| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220110180946.GA771134@p14s>
Date: Mon, 10 Jan 2022 11:09:46 -0700
From: Mathieu Poirier <mathieu.poirier@...aro.org>
To: Matthias Kaehlcke <mka@...omium.org>
Cc: Andy Gross <agross@...nel.org>, Ohad Ben-Cohen <ohad@...ery.com>,
linux-kernel@...r.kernel.org, Sibi Sankar <sibis@...eaurora.org>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
Sujit Kautkar <sujitka@...omium.org>,
Stephen Boyd <swboyd@...omium.org>,
linux-remoteproc@...r.kernel.org
Subject: Re: [PATCH v5 2/2] rpmsg: char: Fix race between the release of
rpmsg_eptdev and cdev
On Mon, Jan 10, 2022 at 09:12:32AM -0800, Matthias Kaehlcke wrote:
> struct rpmsg_eptdev contains a struct cdev. The current code frees
> the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is
> a managed object, therefore its release is not predictable and the
> rpmsg_eptdev could be freed before the cdev is entirely released.
>
> The cdev_device_add/del() API was created to address this issue
> (see commit 233ed09d7fda), use it instead of cdev add/del().
>
> Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
> Signed-off-by: Matthias Kaehlcke <mka@...omium.org>
> ---
>
> Changes in v5:
> - patch added to the series
>
> drivers/rpmsg/rpmsg_char.c | 10 ++--------
> 1 file changed, 2 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
> index ba85f5d11960..5bc1e6017587 100644
> --- a/drivers/rpmsg/rpmsg_char.c
> +++ b/drivers/rpmsg/rpmsg_char.c
> @@ -92,7 +92,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data)
> /* wake up any blocked readers */
> wake_up_interruptible(&eptdev->readq);
>
> - device_del(&eptdev->dev);
> + cdev_device_del(&eptdev->cdev, &eptdev->dev);
> put_device(&eptdev->dev);
>
> return 0;
> @@ -380,19 +380,13 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev,
> dev->id = ret;
> dev_set_name(dev, "rpmsg%d", ret);
>
> - ret = cdev_add(&eptdev->cdev, dev->devt, 1);
> + ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
> if (ret)
> goto free_ept_ida;
>
> /* We can now rely on the release function for cleanup */
> dev->release = rpmsg_eptdev_release_device;
>
> - ret = device_add(dev);
> - if (ret) {
> - dev_err(dev, "device_add failed: %d\n", ret);
> - put_device(dev);
> - }
> -
> return ret;
>
Reviewed-by: Mathieu Poirier <mathieu.poirier@...aro.org>
> free_ept_ida:
> --
> 2.34.1.575.g55b058a8bb-goog
>
Powered by blists - more mailing lists