Received: by 2002:a05:7412:f589:b0:e2:908c:2ebd with SMTP id eh9csp104846rdb; Tue, 31 Oct 2023 02:01:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHovRsbGrDMpSbp0Y9ZzHd0Wt0qDcrlq1+SmKxm7ERafegAz0JqDlTWU8re6V/gSQc/408j X-Received: by 2002:a17:90b:24a:b0:280:771:e90a with SMTP id fz10-20020a17090b024a00b002800771e90amr10552439pjb.19.1698742868359; Tue, 31 Oct 2023 02:01:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698742868; cv=none; d=google.com; s=arc-20160816; b=o2jgvjgLkfQ95dKoPjtiPF4PKqLN74Qs1H1nSymEj+l+qs5FJs34Ep/IDbMxtRftrO pBqbUc9tHhFFmAH+ssAbNtJmladZioxeY3F6e6PIoQSpGh3a1b42KLkjv27JysHLulYR YkmUOcNoNzkey36tJKxFy/LNr34fhueMyhhVnyTOz3J/NFiq7Mpj8OtIEPTSmQtxbLSY FPCCHS+y8NjtcZM3VqF4wr3zN8P5+2UV0fqBi/VZ7Kyo534DPaVGBCGcfz3lwW5uZi3D iFWJ7YLTM/oAj76kbrYv1LeyDR0nsNcSrji1aU8u6FlM2LpK4a8hSceu28nBdMk8grUS Ckvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=HolwFtH31Q6ywKQODQ0148en20rqb3PsUXQ91SE+TOY=; fh=dCJNPtNjbbTRGsDUawe9dT6mQ7ybdYU7uAmHSwTIi/I=; b=QemNMZaZPC7PEnHiUU1xkMyqegV4axwsARcjR4SLXNBZ3zyl8h5vnxqyupFrWjaZA0 zho/Qoyi1muZ3z5cfA8I8S9kRMS2FPnJ1S+unLEG0esLlZOKRJEYg7x0nlGg8y34af/i BCSlf+6E4Uszn0t7zgb1glosreuYaSiwTgMFrnS+j5Aum6F0oeykIIJYDSwKckz0xeHz uwDrhqPepxaHww9V57EaGp3Vmk3jwXxHQQ15PX1twu9WpbtAjZ+beCuwJ8fQBQR7a1vs Yo8ju3KC9j3GGx6fZhm/Znf4TkBZSYRk8NU0t27Kz4B4HlPtJOIGFXOXPdoRD991kZMB Z5/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=Sy27MN8i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id pc3-20020a17090b3b8300b002806bdcaa5esi696260pjb.110.2023.10.31.02.01.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Oct 2023 02:01:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=Sy27MN8i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id C3AF680785F1; Tue, 31 Oct 2023 02:00:07 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235763AbjJaI75 (ORCPT + 99 others); Tue, 31 Oct 2023 04:59:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60906 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235753AbjJaI7y (ORCPT ); Tue, 31 Oct 2023 04:59:54 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:242:246e::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5460BE8 for ; Tue, 31 Oct 2023 01:59:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sipsolutions.net; s=mail; h=MIME-Version:Content-Transfer-Encoding: Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To: Resent-Cc:Resent-Message-ID; bh=HolwFtH31Q6ywKQODQ0148en20rqb3PsUXQ91SE+TOY=; t=1698742791; x=1699952391; b=Sy27MN8iVjWwE3XGdhMdVktv6Rd1BKZsMsroEsXTIQ7zFVo 9RttbYY5Ml2veAieJk3UP1SaqTfXPx0gnE+2/MaigyMzIrWlpu2PbSxEzDu5R/u3qvRuuO2LR8KuA n5pNjOCXCcU7p1Agfw7B6IWTEdPsAcxmmQbVk4BDyVTdtbC2LkwXN9NRiOFV8UHsV2xNnPSvSxu7M yZb7ZA4iNXkYlEo7tmdknWdf7EiMQDAOhsKxBJmr0Iv99OLVfpZY7NGLiCEXveLNaqDhxJijJWlBe C8fzSbQCemrUSFCMmGlkPshaDaRVCyeRbwvclWaEboVM5jZSIYqANJHePRxU/N4g==; Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.97-RC1) (envelope-from ) id 1qxkbE-000000091HJ-0OuS; Tue, 31 Oct 2023 09:59:48 +0100 Message-ID: Subject: Re: [PATCH] Devcoredump: fix use-after-free issue when releasing devcd device From: Johannes Berg To: Yu Wang , Greg KH Cc: rafael@kernel.org, linux-kernel@vger.kernel.org, kernel@quicinc.com Date: Tue, 31 Oct 2023 09:59:47 +0100 In-Reply-To: References: <20231027055521.2679-1-quic_yyuwang@quicinc.com> <2023102730-twins-thieving-d04e@gregkh> <22ab53d1ae36d4925732e6e1dc989dc75af126da.camel@sipsolutions.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.4 (3.48.4-1.fc38) MIME-Version: 1.0 X-malware-bazaar: not-scanned X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 31 Oct 2023 02:00:07 -0700 (PDT) On Tue, 2023-10-31 at 16:29 +0800, Yu Wang wrote: >=20 > In this case, the device is temporarily added for dump only, so we need t= o > delete it when dump is completed. > The other users doesn't add/delete the device like this. For good reason, I guess? I think this is probably a bad idea. The whole point of this was to actually know which device created the coredump? If you make one up on the fly that's ... pointless? Surely you must have _some_ device that already exists? > It removes the device when the @free function has been called, I think > the @free function should be considered as a completion signal, and so > we need to put @free at the end of falling-device-related-clean-up in > devcoredump framework (the change in the patch). That may be true for the case you have, but really, I wouldn't consider that a bug now? Besides, we do hav Yes, I know we don't need to care about the dump data, but as mentioned > upon, the device is locally and temporarily created for this one-time dum= p > only, we need to free it when dump is completed, so introduce this comple= tion. > Refer to drivers/remoteproc/remoteproc_coredump.c. I still don't think this is right ... Even the code there is awful, it potentially blocks for 5 minutes? I'm not sure we should encourage that. Note that you could also argue exactly the other way around - what if the *free* function requires access to the device? It gets arbitrary data after all. > Regarding NULL for the struct module pointer, looks it's allowed for this > API ( also pass NULL)? But yes, it's not nice inde= ed, > we need this to get a reference of the calling module for safety. > Will correct in the next patch set. Well, it's not really allowed to literally write NULL - maybe we should have a macro that fills in THIS_MODULE. But THIS_MODULE can be NULL at runtime if it's in built-in code ... so we can't catch it. But actually if you do have the completion you wouldn't care about this specific case, but ... johannes