X-Patchwork-Submitter: Logan Gunthorpe
X-Patchwork-Id: 740478
From: Logan Gunthorpe
To: Greg Kroah-Hartman, Dan Williams, Hans Verkuil, Alexander Viro, Alexandre Belloni, Jason Gunthorpe, Johannes Thumshirn, Dmitry Torokhov, Linus Walleij, Jarkko Sakkinen, "James E.J. Bottomley", "Martin K. Petersen", David Woodhouse, Brian Norris, Boris Brezillon, Marek Vasut, Cyrille Pitchen
Cc: linux-pci@vger.kernel.org, linux-scsi@vger.kernel.org, rtc-linux@googlegroups.com, linux-mtd@lists.infradead.org, linux-media@vger.kernel.org, linux-iio@vger.kernel.org, linux-rdma@vger.kernel.org, linux-gpio@vger.kernel.org, linux-input@vger.kernel.org, linux-nvdimm@lists.01.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Logan Gunthorpe
Date: Fri, 17 Mar 2017 12:48:22 -0600
Message-Id: <1489776503-3151-16-git-send-email-logang@deltatee.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1489776503-3151-1-git-send-email-logang@deltatee.com>
References: <1489776503-3151-1-git-send-email-logang@deltatee.com>
Subject: [PATCH v5 15/16] scsi: utilize new cdev_device_add helper function

This driver did not set kobj.parent so it likely suffered from a potential use after free race if the user unregistered the device while it was in use. This was not so straightforward a conversion but I think this patch cleans up its probe's error path significantly.

This patch adds device_initialize, which is required for cdev_device_add. Then it switches to put_device instead of kfree as recommended by device_initialize's documentation. This removes a lot from the error path which was already in __remove. A couple things needed to be re-ordered to be entirely correct, though.

ida_remove is also moved out of __remove and into unregister to simplify things and follow the pattern other devices are using. This also drops an extra unnecessary get_device/put_device in the code.

Signed-off-by: Logan Gunthorpe

--- drivers/scsi/osd/osd_uld.c | 56 +++++++++++++++++----------------------------- 1 file changed, 20 insertions(+), 36 deletions(-) diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c index e0ce5d2..4101c31 100644 --- a/drivers/scsi/osd/osd_uld.c +++ b/drivers/scsi/osd/osd_uld.c @@ -400,9 +400,6 @@ static void __remove(struct device *dev) kfree(oud->odi.osdname); - if (oud->cdev.owner) - cdev_del(&oud->cdev); - osd_dev_fini(&oud->od); scsi_device_put(scsi_device); @@ -411,7 +408,6 @@ static void __remove(struct device *dev) if (oud->disk) put_disk(oud->disk); - ida_remove(&osd_minor_ida, oud->minor); kfree(oud); } 
@@ -446,8 +442,20 @@ static int osd_probe(struct device *dev) if (NULL == oud) goto err_retract_minor; + /* class device member */ + device_initialize(&oud->class_dev); dev_set_drvdata(dev, oud); oud->minor = minor; + oud->class_dev.devt = MKDEV(SCSI_OSD_MAJOR, oud->minor); + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; + + /* hold one more reference to the scsi_device that will get released + * in __release, in case a logout is happening while fs is mounted + */ + scsi_device_get(scsi_device); + osd_dev_init(&oud->od, scsi_device); /* allocate a disk and set it up */ /* FIXME: do we need this since sg has already done that */ 
@@ -461,59 +469,34 @@ static int osd_probe(struct device *dev) sprintf(disk->disk_name, "osd%d", oud->minor); oud->disk = disk; - /* hold one more reference to the scsi_device that will get released - * in __release, in case a logout is happening while fs is mounted - */ - scsi_device_get(scsi_device); - osd_dev_init(&oud->od, scsi_device); - /* Detect the OSD Version */ error = __detect_osd(oud); if (error) { OSD_ERR("osd detection failed, non-compatible OSD device\n"); - goto err_put_disk; + goto err_free_osd; } /* init the char-device for communication with user-mode */ cdev_init(&oud->cdev, &osd_fops); oud->cdev.owner = THIS_MODULE; - error = cdev_add(&oud->cdev, - MKDEV(SCSI_OSD_MAJOR, oud->minor), 1); - if (error) { - OSD_ERR("cdev_add failed\n"); - goto err_put_disk; - } - /* class device member */ - oud->class_dev.devt = oud->cdev.dev; - oud->class_dev.class = &osd_uld_class; - oud->class_dev.parent = dev; - oud->class_dev.release = __remove; error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); if (error) { OSD_ERR("dev_set_name failed => %d\n", error); - goto err_put_cdev; + goto err_free_osd; } - error = device_register(&oud->class_dev); + error = cdev_device_add(&oud->cdev, &oud->class_dev); if (error) { OSD_ERR("device_register failed => %d\n", error); - goto err_put_cdev; + goto err_free_osd; } - get_device(&oud->class_dev); - OSD_INFO("osd_probe %s\n", disk->disk_name); return 0; -err_put_cdev: - cdev_del(&oud->cdev); -err_put_disk: - scsi_device_put(scsi_device); - put_disk(disk); err_free_osd: - dev_set_drvdata(dev, NULL); - kfree(oud); + put_device(&oud->class_dev); err_retract_minor: ida_remove(&osd_minor_ida, minor); return error; @@ -530,9 +513,10 @@ static int osd_remove(struct device *dev) scsi_device); } - device_unregister(&oud->class_dev); - + cdev_device_del(&oud->cdev, &oud->class_dev); + ida_remove(&osd_minor_ida, oud->minor); put_device(&oud->class_dev); + return 0; }
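
Review bot: In the osd_probe hunk at -446, the moved comment still says the extra scsi_device reference "will get released in __release", while the release callback assigned just above it is __remove; since the comment is being relocated anyway, it should name __remove. The return value of scsi_device_get(scsi_device) is also ignored at this point. With this patch every later failure goes through put_device and therefore through __remove, whose context in the first hunk shows an unconditional scsi_device_put(scsi_device), so a failed get would be followed by an unmatched put. Suggest checking the return value and failing the probe on a path that does not reach that put.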
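
Review bot: In the osd_probe hunk at -461, the message under the new cdev_device_add call still reads OSD_ERR("device_register failed => %d\n", error); it should name cdev_device_add so a failure in the log points at the right call. In the same hunk, err_free_osd now frees oud through put_device and then falls through to err_retract_minor; that is only safe because ida_remove there takes the local minor and not oud->minor. A short comment at the label stating that oud must not be touched after put_device would keep a later edit from turning this into a use after free.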
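
Review bot: In the osd_remove hunk, the put_device(&oud->class_dev) that is kept now balances device_initialize in osd_probe rather than the get_device this patch deletes, and it can be the call that frees oud via __remove. A one-line comment saying so would document why ida_remove(&osd_minor_ida, oud->minor) has to stay above it, since reading oud->minor after the put would be a use after free of the kind the commit message sets out to fix.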