From: Dongliang Mu <mudongliangabcd@gmail.com>
To: Pavel Skripkin <paskripkin@gmail.com>
Cc: "Dongliang Mu" <dzm91@hust.edu.cn>,
"Wolfgang Grandegger" <wg@grandegger.com>,
"Marc Kleine-Budde" <mkl@pengutronix.de>,
"David S. Miller" <davem@davemloft.net>,
"Jakub Kicinski" <kuba@kernel.org>,
"Stephane Grosjean" <s.grosjean@peak-system.com>,
"Stefan Mätje" <stefan.maetje@esd.eu>,
"Vincent Mailhol" <mailhol.vincent@wanadoo.fr>,
linux-can@vger.kernel.org,
"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] drivers: net: remove a dangling pointer in peak_usb_create_dev
Date: Fri, 21 Jan 2022 13:58:58 +0800 [thread overview]
Message-ID: <CAD-N9QUZ95zqboe=58gybue6ssSO-M-raijd3XnGXkXnp3wiqQ@mail.gmail.com> (raw)
In-Reply-To: <CAD-N9QUfiTNqs7uOH3C99oMNdqFXh+MKLQ94BkQou_T7-yU_mg@mail.gmail.com>
On Fri, Jan 21, 2022 at 11:36 AM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>
> On Fri, Jan 21, 2022 at 8:09 AM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
> >
> > On Thu, Jan 20, 2022 at 10:27 PM Pavel Skripkin <paskripkin@gmail.com> wrote:
> > >
> > > Hi Dongliang,
> > >
> > > On 1/20/22 16:05, Dongliang Mu wrote:
> > > > From: Dongliang Mu <mudongliangabcd@gmail.com>
> > > >
> > > > The error handling code of peak_usb_create_dev forgets to reset the
> > > > next_siblings of previous entry.
> > > >
> > > > Fix this by nullifying the (dev->prev_siblings)->next_siblings in the
> > > > error handling code.
> > > >
> > > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> > > > ---
> > > > drivers/net/can/usb/peak_usb/pcan_usb_core.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
> > > > index b850ff8fe4bd..f858810221b6 100644
> > > > --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
> > > > +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
> > > > @@ -894,6 +894,9 @@ static int peak_usb_create_dev(const struct peak_usb_adapter *peak_usb_adapter,
> > > > dev->adapter->dev_free(dev);
> > > >
> > > > lbl_unregister_candev:
> > > > + /* remove the dangling pointer in next_siblings */
> > > > + if (dev->prev_siblings)
> > > > + (dev->prev_siblings)->next_siblings = NULL;
> > > > unregister_candev(netdev);
> > > >
> > > > lbl_restore_intf_data:
> > >
> > >
> > > Is this pointer used somewhere? I see, that couple of
> > > struct peak_usb_adapter::dev_free() functions use it, but
> > > peak_usb_disconnect() sets dev->next_siblings to NULL before calling
> > > ->dev_free().
> > >
> > > Do you have a calltrace or oops log?
> >
> > Hi Pavel,
> >
> > I have no calltrace or log since this dangling pointer may not be
> > dereferenced in the following code. But I am not sure. So the commit
> > title of this patch is "remove a dangling pointer in
> > peak_usb_create_dev".
>
> BTW, as you mentioned, dev->next_siblings is used in struct
> peak_usb_adapter::dev_free() (i.e., pcan_usb_fd_free or
> pcan_usb_pro_free), how about the following path?
>
> peak_usb_probe
> -> peak_usb_create_dev (goto adap_dev_free;)
> -> dev->adapter->dev_free()
> -> pcan_usb_fd_free or pcan_usb_pro_free (This function uses
> next_siblings as condition elements)
>
> static void pcan_usb_fd_free(struct peak_usb_device *dev)
> {
> /* last device: can free shared objects now */
> if (!dev->prev_siblings && !dev->next_siblings) {
> struct pcan_usb_fd_device *pdev =
> container_of(dev, struct pcan_usb_fd_device, dev);
>
> /* free commands buffer */
> kfree(pdev->cmd_buffer_addr);
>
> /* free usb interface object */
> kfree(pdev->usb_if);
> }
> }
>
> If next_siblings is not NULL, will it lead to the missing free of
> cmd_buffer_addr and usb_if?
The answer is No. Forget my silly thought.
>
> Please let me know if I made any mistakes.
>
> > >
> > >
> > >
> > >
> > > With regards,
> > > Pavel Skripkin
next prev parent reply other threads:[~2022-01-21 5:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-20 13:05 [PATCH] drivers: net: remove a dangling pointer in peak_usb_create_dev Dongliang Mu
2022-01-20 14:27 ` Pavel Skripkin
2022-01-21 0:09 ` Dongliang Mu
2022-01-21 3:36 ` Dongliang Mu
2022-01-21 5:58 ` Dongliang Mu [this message]
2022-01-21 19:36 ` Pavel Skripkin
2022-01-22 6:45 ` Dongliang Mu
2022-01-23 13:48 ` Pavel Skripkin
2022-01-24 6:04 ` Dongliang Mu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD-N9QUZ95zqboe=58gybue6ssSO-M-raijd3XnGXkXnp3wiqQ@mail.gmail.com' \
--to=mudongliangabcd@gmail.com \
--cc=davem@davemloft.net \
--cc=dzm91@hust.edu.cn \
--cc=kuba@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mailhol.vincent@wanadoo.fr \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=paskripkin@gmail.com \
--cc=s.grosjean@peak-system.com \
--cc=stefan.maetje@esd.eu \
--cc=wg@grandegger.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.