All of lore.kernel.org
 help / color / mirror / Atom feed
* CAIF device
@ 2010-04-01 15:09 Alan
  2010-04-05 11:19 ` Sjur BRENDELAND
  0 siblings, 1 reply; 6+ messages in thread
From: Alan @ 2010-04-01 15:09 UTC (permalink / raw)
  To: netdev, sjur.brandeland

I was reading through the CAIF code and I noticed a couple of bugs

Doesn't check there is a write method so set on a read only
device it's not good news (doubly so as there seem to be no
permission checks ?) plus no permissions checks and also the
following which looks unsafe

        dev_close(ser->dev);
        unregister_netdevice(ser->dev);
        list_del(&ser->node);
        debugfs_deinit(ser);

Now ser is the netdev private data so what stops it going away when
unregister_netdev is called ?

Secondly tty devices are ref counted and this for some reason didn't get
fixed in the driver yet.

[Patches to follow for the write and kref bugs, the others need the
authors and someone who knows the netdev code these days to fix]

^ permalink raw reply	[flat|nested] 6+ messages in thread
* RE: CAIF device
  2010-04-01 15:09 CAIF device Alan
@ 2010-04-05 11:19 ` Sjur BRENDELAND
  2010-04-07 13:13   ` [PATCH] Caif: Ref counting Alan Cox
  2010-04-07 13:17   ` [PATCH] CAIF: write check Alan Cox
  0 siblings, 2 replies; 6+ messages in thread
From: Sjur BRENDELAND @ 2010-04-05 11:19 UTC (permalink / raw)
  To: Alan, netdev

Hi Alan.

Alan wrote:
> I was reading through the CAIF code and I noticed a couple of bugs
> 
> Doesn't check there is a write method so set on a read only
> device it's not good news (doubly so as there seem to be no
> permission checks ?) plus no permissions checks and also the
> following which looks unsafe
> 
>         dev_close(ser->dev);
>         unregister_netdevice(ser->dev);
>         list_del(&ser->node);
>         debugfs_deinit(ser);
> 
> Now ser is the netdev private data so what stops it going away when
> unregister_netdev is called ?

I think this should work fine as the unregistration of the ser->dev is done after rtnl_lock,
this delays the freeing of the device until rtnl_unlock.
> 
> Secondly tty devices are ref counted and this for some reason didn't
> get fixed in the driver yet.
> 
> [Patches to follow for the write and kref bugs, the others need the
> authors and someone who knows the netdev code these days to fix]

Thanks, looking forward to review your patches.

BR/Sjur

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH] Caif: Ref counting
  2010-04-05 11:19 ` Sjur BRENDELAND
@ 2010-04-07 13:13   ` Alan Cox
  2010-04-07 23:50     ` David Miller
  2010-04-07 13:17   ` [PATCH] CAIF: write check Alan Cox
  1 sibling, 1 reply; 6+ messages in thread
From: Alan Cox @ 2010-04-07 13:13 UTC (permalink / raw)
  To: Sjur BRENDELAND; +Cc: netdev

caif: tty's are kref objects so take a reference

From: Alan Cox <alan@linux.intel.com>

I don't think this can be abused in this case but do things properly.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 drivers/net/caif/caif_serial.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 3502f60..b271aa0 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -315,7 +315,7 @@ static int ldisc_open(struct tty_struct *tty)
 	sprintf(name, "cf%s", tty->name);
 	dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
 	ser = netdev_priv(dev);
-	ser->tty = tty;
+	ser->tty = tty_kref_get(tty);
 	ser->dev = dev;
 	debugfs_init(ser, tty);
 	tty->receive_room = N_TTY_BUF_SIZE;
@@ -348,6 +348,7 @@ static void ldisc_close(struct tty_struct *tty)
 	unregister_netdevice(ser->dev);
 	list_del(&ser->node);
 	debugfs_deinit(ser);
+	tty_kref_put(ser->tty);
 	if (!islocked)
 		rtnl_unlock();
 }

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [PATCH] CAIF: write check
  2010-04-05 11:19 ` Sjur BRENDELAND
  2010-04-07 13:13   ` [PATCH] Caif: Ref counting Alan Cox
@ 2010-04-07 13:17   ` Alan Cox
  2010-04-07 23:49     ` David Miller
  1 sibling, 1 reply; 6+ messages in thread
From: Alan Cox @ 2010-04-07 13:17 UTC (permalink / raw)
  To: Sjur BRENDELAND; +Cc: netdev

caif: check write operations

From: Alan Cox <alan@linux.intel.com>

write is optional for a tty device. Check that we have a write op rather
than calling NULL.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 drivers/net/caif/caif_serial.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)


diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index b271aa0..38c0186 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -312,6 +312,10 @@ static int ldisc_open(struct tty_struct *tty)
 	char name[64];
 	int result;
 
+	/* No write no play */
+	if (tty->ops->write == NULL)
+		return -EOPNOTSUPP;
+
 	sprintf(name, "cf%s", tty->name);
 	dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
 	ser = netdev_priv(dev);


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] CAIF: write check
  2010-04-07 13:17   ` [PATCH] CAIF: write check Alan Cox
@ 2010-04-07 23:49     ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2010-04-07 23:49 UTC (permalink / raw)
  To: alan; +Cc: sjur.brandeland, netdev

From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Wed, 7 Apr 2010 14:17:03 +0100

> caif: check write operations
> 
> From: Alan Cox <alan@linux.intel.com>
> 
> write is optional for a tty device. Check that we have a write op rather
> than calling NULL.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Applied, thanks Alan.

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] Caif: Ref counting
  2010-04-07 13:13   ` [PATCH] Caif: Ref counting Alan Cox
@ 2010-04-07 23:50     ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2010-04-07 23:50 UTC (permalink / raw)
  To: alan; +Cc: sjur.brandeland, netdev

From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Wed, 7 Apr 2010 14:13:19 +0100

> caif: tty's are kref objects so take a reference
> 
> From: Alan Cox <alan@linux.intel.com>
> 
> I don't think this can be abused in this case but do things properly.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Also applied, thanks Alan.

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2010-04-07 23:50 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-04-01 15:09 CAIF device Alan
2010-04-05 11:19 ` Sjur BRENDELAND
2010-04-07 13:13   ` [PATCH] Caif: Ref counting Alan Cox
2010-04-07 23:50     ` David Miller
2010-04-07 13:17   ` [PATCH] CAIF: write check Alan Cox
2010-04-07 23:49     ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.