| Message ID | 2cafa0607ca171ebd00ac6c7e073b46808e24f00.1640537669.git.christophe.jaillet@wanadoo.fr |
|---|---|
| State | New |
| Series | fsi: Aspeed: Fix a potential double free |
On 27/12/2021 at 07:29, Greg KH wrote:
> On Sun, Dec 26, 2021 at 05:56:02PM +0100, Christophe JAILLET wrote:
>> 'aspeed' is devm_alloc'ed, so there is no need to free it explicitly or
>> there will be a double free().
>
> A struct device can never be devm_alloced for obvious reasons. Perhaps
> that is the real problem here?

Thanks for the feedback.

This goes beyond my knowledge of how this should work. As I can not test myself, I won't be of any help.
I'll let you or anyone else check if something needs to be fixed, and how to fix it properly.

Just take my patch as a "Hey! Looks strange to have a kfree() in a driver that only calls devm_kzalloc() to allocate memory. Someone should give a deeper look at it". :)

CJ

>
>> Remove the 'release' function that is wrong and unneeded.
>>
>> Fixes: 606397d67f41 ("fsi: Add ast2600 master driver")
>> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>> ---
>> This patch is completely theoretical. It looks good to me, but there are a
>> few too many indirections for me. I'm also not that familiar with
>> fixing issues related to the 'release' function...
>>
>> ... So review with care :)
>> ---
>>  drivers/fsi/fsi-master-aspeed.c | 9 ---------
>>  1 file changed, 9 deletions(-)
>>
>> diff --git a/drivers/fsi/fsi-master-aspeed.c b/drivers/fsi/fsi-master-aspeed.c
>> index 8606e55c1721..4a745ccb60cf 100644
>> --- a/drivers/fsi/fsi-master-aspeed.c
>> +++ b/drivers/fsi/fsi-master-aspeed.c
>> @@ -373,14 +373,6 @@ static int aspeed_master_break(struct fsi_master *master, int link)
>>  	return aspeed_master_write(master, link, 0, addr, &cmd, 4);
>>  }
>>
>> -static void aspeed_master_release(struct device *dev)
>> -{
>> -	struct fsi_master_aspeed *aspeed =
>> -		to_fsi_master_aspeed(dev_to_fsi_master(dev));
>> -
>> -	kfree(aspeed);
>> -}
>> -
>>  /* mmode encoders */
>>  static inline u32 fsi_mmode_crs0(u32 x)
>>  {
>> @@ -603,7 +595,6 @@ static int fsi_master_aspeed_probe(struct platform_device *pdev)
>>  	dev_info(&pdev->dev, "hub version %08x (%d links)\n", reg, links);
>>
>>  	aspeed->master.dev.parent = &pdev->dev;
>> -	aspeed->master.dev.release = aspeed_master_release;
>
> Odd, then what deletes this device structure when the release function
> wants to be called? You should have gotten a big warning from the
> kernel when removing the device from the system at runtime, did you test
> this somehow?
>
> This does not look correct at all.
>
> greg k-h
>
On 06/01/2022 at 18:25, Guenter Roeck wrote:
> On 1/6/22 12:14 AM, Dan Carpenter wrote:
>> On Mon, Dec 27, 2021 at 07:29:07AM +0100, Greg KH wrote:
>>> On Sun, Dec 26, 2021 at 05:56:02PM +0100, Christophe JAILLET wrote:
>>>> 'aspeed' is devm_alloc'ed, so there is no need to free it
>>>> explicitly or
>>>> there will be a double free().
>>>
>>> A struct device can never be devm_alloced for obvious reasons. Perhaps
>>> that is the real problem here?
>>>
>>
>> I don't understand how "aspeed" is a struct device.
>>
>
> -static void aspeed_master_release(struct device *dev)
> -{
> -	struct fsi_master_aspeed *aspeed =
> -		to_fsi_master_aspeed(dev_to_fsi_master(dev));
> -
> -	kfree(aspeed);
> -}
>
> So "dev" is embedded in struct fsi_master, and struct fsi_master is embedded
> in struct fsi_master_aspeed. Since "struct device" is embedded, the data
> structure embedding it must be released with the release function, as is done
> here. The problem is indeed that the data structure is allocated with
> devm_kzalloc(), which as Greg points out must not be devm_ allocated
> (because its lifetime does not match the lifetime of devm_ allocated
> memory).

Thanks a lot for the detailed explanation. Crystal clear for me now.

Do you want me to send a patch to remove the devm_ or will you?

CJ

>
>> I've been working on understanding device managed memory recently for
>> Smatch. It's really complicated. There are a bunch of rules/heuristics
>> that I'm slowly creating to generate new warnings but I'm a long way
>> from understanding it well myself.
>>
>
> A data structure embedding struct device must not be devm_ allocated,
> and it must be released with the release callback. Maybe there is
> a means to flag that somehow?
>
> Guenter
>
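A user-space model of the rule Guenter states above, added here as an example; it is not code from the thread or from the fsi-master-aspeed driver. The struct names mirror the driver, but struct device, put_device(), container_of() and the devm/kzalloc behaviour are simplified stand-ins, and the probe/unbind sequence is a constructed scenario in which another holder still references the master device when the driver unbinds.

```c
#include <stdlib.h>
#include <stddef.h>
/* container_of() as in the kernel: pointer to a member -> pointer to the outer struct. */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

struct device {                          /* stand-in: refcount plus release callback */
	int refcount;
	void (*release)(struct device *dev);
};
struct fsi_master { struct device dev; };               /* embedding as in the driver */
struct fsi_master_aspeed { struct fsi_master master; };

static int frees, double_frees, devm_freed;            /* model bookkeeping */

/* Last reference dropped: the device core runs the release callback. */
static void put_device(struct device *dev)
{
	if (--dev->refcount == 0 && dev->release)
		dev->release(dev);
}

/* The driver's release path: dev -> fsi_master -> fsi_master_aspeed -> kfree(). */
static void aspeed_master_release(struct device *dev)
{
	struct fsi_master *m = container_of(dev, struct fsi_master, dev);
	struct fsi_master_aspeed *aspeed = container_of(m, struct fsi_master_aspeed, master);
	if (devm_freed) {            /* devm already freed it at unbind: a real kfree() here */
		double_frees++;      /* would be the double free, so count it instead */
		return;
	}
	free(aspeed);                /* kfree() in the kernel */
	frees++;
}

/* Probe, an outside holder taking a reference, driver unbind, holder dropping it.
 * use_devm=1 models devm_kzalloc() (the driver as it stands), 0 models kzalloc().
 * Returns 1 when exactly one free happened, 0 otherwise. */
int lifetime_ok(int use_devm)
{
	struct fsi_master_aspeed *aspeed = calloc(1, sizeof(*aspeed)); /* (devm_)kzalloc() */
	frees = double_frees = devm_freed = 0;
	aspeed->master.dev.refcount = 1;                   /* device_initialize() */
	aspeed->master.dev.release = aspeed_master_release;
	aspeed->master.dev.refcount++;                     /* e.g. an open file: get_device() */
	put_device(&aspeed->master.dev);                   /* unbind: driver drops its reference */
	if (use_devm)
		devm_freed = 1;      /* devm frees the struct now, while dev is still referenced */
	put_device(&aspeed->master.dev);                   /* holder's last put -> release() */
	if (double_frees)
		free(aspeed);        /* tidy up the model's own allocation */
	return frees == 1 && double_frees == 0;
}
```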
diff --git a/drivers/fsi/fsi-master-aspeed.c b/drivers/fsi/fsi-master-aspeed.c index 8606e55c1721..4a745ccb60cf 100644 --- a/drivers/fsi/fsi-master-aspeed.c +++ b/drivers/fsi/fsi-master-aspeed.c @@ -373,14 +373,6 @@ static int aspeed_master_break(struct fsi_master *master, int link) return aspeed_master_write(master, link, 0, addr, &cmd, 4); } -static void aspeed_master_release(struct device *dev) -{ - struct fsi_master_aspeed *aspeed = - to_fsi_master_aspeed(dev_to_fsi_master(dev)); - - kfree(aspeed); -} - /* mmode encoders */ static inline u32 fsi_mmode_crs0(u32 x) { @@ -603,7 +595,6 @@ static int fsi_master_aspeed_probe(struct platform_device *pdev) dev_info(&pdev->dev, "hub version %08x (%d links)\n", reg, links); aspeed->master.dev.parent = &pdev->dev; - aspeed->master.dev.release = aspeed_master_release; aspeed->master.dev.of_node = of_node_get(dev_of_node(&pdev->dev)); aspeed->master.n_links = links;
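Review bot: removing aspeed_master_release() in the first hunk leaves the struct device embedded in struct fsi_master_aspeed with no owner to free the structure around it; as Guenter explains in the thread, a structure that embeds struct device must be freed from that device's release callback, so the callback should stay and the allocation in probe should move from devm_kzalloc() to kzalloc() instead. The double free the commit message worries about is real, but it is the devm_kzalloc() side that is wrong, not the kfree() in release.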
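Review bot: dropping `aspeed->master.dev.release = aspeed_master_release;` in the second hunk leaves release NULL, so when the last reference to the master device is put the device core has nothing to run and emits the warning Greg refers to, and the memory is then freed only by devm at unbind regardless of whether other references to the device are still outstanding. Keep this assignment; the change belongs in the allocation, not in the release wiring.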
'aspeed' is devm_alloc'ed, so there is no need to free it explicitly or
there will be a double free().

Remove the 'release' function that is wrong and unneeded.

Fixes: 606397d67f41 ("fsi: Add ast2600 master driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
This patch is completely theoretical. It looks good to me, but there are a
few too many indirections for me. I'm also not that familiar with
fixing issues related to the 'release' function...

... So review with care :)
---
 drivers/fsi/fsi-master-aspeed.c | 9 ---------
 1 file changed, 9 deletions(-)