Date:	Tue, 4 Sep 2012 04:57:38 -0700
From:	Guenter Roeck <linux@...ck-us.net>
To:	Uwe Kleine-König 
	<u.kleine-koenig@...gutronix.de>
Cc:	spi-devel-general@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	Grant Likely <grant.likely@...retlab.ca>,
	Mark Brown <broonie@...nsource.wolfsonmicro.com>,
	kernel@...gutronix.de
Subject: Re: [PATCH] Revert "spi/doc: spi_master_put must be followed up by kfree"

On Tue, Sep 04, 2012 at 09:25:23AM +0200, Uwe Kleine-König wrote:
> On Mon, Sep 03, 2012 at 01:26:26PM -0700, Guenter Roeck wrote:
> > Actually, spi_master_put() after spi_alloc_master() must _not_ be followed
> > by kfree(). The memory is already freed with the call to spi_master_put()
> > through spi_master_class, which registers a release function. Calling both
> > spi_master_put() and kfree() results in often nasty (and delayed) crashes
> > elsewhere in the kernel, often in the networking stack.
> > 
> > This reverts commit eb4af0f5349235df2e4a5057a72fc8962d00308a.
> > 
> > Cc: Uwe Kleine-Koenig <u.kleine-koenig@...gutronix.de>
> > Signed-off-by: Guenter Roeck <linux@...ck-us.net>
> I didn't check the callback, but I introduced
> eb4af0f5349235df2e4a5057a72fc8962d00308a because I saw the kfree in
> drivers/spi/spi-imx.c. So I guess this needs fixing, too?!
> 
This is a bitbang driver, which is one of the tricky ones which I have not touched
yet.

That driver calls
	spi_alloc_master
	spi_master_get
..
error:
	spi_master_put
	kfree

which works out fine, since there are two references to master (one from
spi_alloc_master and one from spi_master_put). Calling spi_master_put twice
would be cleaner, of course, but one can not have everything and at least
nothing bad will happen.

Other bitbang drivers are problematic, though. For example, looking at
spi-altera.c:

	hw->bitbang.master = spi_master_get(master);
	if (!hw->bitbang.master)
		return err;

That error case should never happen, but if it does the return would leave master
unreleased. In practice it is not necessary to check the return code here since
it will only be NULL if master is NULL.

exit:
	spi_master_put(master);
	return err;

So this driver calls spi_alloc_master and spi_master_get, but only calls
spi_master_put once in the error path, meaning one reference is left and
master will not be freed. Given the context, it should really be
	spi_master_put(hw->bitbang.master);
	spi_master_put(master);
	return err;

This is just an example. spi-ath79.c and spi-au1550.c are wrong as well, and
many others.

The issue really is that one must keep track of the number of references to
master, and many drivers don't get that right. Bitbang drivers usually call
spi_master_get() to get an additional reference to master, and thus must call
spi_master_put twice (or spi_master_put/kfree) in the error path. Non-bitbang
drivers don't call spi_master_get() and thus don't need the additional call to
spi_master_put (or kfree).

Guenter
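To make the reference arithmetic above concrete, here is an added userspace model of the alloc/get/put sequence; it is not kernel code and not part of this thread. The sim_* functions, live_masters and error_path() are constructed stand-ins, and the kref inside master->dev is reduced to a plain counter.

```c
/* Constructed userspace model of the spi_master reference counting discussed
 * above; not kernel code. The sim_* functions stand in for the SPI core calls. */
#include <stdlib.h>
struct sim_master { int refcount; };   /* stands in for the kref in master->dev */
static int live_masters;               /* masters allocated and not yet released */

/* spi_alloc_master(): the new master comes with exactly one reference. */
static struct sim_master *sim_alloc_master(void)
{
    struct sim_master *m = calloc(1, sizeof(*m));
    if (m) {
        m->refcount = 1;
        live_masters++;
    }
    return m;
}

/* spi_master_get(): take one more reference; NULL in gives NULL out. */
static struct sim_master *sim_master_get(struct sim_master *m)
{
    if (m)
        m->refcount++;
    return m;
}

/* spi_master_put(): the class release callback frees on the last put, so no kfree(). */
static void sim_master_put(struct sim_master *m)
{
    if (m && --m->refcount == 0) {
        live_masters--;
        free(m);
    }
}

/* Probe error path: spi_alloc_master(), `gets` spi_master_get() calls (1 for
 * bitbang drivers, 0 otherwise), then `puts` spi_master_put() calls. Returns the
 * masters left alive (1 = leaked, as in spi-altera.c) or -1 for a put after free. */
int error_path(int gets, int puts)
{
    live_masters = 0;
    struct sim_master *master = sim_alloc_master();
    for (int i = 0; i < gets; i++)
        sim_master_get(master);
    for (int i = 0; i < puts; i++) {
        if (live_masters == 0)
            return -1;                 /* the kfree-after-put crash; stop here */
        sim_master_put(master);
    }
    return live_masters;               /* a leaked master stays allocated, as in the driver */
}
```

error_path(1, 1) is the spi-altera.c error path and reports one leaked master; error_path(1, 2) is the suggested fix, and error_path(0, 2) is the non-bitbang put-then-kfree case that the reverted documentation recommended.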