search for: refcount_t

https://bugs.freedesktop.org/show_bug.cgi?id=104161 Bug ID: 104161 Summary: refcount_t: increment on 0; use-after-free. Product: xorg Version: git Hardware: x86-64 (AMD64) OS: Linux (All) Status: NEW Severity: normal Priority: medium Component: Driver/nouveau Assignee: nouveau at lists....

...input9 [ 8.115813] input: HDA Intel Front Headphone as /devices/pci0000:00/0000:00:1b.0/sound/card0/input10 [ 8.208559] nouveau 0000:0f:00.0: bios: version 70.18.a6.00.00 [ 8.209028] nouveau 0000:0f:00.0: fb: 1024 MiB DDR3 [ 8.209046] ------------[ cut here ]------------ [ 8.209048] refcount_t: increment on 0; use-after-free. [ 8.209068] WARNING: CPU: 2 PID: 529 at lib/refcount.c:153 refcount_inc+0x27/0x30 [ 8.209070] Modules linked in: wmi_bmof coretemp snd_hda_codec_realtek nouveau(+) intel_powerclamp snd_hda_codec_generic mxm_wmi kvm_intel video snd_hda_intel ttm kvm snd_hda_...

...llowing warn on 4.15-rc1, on GTX 560 Ti: [ 9.430433] nouveau 0000:01:00.0: NVIDIA GF114 (0ce000a1) ... [ 9.585172] nouveau 0000:01:00.0: bios: version 70.24.2e.00.02 ... [ 9.772204] nouveau 0000:01:00.0: fb: 1024 MiB GDDR5 [ 9.777342] ------------[ cut here ]------------ [ 9.782106] refcount_t: increment on 0; use-after-free. [ 9.787522] WARNING: CPU: 0 PID: 3 at lib/refcount.c:153 refcount_inc+0x30/0x50 [ 9.795060] Modules linked in: sha256_generic cfg80211(+) rfkill snd_usb_audio snd_usbmidi_lib nouveau(+) video ttm [ 9.805756] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.15....

we can't use nouveau_bo_ref here as no ttm object was allocated and nouveau_bo_ref mainly deals with that. Simply deallocate the object. Signed-off-by: Karol Herbst <kherbst at redhat.com> --- drm/nouveau/nouveau_gem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drm/nouveau/nouveau_gem.c b/drm/nouveau/nouveau_gem.c index e11303fbc..45582a8dc 100644 ---

From: Karol Herbst <kherbst at redhat.com> [ Upstream commit 925681454d7b557d404b5d28ef4469fac1b2e105 ] we can't use nouveau_bo_ref here as no ttm object was allocated and nouveau_bo_ref mainly deals with that. Simply deallocate the object. Signed-off-by: Karol Herbst <kherbst at redhat.com> Signed-off-by: Ben Skeggs <bskeggs at redhat.com> Signed-off-by: Sasha Levin

From: Karol Herbst <kherbst at redhat.com> [ Upstream commit 925681454d7b557d404b5d28ef4469fac1b2e105 ] we can't use nouveau_bo_ref here as no ttm object was allocated and nouveau_bo_ref mainly deals with that. Simply deallocate the object. Signed-off-by: Karol Herbst <kherbst at redhat.com> Signed-off-by: Ben Skeggs <bskeggs at redhat.com> Signed-off-by: Sasha Levin

From: Karol Herbst <kherbst at redhat.com> [ Upstream commit 925681454d7b557d404b5d28ef4469fac1b2e105 ] we can't use nouveau_bo_ref here as no ttm object was allocated and nouveau_bo_ref mainly deals with that. Simply deallocate the object. Signed-off-by: Karol Herbst <kherbst at redhat.com> Signed-off-by: Ben Skeggs <bskeggs at redhat.com> Signed-off-by: Sasha Levin

...f /* __ASSEMBLY__ */ #endif /* _ASM_X86_PARAVIRT_TYPES_H */ diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index a8b5e1e..dbaed55 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -4,41 +4,6 @@ * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from * PaX/grsecurity. */ - -#ifdef __ASSEMBLY__ - -#include <asm/asm.h> -#include <asm/bug.h> - -.macro REFCOUNT_EXCEPTION counter:req - .pushsection .text..refcount -111: lea \counter, %_ASM_CX -112: ud2 - ASM_UNREACHABLE - .popsection -113: _ASM_EXTABLE_REF...

...f /* __ASSEMBLY__ */ #endif /* _ASM_X86_PARAVIRT_TYPES_H */ diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index a8b5e1e..dbaed55 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -4,41 +4,6 @@ * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from * PaX/grsecurity. */ - -#ifdef __ASSEMBLY__ - -#include <asm/asm.h> -#include <asm/bug.h> - -.macro REFCOUNT_EXCEPTION counter:req - .pushsection .text..refcount -111: lea \counter, %_ASM_CX -112: ud2 - ASM_UNREACHABLE - .popsection -113: _ASM_EXTABLE_REF...

