| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210802201620.GA344022@rowland.harvard.edu>
Date: Mon, 2 Aug 2021 16:16:20 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Salah Triki <salah.triki@...il.com>
Cc: Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
open list <linux-kernel@...r.kernel.org>,
Oliver Neukum <oliver@...kum.org>
Subject: Re: [PATCH v2] bluetooth: bcm203x: update the reference count of udev
On Mon, Aug 02, 2021 at 08:34:11PM +0100, Salah Triki wrote:
> On Sun, Aug 01, 2021 at 08:01:06PM +0200, Marcel Holtmann wrote:
> > Hi Salah,
> >
> > > Use usb_get_dev() to increment the reference count of the usb device
> > > structure in order to avoid releasing the structure while it is still in
> > > use. And use usb_put_dev() to decrement the reference count and thus,
> > > when it will be equal to 0 the structure will be released.
> > >
> > > Signed-off-by: Salah Triki <salah.triki@...il.com>
> > > ---
> > > Change since v1:
> > > Modification of the description
> > >
> > > drivers/bluetooth/bcm203x.c | 4 +++-
> > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/bluetooth/bcm203x.c b/drivers/bluetooth/bcm203x.c
> > > index e667933c3d70..547d35425d70 100644
> > > --- a/drivers/bluetooth/bcm203x.c
> > > +++ b/drivers/bluetooth/bcm203x.c
> > > @@ -166,7 +166,7 @@ static int bcm203x_probe(struct usb_interface *intf, const struct usb_device_id
> > > if (!data)
> > > return -ENOMEM;
> > >
> > > - data->udev = udev;
> > > + data->udev = usb_get_dev(udev);
> > > data->state = BCM203X_LOAD_MINIDRV;
> > >
> > > data->urb = usb_alloc_urb(0, GFP_KERNEL);
> > > @@ -244,6 +244,8 @@ static void bcm203x_disconnect(struct usb_interface *intf)
> > >
> > > usb_set_intfdata(intf, NULL);
> > >
> > > + usb_put_dev(data->udev);
> > > +
> > > usb_free_urb(data->urb);
> > > kfree(data->fw_data);
> > > kfree(data->buffer);
> >
> > I do not understand this. If this is something broken, then it is broken in
> > btusb.c as well and that driver is heavily used by all sorts of devices. So
> > we should have seen bug reports about this.
> >
> > Regards
> >
> > Marcel
> >
> Hi Marcel,
>
> The patch is based on the following documentation of usb_get_dev():
>
> [quote]
> Each live reference to a device should be refcounted.
>
> Drivers for USB interfaces should normally record such references in their
> probe() methods, when they bind to an interface, and release them by calling
> usb_put_dev(), in their disconnect() methods.
> [/quote]
That documentation is incorrect. It is not necessary for drivers to
take a reference to the devices they are bound to. Properly written
subsystems will guarantee that the driver is unbound from the device
before the device is released.
To put it another way, if failure to take such a reference leads to an
invalid memory access then there is a bug in the subsystem, not in the
driver.
Rather than changing the bcm203x driver, you should consider getting rid
of the unnecessary advice in the documentation of usb_get_dev.
Alan Stern
Powered by blists - more mailing lists