Re: [PATCH] driver core: fix race between creating/querying glue dir and its cleanup

From: Jason Hrycay
Date: Tue Jun 21 2016 - 12:55:39 EST

Next message: Tejun Heo: "[PATCH] memcg: css_alloc should return an ERR_PTR value on error"
Previous message: Stephan Mueller: "Re: [Y2038] [PATCH] crypto: use timespec64 for jent_get_nstime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Ming/Chandrasekhar,

Chandra Sekhar Lingutla <clingutla <at> codeaurora.org> writes:

>
> Hi Ming,
>
> [...]
> > +static inline bool live_in_glue_dir(struct kobject *kobj,
> > + struct device *dev)
> > +{
> > + if (!kobj || !dev->class ||
> > + kobj->kset != &dev->class->p->glue_dirs)
> > + return true;
> > + return false;
> > +}
> I think we should return false if kobj->kset != &dev->class->p->glue_dirs.
> If kboj->kset points to dev->class->p->glue_dirs, then we live in glue dir.
> So logic should be:
> if (!kobj || !dev->class ||
> kobj->kset != &dev->class->p->glue_dirs)
> return false;
> return true;
>
> > +
> > +static inline struct kobject *get_glue_dir(struct device *dev)
> > +{
> > + if (live_in_glue_dir(&dev->kobj, dev))
> > + return dev->kobj.parent;
> > + return NULL;
> > +}

I don't think we should be checking the live_in_glue_dir on dev->kobj above,
but rather, dev->kobj.parent. That being said, I don't think the check is
even needed as it's going to be re-checked in the cleanup_glue_dir.

The issue is, if we fail the 'live_in_glue_dir' check on the dev->kobj, we'll
return NULL and subsequently fail to kobject_put the dev->kobj.parent in the
cleanup_glue_dir function, leaking a reference.

> [snip]

Regards,
Jason Hrycay
jason.hrycay@xxxxxxxxxxxx

Next message: Tejun Heo: "[PATCH] memcg: css_alloc should return an ERR_PTR value on error"
Previous message: Stephan Mueller: "Re: [Y2038] [PATCH] crypto: use timespec64 for jent_get_nstime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]