wunner
2019-12-10 13:41 ` Takashi Iwai
2019-12-10 13:47 ` Nicholas Johnson
2019-12-10 13:50 ` Takashi Iwai
2019-12-10 15:34 ` Deucher, Alexander
2019-12-10 15:46 ` Lukas Wunner
2019-12-10 15:53 ` Deucher, Alexander
2019-12-10 16:10 ` Takashi Iwai
2019-12-10 16:51 ` Deucher, Alexander
2019-12-10 16:13 ` Lukas Wunner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191210161345.apz4aixgszcd6vco@wunner.de \
--to=lukas@wunner.de \
--cc=Alexander.Deucher@amd.com \
--cc=alsa-devel@alsa-project.org \
--cc=helgaas@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=nicholas.johnson-opensource@outlook.com.au \
--cc=perex@perex.cz \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
LKML Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
linux-kernel@vger.kernel.org
public-inbox-index lkml
Example config snippet for mirrors
Newsgroup available over NNTP:
nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git