| Message ID | 1488810076-3754-18-git-send-email-elena.reshetova@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Bjorn Helgaas |
| Headers | show |
[+cc Hyper-V folks, -cc others] On Mon, Mar 06, 2017 at 04:21:04PM +0200, Elena Reshetova wrote: > refcount_t type and corresponding API should be > used instead of atomic_t when the variable is used as > a reference counter. This allows to avoid accidental > refcounter overflows that might lead to use-after-free > situations. > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> > Signed-off-by: Kees Cook <keescook@chromium.org> > Signed-off-by: David Windsor <dwindsor@gmail.com> > --- > drivers/pci/host/pci-hyperv.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c > index cd114c6..870deed 100644 > --- a/drivers/pci/host/pci-hyperv.c > +++ b/drivers/pci/host/pci-hyperv.c > @@ -56,6 +56,7 @@ > #include <asm/apic.h> > #include <linux/msi.h> > #include <linux/hyperv.h> > +#include <linux/refcount.h> > #include <asm/mshyperv.h> > > /* > @@ -421,7 +422,7 @@ enum hv_pcidev_ref_reason { > struct hv_pci_dev { > /* List protected by pci_rescan_remove_lock */ > struct list_head list_entry; > - atomic_t refs; > + refcount_t refs; > enum hv_pcichild_state state; > struct pci_function_description desc; > bool reported_missing; > @@ -1254,13 +1255,13 @@ static void q_resource_requirements(void *context, struct pci_response *resp, > static void get_pcichild(struct hv_pci_dev *hpdev, > enum hv_pcidev_ref_reason reason) > { > - atomic_inc(&hpdev->refs); > + refcount_inc(&hpdev->refs); > } > > static void put_pcichild(struct hv_pci_dev *hpdev, > enum hv_pcidev_ref_reason reason) > { > - if (atomic_dec_and_test(&hpdev->refs)) > + if (refcount_dec_and_test(&hpdev->refs)) > kfree(hpdev); > } > > @@ -1314,7 +1315,7 @@ static struct hv_pci_dev *new_pcichild_device(struct hv_pcibus_device *hbus, > wait_for_completion(&comp_pkt.host_event); > > hpdev->desc = *desc; > - get_pcichild(hpdev, hv_pcidev_ref_initial); > + refcount_set(&hpdev->refs, 1); > get_pcichild(hpdev, hv_pcidev_ref_childlist); > spin_lock_irqsave(&hbus->device_list_lock, flags); > list_add_tail(&hpdev->list_entry, &hbus->children); > -- > 2.7.4 >
On Mon, 6 Mar 2017 15:38:29 -0600 Bjorn Helgaas <helgaas@kernel.org> wrote: > [+cc Hyper-V folks, -cc others] > > On Mon, Mar 06, 2017 at 04:21:04PM +0200, Elena Reshetova wrote: > > refcount_t type and corresponding API should be > > used instead of atomic_t when the variable is used as > > a reference counter. This allows to avoid accidental > > refcounter overflows that might lead to use-after-free > > situations. > > > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> > > Signed-off-by: Kees Cook <keescook@chromium.org> > > Signed-off-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com>
> On Mon, 6 Mar 2017 15:38:29 -0600 > Bjorn Helgaas <helgaas@kernel.org> wrote: > > > [+cc Hyper-V folks, -cc others] > > > > On Mon, Mar 06, 2017 at 04:21:04PM +0200, Elena Reshetova wrote: > > > refcount_t type and corresponding API should be > > > used instead of atomic_t when the variable is used as > > > a reference counter. This allows to avoid accidental > > > refcounter overflows that might lead to use-after-free > > > situations. > > > > > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > > Signed-off-by: David Windsor <dwindsor@gmail.com> > > > Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com> Getting back on this: could you take the patch via your tree or should I resubmit to some dedicated place with a new review-by added? Best Regards, Elena
