Re: Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe"

From: Dongliang Mu <mudongliangabcd@gmail.com>
To: lyl2019@mail.ustc.edu.cn
Cc: siglesias@igalia.com, jens.taprogge@taprogge.org,
	Greg KH <gregkh@linuxfoundation.org>,
	industrypack-devel@lists.sourceforge.net,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe"
Date: Wed, 21 Jul 2021 12:44:09 +0800	[thread overview]
Message-ID: <CAD-N9QUEdMMfAC46Wb7DJJRs792_3ukK0ykyh1_U1MAekM1L5g@mail.gmail.com> (raw)
In-Reply-To: <77df3e1f.22e1.17ac45a1bd9.Coremail.lyl2019@mail.ustc.edu.cn>

On Tue, Jul 20, 2021 at 10:38 PM <lyl2019@mail.ustc.edu.cn> wrote:
>
>
> Hello Dongliang Mu,
>
> >  Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
> > not be freed.
> >
> > #ifdef CONFIG_PCI
> > /* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
> > struct pci_dev;
> > extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
> > #elif defined(CONFIG_GENERIC_IOMAP)
> > struct pci_dev;
> > static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
> > { }
> > #endif
>
> I think only `CONFIG_PCI=n` and `CONFIG_GENERIC_IOMAP=y` cause pci_iounmap an empty
> implementation. Actually, `CONFIG_PCI` is a default option when run `make defconfig`,
> pci_iounmap() usually is acted as an extern function.

I see. From the discussion with other developers, the usage of this
driver needs to enable CONFIG_PCI. So we may not worry about this
point any more.

>
>
> > Even if CONFIG_PCI is undefined, it is possible that
> > tpci200->info->cfg_regs is not freed at all. Therefore, this patch
> > would cause memory leak. Take a look at the following code:
> >
> > void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
> > {
> >         IO_COND(addr, /* nothing */, iounmap(addr));
> > }
>
> Here i am not sure this is the final implementation of pci_iounmap(),
> because pci_iounmap() is re-implementated in many architectures.
> Even so, i observed there still many call-sites of pci_iounmap() have reset
> `the addr = NULL` after calling.
> Can you have some ways to determine the actual implementation of
> pci_iounmap in our cases?

Yeah, that's the problem. I am not highly certain about the
implementation of this function. So if the free is not done, your
previous patch would cause a memory leak.

>
>
> > #define IO_COND(addr, is_pio, is_mmio) do {                     \
> >         unsigned long port = (unsigned long __force)addr;       \
> >         if (port >= PIO_RESERVED) {                             \
> >                 is_mmio;                                        \
> >         } else if (port > PIO_OFFSET) {                         \
> >                 port &= PIO_MASK;                               \
> >                 is_pio;                                         \
> >         } else                                                  \
> >                 bad_io_access(port, #is_pio );                  \
> > } while (0)
> >
>
> Although the above codes is actually called, the addr might be freed
> if `port >= PIO_RESERVED` is true. The double free still existed.

Of course. There exists a path in which the double free occurs.
However, if you directly add this NULL assignment, it will cause a
memory leak in other paths.

I am not suspecting the validation of this patch in defending the
double free. Instead, I agree with this patch, but it may introduce
some other issues, like memory leak.

>
>
>
> If I make any mistakes, please tell me.
> Thanks your report.
> ---
> Lv Yunlong
>
>
>
>