lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAE-0n50E+ERC2tvTmb2_FMas8QETgdogm8A1d_bkmhhwafsn6w@mail.gmail.com>
Date:   Mon, 12 Jun 2023 19:20:07 -0700
From:   Stephen Boyd <swboyd@...omium.org>
To:     Douglas Anderson <dianders@...omium.org>,
        dri-devel@...ts.freedesktop.org
Cc:     Andrzej Hajda <andrzej.hajda@...el.com>,
        Daniel Vetter <daniel@...ll.ch>,
        David Airlie <airlied@...il.com>,
        Jernej Skrabec <jernej.skrabec@...il.com>,
        Jonas Karlman <jonas@...boo.se>,
        Laurent Pinchart <Laurent.pinchart@...asonboard.com>,
        Linus Walleij <linus.walleij@...aro.org>,
        Neil Armstrong <neil.armstrong@...aro.org>,
        Robert Foss <rfoss@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime

Quoting Douglas Anderson (2023-06-12 16:53:03)
> Memory for the "struct device" for any given device isn't supposed to
> be released until the device's release() is called. This is important
> because someone might be holding a kobject reference to the "struct
> device" and might try to access one of its members even after any
> other cleanup/uninitialization has happened.
>
> Code analysis of ti-sn65dsi86 shows that this isn't quite right. When
> the code was written, it was believed that we could rely on the fact
> that the child devices would all be freed before the parent devices
> and thus we didn't need to worry about a release() function. While I
> still believe that the parent's "struct device" is guaranteed to
> outlive the child's "struct device" (because the child holds a kobject
> reference to the parent), the parent's "devm" allocated memory is a
> different story. That appears to be freed much earlier.
>
> Let's make this better for ti-sn65dsi86 by allocating each auxiliary
> with kzalloc and then free that memory in the release().
>
> Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers")
> Suggested-by: Stephen Boyd <swboyd@...omium.org>
> Signed-off-by: Douglas Anderson <dianders@...omium.org>
> ---

Thanks!

> diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
> index 597ceb7024e0..db1461cc3170 100644
> --- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
> +++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
> @@ -464,27 +464,32 @@ static void ti_sn65dsi86_delete_aux(void *data)
>         auxiliary_device_delete(data);
>  }
>
> -/*
> - * AUX bus docs say that a non-NULL release is mandatory, but it makes no
> - * sense for the model used here where all of the aux devices are allocated
> - * in the single shared structure. We'll use this noop as a workaround.
> - */
> -static void ti_sn65dsi86_noop(struct device *dev) {}
> +static void ti_sn65dsi86_aux_device_release(struct device *dev)
> +{
> +       struct auxiliary_device *aux = container_of(dev, struct auxiliary_device, dev);
> +
> +       kfree(aux);
> +}
>
>  static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
> -                                      struct auxiliary_device *aux,
> +                                      struct auxiliary_device **aux_out,
>                                        const char *name)
>  {
>         struct device *dev = pdata->dev;
> +       struct auxiliary_device *aux;
>         int ret;
>
> +       aux = kzalloc(sizeof(*aux), GFP_KERNEL);

Check for allocation failure?

> +
>         aux->name = name;
>         aux->dev.parent = dev;
> -       aux->dev.release = ti_sn65dsi86_noop;
> +       aux->dev.release = ti_sn65dsi86_aux_device_release;
>         device_set_of_node_from_dev(&aux->dev, dev);
>         ret = auxiliary_device_init(aux);
> -       if (ret)
> +       if (ret) {
> +               kfree(aux);
>                 return ret;
> +       }
>         ret = devm_add_action_or_reset(dev, ti_sn65dsi86_uninit_aux, aux);
>         if (ret)
>                 return ret;
> @@ -494,6 +499,9 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
>                 return ret;
>         ret = devm_add_action_or_reset(dev, ti_sn65dsi86_delete_aux, aux);
>

Nitpick: Stick this if line to the line above

> +       if (!ret)
> +               *aux_out = aux;
> +
>         return ret;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