On Tue, Apr 18, 2017 at 5:40 AM, Reshetova, Elena <elena.reshetova@intel.com> wrote: > > >> On Mon, 6 Mar 2017 15:38:29 -0600 >> Bjorn Helgaas <helgaas@kernel.org> wrote: >> >> > [+cc Hyper-V folks, -cc others] >> > >> > On Mon, Mar 06, 2017 at 04:21:04PM +0200, Elena Reshetova wrote: >> > > refcount_t type and corresponding API should be >> > > used instead of atomic_t when the variable is used as >> > > a reference counter. This allows to avoid accidental >> > > refcounter overflows that might lead to use-after-free >> > > situations. >> > > >> > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> >> > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> >> > > Signed-off-by: Kees Cook <keescook@chromium.org> >> > > Signed-off-by: David Windsor <dwindsor@gmail.com> >> >> >> Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com> > > Getting back on this: could you take the patch via your tree or should I resubmit to some dedicated place with a new review-by added? Sorry, for some reason I had assumed this would all go as part of the larger series. I applied it to my pci/host-hv branch with Stephen's reviewed-by for v4.12. Thanks for the ping! Bjorn
> On Tue, Apr 18, 2017 at 5:40 AM, Reshetova, Elena > <elena.reshetova@intel.com> wrote: > > > > > >> On Mon, 6 Mar 2017 15:38:29 -0600 > >> Bjorn Helgaas <helgaas@kernel.org> wrote: > >> > >> > [+cc Hyper-V folks, -cc others] > >> > > >> > On Mon, Mar 06, 2017 at 04:21:04PM +0200, Elena Reshetova wrote: > >> > > refcount_t type and corresponding API should be > >> > > used instead of atomic_t when the variable is used as > >> > > a reference counter. This allows to avoid accidental > >> > > refcounter overflows that might lead to use-after-free > >> > > situations. > >> > > > >> > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > >> > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> > >> > > Signed-off-by: Kees Cook <keescook@chromium.org> > >> > > Signed-off-by: David Windsor <dwindsor@gmail.com> > >> > >> > >> Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com> > > > > Getting back on this: could you take the patch via your tree or should I resubmit > to some dedicated place with a new review-by added? > > Sorry, for some reason I had assumed this would all go as part of the > larger series. I applied it to my pci/host-hv branch with Stephen's > reviewed-by for v4.12. Thank you very much! I think I confused everyone in the beginning, but later on we decided that it is better off in small chunks and separate tress. Best Regards, Elena. > > Thanks for the ping! > > Bjorn
diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c index cd114c6..870deed 100644 --- a/drivers/pci/host/pci-hyperv.c +++ b/drivers/pci/host/pci-hyperv.c @@ -56,6 +56,7 @@ #include <asm/apic.h> #include <linux/msi.h> #include <linux/hyperv.h> +#include <linux/refcount.h> #include <asm/mshyperv.h> /* @@ -421,7 +422,7 @@ enum hv_pcidev_ref_reason { struct hv_pci_dev { /* List protected by pci_rescan_remove_lock */ struct list_head list_entry; - atomic_t refs; + refcount_t refs; enum hv_pcichild_state state; struct pci_function_description desc; bool reported_missing; @@ -1254,13 +1255,13 @@ static void q_resource_requirements(void *context, struct pci_response *resp, static void get_pcichild(struct hv_pci_dev *hpdev, enum hv_pcidev_ref_reason reason) { - atomic_inc(&hpdev->refs); + refcount_inc(&hpdev->refs); } static void put_pcichild(struct hv_pci_dev *hpdev, enum hv_pcidev_ref_reason reason) { - if (atomic_dec_and_test(&hpdev->refs)) + if (refcount_dec_and_test(&hpdev->refs)) kfree(hpdev); } @@ -1314,7 +1315,7 @@ static struct hv_pci_dev *new_pcichild_device(struct hv_pcibus_device *hbus, wait_for_completion(&comp_pkt.host_event); hpdev->desc = *desc; - get_pcichild(hpdev, hv_pcidev_ref_initial); + refcount_set(&hpdev->refs, 1); get_pcichild(hpdev, hv_pcidev_ref_childlist); spin_lock_irqsave(&hbus->device_list_lock, flags); list_add_tail(&hpdev->list_entry, &hbus->children);