RE: [PATCH v3 4/5] i3c: add i3cdev module to expose i3c dev in /dev

[Vitor Soares]

Hi Boris,

From: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>
Date: Fri, Feb 21, 2020 at 22:32:16

> On Wed, 19 Feb 2020 01:20:42 +0100
> Vitor Soares <Vitor.Soares@xxxxxxxxxxxx> wrote:
> 
> > +static int i3cdev_detach(struct device *dev, void *dummy)
> > +{
> > +	struct i3cdev_data *i3cdev;
> > +	struct i3c_device *i3c;
> > +
> > +	if (dev->type == &i3c_masterdev_type)
> > +		return 0;
> > +
> > +	i3c = dev_to_i3cdev(dev);
> > +
> > +	i3cdev = i3cdev_get_drvdata(i3c);
> > +	if (!i3cdev)
> > +		return 0;
> > +
> > +	/* Prevent transfers while cdev removal */
> > +	mutex_lock(&i3cdev->xfer_lock);
> > +	cdev_del(&i3cdev->cdev);
> 
> When cdev_del() returns there might be opened FDs pointing to your
> i3cdev [1] ...

Yes, I know. I protected the driver part but I missed the 
file->private_data.

> 
> > +	device_destroy(i3cdev_class, MKDEV(MAJOR(i3cdev_number), i3cdev->id));
> > +	mutex_unlock(&i3cdev->xfer_lock);
> > +
> > +	ida_simple_remove(&i3cdev_ida, i3cdev->id);
> > +	put_i3cdev(i3cdev);
> 
> ... and you call put_i3cdev() here which frees the i3cdev object,
> leading to potential use-after-free if any of the fops (ioctl, read,
> write) are called on those dangling FDs. That's exactly the kind of
> nightmare I'd like to avoid.
> 
> > +
> > +	pr_debug("i3cdev: device [%s] unregistered\n", dev_name(&i3c->dev));
> > +
> > +	return 0;
> > +}
> > +
> 
> [1]https://urldefense.proofpoint.com/v2/url?u=https-3A__elixir.bootlin.com_linux_latest_source_fs_char-5Fdev.c-23L587&d=DwICAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=qVuU64u9x77Y0Kd0PhDK_lpxFgg6PK9PateHwjb_DY0&m=tn0F5CeiGtvih3B93GkstU1b2CzoxKklNq4vIvshH8I&s=FwSMjJ-YZFPUB6WCQM0KnFqFSVKp5KdKHdqSiu_0ycU&e=