From 513b032c98b4b9414aa4e9b4a315cb1bf0380101 Mon Sep 17 00:00:00 2001 From: George Spelvin Date: Sun, 10 Feb 2013 04:08:32 -0500 Subject: pps: Add pps_lookup_dev() function The PPS serial line discipline wants to attach a PPS device to a tty without changing the tty code to add a struct pps_device * pointer. Since the number of PPS devices in a typical system is generally very low (n=1 is by far the most common), it's practical to search the entire list of allocated pps devices. (We capture the timestamp before the lookup, so the timing isn't affected.) It is a bit ugly that this function, which is part of the in-kernel PPS API, has to be in pps.c as opposed to kapi,c, but that's not something that affects users. Signed-off-by: George Spelvin Acked-by: Rodolfo Giometti Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/pps/pps.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'drivers/pps/pps.c') diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c index 2420d5af0583..a70e384262e5 100644 --- a/drivers/pps/pps.c +++ b/drivers/pps/pps.c @@ -352,10 +352,43 @@ free_idr: void pps_unregister_cdev(struct pps_device *pps) { + pps->lookup_cookie = NULL; device_destroy(pps_class, pps->dev->devt); cdev_del(&pps->cdev); } +/* + * Look up a pps device by magic cookie. + * The cookie is usually a pointer to some enclosing device, but this + * code doesn't care; you should never be dereferencing it. + * + * This is a bit of a kludge that is currently used only by the PPS + * serial line discipline. It may need to be tweaked when a second user + * is found. + * + * There is no function interface for setting the lookup_cookie field. + * It's initialized to NULL when the pps device is created, and if a + * client wants to use it, just fill it in afterward. + * + * The cookie is automatically set to NULL in pps_unregister_source() + * so that it will not be used again, even if the pps device cannot + * be removed from the idr due to pending references holding the minor + * number in use. + */ +struct pps_device *pps_lookup_dev(void const *cookie) +{ + struct pps_device *pps; + unsigned id; + + rcu_read_lock(); + idr_for_each_entry(&pps_idr, pps, id) + if (cookie == pps->lookup_cookie) + break; + rcu_read_unlock(); + return pps; +} +EXPORT_SYMBOL(pps_lookup_dev); + /* * Module stuff */ -- cgit v1.2.3 From d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Mon Sep 17 00:00:00 2001 From: George Spelvin Date: Tue, 12 Feb 2013 02:27:20 -0500 Subject: pps: Fix a use-after free bug when unregistering a source. Remove the cdev from the system (with cdev_del) *before* deallocating it (in pps_device_destruct, called via kobject_put from device_destroy). Also prevent deallocating a device with open file handles. A better long-term fix is probably to remove the cdev from the pps_device entirely, and instead have all devices reference one global cdev. Then the deallocation ordering becomes simpler. But that's more complex and invasive change, so we leave that for later. Signed-off-by: George Spelvin Cc: stable Acked-by: Rodolfo Giometti Signed-off-by: Greg Kroah-Hartman --- drivers/pps/pps.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'drivers/pps/pps.c') diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c index a70e384262e5..6437703eb10f 100644 --- a/drivers/pps/pps.c +++ b/drivers/pps/pps.c @@ -247,12 +247,15 @@ static int pps_cdev_open(struct inode *inode, struct file *file) struct pps_device *pps = container_of(inode->i_cdev, struct pps_device, cdev); file->private_data = pps; - + kobject_get(&pps->dev->kobj); return 0; } static int pps_cdev_release(struct inode *inode, struct file *file) { + struct pps_device *pps = container_of(inode->i_cdev, + struct pps_device, cdev); + kobject_put(&pps->dev->kobj); return 0; } @@ -274,8 +277,10 @@ static void pps_device_destruct(struct device *dev) { struct pps_device *pps = dev_get_drvdata(dev); - /* release id here to protect others from using it while it's - * still in use */ + cdev_del(&pps->cdev); + + /* Now we can release the ID for re-use */ + pr_debug("deallocating pps%d\n", pps->id); mutex_lock(&pps_idr_lock); idr_remove(&pps_idr, pps->id); mutex_unlock(&pps_idr_lock); @@ -332,6 +337,7 @@ int pps_register_cdev(struct pps_device *pps) goto del_cdev; } + /* Override the release function with our own */ pps->dev->release = pps_device_destruct; pr_debug("source %s got cdev (%d:%d)\n", pps->info.name, @@ -352,9 +358,9 @@ free_idr: void pps_unregister_cdev(struct pps_device *pps) { + pr_debug("unregistering pps%d\n", pps->id); pps->lookup_cookie = NULL; device_destroy(pps_class, pps->dev->devt); - cdev_del(&pps->cdev); } /* -- cgit v1.2.3