Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
On Tue, Nov 01, 2016 at 12:48:48PM -0400, David Miller wrote: > From: Johan Hovold> Date: Tue, 1 Nov 2016 17:42:25 +0100 > > > On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: > >> From: Johan Hovold > >> Date: Tue, 1 Nov 2016 12:03:35 +0100 > >> > >> > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > index 054a8dd23dae..589beb843f56 100644 > >> > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, > >> > phy_interface_t phy_mode, int slave) > >> > } > >> > > >> > dev = bus_find_device(_bus_type, NULL, node, match); > >> > +of_node_put(node); > >> > priv = dev_get_drvdata(dev); > >> > > >> > +put_device(dev); > >> > + > >> > priv->cpsw_phy_sel(priv, phy_mode, slave); > >> > } > >> > EXPORT_SYMBOL_GPL(cpsw_phy_sel); > >> > >> The only reference you have to 'dev' is the one obtained from the > >> bus_find_device() call, therefore you must at least hold onto > >> 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. > > > > As I mentioned in the commit message "...there is no guarantee that the > > devres-managed struct cpsw_phy_sel_priv will continue to be valid until > > this function returns regardless of this change". > > > > Specifically, holding a reference to dev does not prevent the > > cpsw_phy_sel driver from being unbound and priv from being freed. > > But you should at least hold onto the object while you call a function > pointer embedded in a data structure referred by it. But there is no such reference to be held (currently). While priv is valid (i.e. dev has a driver bound), driver core will hold a reference to dev. If someone unbinds the driver, priv will be gone long before dev and all bets are off anyway. So I released the reference to dev before dereferencing priv on purpose to avoid having someone make false assumptions about the lifetime of priv. Johan
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
On Tue, Nov 01, 2016 at 12:48:48PM -0400, David Miller wrote: > From: Johan Hovold > Date: Tue, 1 Nov 2016 17:42:25 +0100 > > > On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: > >> From: Johan Hovold > >> Date: Tue, 1 Nov 2016 12:03:35 +0100 > >> > >> > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > index 054a8dd23dae..589beb843f56 100644 > >> > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > >> > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, > >> > phy_interface_t phy_mode, int slave) > >> > } > >> > > >> > dev = bus_find_device(_bus_type, NULL, node, match); > >> > +of_node_put(node); > >> > priv = dev_get_drvdata(dev); > >> > > >> > +put_device(dev); > >> > + > >> > priv->cpsw_phy_sel(priv, phy_mode, slave); > >> > } > >> > EXPORT_SYMBOL_GPL(cpsw_phy_sel); > >> > >> The only reference you have to 'dev' is the one obtained from the > >> bus_find_device() call, therefore you must at least hold onto > >> 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. > > > > As I mentioned in the commit message "...there is no guarantee that the > > devres-managed struct cpsw_phy_sel_priv will continue to be valid until > > this function returns regardless of this change". > > > > Specifically, holding a reference to dev does not prevent the > > cpsw_phy_sel driver from being unbound and priv from being freed. > > But you should at least hold onto the object while you call a function > pointer embedded in a data structure referred by it. But there is no such reference to be held (currently). While priv is valid (i.e. dev has a driver bound), driver core will hold a reference to dev. If someone unbinds the driver, priv will be gone long before dev and all bets are off anyway. So I released the reference to dev before dereferencing priv on purpose to avoid having someone make false assumptions about the lifetime of priv. Johan
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
From: Johan HovoldDate: Tue, 1 Nov 2016 17:42:25 +0100 > On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: >> From: Johan Hovold >> Date: Tue, 1 Nov 2016 12:03:35 +0100 >> >> > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > b/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > index 054a8dd23dae..589beb843f56 100644 >> > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t >> > phy_mode, int slave) >> >} >> > >> >dev = bus_find_device(_bus_type, NULL, node, match); >> > + of_node_put(node); >> >priv = dev_get_drvdata(dev); >> > >> > + put_device(dev); >> > + >> >priv->cpsw_phy_sel(priv, phy_mode, slave); >> > } >> > EXPORT_SYMBOL_GPL(cpsw_phy_sel); >> >> The only reference you have to 'dev' is the one obtained from the >> bus_find_device() call, therefore you must at least hold onto >> 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. > > As I mentioned in the commit message "...there is no guarantee that the > devres-managed struct cpsw_phy_sel_priv will continue to be valid until > this function returns regardless of this change". > > Specifically, holding a reference to dev does not prevent the > cpsw_phy_sel driver from being unbound and priv from being freed. But you should at least hold onto the object while you call a function pointer embedded in a data structure referred by it.
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
From: Johan Hovold Date: Tue, 1 Nov 2016 17:42:25 +0100 > On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: >> From: Johan Hovold >> Date: Tue, 1 Nov 2016 12:03:35 +0100 >> >> > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > b/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > index 054a8dd23dae..589beb843f56 100644 >> > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c >> > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t >> > phy_mode, int slave) >> >} >> > >> >dev = bus_find_device(_bus_type, NULL, node, match); >> > + of_node_put(node); >> >priv = dev_get_drvdata(dev); >> > >> > + put_device(dev); >> > + >> >priv->cpsw_phy_sel(priv, phy_mode, slave); >> > } >> > EXPORT_SYMBOL_GPL(cpsw_phy_sel); >> >> The only reference you have to 'dev' is the one obtained from the >> bus_find_device() call, therefore you must at least hold onto >> 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. > > As I mentioned in the commit message "...there is no guarantee that the > devres-managed struct cpsw_phy_sel_priv will continue to be valid until > this function returns regardless of this change". > > Specifically, holding a reference to dev does not prevent the > cpsw_phy_sel driver from being unbound and priv from being freed. But you should at least hold onto the object while you call a function pointer embedded in a data structure referred by it.
