linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Lars-Peter Clausen <lars@metafoo.de>
To: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>,
	David Lechner <david@lechnology.com>,
	Fabrice Gasnier <fabrice.gasnier@foss.st.com>,
	Jarkko Nikula <jarkko.nikula@linux.intel.com>,
	Kamel Bouhara <kamel.bouhara@bootlin.com>,
	Maxime Coquelin <mcoquelin.stm32@gmail.com>,
	Oleksij Rempel <linux@rempel-privat.de>,
	Patrick Havelange <patrick.havelange@essensium.com>,
	Syed Nayyar Waris <syednwaris@gmail.com>,
	William Breathitt Gray <vilhelm.gray@gmail.com>,
	linux-arm-kernel@lists.infradead.org, linux-iio@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-stm32@st-md-mailman.stormreply.com
Subject: Re: [PATCH 0/8] counter: Remove struct counter_device::priv
Date: Tue, 21 Dec 2021 13:04:50 +0100	[thread overview]
Message-ID: <65009237-7e61-21aa-60cd-b7f7e0bb2f91@metafoo.de> (raw)
In-Reply-To: <20211221113542.rl4aburbzzrgs3km@pengutronix.de>

On 12/21/21 12:35 PM, Uwe Kleine-König wrote:
> Hello Lars,
>
> On Tue, Dec 21, 2021 at 12:12:12PM +0100, Lars-Peter Clausen wrote:
>> On 12/21/21 11:45 AM, Uwe Kleine-König wrote:
>>> similar to patch
>>> https://lore.kernel.org/r/4bde7cbd9e43a5909208102094444219d3154466.1640072891.git.vilhelm.gray@gmail.com
>>> the usage of struct counter_device::priv can be replaced by
>>> container_of which improves type safety and code size.
>>>
>>> This series depends on above patch, converts the remaining drivers and
>>> finally drops struct counter_device::priv.
>> Not sure if this is such a good idea. struct counter_device should not be
>> embedded in the drivers state struct in the first place.
> Just to mention it: My patch series didn't change this, this was already
> broken before.
I know, but this series has to be reverted when the framework is fixed.
>
>> struct counter_device contains a struct device, which is a reference counted
>> object. But by embedding it in the driver state struct the life time of both
>> the struct counter_device and and struct device are bound to the life time
>> of the driver state struct.
>>
>> Which means the struct device memory can get freed before the last reference
>> is dropped, which leads to a use-after-free and undefined behavior.
> Well, the driver struct is allocated using devm_kzalloc for all drivers.

devm_kzalloc() doesn't make a difference. The managed memory is freed 
when the parent device is unbound/removed. There may very well be 
reference to the counter_device at this point.

> So I think it's not *very* urgent to fix. Still you're right, this
> should be addressed.

Yes and no, this can trivially be used for privilege escalation, but 
then again on systems with a counter_device probably everything runs as 
root anyway.

>   
>> The framework should be changed to rather then embedding the struct
>> counter_device in the state struct to just have a pointer to it. With the
>> struct counter_device having its own allocation that will be freed when the
>> last reference to the struct device is dropped.
> My favourite would be to implement a counter_device_alloc /
> counter_device_add approach, similar to what spi_alloc_controller and
> alloc_etherdev do. The downside is that this isn't typesafe either :-\



  reply	other threads:[~2021-12-21 12:05 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-21 10:45 [PATCH 0/8] counter: Remove struct counter_device::priv Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 1/8] counter: 104-quad-8: Use container_of instead of " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 2/8] counter: ftm-quaddec: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 3/8] counter: intel-qeb: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 4/8] counter: interrupt-cnt: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 5/8] counter: microchip-tcp-capture: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 6/8] counter: stm32-lptimer-cnt: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 7/8] counter: stm32-timer-cnt: " Uwe Kleine-König
2021-12-21 10:45 ` [PATCH 8/8] counter: Remove unused member from struct counter_device Uwe Kleine-König
2021-12-21 11:12 ` [PATCH 0/8] counter: Remove struct counter_device::priv Lars-Peter Clausen
2021-12-21 11:35   ` Uwe Kleine-König
2021-12-21 12:04     ` Lars-Peter Clausen [this message]
2021-12-21 13:22       ` Uwe Kleine-König
2021-12-21 14:12         ` Lars-Peter Clausen
2021-12-22 17:51       ` Uwe Kleine-König

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=65009237-7e61-21aa-60cd-b7f7e0bb2f91@metafoo.de \
    --to=lars@metafoo.de \
    --cc=alexandre.torgue@foss.st.com \
    --cc=david@lechnology.com \
    --cc=fabrice.gasnier@foss.st.com \
    --cc=jarkko.nikula@linux.intel.com \
    --cc=kamel.bouhara@bootlin.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-iio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-stm32@st-md-mailman.stormreply.com \
    --cc=linux@rempel-privat.de \
    --cc=mcoquelin.stm32@gmail.com \
    --cc=patrick.havelange@essensium.com \
    --cc=syednwaris@gmail.com \
    --cc=u.kleine-koenig@pengutronix.de \
    --cc=vilhelm.gray@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).