From: Suzuki.Poulose@arm.com (Suzuki K Poulose)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH V3 10/18] coresight: tmc: getting the right read_count on tmc_open()
Date: Mon, 25 Apr 2016 11:47:48 +0100
Message-ID: <571DF5D4.8070300@arm.com>
In-Reply-To: <1461345255-11758-11-git-send-email-mathieu.poirier@linaro.org>
On 22/04/16 18:14, Mathieu Poirier wrote:
> In function tmc_open(), if tmc_read_prepare() fails variable
> drvdata->read_count is not decremented, causing unwanted
> access to drvdata->buf and very likely, a crash dump.
>
> By moving the incrementation to a place where we know things
> are stable this kind of situation is avoided.
>
> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
> Reviewed-by: Suzuki K Poulose <Suzuki.Poulose@arm.com>
> ---
> drivers/hwtracing/coresight/coresight-tmc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hwtracing/coresight/coresight-tmc.c b/drivers/hwtracing/coresight/coresight-tmc.c
> index e8e12a9b917a..55806352b1f1 100644
> --- a/drivers/hwtracing/coresight/coresight-tmc.c
> +++ b/drivers/hwtracing/coresight/coresight-tmc.c
> @@ -121,13 +121,14 @@ static int tmc_open(struct inode *inode, struct file *file)
> struct tmc_drvdata, miscdev);
> int ret = 0;
>
On second thought, I think there could be a race here.
> - if (drvdata->read_count++)
> + if (drvdata->read_count)
> goto out;
>
> ret = tmc_read_prepare(drvdata);
> if (ret)
> return ret;
> out:
What prevents someone else doing a release() on the file when we get here, without
incrementing the read_count? Also, read_count accesses are not protected. It should
either be covered by the drvdata->spinlock or be converted to atomic.
> + drvdata->read_count++;
> nonseekable_open(inode, file);
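Review bot: After `out:`, `drvdata->read_count++` is no longer tied to the `if (drvdata->read_count)` test above it, and nothing in this hunk holds a lock across the two, so two tmc_open() callers can both read zero and both call tmc_read_prepare(). Suggest keeping the test, the prepare call and the increment in one critical section (the reply names drvdata->spinlock), with the decrement in the release path taken under the same lock.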
Cheers
Suzuki
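
The two interleavings the reply above asks about, as an added user-space model (not part of the original message and not code from the coresight driver). The struct, the function names and the assumption that the last release() invalidates the buffer are hypothetical stand-ins; the pthread mutex stands in for whichever lock the driver would use.

```c
/* Added user-space model, not driver code; names and release() behaviour are assumptions. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
struct model {
	int read_count, prepare_calls; /* read_count models drvdata->read_count */
	bool prepared;                 /* true while the trace buffer is valid */
	pthread_mutex_t lock;          /* the protection the reply asks for */
};
/* Patched open(), split at the point where another task can run in between. */
static bool open_check(struct model *m) { return m->read_count != 0; }
static void open_finish(struct model *m, bool was_open)
{
	if (!was_open) { m->prepared = true; m->prepare_calls++; }
	m->read_count++; /* the increment after "out:" */
}
static void release(struct model *m) { if (--m->read_count == 0) m->prepared = false; }
/* Two openers both pass the check before either one increments. */
static int race_double_prepare(void)
{
	struct model m = { .lock = PTHREAD_MUTEX_INITIALIZER };
	bool a = open_check(&m), b = open_check(&m);
	open_finish(&m, a); open_finish(&m, b);
	return m.prepare_calls;
}
/* release() lands between an opener's check and its increment. */
static bool race_open_vs_release(void)
{
	struct model m = { .lock = PTHREAD_MUTEX_INITIALIZER };
	open_finish(&m, open_check(&m)); /* reader A opens and prepares */
	bool b = open_check(&m);         /* B sees count 1, will skip prepare */
	release(&m);                     /* A closes: count 0, buffer gone */
	open_finish(&m, b);              /* B counts itself in anyway */
	return m.read_count == 1 && !m.prepared;
}
/* Fix: check, prepare and increment form one critical section. */
static void open_locked(struct model *m)
{
	pthread_mutex_lock(&m->lock);
	open_finish(m, open_check(m));
	pthread_mutex_unlock(&m->lock);
}
int main(void)
{
	struct model m = { .lock = PTHREAD_MUTEX_INITIALIZER };
	open_locked(&m); open_locked(&m);
	printf("%d %d %d\n", race_double_prepare(), race_open_vs_release(), m.prepare_calls);
	return 0;
}
```

In the model, release() would take the same lock as open_locked(); an atomic counter alone closes the lost-update problem but not the window between the check and the prepare call.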