...f /* __ASSEMBLY__ */ #endif /* _ASM_X86_PARAVIRT_TYPES_H */ diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index a8b5e1e..dbaed55 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -4,41 +4,6 @@ * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from * PaX/grsecurity. */ - -#ifdef __ASSEMBLY__ - -#include <asm/asm.h> -#include <asm/bug.h> - -.macro REFCOUNT_EXCEPTION counter:req - .pushsection .text..refcount -111: lea \counter, %_ASM_CX -112: ud2 - ASM_UNREACHABLE - .popsection -113: _ASM_EXTABLE_REF...

...l. */ @@ -44,6 +53,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -295,10 +311,55 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str) return err; } +static void virtblk_get(struct virtio_blk *vblk) +{ + refcount_inc(&vblk->refs); +} + +static...

...l. */ @@ -44,6 +53,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -295,10 +311,55 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str) return err; } +static void virtblk_get(struct virtio_blk *vblk) +{ + refcount_inc(&vblk->refs); +} + +static...

...blk.c @@ -44,6 +44,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -53,6 +60,9 @@ struct virtio_blk { /* num of vqs */ int num_vqs; struct virtio_blk_vq *vqs; + + /* Provides mutual exclusion with virtblk_remove(). */ + struct mutex remove_mutex; }; struct v...

...blk.c @@ -44,6 +44,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -53,6 +60,9 @@ struct virtio_blk { /* num of vqs */ int num_vqs; struct virtio_blk_vq *vqs; + + /* Provides mutual exclusion with virtblk_remove(). */ + struct mutex remove_mutex; }; struct v...

...ce updates */ > > struct work_struct config_work; > > > > + /* > > + * Tracks references from block_device_operations open/release and > > + * virtio_driver probe/remove so this object can be freed once no > > + * longer in use. > > + */ > > + refcount_t refs; > > + > > /* What host tells us, plus 2 for header & tailer. */ > > unsigned int sg_elems; > > > > @@ -53,6 +60,9 @@ struct virtio_blk { > > /* num of vqs */ > > int num_vqs; > > struct virtio_blk_vq *vqs; > > + > > +...

...> /* Process context for config space updates */ > struct work_struct config_work; > > + /* > + * Tracks references from block_device_operations open/release and > + * virtio_driver probe/remove so this object can be freed once no > + * longer in use. > + */ > + refcount_t refs; Using a struct kref might be more idiomatic. > + > /* What host tells us, plus 2 for header & tailer. */ > unsigned int sg_elems; > > @@ -295,10 +311,55 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str) > return err; > } > > +static v...

Hello all, I am trying to debug an elusive memory corruption bug on my arm64 machine which appears to be in the nouveau driver. I got the following splat from the refcount debugging code: """ refcount_t: underflow; use-after-free. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3366 at lib/refcount.c:128 refcount_sub_and_test+0xe8/0x108 Modules linked in: fuse nouveau ttm drm_kms_helper drm ip_tables x_tables ipv6 CPU: 0 PID: 3366 Comm: gnome-shell Not tainted 4.11.0-rc3-00407-g97da3854...

...l. */ @@ -44,6 +54,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -295,10 +312,55 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str) return err; } +static void virtblk_get(struct virtio_blk *vblk) +{ + refcount_inc(&vblk->refs); +} + +static...

...l. */ @@ -44,6 +54,13 @@ struct virtio_blk { /* Process context for config space updates */ struct work_struct config_work; + /* + * Tracks references from block_device_operations open/release and + * virtio_driver probe/remove so this object can be freed once no + * longer in use. + */ + refcount_t refs; + /* What host tells us, plus 2 for header & tailer. */ unsigned int sg_elems; @@ -295,10 +312,55 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str) return err; } +static void virtblk_get(struct virtio_blk *vblk) +{ + refcount_inc(&vblk->refs); +} + +static...

...dex c38cc5eb7e73..582b0187f5a4 100644 > --- a/include/linux/kvm_host.h > +++ b/include/linux/kvm_host.h > @@ -455,6 +455,10 @@ struct kvm { > struct srcu_struct srcu; > struct srcu_struct irq_srcu; > pid_t userspace_pid; > + > + struct completion kvmi_completed; > + refcount_t kvmi_ref; The refcounting approach seems a bit backwards, and AFAICT is driven by implementing unhook via a message, which also seems backwards. I assume hook and unhook are relatively rare events and not performance critical, so make those the restricted/slow flows, e.g. force userspace to quies...