* CAIF device
@ 2010-04-01 15:09 Alan
2010-04-05 11:19 ` Sjur BRENDELAND
0 siblings, 1 reply; 6+ messages in thread
From: Alan @ 2010-04-01 15:09 UTC (permalink / raw)
To: netdev, sjur.brandeland
I was reading through the CAIF code and I noticed a couple of bugs
Doesn't check there is a write method so set on a read only
device it's not good news (doubly so as there seem to be no
permission checks ?) plus no permissions checks and also the
following which looks unsafe
dev_close(ser->dev);
unregister_netdevice(ser->dev);
list_del(&ser->node);
debugfs_deinit(ser);
Now ser is the netdev private data so what stops it going away when
unregister_netdev is called ?
Secondly tty devices are ref counted and this for some reason didn't get
fixed in the driver yet.
[Patches to follow for the write and kref bugs, the others need the
authors and someone who knows the netdev code these days to fix]
^ permalink raw reply [flat|nested] 6+ messages in thread* RE: CAIF device
2010-04-01 15:09 CAIF device Alan
@ 2010-04-05 11:19 ` Sjur BRENDELAND
2010-04-07 13:13 ` [PATCH] Caif: Ref counting Alan Cox
2010-04-07 13:17 ` [PATCH] CAIF: write check Alan Cox
0 siblings, 2 replies; 6+ messages in thread
From: Sjur BRENDELAND @ 2010-04-05 11:19 UTC (permalink / raw)
To: Alan, netdev
Hi Alan.
Alan wrote:
> I was reading through the CAIF code and I noticed a couple of bugs
>
> Doesn't check there is a write method so set on a read only
> device it's not good news (doubly so as there seem to be no
> permission checks ?) plus no permissions checks and also the
> following which looks unsafe
>
> dev_close(ser->dev);
> unregister_netdevice(ser->dev);
> list_del(&ser->node);
> debugfs_deinit(ser);
>
> Now ser is the netdev private data so what stops it going away when
> unregister_netdev is called ?
I think this should work fine as the unregistration of the ser->dev is done after rtnl_lock,
this delays the freeing of the device until rtnl_unlock.
>
> Secondly tty devices are ref counted and this for some reason didn't
> get fixed in the driver yet.
>
> [Patches to follow for the write and kref bugs, the others need the
> authors and someone who knows the netdev code these days to fix]
Thanks, looking forward to review your patches.
BR/Sjur
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] Caif: Ref counting
2010-04-05 11:19 ` Sjur BRENDELAND
@ 2010-04-07 13:13 ` Alan Cox
2010-04-07 23:50 ` David Miller
2010-04-07 13:17 ` [PATCH] CAIF: write check Alan Cox
1 sibling, 1 reply; 6+ messages in thread
From: Alan Cox @ 2010-04-07 13:13 UTC (permalink / raw)
To: Sjur BRENDELAND; +Cc: netdev
caif: tty's are kref objects so take a reference
From: Alan Cox <alan@linux.intel.com>
I don't think this can be abused in this case but do things properly.
Signed-off-by: Alan Cox <alan@linux.intel.com>
---
drivers/net/caif/caif_serial.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 3502f60..b271aa0 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -315,7 +315,7 @@ static int ldisc_open(struct tty_struct *tty)
sprintf(name, "cf%s", tty->name);
dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
ser = netdev_priv(dev);
- ser->tty = tty;
+ ser->tty = tty_kref_get(tty);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = N_TTY_BUF_SIZE;
@@ -348,6 +348,7 @@ static void ldisc_close(struct tty_struct *tty)
unregister_netdevice(ser->dev);
list_del(&ser->node);
debugfs_deinit(ser);
+ tty_kref_put(ser->tty);
if (!islocked)
rtnl_unlock();
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] CAIF: write check
2010-04-05 11:19 ` Sjur BRENDELAND
2010-04-07 13:13 ` [PATCH] Caif: Ref counting Alan Cox
@ 2010-04-07 13:17 ` Alan Cox
2010-04-07 23:49 ` David Miller
1 sibling, 1 reply; 6+ messages in thread
From: Alan Cox @ 2010-04-07 13:17 UTC (permalink / raw)
To: Sjur BRENDELAND; +Cc: netdev
caif: check write operations
From: Alan Cox <alan@linux.intel.com>
write is optional for a tty device. Check that we have a write op rather
than calling NULL.
Signed-off-by: Alan Cox <alan@linux.intel.com>
---
drivers/net/caif/caif_serial.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index b271aa0..38c0186 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -312,6 +312,10 @@ static int ldisc_open(struct tty_struct *tty)
char name[64];
int result;
+ /* No write no play */
+ if (tty->ops->write == NULL)
+ return -EOPNOTSUPP;
+
sprintf(name, "cf%s", tty->name);
dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
ser = netdev_priv(dev);
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2010-04-07 23:50 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-04-01 15:09 CAIF device Alan
2010-04-05 11:19 ` Sjur BRENDELAND
2010-04-07 13:13 ` [PATCH] Caif: Ref counting Alan Cox
2010-04-07 23:50 ` David Miller
2010-04-07 13:17 ` [PATCH] CAIF: write check Alan Cox
2010-04-07 23:49 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.