Re: spi: Add call to spi_slave_abort() function when spidev driver is released

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Geert,

> Hi Lukasz,
> 
> On Thu, Sep 26, 2019 at 12:14 PM Lukasz Majewski <lukma@xxxxxxx>
> wrote:
> > > Static analysis with Coverity has detected an potential
> > > dereference of a free'd object with commit:
> > >
> > > commit 9f918a728cf86b2757b6a7025e1f46824bfe3155
> > > Author: Lukasz Majewski <lukma@xxxxxxx>
> > > Date:   Wed Sep 25 11:11:42 2019 +0200
> > >
> > >     spi: Add call to spi_slave_abort() function when spidev
> > > driver is released
> > >
> > > In spidev_release() in drivers/spi/spidev.c the analysis is as
> > > follows:
> > >
> > > 600static int spidev_release(struct inode *inode, struct file
> > > *filp) 601{
> > > 602        struct spidev_data      *spidev;
> > > 603
> > > 604        mutex_lock(&device_list_lock);
> > >
> > >    1. alias: Assigning: spidev = filp->private_data. Now both
> > > point to the same storage.
> > >
> > > 605        spidev = filp->private_data;
> > > 606        filp->private_data = NULL;
> > > 607
> > > 608        /* last close? */
> > > 609        spidev->users--;
> > >
> > >    2. Condition !spidev->users, taking true branch.
> > >
> > > 610        if (!spidev->users) {
> > > 611                int             dofree;
> > > 612
> > > 613                kfree(spidev->tx_buffer);
> > > 614                spidev->tx_buffer = NULL;
> > > 615
> > > 616                kfree(spidev->rx_buffer);
> > > 617                spidev->rx_buffer = NULL;
> > > 618
> > > 619                spin_lock_irq(&spidev->spi_lock);
> > >
> > >    3. Condition spidev->spi, taking false branch.
> > >
> > > 620                if (spidev->spi)
> > > 621                        spidev->speed_hz =
> > > spidev->spi->max_speed_hz; 622
> > > 623                /* ... after we unbound from the underlying
> > > device? */
> > >
> > >    4. Condition spidev->spi == NULL, taking true branch.
> > >
> > > 624                dofree = (spidev->spi == NULL);
> > > 625                spin_unlock_irq(&spidev->spi_lock);
> > > 626
> > >
> > >    5. Condition dofree, taking true branch.
> > >
> > > 627                if (dofree)
> > >
> > >    6. freed_arg: kfree frees spidev.
> > >
> > > 628                        kfree(spidev);
> > > 629        }
> > > 630#ifdef CONFIG_SPI_SLAVE
> > >
> > >    CID 89726 (#1 of 1): Read from pointer after free
> > > (USE_AFTER_FREE) 7. deref_after_free: Dereferencing freed pointer
> > > spidev.
> > >
> > > 631        spi_slave_abort(spidev->spi);
> > > 632#endif
> > > 633        mutex_unlock(&device_list_lock);
> > > 634
> > > 635        return 0;
> > > 636}
> > >
> > > The call to spi_slave_abort() on spidev is reading an earlier
> > > kfree'd spidev.  
> >
> > Thanks for spotting this issue - indeed there is a possibility to
> > use spidev after being kfree'd.  
> 
> Worse, this makes me realize spidev->spi may be a NULL pointer, which
> will be dereferenced by spi_slave_abort(), so caching it before the
> call to kfree() won't work.
> 

The patch as it is now can be fixed as follows:

static int spidev_release(struct inode *inode, struct file *filp)
{
	struct spidev_data	*spidev;

	mutex_lock(&device_list_lock);
	spidev = filp->private_data;
	filp->private_data = NULL;

#ifdef CONFIG_SPI_SLAVE
	if (spidev->spi)
		spi_slave_abort(spidev->spi);
#endif

	/* last close? */
	spidev->users--;
	if (!spidev->users) {
		int dofree;

		/* free buffers */

		spin_lock_irq(&spidev->spi_lock);
		if (spidev->spi)
			spidev->speed_hz = spidev->spi->max_speed_hz;

		/* ... after we unbound from the underlying device? */
		//
		// [*]
		//
		dofree = (spidev->spi == NULL);
		spin_unlock_irq(&spidev->spi_lock);

		if (dofree)
			kfree(spidev);
	}

	mutex_unlock(&device_list_lock);

	return 0;
}

The question is if we shall call the spi_slave_abort() when cleaning up
spi after releasing last reference, or each time release callback is
called ?

> > However, Geert (CC'ed) had some questions about placement of this
> > function call, so I will wait with providing fix until he replies.  
> 
> Seems like this needs more thought...

Could you be more specific? 

Do you mean to move the spi_slave_abort() call just before dofree
evaluation ? ([*]).

> 
> Gr{oetje,eeting}s,
> 
>                         Geert
> 




Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma@xxxxxxx

Attachment: pgpgt9ooAxlQ5.pgp
Description: OpenPGP digital signature


[Index of Archives]     [Linux Kernel]     [Linux ARM (vger)]     [Linux ARM MSM]     [Linux Omap]     [Linux Arm]     [Linux Tegra]     [Fedora ARM]     [Linux for Samsung SOC]     [eCos]     [Linux Fastboot]     [Gcc Help]     [Git]     [DCCP]     [IETF Announce]     [Security]     [Linux MIPS]     [Yosemite Campsites]

  Powered by Linux