* PCI dynamic id use after free?
@ 2016-04-07 17:15 Stephen Hemminger
2016-04-07 18:35 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Stephen Hemminger @ 2016-04-07 17:15 UTC (permalink / raw)
To: Greg KH; +Cc: linux-pci
I was looking at another PCI problem, and discovered this potential use
after kfree.
static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
struct pci_dev *dev)
{
struct pci_dynid *dynid;
const struct pci_device_id *found_id = NULL;
/* When driver_override is set, only bind to the matching driver */
if (dev->driver_override && strcmp(dev->driver_override, drv->name))
return NULL;
/* Look at the dynamic ids first, before the static ones */
spin_lock(&drv->dynids.lock);
list_for_each_entry(dynid, &drv->dynids.list, node) {
if (pci_match_one_device(&dynid->id, dev)) {
found_id = &dynid->id;
break;
}
}
spin_unlock(&drv->dynids.lock);
At this point found_id if matched (points into dynid) structure but the
lock has been dropped.
What prevents the ID from being removed by store_remvoe_id?
Looks like you need RCU (or ref counts here).
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: PCI dynamic id use after free?
2016-04-07 17:15 PCI dynamic id use after free? Stephen Hemminger
@ 2016-04-07 18:35 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2016-04-07 18:35 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: linux-pci
On Thu, Apr 07, 2016 at 10:15:59AM -0700, Stephen Hemminger wrote:
> I was looking at another PCI problem, and discovered this potential use
> after kfree.
>
> static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
> struct pci_dev *dev)
> {
> struct pci_dynid *dynid;
> const struct pci_device_id *found_id = NULL;
>
> /* When driver_override is set, only bind to the matching driver */
> if (dev->driver_override && strcmp(dev->driver_override, drv->name))
> return NULL;
>
> /* Look at the dynamic ids first, before the static ones */
> spin_lock(&drv->dynids.lock);
> list_for_each_entry(dynid, &drv->dynids.list, node) {
> if (pci_match_one_device(&dynid->id, dev)) {
> found_id = &dynid->id;
> break;
> }
> }
> spin_unlock(&drv->dynids.lock);
>
> At this point found_id if matched (points into dynid) structure but the
> lock has been dropped.
>
> What prevents the ID from being removed by store_remvoe_id?
Nothing, good catch. Luckily no one actually uses that interface :)
> Looks like you need RCU (or ref counts here).
Yes, or create a copy of the id and use that for the short period it is
in use. I don't have the time at the moment to fix this until next
week, if someone wants to write up a patch before then... :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-04-07 18:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-07 17:15 PCI dynamic id use after free? Stephen Hemminger
2016-04-07 18:35 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).