From: Dan Carpenter <dan.carpenter@oracle.com>
To: Won Kang <wkang77@gmail.com>
Cc: linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
joe@perches.co, gregkh@linuxfoundation.org,
Won Kang <wonkang@gctsemi.com>,
sachin.kamat@linaro.org
Subject: Re: [PATCH] staging: gdm7240: a TTY rewrite according to the latest TTY APIs
Date: Fri, 9 Aug 2013 13:57:54 +0300 [thread overview]
Message-ID: <20130809105754.GJ5502@mwanda> (raw)
In-Reply-To: <1376036357-7216-1-git-send-email-wonkang@gctsemi.com>
Whenever I see "rewrite" in the subject, my first reaction is to
start typing, "Please break this big patch up into a series of small
patches". In this case, I guess it's hard to do that so you're ok.
I do wish you had put the variable renaming into a separate patch
though.
On Fri, Aug 09, 2013 at 05:19:17PM +0900, Won Kang wrote:
> Removed the old style reference countings and termios.
I guess this is clear but if you wanted to say some more comments
about this in the change log that would be nice as well.
> Renamed variables to meaninful ones.
>
> Signed-off-by: Won Kang <wonkang@gctsemi.com>
This signed-off-by doesn't match the email address where the patch
was sent.
> +static void gdm_port_destruct(struct tty_port *port)
> +{
> + struct gdm *gdm = container_of(port, struct gdm, port);
> +
> + mutex_lock(&gdm_table_lock);
> + gdm_table[gdm->index][gdm->minor] = NULL;
> + mutex_unlock(&gdm_table_lock);
> +
> + kfree(gdm);
We only take the lock when we are getting the "gdm" pointer from the
gdm_table. We release the lock as soon as we have our pointer but
we still are using it after we have released the lock. In other
words:
mutex_lock(&gdm_table_lock);
gdm = gdm_table[index][minor];
mutex_unlock(&gdm_table_lock);
if (!GDM_TTY_READY(gdm)) { <-- we have released the lock
but we are still using the
pointer.
So this could be a use after free bug here. I haven't followed
through to actaully see how this is called, this sort of locking is
a common bug.
> + gdm = kmalloc(sizeof(struct gdm), GFP_KERNEL);
> + if (!gdm)
> + return -ENOMEM;
>
> -int register_lte_tty_device(struct tty_dev *tty_dev, struct device *dev)
> -{
> - struct tty_str *tty_str;
> - int i, j;
> + mutex_lock(&gdm_table_lock);
>
> - for (i = 0; i < TTY_MAX_COUNT; i++) {
> for (j = 0; j < GDM_TTY_MINOR; j++) {
> - if (!g_tty_str[i][j])
> + if (!gdm_table[i][j])
> break;
> }
>
> if (j == GDM_TTY_MINOR) {
> - tty_dev->minor[i] = j;
> - return -1;
> + tty_dev->minor[i] = GDM_TTY_MINOR;
> + mutex_unlock(&gdm_table_lock);
> + return -EINVAL;
Static checkers will complain that we need to kfree(gdm) here. It's
unlikely that this affects real life, but it's good to be pedantic.
regards,
dan carpenter
next prev parent reply other threads:[~2013-08-09 10:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-09 8:19 [PATCH] staging: gdm7240: a TTY rewrite according to the latest TTY APIs Won Kang
2013-08-09 10:57 ` Dan Carpenter [this message]
2013-08-13 10:46 ` [PATCH v2] " Won Kang
2013-08-14 21:12 ` Greg KH
2013-08-16 4:13 ` [PATCH 1/2] " Won Kang
2013-08-16 4:13 ` [PATCH 2/2] " Won Kang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130809105754.GJ5502@mwanda \
--to=dan.carpenter@oracle.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=joe@perches.co \
--cc=linux-kernel@vger.kernel.org \
--cc=sachin.kamat@linaro.org \
--cc=wkang77@gmail.com \
--cc=wonkang@gctsemi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox