[PATCH v2 01/10] iommu: Remove useless group refcounting

Tian, Kevin kevin.tian at intel.com
Tue Aug 1 18:33:38 PDT 2023


> From: Jason Gunthorpe <jgg at nvidia.com>
> Sent: Tuesday, August 1, 2023 1:50 AM
> 
> Several functions obtain the group reference and then release it before
> returning. This gives the impression that the refcount is protecting
> something for the duration of the function.
> 
> In truth all of these functions are called in places that know a device
> driver is probed to the device and our locking rules already require
> that dev->iommu_group cannot change while a driver is attached to the
> struct device.
> 
> If this was not the case then this code is already at risk of triggering
> UAF as it is racy if the dev->iommu_group is concurrently going to
> NULL/free. refcount debugging will throw a WARN if kobject_get() is
> called on a 0 refcount object to highlight the bug.
> 
> Remove the confusing refcounting and leave behind a comment about the
> restriction.
> 
> Reviewed-by: Lu Baolu <baolu.lu at linux.intel.com>
> Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>

Reviewed-by: Kevin Tian <kevin.tian at intel.com>
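
The reasoning in the quoted commit message, replayed as a single-threaded userspace model in C. This is an added example, not code from the patch or from the kernel; `struct group`, `struct device`, `group_get()` and the other names are constructed stand-ins for the iommu group kobject and for `kobject_get()` with refcount debugging.

```c
/* Constructed userspace model; not the kernel's kobject/refcount code. */
#include <stdio.h>

struct group  { int refs; int id; };   /* refs == 0: released */
struct device { struct group *grp; int driver_bound; };

static int warn_count;                 /* stands in for WARN() */

/* Models kobject_get() under refcount debugging: a get on 0 is flagged. */
static struct group *group_get(struct group *g)
{
    if (g->refs == 0) { warn_count++; return NULL; }
    g->refs++;
    return g;
}

static void group_put(struct group *g) { if (g->refs > 0) g->refs--; }

/* Old pattern with no driver bound: replay a release landing between the
 * bare pointer read and the get. Returns the number of warnings raised. */
static int replay_unbound_race(void)
{
    struct group g = { .refs = 1, .id = 7 };
    struct device dev = { .grp = &g, .driver_bound = 0 };
    warn_count = 0;
    struct group *seen = dev.grp;      /* unprotected read */
    dev.grp = NULL;                    /* other side: detach ... */
    group_put(&g);                     /* ... and drop the last reference */
    if (group_get(seen))               /* too late: count is already 0 */
        group_put(seen);
    return warn_count;
}

/* New pattern: no get/put; the caller's guarantee that a driver is bound
 * is what keeps dev->grp stable. Returns -1 if that precondition fails. */
static int group_id_while_bound(const struct device *dev)
{
    if (!dev->driver_bound || !dev->grp)
        return -1;
    return dev->grp->id;
}

int main(void)
{
    struct group g = { .refs = 1, .id = 7 };
    struct device dev = { .grp = &g, .driver_bound = 1 };
    printf("warnings in unbound race: %d\n", replay_unbound_race());
    printf("bound access: id=%d refs=%d\n", group_id_while_bound(&dev), g.refs);
    return 0;
}
```

The model keeps the group on the stack so the late get only bumps a counter; in the situation the commit message describes, the object could already be freed when the get runs, which is why the get/put pair offers no protection there.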



More information about the linux-arm-kernel mailing list