On Mon, Nov 16, 2020 at 11:23:43AM -0800, Andrey Smirnov wrote:
> On Mon, Nov 16, 2020 at 12:44 AM Lukas Wunner <lukas@xxxxxxxxx> wrote:
> > If the call to devm_spi_register_master() fails on probe of the GPIO SPI
> > driver, the spi_master struct is erroneously not freed:
> >
> > After allocating the spi_master, its reference count is 1. The driver
> > unconditionally decrements the reference count on unbind using a devm
> > action. Before calling devm_spi_register_master(), the driver
> > unconditionally increments the reference count because on success,
> > that function will decrement the reference count on unbind. However on
> > failure, devm_spi_register_master() does *not* decrement the reference
> > count, so the spi_master is leaked.
>
> Not sure I fully understand this. On failure
> devm_spi_register_master() will return a negative error code which
> should result in probe failure and release of devres resource, right?
Yes, but that just decrements the refcount from 2 to 1:
/* refcount initialized to 1 */
master = spi_alloc_master(dev, sizeof(*spi_gpio));
...
/* refcount incremented to 2 */
return devm_spi_register_master(&pdev->dev, spi_master_get(master));
...
/* on failure of devm_spi_register_master(), refcount decremented to 1
by devres action */
spi_gpio_put()
> > The issue was introduced by commits 8b797490b4db ("spi: gpio: Make sure
> > spi_master_put() is called in every error path") and 79567c1a321e ("spi:
> > gpio: Use devm_spi_register_master()"), which sought to plug leaks
> > introduced by 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO
> > descriptors") but missed this remaining leak.
>
> That extra spi_master_get() that might be problematic was present in
> the code before 8b797490b4db ("spi: gpio: Make sure spi_master_put()
> is called in every error path") and I think was first introduced in
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers?h=v5.9-rc4&id=702a4879ec337463f858c8ab467482cce260bf18
>
> Or am I missing something?
The extra spi_master_get() was introduced by 79567c1a321e.
I don't see it in spi-gpio.c before that commit.
Its quite possible that I missed something myself, nobody's perfect.
But just from code inspection it seems wrong the way it is right now.
Shout if I failed to explain it properly and I'll try again. :)
Thanks,
Lukas
Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- From: Lukas Wunner <lukas@xxxxxxxxx>
- Date: Tue, 17 Nov 2020 00:03:39 +0100
- Cc: Mark Brown <broonie@xxxxxxxxxx>, linux-spi@xxxxxxxxxxxxxxx, Navid Emamdoost <navid.emamdoost@xxxxxxxxx>, Linus Walleij <linus.walleij@xxxxxxxxxx>
- In-reply-to: <CAHQ1cqHs+jTzp2dYx0cAosLaoBWXpmBivW5bPKbckS=un9k9SA@mail.gmail.com>
- References: <73adc6ba84a4f968f2e1499a776e5c928fbdde56.1605512876.git.lukas@wunner.de> <49102f5bbb3f1592d9cfd7b39ac5e131a031f950.1605512876.git.lukas@wunner.de> <CAHQ1cqHs+jTzp2dYx0cAosLaoBWXpmBivW5bPKbckS=un9k9SA@mail.gmail.com>
- User-agent: Mutt/1.10.1 (2018-07-13)
- Follow-Ups:
- Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- From: Andrey Smirnov
- Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- References:
- [PATCH for-5.10] spi: spi-geni-qcom: Fix use-after-free on unbind
- From: Lukas Wunner
- [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- From: Lukas Wunner
- Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- From: Andrey Smirnov
- [PATCH for-5.10] spi: spi-geni-qcom: Fix use-after-free on unbind
- Prev by Date: Re: [PATCH 04/32] spi: dw: Introduce polling device tree property
- Next by Date: Re: [PATCH v2] spi: cadence-quadspi: Fix error return code in cqspi_probe
- Previous by thread: Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- Next by thread: Re: [PATCH for-5.10] spi: gpio: Don't leak SPI master in probe error path
- Index(es):
 |