lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4e60cac3-d680-93ea-922e-bd4f22cf3f0a@codeaurora.org>
Date:   Fri, 18 Sep 2020 11:14:08 -0700
From:   Hemant Kumar <hemantk@...eaurora.org>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     manivannan.sadhasivam@...aro.org, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org, jhugo@...eaurora.org,
        bbhatt@...eaurora.org
Subject: Re: [PATCH v6 4/4] bus: mhi: Add userspace client interface driver

Hi Greg,

On 9/17/20 9:44 AM, Greg KH wrote:
> On Wed, Sep 16, 2020 at 12:56:07PM -0700, Hemant Kumar wrote:
...
...
>> +
>> +static int mhi_uci_open(struct inode *inode, struct file *filp)
>> +{
>> +	struct uci_dev *udev = NULL;
>> +	unsigned int minor = iminor(inode);
>> +	int ret = -EIO;
>> +	struct uci_buf *buf_itr, *tmp;
>> +	struct uci_chan *dl_chan;
>> +	struct mhi_device *mhi_dev;
>> +	struct device *dev;
>> +
>> +	mutex_lock(&uci_idr_mutex);
>> +	udev = idr_find(&uci_idr, minor);
>> +	mutex_unlock(&uci_idr_mutex);
>> +	if (!udev) {
>> +		pr_err("uci dev: minor %d not found\n", minor);
> 
> Don't spam the kernel log for things that users can do :(
i will change it to a pr_debug, as it helps to debug why open() is failing.
> 
>> +		ret = -ENODEV;
>> +		goto error_no_dev;
>> +	}
>> +
>> +	kref_get(&udev->ref_count);
> 
> Why grab a reference?  What does that help with?
In case open() and driver remove() are racing, it helps to prevent use 
after free of udev in open().
> 
>> +
>> +	mhi_dev = udev->mhi_dev;
>> +	dev = &mhi_dev->dev;
>> +
>> +	mutex_lock(&udev->lock);
>> +	if (kref_read(&udev->ref_count) > 2) {
>> +		dev_dbg(dev, "Node already opened\n");
> 
> Nope, this is NOT doing what you think it is doing.
> 
> I told you before, do not try to keep a device node from being opened
> multiple times, as it will always fail (think about passing file handles
> around between programs...)
> 
> If userspace wants to do this, it will do it.  If your driver can't
> handle that, that's fine, userspace will learn not to do that.  But the
> kernel can not prevent this from happening.
This check is not returning error, instead just setting 
filp->private_data = udev; and return 0; It is skipping channel prepare
and queuing of inbound buffers which was done by first open().
> 
> Also note that reading a kref value is a HUGE sign that the code is
> incorrect, you should never care about the value of a reference.  Maybe
> if it is 0, but that's a special case...
In previous patch this was done using separate open reference count and
after removing that i was relying on udev ref count. MHI channel prepare
and buffer allocation for a give channel suppose to happen at open() and
only for first open() call.
> 
> Anyway, given that you ignored my previous review comments here, I'm
> loath to keep reviewing this patch series.  Please get others to review
> it first before sending it back as I don't like being the only one doing
> this type of work...
Thanks for reviewing my patch series Greg and help making it a better 
driver!
> 
> thanks,
> 
> greg k-h
> 

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