From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Dave Jones <davej@redhat.com>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: weird use-after-free bug in module_put
Date: Fri, 19 Oct 2012 18:50:46 +0100 [thread overview]
Message-ID: <20121019175046.GP2616@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20121019173639.GD2152@core.coreip.homeip.net>
On Fri, Oct 19, 2012 at 10:36:39AM -0700, Dmitry Torokhov wrote:
> On Fri, Oct 19, 2012 at 06:09:51PM +0100, Al Viro wrote:
> > On Fri, Oct 19, 2012 at 09:33:18AM -0700, Dmitry Torokhov wrote:
> >
> > > We are now removing instance of character device corresponding to input
> > > device when input device disappears.
> > >
> > > Ah, I know... cdev is embedded in evdev, but lives longer.. I do want to
> > > keep cdev embedded as it allows me to easily get to evdev in
> > > evdev_open(), but I need to be able to add and then drop reference to
> > > evdev from cdev's ->release() method. This means I need to override it.
> > >
> > > Or I could have cdev separately allocated, but then I'd like to have a
> > > void pointer in "struct cdev" so I could get from it back to
> > > corresponding evdev.
> >
> > Your real problem is that you have two kobjects embedded into the same
> > thing. It can work, but you need to make the secondary (one that does
> > *not* free in its ->release()) pin the primary. Sigh... Device model
> > sucks, film at 11...
>
> Right, but "cdev" is currently "sealed": it does not allow specifying a
> custom release function from which I could unpin primary (evdev). You
> are the author/owner of cdev code, so that is why I was asking for
> your opinion as to what is the best way to proceed:
>
> 1. Allocate cdev separately and add void * to struct cdev so that it is
> easy to get to corresponding structure on evdev_open.
>
> 2. Keep cdev embedded in evdev but export cdev's cleanup method and
> have evdev override ->release with its own version that calls
> cdev_default_release() and then unpins evdev stucture.
>
> 3. Add struct device *parent to struct cdev and have it pin and unpin it
> for us (if it is set up).
The last one would be my preference, TBH, but I'm not sure how to do it
cleanly. The thing is, kobject_del() would have to be done at some point.
_Before_ we have dropped the last references. And once we have, we are
back to the original race, AFAICS.
What's pinning that cdev reference, BTW?
next prev parent reply other threads:[~2012-10-19 17:50 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-19 14:43 weird use-after-free bug in module_put Dave Jones
2012-10-19 15:34 ` Dave Jones
2012-10-19 16:33 ` Dmitry Torokhov
2012-10-19 17:09 ` Al Viro
2012-10-19 17:36 ` Dmitry Torokhov
2012-10-19 17:50 ` Al Viro [this message]
2012-10-19 18:12 ` Dmitry Torokhov
2012-10-21 7:24 ` [PATCH 1/2] char_dev: allow setting up and pinning parent devices Dmitry Torokhov
2012-10-21 7:24 ` [PATCH 2/2] Input: fix use-after-free introduced with dynamic minor changes Dmitry Torokhov
2012-10-21 7:39 ` [PATCH 1/2] char_dev: allow setting up and pinning parent devices Al Viro
2012-10-21 8:13 ` Dmitry Torokhov
2012-10-22 0:57 ` [PATCH 1/2] char_dev: pin parent kobject Dmitry Torokhov
2012-10-22 0:57 ` [PATCH 2/2] Input: fix use-after-free introduced with dynamic minor changes Dmitry Torokhov
2012-10-22 5:02 ` [PATCH 1/2] char_dev: pin parent kobject Linus Torvalds
2012-10-22 5:42 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121019175046.GP2616@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davej@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.