On Thu, 29 Jun 2023 14:05:26 +0200, Wolfram Sang <wsa+renesas@xxxxxxxxxxxxxxxxxxxx> wrote:
> vm_dev has a separate lifecycle because it has a 'struct device'
> embedded. Thus, having a release callback for it is correct.
>
> Allocating the vm_dev struct with devres totally breaks this protection,
device? or driver?
And why?
> though. Instead of waiting for the vm_dev release callback, the memory
> is freed when the platform_device is removed. Resulting in a
> use-after-free when finally the callback is to be called.
Can we have the break stack?
Thanks.
>
> To easily see the problem, compile the kernel with
> CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
>
> The fix is easy, don't use devres in this case.
>
> Found during my research about object lifetime problems.
>
> Fixes: 7eb781b1bbb7 ("virtio_mmio: add cleanup for virtio_mmio_probe")
> Signed-off-by: Wolfram Sang <wsa+renesas@xxxxxxxxxxxxxxxxxxxx>
> ---
> drivers/virtio/virtio_mmio.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
> index a46a4a29e929..97760f611295 100644
> --- a/drivers/virtio/virtio_mmio.c
> +++ b/drivers/virtio/virtio_mmio.c
> @@ -607,9 +607,8 @@ static void virtio_mmio_release_dev(struct device *_d)
> struct virtio_device *vdev =
> container_of(_d, struct virtio_device, dev);
> struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
> - struct platform_device *pdev = vm_dev->pdev;
>
> - devm_kfree(&pdev->dev, vm_dev);
> + kfree(vm_dev);
> }
>
> /* Platform device */
> @@ -620,7 +619,7 @@ static int virtio_mmio_probe(struct platform_device *pdev)
> unsigned long magic;
> int rc;
>
> - vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
> + vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL);
> if (!vm_dev)
> return -ENOMEM;
>
> --
> 2.35.1
>
