Date: Sat, 18 Apr 2015 10:01:47 +0100
From: Russell King - ARM Linux
To: Jason Gunthorpe
Cc: Jens Wiklander, valentin.manea@huawei.com, devicetree@vger.kernel.org, javier@javigon.com, emmanuel.michel@st.com, Herbert Xu, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, jean-michel.delorme@st.com, tpmdd-devel@lists.sourceforge.net, linux-arm-kernel@lists.infradead.org
Subject: Re: [tpmdd-devel] [RFC PATCH 1/2] tee: generic TEE subsystem
Message-ID: <20150418090147.GF12732@n2100.arm.linux.org.uk>
References: <1429257057-7935-1-git-send-email-jens.wiklander@linaro.org> <1429257057-7935-2-git-send-email-jens.wiklander@linaro.org> <20150417163054.GA28241@obsidianresearch.com>
In-Reply-To: <20150417163054.GA28241@obsidianresearch.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 17, 2015 at 10:30:54AM -0600, Jason Gunthorpe wrote:
> On Fri, Apr 17, 2015 at 09:50:56AM +0200, Jens Wiklander wrote:
> > + teedev = devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL);
> [..]
> > + rc = misc_register(&teedev->miscdev);
> [..]
> > +void tee_unregister(struct tee_device *teedev)
> > +{
> [..]
> > + misc_deregister(&teedev->miscdev);
> > +}
> [..]
> >+static int optee_remove(struct platform_device *pdev)
> >+{
> >+ tee_unregister(optee->teedev);
>
> Isn't that a potential use after free?
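Review bot: the lifetime of struct tee_device in these hunks is wrong: it is allocated with devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL), so devm frees it as soon as optee_remove() returns, yet the miscdev embedded in it (misc_register(&teedev->miscdev)) can still be reached through a file descriptor opened before misc_deregister(&teedev->miscdev) ran, and that descriptor's fops will then touch freed memory. Suggest allocating with kzalloc(), adding a struct kref to struct tee_device whose release function does the kfree(), taking a reference in fops->open and dropping it in fops->release, and having tee_unregister() drop the registration's reference after misc_deregister() instead of relying on devm; pair this with an "unbound" flag set in tee_unregister() and checked in open and on every I/O path, so userspace gets -ENODEV rather than dereferencing a dead device. The quoted fragment also shows rc = misc_register(&teedev->miscdev) with its error path elided; make sure a failure there unwinds without a later tee_unregister() calling misc_deregister() on a miscdev that was never registered.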
> AFAIK misc_deregister does not
> guarantee the miscdev will no longer be accessed after it returns, and
> the devm will free it after optee_remove returns.
>
> Memory backing a struct device needs to be freed via the release
> function.

Out of interest, which struct device are you talking about here?

struct tee_device contains two things - a struct device _pointer_ to the device passed into the registration function, and a miscdev.  A miscdev contains two struct device _pointers_ - a pointer to the parent device, and a pointer to the char class device.

As both of these are pointers, freeing struct tee_device does not free the memory underlying any device structure.

What does need to be taken care of is that unbinding the parent device may cause an already-open user of the userspace interface to dereference the memory which was freed.  Tying this to the lifetime of a struct device doesn't seem right.

I would suggest adding a kref to struct tee_device and use that to manage the lifetime of that structure - incrementing the refcount on fops->open and dropping it at fops->release time, so that the struct is automatically freed when the last user closes the miscdev after the device has been unbound.  You should probably also have a flag to indicate that the device is no longer present too to prevent further userspace IO.

It would be nice if miscdev provided help with this...

-- 
FTTC broadband for 0.8mile line: currently at 10.5Mbps down 400kbps up
according to speedtest.net.
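The lifetime scheme Russell sketches above (a kref on struct tee_device taken in fops->open and dropped in fops->release, plus a flag that blocks further I/O once the device is gone), as an added userspace model. This is not Russell's code and not part of the TEE patch set: the kernel's kref, misc_register()/misc_deregister() and devm are stood in for by a plain counter, calloc()/free() and comments so that it compiles and runs outside the kernel, and the function names tee_register()/tee_unregister()/tee_open()/tee_release()/tee_ioctl() are assumptions that merely mirror the patch's naming.

```c
/* Userspace model of the kref-managed lifetime described above. Added illustration,
 * not kernel code: kref, misc_register() and devm are stood in for by a plain counter
 * and calloc()/free(); single-threaded (a real kref is atomic, the flag needs locking). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct tee_device {
	int refcount;	/* models struct kref: 1 for the registration + 1 per open file */
	bool unbound;	/* set by the driver's remove(); blocks new opens and I/O */
};

struct tee_file {	/* models filp->private_data for one open descriptor */
	struct tee_device *teedev;
};

static int freed_devices;	/* diagnostic: how many times the release path ran */

static void tee_device_get(struct tee_device *teedev) { teedev->refcount++; }

static void tee_device_put(struct tee_device *teedev)
{
	if (--teedev->refcount == 0) {	/* kref release callback: the only place it is freed */
		freed_devices++;
		free(teedev);
	}
}

/* Plain allocation rather than devm, so nothing frees the struct behind the kref's back. */
struct tee_device *tee_register(void)
{
	struct tee_device *teedev = calloc(1, sizeof(*teedev));
	if (teedev)
		teedev->refcount = 1;	/* registration reference, dropped in tee_unregister() */
	/* misc_register(&teedev->miscdev) would follow here in the real driver */
	return teedev;
}

/* fops->open: refuse if the device is gone, otherwise pin the struct for this fd. */
int tee_open(struct tee_device *teedev, struct tee_file **out)
{
	struct tee_file *f;
	if (teedev->unbound)
		return -ENODEV;
	f = calloc(1, sizeof(*f));
	if (!f)
		return -ENOMEM;
	tee_device_get(teedev);
	f->teedev = teedev;
	*out = f;
	return 0;
}

/* Every I/O entry point checks the flag first, so unbound hardware is never touched. */
int tee_ioctl(struct tee_file *f)
{
	return f->teedev->unbound ? -ENODEV : 0;
}

/* fops->release: drop this fd's reference; frees the struct if the driver already unbound. */
void tee_release(struct tee_file *f)
{
	tee_device_put(f->teedev);
	free(f);
}

/* Driver remove(): deregister, mark gone, drop the registration reference.
 * While userspace still holds an fd the struct survives until that fd's release(). */
void tee_unregister(struct tee_device *teedev)
{
	/* misc_deregister(&teedev->miscdev) would go here */
	teedev->unbound = true;
	tee_device_put(teedev);
}

/* The scenario from the thread: remove() runs while a descriptor is open.
 * Returns 0 if every check passes, otherwise a negative code naming the failed check. */
int demo_unbind_with_open_fd(void)
{
	struct tee_device *dev = tee_register();
	struct tee_file *f = NULL, *late = NULL;
	int freed_before = freed_devices;
	if (!dev || tee_open(dev, &f) != 0)
		return -1;
	tee_unregister(dev);			/* driver unbound under the open fd */
	if (freed_devices != freed_before)
		return -2;			/* still referenced by f: must not be freed yet */
	if (tee_ioctl(f) != -ENODEV)
		return -3;			/* I/O refused rather than touching dead hardware */
	if (tee_open(dev, &late) != -ENODEV)
		return -4;			/* new opens refused as well */
	tee_release(f);				/* last reference dropped: freed here */
	return freed_devices == freed_before + 1 ? 0 : -5;
}

int main(void)
{
	int rc = demo_unbind_with_open_fd();
	printf("kref lifetime model: %s (rc=%d)\n", rc ? "FAILED" : "ok", rc);
	return rc ? 1 : 0;
}
```

In a real driver the counter is a struct kref (kref_init/kref_get/kref_put with the kfree in the release callback), the struct is allocated with kzalloc() rather than devm_kzalloc() so that only the kref frees it, and the check of the "unbound" flag has to be serialised with tee_unregister() (a mutex or RCU), otherwise an ioctl that passed the check can still race the hardware teardown.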