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: > From: Johan Hovold> Date: Tue, 1 Nov 2016 12:03:35 +0100 > > > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > > index 054a8dd23dae..589beb843f56 100644 > > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t > > phy_mode, int slave) > > } > > > > dev = bus_find_device(_bus_type, NULL, node, match); > > + of_node_put(node); > > priv = dev_get_drvdata(dev); > > > > + put_device(dev); > > + > > priv->cpsw_phy_sel(priv, phy_mode, slave); > > } > > EXPORT_SYMBOL_GPL(cpsw_phy_sel); > > The only reference you have to 'dev' is the one obtained from the > bus_find_device() call, therefore you must at least hold onto > 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. As I mentioned in the commit message "...there is no guarantee that the devres-managed struct cpsw_phy_sel_priv will continue to be valid until this function returns regardless of this change". Specifically, holding a reference to dev does not prevent the cpsw_phy_sel driver from being unbound and priv from being freed. Thanks, Johan
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
On Tue, Nov 01, 2016 at 12:27:11PM -0400, David Miller wrote: > From: Johan Hovold > Date: Tue, 1 Nov 2016 12:03:35 +0100 > > > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > > index 054a8dd23dae..589beb843f56 100644 > > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t > > phy_mode, int slave) > > } > > > > dev = bus_find_device(_bus_type, NULL, node, match); > > + of_node_put(node); > > priv = dev_get_drvdata(dev); > > > > + put_device(dev); > > + > > priv->cpsw_phy_sel(priv, phy_mode, slave); > > } > > EXPORT_SYMBOL_GPL(cpsw_phy_sel); > > The only reference you have to 'dev' is the one obtained from the > bus_find_device() call, therefore you must at least hold onto > 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call. As I mentioned in the commit message "...there is no guarantee that the devres-managed struct cpsw_phy_sel_priv will continue to be valid until this function returns regardless of this change". Specifically, holding a reference to dev does not prevent the cpsw_phy_sel driver from being unbound and priv from being freed. Thanks, Johan
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
From: Johan HovoldDate: Tue, 1 Nov 2016 12:03:35 +0100 > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > index 054a8dd23dae..589beb843f56 100644 > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t > phy_mode, int slave) > } > > dev = bus_find_device(_bus_type, NULL, node, match); > + of_node_put(node); > priv = dev_get_drvdata(dev); > > + put_device(dev); > + > priv->cpsw_phy_sel(priv, phy_mode, slave); > } > EXPORT_SYMBOL_GPL(cpsw_phy_sel); The only reference you have to 'dev' is the one obtained from the bus_find_device() call, therefore you must at least hold onto 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call.
Re: [PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
From: Johan Hovold Date: Tue, 1 Nov 2016 12:03:35 +0100 > diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c > b/drivers/net/ethernet/ti/cpsw-phy-sel.c > index 054a8dd23dae..589beb843f56 100644 > --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c > +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c > @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t > phy_mode, int slave) > } > > dev = bus_find_device(_bus_type, NULL, node, match); > + of_node_put(node); > priv = dev_get_drvdata(dev); > > + put_device(dev); > + > priv->cpsw_phy_sel(priv, phy_mode, slave); > } > EXPORT_SYMBOL_GPL(cpsw_phy_sel); The only reference you have to 'dev' is the one obtained from the bus_find_device() call, therefore you must at least hold onto 'dev' until after the priv->cpsw_phy_sel(priv, phy_mode, slave); call.
[PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
Make sure to drop the references taken by of_get_child_by_name() and bus_find_device() before returning from cpsw_phy_sel(). Note that there is no guarantee that the devres-managed struct cpsw_phy_sel_priv will continue to be valid until this function returns regardless of this change. Fixes: 5892cd135e16 ("drivers: net: cpsw-phy-sel: Add new driver...") Signed-off-by: Johan Hovold--- drivers/net/ethernet/ti/cpsw-phy-sel.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c b/drivers/net/ethernet/ti/cpsw-phy-sel.c index 054a8dd23dae..589beb843f56 100644 --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t phy_mode, int slave) } dev = bus_find_device(_bus_type, NULL, node, match); + of_node_put(node); priv = dev_get_drvdata(dev); + put_device(dev); + priv->cpsw_phy_sel(priv, phy_mode, slave); } EXPORT_SYMBOL_GPL(cpsw_phy_sel); -- 2.7.3
[PATCH net 2/4] net: ethernet: ti: cpsw: fix device and of_node leaks
Make sure to drop the references taken by of_get_child_by_name() and bus_find_device() before returning from cpsw_phy_sel(). Note that there is no guarantee that the devres-managed struct cpsw_phy_sel_priv will continue to be valid until this function returns regardless of this change. Fixes: 5892cd135e16 ("drivers: net: cpsw-phy-sel: Add new driver...") Signed-off-by: Johan Hovold --- drivers/net/ethernet/ti/cpsw-phy-sel.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c b/drivers/net/ethernet/ti/cpsw-phy-sel.c index 054a8dd23dae..589beb843f56 100644 --- a/drivers/net/ethernet/ti/cpsw-phy-sel.c +++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c @@ -176,8 +176,11 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t phy_mode, int slave) } dev = bus_find_device(_bus_type, NULL, node, match); + of_node_put(node); priv = dev_get_drvdata(dev); + put_device(dev); + priv->cpsw_phy_sel(priv, phy_mode, slave); } EXPORT_SYMBOL_GPL(cpsw_phy_sel); -- 2.7.3