Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Date:   Tue, 15 Mar 2022 15:39:22 -0300
From:   Jason Gunthorpe <jgg@ziepe.ca>
To:     Mika =?utf-8?B?UGVudHRpbMOk?= <mpenttil@redhat.com>
Cc:     linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        apopple@nvidia.com, jhubbard@nvidia.com, rcampbell@nvidia.com,
        vbabka@suse.cz
Subject: Re: [PATCH v2] mm/hmm/test: simplify hmm test code: use miscdevice
 instead of char dev
Message-ID: <20220315183922.GC64706@ziepe.ca>
References: <20220311033050.22724-1-mpenttil@redhat.com>
 <20220314182439.GB64706@ziepe.ca>
 <d9b9c82e-4012-cf0a-d966-d9669a684a27@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <d9b9c82e-4012-cf0a-d966-d9669a684a27@redhat.com>
Precedence: bulk

On Tue, Mar 15, 2022 at 05:22:15AM +0200, Mika Penttilä wrote:
> Hi Jason and thanks for your comments..
> 
> On 14.3.2022 20.24, Jason Gunthorpe wrote:
> > On Fri, Mar 11, 2022 at 05:30:50AM +0200, mpenttil@redhat.com wrote:
> > > From: Mika Penttilä <mpenttil@redhat.com>
> > > 
> > > HMM selftests use an in-kernel pseudo device to emulate device private
> > > memory. The pseudo device registers a major device range for two pseudo
> > > device instances. User space has a script that reads /proc/devices in
> > > order to find the assigned major number, and sends that to mknod(1),
> > > once for each node.
> > > 
> > > This duplicates a fair amount of boilerplate that misc device can do
> > > instead.
> > > 
> > > Change this to use misc device, which makes the device node names appear
> > > for us. This also enables udev-like processing if desired.
> > 
> > This is borderline the wrong way to use misc devices, they should
> > never be embedded into other structs like this. It works out here
> > because they are eventually only placed in a static array, but still
> > it is a generally bad pattern to see.
> 
> Could you elaborate on this one? We have many in-tree usages of the same
> pattern, like:

The kernel is full of bugs

> drivers/video/fbdev/pxa3xx-gcu.c

ie this is broken because it allocates like this:

        priv = devm_kzalloc(dev, sizeof(struct pxa3xx_gcu_priv), GFP_KERNEL);
        if (!priv)
                return -ENOMEM;

And free's via devm:


static int pxa3xx_gcu_remove(struct platform_device *pdev)
{
        struct pxa3xx_gcu_priv *priv = platform_get_drvdata(pdev);

        misc_deregister(&priv->misc_dev);
        return 0;
}

But this will UAF if it races fops open with misc_desregister.

Proper use of cdevs with proper struct devices prevent this bug.

> You mention "placed in a static array", are you seeing a potential lifetime
> issue or what? Many of the examples above embed miscdevice in a dynamically
> allocated object also.
> 
> The file object's private_data holds a pointer to the miscdevice, and
> fops_get() pins the module. So freeing the objects miscdevice is embedded in
> at module_exit time should be fine. But, as you said, in this case the
> miscdevices are statically allocated, so that shouldn't be an issue
> either.

Correct, it is OK here because the module refcounts prevent the
miscdevice memory from being freed, the above cases with dynamic
allocations do not have that protection and are wrong.

This is why I don't care for the pattern of putting misc devices
inside other structs, it suggests this is perhaps generally safe but
it is not.

> I think using cdev_add ends up in the same results in device_* api
> sense.

Nope, everything works right once you use cdev_device_add on a
properly registered struct device.

> miscdevice acting like a mux at a higher abstraction level simplifies the
> code.

It does avoid the extra struct device, but at the cost of broken
memory lifetime

Jason