Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp214074imm; Tue, 19 Jun 2018 19:35:06 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIubTd9p+osO4tPWQUc6AEiqvaVrC9XnQqHZrOdT0biKUnu6XjjeCYZKrE/IWWMRMiSBQFS X-Received: by 2002:a65:4545:: with SMTP id x5-v6mr16958974pgr.4.1529462106801; Tue, 19 Jun 2018 19:35:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529462106; cv=none; d=google.com; s=arc-20160816; b=dLPAA2YVOcpzN29BwbwN2s7Ly/FgBaaOS8e3JzunFXTCTBPx5/wk8bcTGhVBv8PLun uMDYwECHIwKkkQZN94YjsMTwcL+5T44VhLQScF9Q+lShS0aR83JUDTerVuqS5m2hrcmb l9o8cVfeIJing7BD6VAhIT+wxFin2xMiycjlth187UynLneE+kxdMgJq63YPjHUtIs62 Vgq+F7b//t2KxNweztBHRTUNmSO1bKES9baWjCoyw9SLSK49gZKNf+nnSuxHMk9CMkr5 OZ8rcpmM4yPY8jDjzJ83TesbwZ5FGiBvXEf+tNyk+suYQc97gTCwXBGrO+mNkKuwmmXy HIiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date :arc-authentication-results; bh=oM8DIhSPlossIpBiHdnUyAAq+mA9sSIeOy2iMU0hL20=; b=oe1qdxmFXy0wUcsEiokf8CrqjUmAsvsGimKf3dQDPdsI57qp/73UcCwEOTG4tCURYP DsOjRBx9KdVhpupSY0jPdv8p4ZvsM/Ifu3KKbrDWKqv5uCZmwLzC/FJZjkeJjyaMTGQw /fvkQiTOSNAX/UowOeGDZZrpqr1LOrxWc2/A2bni2ufJaGzwRLiI4hIgeaW+0NrV/F2h ihgtkZRS0cescKYmPX6Znj9FR1nN8URW2jhzbnSVk109+r8Du1dnwG4yieVrIqREnCA5 pkLuEVxpt+wDb7sXOTH5Khke7k5hAPyF6GM4mN//uqABz3559RAW3RBuBUkRN1YAOiYZ xxSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5-v6si1094344pfe.27.2018.06.19.19.34.52; Tue, 19 Jun 2018 19:35:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753972AbeFTCdj (ORCPT + 99 others); Tue, 19 Jun 2018 22:33:39 -0400 Received: from relay1-d.mail.gandi.net ([217.70.183.193]:59191 "EHLO relay1-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752836AbeFTCdi (ORCPT ); Tue, 19 Jun 2018 22:33:38 -0400 X-Originating-IP: 70.80.172.8 Received: from localhost (modemcable008.172-80-70.mc.videotron.ca [70.80.172.8]) (Authenticated sender: hle@owl.eu.com) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 8C5D0240004; Wed, 20 Jun 2018 02:33:36 +0000 (UTC) Date: Tue, 19 Jun 2018 22:33:26 -0400 From: Hugo Lefeuvre To: Greg Kroah-Hartman Cc: devel@driverdev.osuosl.org, Marcus Wolf , linux-kernel@vger.kernel.org, Dan Carpenter Subject: [PATCH v2] staging: pi433: fix race condition in pi433_open Message-ID: <20180620023326.GA30440@hle-laptop.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.0 (2018-05-17) X-Spam-Level: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The device structure contains a useless non-atomic users counter which is subject to race conditions. It has probably been created to handle the case where remove is executed while operations are still executing on open fds but this will never happen because of reference counts. Drop the users counter and move rx buffer {de,}allocation to probe() and remove(). Remove associated dead code from open() and release(). Remove related TODO entry from ioctl(). Signed-off-by: Hugo Lefeuvre --- Changes in v2: - Remove useless users counter. - Remove unneeded TODO entry in ioctl(). - Move rx buffer {de,}allocation to probe() and remove(). --- diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c index 94e0bfcec991..a5aa9c5bc6fd 100644 --- a/drivers/staging/pi433/pi433_if.c +++ b/drivers/staging/pi433/pi433_if.c @@ -78,7 +78,6 @@ struct pi433_device { struct device *dev; struct cdev *cdev; struct spi_device *spi; - unsigned int users; /* irq related values */ struct gpio_desc *gpiod[NUM_DIO]; @@ -887,9 +886,6 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (_IOC_TYPE(cmd) != PI433_IOC_MAGIC) return -ENOTTY; - /* TODO? guard against device removal before, or while, - * we issue this ioctl. --> device_get() - */ instance = filp->private_data; device = instance->device; @@ -963,19 +959,9 @@ static int pi433_open(struct inode *inode, struct file *filp) return -ENODEV; } - if (!device->rx_buffer) { - device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL); - if (!device->rx_buffer) - return -ENOMEM; - } - - device->users++; instance = kzalloc(sizeof(*instance), GFP_KERNEL); - if (!instance) { - kfree(device->rx_buffer); - device->rx_buffer = NULL; + if (!instance) return -ENOMEM; - } /* setup instance data*/ instance->device = device; @@ -992,23 +978,11 @@ static int pi433_open(struct inode *inode, struct file *filp) static int pi433_release(struct inode *inode, struct file *filp) { struct pi433_instance *instance; - struct pi433_device *device; instance = filp->private_data; - device = instance->device; kfree(instance); filp->private_data = NULL; - /* last close? */ - device->users--; - - if (!device->users) { - kfree(device->rx_buffer); - device->rx_buffer = NULL; - if (!device->spi) - kfree(device); - } - return 0; } @@ -1178,6 +1152,11 @@ static int pi433_probe(struct spi_device *spi) device->tx_active = false; device->interrupt_rx_allowed = false; + /* init rx buffer */ + device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL); + if (!device->rx_buffer) + return -ENOMEM; + /* init wait queues */ init_waitqueue_head(&device->tx_wait_queue); init_waitqueue_head(&device->rx_wait_queue); @@ -1280,6 +1259,7 @@ static int pi433_probe(struct spi_device *spi) minor_failed: free_gpio(device); GPIO_failed: + kfree(device->rx_buffer); kfree(device); return retval; @@ -1303,8 +1283,8 @@ static int pi433_remove(struct spi_device *spi) pi433_free_minor(device); - if (device->users == 0) - kfree(device); + kfree(device->rx_buffer); + kfree(device); return 0; } -- 2.17.1