From: NeilBrown <neilb@suse.de>
To: Olivier Sobrie <olivier@sobrie.be>,
	"David S. Miller" <davem@davemloft.net>,
	Jan Dumon <j.dumon@option.com>
Cc: linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	GTA04 owners <gta04-owner@goldelico.com>
Subject: Re: [PATCH] hso: fix refcnt leak in recent patch.
Date: Tue, 14 Apr 2015 11:03:03 +1000	[thread overview]
Message-ID: <20150414110303.66edcfee@notabene.brown> (raw)
In-Reply-To: <20150414093634.4fe24ba3@notabene.brown>

On Tue, 14 Apr 2015 09:36:34 +1000 NeilBrown <neilb@suse.de> wrote:

> 
> 
> Prior to
> commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
>     hso: fix crash when device disappears while serial port is open
> 
> hso_serial_open would always kref_get(&serial->parent->ref) before
> returning zero.
> Since that commit, it only calls kref_get when returning 0 if
> serial->port.count was zero.
> 
> This results in calls to
>        kref_put(&serial->parent->ref, hso_serial_ref_free);
> 
> after hso_serial_ref_free has been called, which dereferences a freed
> pointer.
> 
> This patch adds the missing kref_get().
> 
> Fixes: commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
> Cc: stable@vger.kernel.org (v4.0)
> Cc: Olivier Sobrie <olivier@sobrie.be>
> Signed-off-by: NeilBrown <neilb@suse.de>
> 
> diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
> index 75befc1bd816..6848fc903340 100644
> --- a/drivers/net/usb/hso.c
> +++ b/drivers/net/usb/hso.c
> @@ -1299,6 +1299,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
>  		}
>  	} else {
>  		D1("Port was already open");
> +		kref_get(&serial->parent->ref);
>  	}
>  
>  	usb_autopm_put_interface(serial->parent->interface);
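Review bot: the kref_get added in the "Port was already open" branch takes a fresh reference on every re-open of an already-open port, but nothing drops it per close any more: as the follow-up commit message states, the kref_put now happens once when the tty_struct is cleaned up, provided tty->driver_data was set, so this get pairs with nothing and would leak a reference on each re-open instead of curing the crash. The unbalanced put comes from the other path, where the first open fails after driver_data has been set and no kref_get was taken, so the fix belongs where driver_data is assigned, not here.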


Sorry - that was wrong.
I'm getting crashes which strongly suggest the kref_put is being called extra
times, but I misunderstood the code and was hasty.

Maybe this instead?

Thanks,
NeilBrown

From: NeilBrown <neil@brown.name>
Date: Tue, 14 Apr 2015 09:33:03 +1000
Subject: [PATCH] hso: fix refcnt leak in recent patch.

Prior to
commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
    hso: fix crash when device disappears while serial port is open

a kref_get on serial->parent->ref would be taken on each open,
and it would be kref_put on each close.

Now the kref_put happens when the tty_struct is finally put (via
the 'cleanup') providing tty->driver_data has been set.
So the kref_get must be called exactly once when tty->driver_data is
set.

With the current code, if the first open fails the kref_get() is never
called, but the kref_put() is called, leading to a crash.

So change the kref_get call to happen exactly when ->driver_data is
changed from NULL to non-NULL.

Fixes: commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
Cc: stable@vger.kernel.org (v4.0)
Cc: Olivier Sobrie <olivier@sobrie.be>
Signed-off-by: NeilBrown <neil@brown.name>

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 75befc1bd816..17fd3820263a 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -1278,6 +1278,8 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
 	D1("Opening %d", serial->minor);
 
 	/* setup */
+	if (tty->driver_data == NULL)
+		kref_get(&serial->parent->ref);
 	tty->driver_data = serial;
 	tty_port_tty_set(&serial->port, tty);
 
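Review bot: the new kref_get is guarded only by `tty->driver_data == NULL`, so its balance rests on two invariants that are not stated in the code: the tty cleanup is the only place that drops this reference, and driver_data is never cleared while the tty_struct is alive. A one-line comment above the `if` saying that the reference is owned by the tty and released in cleanup would stop the next reader from re-adding a per-open get. It is also worth a comment that an error return later in hso_serial_open deliberately keeps the reference, because driver_data is already set and cleanup will put it.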
@@ -1294,8 +1296,6 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
 		if (result) {
 			hso_stop_serial_device(serial->parent);
 			serial->port.count--;
-		} else {
-			kref_get(&serial->parent->ref);
 		}
 	} else {
 		D1("Port was already open");
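Review bot: with the kref_get gone from the success branch, the failure branch (`hso_stop_serial_device(serial->parent); serial->port.count--;`) now does no reference handling at all, which is correct only because the setup block above already took the reference and cleanup will drop it. A comment there, or a sentence in the commit message, stating that the error path intentionally does not kref_put would make that asymmetry with the pre-29bd3bc1 code explicit for anyone bisecting a later refcount bug.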

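The pairing the commit message describes can be checked outside the kernel. The following is an added userspace model, not the hso driver's code: `struct parent`, `model_open` and `model_cleanup` are constructed stand-ins for serial->parent's kref, hso_serial_open and the tty cleanup, and the `fixed` flag switches between the pre-patch placement of kref_get and the patched one.

```c
/* Constructed model of the refcount pairing in hso_serial_open (not driver code). */
#include <stdbool.h>
#include <stddef.h>

struct parent { int refs; bool freed; };       /* stands in for serial->parent and its kref */
struct serial { struct parent *parent; int port_count; };
struct tty    { struct serial *driver_data; };

static void ref_get(struct parent *p) { p->refs++; }
static void ref_put(struct parent *p) { if (--p->refs == 0) p->freed = true; }

/* Model of hso_serial_open; start_fails simulates the device start failing
 * on the first open. fixed == true places kref_get as the patch does. */
static int model_open(struct tty *tty, struct serial *serial, bool start_fails, bool fixed)
{
	if (fixed && tty->driver_data == NULL)  /* patched: get exactly when driver_data is set */
		ref_get(serial->parent);
	tty->driver_data = serial;              /* from here on, cleanup will put */
	if (serial->port_count++ == 0) {
		if (start_fails) {
			serial->port_count--;       /* port stays closed, driver_data stays set */
			return -1;
		} else if (!fixed) {
			ref_get(serial->parent);    /* pre-patch: only on a successful first open */
		}
	}
	return 0;
}

/* Model of the tty cleanup: drop the reference iff driver_data was set. */
static void model_cleanup(struct tty *tty)
{
	if (tty->driver_data)
		ref_put(tty->driver_data->parent);
}

/* Parent refcount after one open (failing or not) and the tty cleanup.
 * The parent starts with the single reference the driver itself holds. */
static int refs_after_open(bool start_fails, bool fixed)
{
	struct parent p = { .refs = 1, .freed = false };
	struct serial s = { .parent = &p, .port_count = 0 };
	struct tty t = { .driver_data = NULL };
	(void)model_open(&t, &s, start_fails, fixed);
	model_cleanup(&t);
	return p.refs;     /* 0 means the driver's own reference was stolen */
}
```

On the failing-first-open path the pre-patch placement drives the count to zero, which is the freed-parent dereference the first message reports; the patched placement leaves the driver's own reference intact on every path.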