[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAD-N9QUEdMMfAC46Wb7DJJRs792_3ukK0ykyh1_U1MAekM1L5g@mail.gmail.com>
Date: Wed, 21 Jul 2021 12:44:09 +0800
From: Dongliang Mu <mudongliangabcd@...il.com>
To: lyl2019@...l.ustc.edu.cn
Cc: siglesias@...lia.com, jens.taprogge@...rogge.org,
Greg KH <gregkh@...uxfoundation.org>,
industrypack-devel@...ts.sourceforge.net,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe"
On Tue, Jul 20, 2021 at 10:38 PM <lyl2019@...l.ustc.edu.cn> wrote:
>
>
> Hello Dongliang Mu,
>
> > Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
> > not be freed.
> >
> > #ifdef CONFIG_PCI
> > /* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
> > struct pci_dev;
> > extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
> > #elif defined(CONFIG_GENERIC_IOMAP)
> > struct pci_dev;
> > static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
> > { }
> > #endif
>
> I think only `CONFIG_PCI=n` and `CONFIG_GENERIC_IOMAP=y` cause pci_iounmap an empty
> implementation. Actually, `CONFIG_PCI` is a default option when run `make defconfig`,
> pci_iounmap() usually is acted as an extern function.
I see. From the discussion with other developers, the usage of this
driver needs to enable CONFIG_PCI. So we may not worry about this
point any more.
>
>
> > Even if CONFIG_PCI is undefined, it is possible that
> > tpci200->info->cfg_regs is not freed at all. Therefore, this patch
> > would cause memory leak. Take a look at the following code:
> >
> > void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
> > {
> > IO_COND(addr, /* nothing */, iounmap(addr));
> > }
>
> Here i am not sure this is the final implementation of pci_iounmap(),
> because pci_iounmap() is re-implementated in many architectures.
> Even so, i observed there still many call-sites of pci_iounmap() have reset
> `the addr = NULL` after calling.
> Can you have some ways to determine the actual implementation of
> pci_iounmap in our cases?
Yeah, that's the problem. I am not highly certain about the
implementation of this function. So if the free is not done, your
previous patch would cause a memory leak.
>
>
> > #define IO_COND(addr, is_pio, is_mmio) do { \
> > unsigned long port = (unsigned long __force)addr; \
> > if (port >= PIO_RESERVED) { \
> > is_mmio; \
> > } else if (port > PIO_OFFSET) { \
> > port &= PIO_MASK; \
> > is_pio; \
> > } else \
> > bad_io_access(port, #is_pio ); \
> > } while (0)
> >
>
> Although the above codes is actually called, the addr might be freed
> if `port >= PIO_RESERVED` is true. The double free still existed.
Of course. There exists a path in which the double free occurs.
However, if you directly add this NULL assignment, it will cause a
memory leak in other paths.
I am not suspecting the validation of this patch in defending the
double free. Instead, I agree with this patch, but it may introduce
some other issues, like memory leak.
>
>
>
> If I make any mistakes, please tell me.
> Thanks your report.
> ---
> Lv Yunlong
>
>
>
>
Powered by blists - more mailing lists