Message ID | 1487653253-11497-14-git-send-email-logang@deltatee.com (mailing list archive) |
---|---|
State | New, archived |
On 02/21/2017 07:00 AM, Logan Gunthorpe wrote:
> Note: the chardev instance in osd_uld.c originally did not set the kobject parent. Thus, I'm reasonably confident that because of this, this code would have suffered from a minor use after free bug if the cdev was open when the backing device was released.
>
> Signed-off-by: Logan Gunthorpe <logang@deltatee.com>

Cool thanks. And even a bug fix

ACK-by: Boaz Harrosh <ooo@electrozaur.com>

> ---
> drivers/scsi/osd/osd_uld.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c > index 243eab3..519be56 100644 > --- a/drivers/scsi/osd/osd_uld.c > +++ b/drivers/scsi/osd/osd_uld.c > @@ -473,18 +473,19 @@ static int osd_probe(struct device *dev) > goto err_put_disk; > } > > + device_initialize(&oud->class_dev); > + oud->class_dev.devt = MKDEV(SCSI_OSD_MAJOR, oud->minor); > + > /* init the char-device for communication with user-mode */ > cdev_init(&oud->cdev, &osd_fops); > oud->cdev.owner = THIS_MODULE; > - error = cdev_add(&oud->cdev, > - MKDEV(SCSI_OSD_MAJOR, oud->minor), 1); > + error = device_add_cdev(&oud->class_dev, &oud->cdev); > if (error) { > OSD_ERR("cdev_add failed\n"); > goto err_put_disk; > } > > /* class device member */ > - oud->class_dev.devt = oud->cdev.dev; > oud->class_dev.class = &osd_uld_class; > oud->class_dev.parent = dev; > oud->class_dev.release = __remove; > @@ -494,7 +495,7 @@ static int osd_probe(struct device *dev) > goto err_put_cdev; > } > > - error = device_register(&oud->class_dev); > + error = device_add(&oud->class_dev); > if (error) { > OSD_ERR("device_register failed => %d\n", error); > goto err_put_cdev;
diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c index 243eab3..519be56 100644 --- a/drivers/scsi/osd/osd_uld.c +++ b/drivers/scsi/osd/osd_uld.c @@ -473,18 +473,19 @@ static int osd_probe(struct device *dev) goto err_put_disk; } + device_initialize(&oud->class_dev); + oud->class_dev.devt = MKDEV(SCSI_OSD_MAJOR, oud->minor); + /* init the char-device for communication with user-mode */ cdev_init(&oud->cdev, &osd_fops); oud->cdev.owner = THIS_MODULE; - error = cdev_add(&oud->cdev, - MKDEV(SCSI_OSD_MAJOR, oud->minor), 1); + error = device_add_cdev(&oud->class_dev, &oud->cdev); if (error) { OSD_ERR("cdev_add failed\n"); goto err_put_disk; } /* class device member */ - oud->class_dev.devt = oud->cdev.dev; oud->class_dev.class = &osd_uld_class; oud->class_dev.parent = dev; oud->class_dev.release = __remove; @@ -494,7 +495,7 @@ static int osd_probe(struct device *dev) goto err_put_cdev; } - error = device_register(&oud->class_dev); + error = device_add(&oud->class_dev); if (error) { OSD_ERR("device_register failed => %d\n", error); goto err_put_cdev;
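Review bot: in the first hunk (@@ -473,18 +473,19 @@), the failure branch after the new device_add_cdev() call still logs "cdev_add failed\n", which names a function that is no longer called and, unlike the later message, omits the error code; suggest OSD_ERR("device_add_cdev failed => %d\n", error). Separately, device_initialize(&oud->class_dev) now runs before this branch while class_dev.release = __remove is only assigned further down, and the branch still jumps to err_put_disk, so it is worth confirming that this label's cleanup is still correct for a device that has been initialized but has no release callback set yet.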
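Review bot: in the second hunk (@@ -494,7 +495,7 @@), the error message under the changed call still reads "device_register failed => %d\n" although the call is now device_add(); rename it so the log points at the function that actually failed. A one-line comment noting that device_initialize() was already done earlier in osd_probe(), which is why device_add() is used here instead of device_register(), would also help the next reader.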
Note: the chardev instance in osd_uld.c originally did not set the kobject parent. Thus, I'm reasonably confident that because of this, this code would have suffered from a minor use after free bug if the cdev was open when the backing device was released.

Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
---
drivers/scsi/osd/osd_uld.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)