Hi all,
I have some doubts about the patch - "ipack/carriers/tpci200: Fix a
double free in tpci200_pci_probe".
> In the out_err_bus_register error branch of tpci200_pci_probe,
> tpci200->info->cfg_regs is freed by tpci200_uninstall()->
> tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
> in the first time.
From my code review, although pci_iounmap takes
"tpci200->info->cfg_regs" as its 2nd parameter, the implementation of
pci_iounmap may not use this parameter.
Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
not be freed.
#ifdef CONFIG_PCI
/* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
struct pci_dev;
extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
#elif defined(CONFIG_GENERIC_IOMAP)
struct pci_dev;
static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
{ }
#endif
> But later, iounmap() is called to free tpci200->info->cfg_regs again.
Even if CONFIG_PCI is undefined, it is possible that
tpci200->info->cfg_regs is not freed at all. Therefore, this patch
would cause memory leak. Take a look at the following code:
void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
{
IO_COND(addr, /* nothing */, iounmap(addr));
}
#define IO_COND(addr, is_pio, is_mmio) do { \
unsigned long port = (unsigned long __force)addr; \
if (port >= PIO_RESERVED) { \
is_mmio; \
} else if (port > PIO_OFFSET) { \
port &= PIO_MASK; \
is_pio; \
} else \
bad_io_access(port, #is_pio ); \
} while (0)
If I make any mistakes, please let me know.
--
My best regards to you.
No System Is Safe!
Dongliang Mu
Hello Dongliang Mu,
> Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
> not be freed.
>
> #ifdef CONFIG_PCI
> /* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
> struct pci_dev;
> extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
> #elif defined(CONFIG_GENERIC_IOMAP)
> struct pci_dev;
> static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
> { }
> #endif
I think only `CONFIG_PCI=n` and `CONFIG_GENERIC_IOMAP=y` cause pci_iounmap an empty
implementation. Actually, `CONFIG_PCI` is a default option when run `make defconfig`,
pci_iounmap() usually is acted as an extern function.
> Even if CONFIG_PCI is undefined, it is possible that
> tpci200->info->cfg_regs is not freed at all. Therefore, this patch
> would cause memory leak. Take a look at the following code:
>
> void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
> {
> IO_COND(addr, /* nothing */, iounmap(addr));
> }
Here i am not sure this is the final implementation of pci_iounmap(),
because pci_iounmap() is re-implementated in many architectures.
Even so, i observed there still many call-sites of pci_iounmap() have reset
`the addr = NULL` after calling.
Can you have some ways to determine the actual implementation of
pci_iounmap in our cases?
> #define IO_COND(addr, is_pio, is_mmio) do { \
> unsigned long port = (unsigned long __force)addr; \
> if (port >= PIO_RESERVED) { \
> is_mmio; \
> } else if (port > PIO_OFFSET) { \
> port &= PIO_MASK; \
> is_pio; \
> } else \
> bad_io_access(port, #is_pio ); \
> } while (0)
>
Although the above codes is actually called, the addr might be freed
if `port >= PIO_RESERVED` is true. The double free still existed.
If I make any mistakes, please tell me.
Thanks your report.
---
Lv Yunlong
On Tue, Jul 20, 2021 at 10:38 PM <[email protected]> wrote:
>
>
> Hello Dongliang Mu,
>
> > Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
> > not be freed.
> >
> > #ifdef CONFIG_PCI
> > /* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
> > struct pci_dev;
> > extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
> > #elif defined(CONFIG_GENERIC_IOMAP)
> > struct pci_dev;
> > static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
> > { }
> > #endif
>
> I think only `CONFIG_PCI=n` and `CONFIG_GENERIC_IOMAP=y` cause pci_iounmap an empty
> implementation. Actually, `CONFIG_PCI` is a default option when run `make defconfig`,
> pci_iounmap() usually is acted as an extern function.
I see. From the discussion with other developers, the usage of this
driver needs to enable CONFIG_PCI. So we may not worry about this
point any more.
>
>
> > Even if CONFIG_PCI is undefined, it is possible that
> > tpci200->info->cfg_regs is not freed at all. Therefore, this patch
> > would cause memory leak. Take a look at the following code:
> >
> > void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
> > {
> > IO_COND(addr, /* nothing */, iounmap(addr));
> > }
>
> Here i am not sure this is the final implementation of pci_iounmap(),
> because pci_iounmap() is re-implementated in many architectures.
> Even so, i observed there still many call-sites of pci_iounmap() have reset
> `the addr = NULL` after calling.
> Can you have some ways to determine the actual implementation of
> pci_iounmap in our cases?
Yeah, that's the problem. I am not highly certain about the
implementation of this function. So if the free is not done, your
previous patch would cause a memory leak.
>
>
> > #define IO_COND(addr, is_pio, is_mmio) do { \
> > unsigned long port = (unsigned long __force)addr; \
> > if (port >= PIO_RESERVED) { \
> > is_mmio; \
> > } else if (port > PIO_OFFSET) { \
> > port &= PIO_MASK; \
> > is_pio; \
> > } else \
> > bad_io_access(port, #is_pio ); \
> > } while (0)
> >
>
> Although the above codes is actually called, the addr might be freed
> if `port >= PIO_RESERVED` is true. The double free still existed.
Of course. There exists a path in which the double free occurs.
However, if you directly add this NULL assignment, it will cause a
memory leak in other paths.
I am not suspecting the validation of this patch in defending the
double free. Instead, I agree with this patch, but it may introduce
some other issues, like memory leak.
>
>
>
> If I make any mistakes, please tell me.
> Thanks your report.
> ---
> Lv Yunlong
>
>
>
>