Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933606AbbDQQbX (ORCPT <rfc822;w@1wt.eu>);
	Fri, 17 Apr 2015 12:31:23 -0400
Received: from quartz.orcorp.ca ([184.70.90.242]:44371 "EHLO quartz.orcorp.ca"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S932069AbbDQQbS (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 17 Apr 2015 12:31:18 -0400
Date: Fri, 17 Apr 2015 10:30:54 -0600
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Jens Wiklander <jens.wiklander@linaro.org>
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        devicetree@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>, javier@javigon.com,
        valentin.manea@huawei.com, emmanuel.michel@st.com,
        Herbert Xu <herbert@gondor.apana.org.au>, jean-michel.delorme@st.com,
        tpmdd-devel@lists.sourceforge.net
Subject: Re: [tpmdd-devel] [RFC PATCH 1/2] tee: generic TEE subsystem
Message-ID: <20150417163054.GA28241@obsidianresearch.com>
References: <1429257057-7935-1-git-send-email-jens.wiklander@linaro.org>
 <1429257057-7935-2-git-send-email-jens.wiklander@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1429257057-7935-2-git-send-email-jens.wiklander@linaro.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Broken-Reverse-DNS: no host name found for IP address 10.0.0.183
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1067
Lines: 32

On Fri, Apr 17, 2015 at 09:50:56AM +0200, Jens Wiklander wrote:
> +	teedev = devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL);
[..]
> +	rc = misc_register(&teedev->miscdev);
[..]
> +void tee_unregister(struct tee_device *teedev)
> +{
[..]
> +	misc_deregister(&teedev->miscdev);
> +}
[..]
>+static int optee_remove(struct platform_device *pdev)
>+{
>+       tee_unregister(optee->teedev);

Isn't that a potential use after free? AFAIK misc_deregister does not
guarentee the miscdev will no longer be accessed after it returns, and
the devm will free it after optee_remove returns.

Memory backing a stuct device needs to be freed via the release
function.

We have been going through this for a while with TPM - it seems like
using misc devices dynamically is not a good idea. Manage your own
struct device directly..

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/