Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp786168imm; Wed, 20 Jun 2018 06:38:26 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIxv2+ONSsUwCtSooHFxJIOF3Yy9CCYZYNm9iEggvwZIVvBxhd4BocT6rJu9FHArNopPdpI X-Received: by 2002:a63:6ec8:: with SMTP id j191-v6mr19071019pgc.232.1529501906518; Wed, 20 Jun 2018 06:38:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529501906; cv=none; d=google.com; s=arc-20160816; b=t0JfKXf1SawDok/Dg67iGns9Dj0D/8FFJcBaRoQFhEV123UmhOAm73i+gPIzWwNF+t PwZbTKQBHFB95fEKmDKs1Up9m89NZv+xi4Kws+EOKzbl5DumZan0XYchASFPnz8KOD4F Cmx48qqMQf4Yw4UcZBnSN0yw2uiMNwuprr/upixkv6OBq3BR2svxIivijasFbQgErlD9 XlEHBlyp2x+ZqUCdY5j5KjKxD06eDtWxZcEpBvtLCjSwXFvmnCwJHBPBNskssbKLHz/L 3K/fl05OD3/oMkSUmZeXUqJtcJp/45QnRQ/dNhsP6K2NimDQTMu4moOjYlOD8CnCZ6+5 MPhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date :arc-authentication-results; bh=IfAvW6c8Evq+Jxzmt4iyO43B4sOSNooBHcEKgEolcn0=; b=NUIOfBKITDVEpQvmcEGv6RgG0Ot9rgRJwTb/yfDtLUo8OxH1V9qoH1AXME9EPFC71a wBEuqv/y6dnPzgfkQtXhIS/rIrCZDOUANPXxUnrX4U/73vi6u1RwdsnV2hBRY0ehApJK zMugKqJawNtAK59SagLp1SbJNYA/OGz9U3Bknm3B9xTRPQd3/zW0VmM+yU/IjtLNTjou wde7EGt6eaZ0MxA3RUrPnbtqZhK/tW4ByLZcHH/8uX+XgoZUAHRDxQjEG4wBJheU0iec TzUCsXG5auVt9H30/8bfl6fqJF83ulimiMQ7jh/g0UosSffIxvPCwywuyveC8RdFx7VF UeeA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2-v6si2315704plh.387.2018.06.20.06.38.12; Wed, 20 Jun 2018 06:38:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754084AbeFTNhZ (ORCPT + 99 others); Wed, 20 Jun 2018 09:37:25 -0400 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:54237 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752870AbeFTNhY (ORCPT ); Wed, 20 Jun 2018 09:37:24 -0400 X-Originating-IP: 208.88.110.46 Received: from localhost (mtl.savoirfairelinux.net [208.88.110.46]) (Authenticated sender: hle@owl.eu.com) by relay8-d.mail.gandi.net (Postfix) with ESMTPSA id A5D591BF203; Wed, 20 Jun 2018 13:37:29 +0000 (UTC) Date: Wed, 20 Jun 2018 09:37:19 -0400 From: Hugo Lefeuvre To: Greg Kroah-Hartman Cc: devel@driverdev.osuosl.org, Marcus Wolf , linux-kernel@vger.kernel.org, Dan Carpenter Subject: [PATCH v3] staging: pi433: fix race condition in pi433_open Message-ID: <20180620133719.GA17525@hle-laptop.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.0 (2018-05-17) X-Spam-Level: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The device structure contains a useless non-atomic users counter which is subject to race conditions. It has probably been created to handle the case where remove is executed while operations are still executing on open fds but this will never happen because of reference counts. Drop the users counter and move rx buffer {de,}allocation to probe() and remove(). Remove associated dead code from open() and release(). Remove related TODO entry from ioctl(). Signed-off-by: Hugo Lefeuvre --- Changes in v3: - add missing free call in probe() (in case of failure during memory allocation for rx buffer). --- diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c index 94e0bfcec991..0638fd5f14d9 100644 --- a/drivers/staging/pi433/pi433_if.c +++ b/drivers/staging/pi433/pi433_if.c @@ -78,7 +78,6 @@ struct pi433_device { struct device *dev; struct cdev *cdev; struct spi_device *spi; - unsigned int users; /* irq related values */ struct gpio_desc *gpiod[NUM_DIO]; @@ -887,9 +886,6 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (_IOC_TYPE(cmd) != PI433_IOC_MAGIC) return -ENOTTY; - /* TODO? guard against device removal before, or while, - * we issue this ioctl. --> device_get() - */ instance = filp->private_data; device = instance->device; @@ -963,19 +959,9 @@ static int pi433_open(struct inode *inode, struct file *filp) return -ENODEV; } - if (!device->rx_buffer) { - device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL); - if (!device->rx_buffer) - return -ENOMEM; - } - - device->users++; instance = kzalloc(sizeof(*instance), GFP_KERNEL); - if (!instance) { - kfree(device->rx_buffer); - device->rx_buffer = NULL; + if (!instance) return -ENOMEM; - } /* setup instance data*/ instance->device = device; @@ -992,23 +978,11 @@ static int pi433_open(struct inode *inode, struct file *filp) static int pi433_release(struct inode *inode, struct file *filp) { struct pi433_instance *instance; - struct pi433_device *device; instance = filp->private_data; - device = instance->device; kfree(instance); filp->private_data = NULL; - /* last close? */ - device->users--; - - if (!device->users) { - kfree(device->rx_buffer); - device->rx_buffer = NULL; - if (!device->spi) - kfree(device); - } - return 0; } @@ -1178,6 +1152,13 @@ static int pi433_probe(struct spi_device *spi) device->tx_active = false; device->interrupt_rx_allowed = false; + /* init rx buffer */ + device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL); + if (!device->rx_buffer) { + retval = -ENOMEM; + goto RX_failed; + } + /* init wait queues */ init_waitqueue_head(&device->tx_wait_queue); init_waitqueue_head(&device->rx_wait_queue); @@ -1280,6 +1261,8 @@ static int pi433_probe(struct spi_device *spi) minor_failed: free_gpio(device); GPIO_failed: + kfree(device->rx_buffer); +RX_failed: kfree(device); return retval; @@ -1303,8 +1286,8 @@ static int pi433_remove(struct spi_device *spi) pi433_free_minor(device); - if (device->users == 0) - kfree(device); + kfree(device->rx_buffer); + kfree(device); return 0; } -- 2.17.1