Re: races in drivers/usb/gadget/inode.c, leak fix in the same file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday 25 April 2006 11:20 pm, Al Viro wrote:

Thanks for the review/feedback.  The AIO interfaces have evidently
had some incompatible changes since that code was first written
(as turned up by Alan Stern's recent investigations), and it's
always had a few glitchey (but uncommon) corner cases.


> activate_ep_files() allocates a bunch of ep_data, creates inodes and
> dentries for them and sticks them into a cyclic list.  inode->u.generic_ip
> is set to created ep_data, refcount is 1.
> 
> destroy_ep_files() goes through that cyclic list, gets dentry from each
> ep_data on it and drops ep_data.  Then it kills dentry and inode by
>                 /* break link to dcache */
>                 mutex_lock (&parent->i_mutex);
>                 d_delete (dentry);
>                 dput (dentry);
>                 mutex_unlock (&parent->i_mutex);
> Tries to kill, anyway.  The thing is, ep_open() (->open() on that sucker)
> does

Hmm ... 


> static int
> ep_open (struct inode *inode, struct file *fd)
> {
>         struct ep_data          *data = inode->u.generic_ip;
>         int                     value = -EBUSY;
> 
>         if (down_interruptible (&data->lock) != 0)
>                 return -EINTR;
> followed eventually by pinning data (i.e. ep_data for that inode) down.
> 
> It's way too late - by the time we enter ep_open(), inode->u.generic_ip
> might be already pointing to freed memory.
> 
> AFAICS, the cheapest way to deal with that would be to set ->u.generic_ip
> to NULL before dropping ep_data in ep_destroy_files(), have that done
> under global spinlock and have ep_open() et.al. start with checking if
> the pointer is NULL under the same spinlock and grabbing a reference if
> it isn't.

Sounds right.  I'll look at it some more, and test.


> There's another question: opened files are opened; what protects them
> from gadgetfs_unbind() freeing ep->req while ep is still pinned down
> by an opened file?  We do not hold dev->lock or ep->lock there...

Controller drivers should have canceled all pending requests before
they call the unbind() method ... and must have completed them all by
the time ep_disable() returnes.  Two key invariants:  the controller
driver holds no more usb_request objects, and it won't accept any more
until after the unbind() completes and some new driver is bound.

Now, there are two I/O paths.  The AIO path dynamically allocates
the usb_request objects, one per kiocb, and deallocates them as soon
as the request completes.  So, no issue there.  And for synchronous
I/O paths, there's a task in ep_io() which holds the ep->lock ... and
the return paths there don't reference ep->req.


> One more: what protects dev->state?  I don't see any lock that would
> be held over all places that modify it.

It should be the spinlock.  You're right, there are a few dodgy
references there.  Those should get fixed ... fortunately changing
that is reasonably infrequent.


> Oh, and a trivial leak fix, while we are at it:
> 
> Subject: [PATCH] fix leak in activate_ep_files()

I'd prefer the slightly more comprehensive one from Alan Stern.
Even if they _are_ rare we might as well handle all of them!  :)

- Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux