Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4659188imm; Mon, 18 Jun 2018 20:12:37 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKztPO+EoG+BizNMp8Fv3uBffkQE13N7YWnH8q7WO/c6lnLjL14CPER/5QGzUiwruZjrv9H X-Received: by 2002:a62:2414:: with SMTP id r20-v6mr16137952pfj.108.1529377957173; Mon, 18 Jun 2018 20:12:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529377957; cv=none; d=google.com; s=arc-20160816; b=w4T86o+rclNYhhtxwDiL8S2Lj0RIx09dbd9HTKgZ6VW6KuV+fPsPxenH53Pc3WS3xM Z+O9hWRBHocveox/czhXWZ+onB1xN+wnijjUtI6xjGUH748Iz1jTHa0lc4r5V564L8yi 4E0qtiRTWS2EL3v/5KgoAFgWkWJed0iBeLS2LjnzQLgJ0QOww6fDhBST5ea+xLPWnrVq I9RARDyajWd+4jygr0XvYE98obycmFmRJL3nGduFA4Cnp7hHRBBs5QH1VgyTJBaqL2NT IfnT+96lRh/OseOX9OTPKDQuoJVcfq/hHBul+v2baFKcrJt2PkfJRyeS04jXa755TWxu DIUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=XdVp1LVnsMK5RgELNsvSEhimuax12BZON5s3QqKtrOU=; b=S0xg3mg5E65OB8SIb5CWL6oUlHt8Ll56+GiSTVhrRRDX/j+UfTbNGsRRPDKQ4h2zpv eztWX4MmfuBp3YpKkugkpYhtJ7k0huTYWlxAYXs+SSQlsOqzFTDzISRb06oPqqs8Krrg u52ossR4U5RCh20Wqz0EKtze3lVnyxZkZitWd9Yt5V+kebYYux+av76N6WaXErS9yZBL yXs/G/Gkx15DY6sv+BPq5TXDJ/+9h2KI1ITrEzmRh6DDrY72tEx3tXJ9lc7c673gQhJC 6Axwu++A1FoNethkK6MeX/c/+5kmc3HusP7CS1vQFTb/wuSs+9pMb680SAuJ/HAWAUdG BlQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n187-v6si13201023pga.98.2018.06.18.20.12.22; Mon, 18 Jun 2018 20:12:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S937240AbeFSDLo (ORCPT + 99 others); Mon, 18 Jun 2018 23:11:44 -0400 Received: from relay1-d.mail.gandi.net ([217.70.183.193]:45151 "EHLO relay1-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S937096AbeFSDLn (ORCPT ); Mon, 18 Jun 2018 23:11:43 -0400 X-Originating-IP: 70.80.172.8 Received: from localhost (modemcable008.172-80-70.mc.videotron.ca [70.80.172.8]) (Authenticated sender: hle@owl.eu.com) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id C3457240004; Tue, 19 Jun 2018 03:11:42 +0000 (UTC) Date: Mon, 18 Jun 2018 23:11:36 -0400 From: Hugo Lefeuvre To: Dan Carpenter Cc: Greg Kroah-Hartman , devel@driverdev.osuosl.org, Marcus Wolf , linux-kernel@vger.kernel.org Subject: Re: [PATCH] staging: pi433: fix race condition in pi433_open Message-ID: <20180619030850.GA1876@hle-laptop.local> References: <20180618022400.GA1893@hle-laptop.local> <20180618101838.gzbrxabilnqyilsi@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180618101838.gzbrxabilnqyilsi@mwanda> User-Agent: Mutt/1.10.0 (2018-05-17) X-Spam-Level: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Dan, > We need to decrement device->users-- on the error paths as well. > This function was already slightly broken with respect to counting the > users, but let's not make it worse. > > I think it's still a tiny bit racy because it's not an atomic type. Oh right, I missed that. I'll fix it in the v2. :) > I'm not sure the error handling in open() works either. It's releasing > device->rx_buffer but there could be another user. Agree. > The ->rx_buffer > should be allocated in probe() instead of open() probably, no? And then > freed in pi433_remove(). Then once we put that in the right layer > it means we can just get rid of ->users... It would be great to get rid of this counter, indeed. But how to do it properly without breaking things ? It seems to be useful to me... For example, how do you handle the case where remove() is called but some operations are still running on existing fds ? What if remove frees the rx_buffer while a read() call executes this ? copy_to_user(buf, device->rx_buffer, bytes_received) rx_buffer is freed by release() because it's the only buffer from the device structure used in read/write/ioctl, meaning that we can only free it when we are sure that it isn't used anywhere anymore. So, we can't do it in remove() unless remove() is delayed until the last release() has returned. > The lines: > > 1008 if (!device->spi) > 1009 kfree(device); > > make no sort of sense at all... Fortunately it's not posssible for > device->spi to be NULL so it's dead code. Really ? device->spi is NULL-ed in remove() so that operations on remaining fds can detect remove() was already called and free remaining resources: 1296 /* make sure ops on existing fds can abort cleanly */ 1297 device->spi = NULL; Thanks for your time ! Regards, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA