linux-kernel.vger.kernel.org archive mirror
* [PATCH] ntb_transport: use put_device() instead of kfree()
@ 2018-03-09 10:33 Arvind Yadav
  2018-03-09 16:46 ` Logan Gunthorpe
  2018-05-22  0:48 ` Jon Mason
  0 siblings, 2 replies; 4+ messages in thread
From: Arvind Yadav @ 2018-03-09 10:33 UTC (permalink / raw)
  To: jdmason, dave.jiang, allenbh; +Cc: linux-kernel, linux-ntb

Never directly free @dev after calling device_register(), even
if it returned an error! Always use put_device() to give up the
reference initialized.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
---
 drivers/ntb/ntb_transport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
index 9878c48..8182a3a 100644
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
 
 		rc = device_register(dev);
 		if (rc) {
-			kfree(client_dev);
+			put_device(dev);
 			goto err;
 		}
 
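Review bot: At the put_device(dev) line in the if (rc) branch, the changelog does not say what frees client_dev once the kfree() is gone, which is the first question this hunk raises. Add a sentence stating that dev's release callback frees the containing client_dev, and confirm that the callback is assigned before device_register() is called so that the put on this error path actually releases the allocation. Also check that nothing reached through "goto err" touches client_dev afterwards, since it may already have been freed by then.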
-- 
1.9.1


* Re: [PATCH] ntb_transport: use put_device() instead of kfree()
  2018-03-09 10:33 [PATCH] ntb_transport: use put_device() instead of kfree() Arvind Yadav
@ 2018-03-09 16:46 ` Logan Gunthorpe
  2018-05-22  0:48 ` Jon Mason
  1 sibling, 0 replies; 4+ messages in thread
From: Logan Gunthorpe @ 2018-03-09 16:46 UTC (permalink / raw)
  To: Arvind Yadav, jdmason, dave.jiang, allenbh; +Cc: linux-kernel, linux-ntb

Looks correct to me. Thanks!

Reviewed-by: Logan Gunthorpe <logang@deltatee.com>

On 09/03/18 03:33 AM, Arvind Yadav wrote:
> Never directly free @dev after calling device_register(), even
> if it returned an error! Always use put_device() to give up the
> reference initialized.
> 
> Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
> ---
>   drivers/ntb/ntb_transport.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
> index 9878c48..8182a3a 100644
> --- a/drivers/ntb/ntb_transport.c
> +++ b/drivers/ntb/ntb_transport.c
> @@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
>   
>   		rc = device_register(dev);
>   		if (rc) {
> -			kfree(client_dev);
> +			put_device(dev);
>   			goto err;
>   		}
>   
> 


* Re: [PATCH] ntb_transport: use put_device() instead of kfree()
  2018-03-09 10:33 [PATCH] ntb_transport: use put_device() instead of kfree() Arvind Yadav
  2018-03-09 16:46 ` Logan Gunthorpe
@ 2018-05-22  0:48 ` Jon Mason
  2018-05-22 16:56   ` Logan Gunthorpe
  1 sibling, 1 reply; 4+ messages in thread
From: Jon Mason @ 2018-05-22  0:48 UTC (permalink / raw)
  To: Arvind Yadav; +Cc: dave.jiang, allenbh, linux-kernel, linux-ntb

On Fri, Mar 09, 2018 at 04:03:24PM +0530, Arvind Yadav wrote:
> Never directly free @dev after calling device_register(), even
> if it returned an error! Always use put_device() to give up the
> reference initialized.
> 
> Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
> ---
>  drivers/ntb/ntb_transport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
> index 9878c48..8182a3a 100644
> --- a/drivers/ntb/ntb_transport.c
> +++ b/drivers/ntb/ntb_transport.c
> @@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
>  
>  		rc = device_register(dev);
>  		if (rc) {
> -			kfree(client_dev);
> +			put_device(dev);

Now we are leaking client_dev, which is bigger than just dev.  I think
we are going to need both now.

Thanks,
Jon

>  			goto err;
>  		}
>  
> -- 
> 1.9.1
> 


* Re: [PATCH] ntb_transport: use put_device() instead of kfree()
  2018-05-22  0:48 ` Jon Mason
@ 2018-05-22 16:56   ` Logan Gunthorpe
  0 siblings, 0 replies; 4+ messages in thread
From: Logan Gunthorpe @ 2018-05-22 16:56 UTC (permalink / raw)
  To: Jon Mason, Arvind Yadav; +Cc: dave.jiang, allenbh, linux-kernel, linux-ntb



On 21/05/18 06:48 PM, Jon Mason wrote:
> On Fri, Mar 09, 2018 at 04:03:24PM +0530, Arvind Yadav wrote:
>> Never directly free @dev after calling device_register(), even
>> if it returned an error! Always use put_device() to give up the
>> reference initialized.
>>
>> Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
>> ---
>>  drivers/ntb/ntb_transport.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
>> index 9878c48..8182a3a 100644
>> --- a/drivers/ntb/ntb_transport.c
>> +++ b/drivers/ntb/ntb_transport.c
>> @@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
>>  
>>  		rc = device_register(dev);
>>  		if (rc) {
>> -			kfree(client_dev);
>> +			put_device(dev);
> 
> Now we are leaking client_dev, which is bigger than just dev.  I think
> we are going to need both now.

No, when put_device is called, ntb_transport_client_release() will be
called which then kfree's the structure there. This is the preferred way
of freeing anything that's reference counted (as all struct devices
are). See [1].

Though, if I remember correctly, the NTB tree breaks this rule a lot.
ie. the fact that ntb_dev_release() doesn't actually free the underlying
structure has always irked me a bit because it forces the calling
drivers to break this rule. This means the reference counting on the NTB
devices is broken so if someone ever uses get_device() on a struct
ntb_dev and doesn't put it back before the driver is unbound, there will
be a use after free bug. As far as I know though, at this time this
isn't done.

Logan


[1]
https://elixir.bootlin.com/linux/v4.17-rc6/source/drivers/base/core.c#L1931
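
The release-callback behaviour described in the message above, as an added userspace model in C (not code from this thread or from the kernel). The struct layout and the names client_release, device_register_failing, fail_path_frees and frees are assumptions made for illustration; get_device() and put_device() are simplified stand-ins for the kernel functions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model: names mirror the kernel API, bodies are simplified. */
struct device {
	int refcount;
	void (*release)(struct device *dev);
};
struct client_dev {		/* stands in for the driver's container */
	char name[32];
	struct device dev;	/* embedded: shares the container's lifetime */
};
static int frees;		/* containers released so far */

static void client_release(struct device *dev)
{
	/* container_of() by hand: step back from member to container */
	free((char *)dev - offsetof(struct client_dev, dev));
	frees++;
}
static void get_device(struct device *dev) { dev->refcount++; }
static void put_device(struct device *dev)
{
	if (--dev->refcount == 0)
		dev->release(dev);
}
/* Modelled device_register(): takes the initial reference, then fails. */
static int device_register_failing(struct device *dev) { dev->refcount = 1; return -1; }

/* Error path from the patch; returns frees seen right after put_device(). */
static int fail_path_frees(int other_holder)
{
	struct client_dev *c = calloc(1, sizeof(*c));
	int seen;

	if (!c)
		return -1;
	frees = 0;
	c->dev.release = client_release;
	if (device_register_failing(&c->dev)) {
		if (other_holder)
			get_device(&c->dev);	/* constructed: a second reference */
		put_device(&c->dev);	/* the patch's replacement for kfree() */
	}
	seen = frees;
	if (other_holder)
		put_device(&c->dev);	/* last reference: release runs now */
	return seen;
}
int main(void) { return !(fail_path_frees(0) == 1 && fail_path_frees(1) == 0); }
```

With no other holder, the single put_device() frees the whole container through the release callback, so nothing leaks; with a second reference outstanding, the free is deferred until that holder drops it, which a direct kfree() would not respect.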

