Re: [PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-30 Thread Simon Horman
On Thu, Apr 26, 2018 at 05:20:05PM +0200, Niklas Söderlund wrote:
> Hi Simon,
> 
> Thanks for your feedback.
> 
> On 2018-04-25 09:18:51 +0200, Simon Horman wrote:
> > On Wed, Apr 25, 2018 at 01:45:06AM +0200, Niklas Söderlund wrote:
> > > Store the group pointer before disassociating the VIN from the group.
> > > 
> > > Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
> > > Reported-by: Colin Ian King 
> > > Signed-off-by: Niklas Söderlund 
> > > ---
> > >  drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
> > >  1 file changed, 7 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
> > > b/drivers/media/platform/rcar-vin/rcar-core.c
> > > index 7bc2774a11232362..d3072e166a1ca24f 100644
> > > --- a/drivers/media/platform/rcar-vin/rcar-core.c
> > > +++ b/drivers/media/platform/rcar-vin/rcar-core.c
> > > @@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
> > >  
> > >  static void rvin_group_put(struct rvin_dev *vin)
> > >  {
> > > - mutex_lock(>group->lock);
> > > + struct rvin_group *group = vin->group;
> > > +
> > > + mutex_lock(>lock);
> > 
> > Hi Niklas, it's not clear to me why moving the lock is safe.
> > Could you explain the locking scheme a little?
> 
> The lock here protects the members of the group struct and not any of 
> the members of the vin struct. The intent of the rvin_group_put() 
> function is:
> 
> 1. Disassociate the vin struct from the group struct. This is done by
>    removing the pointer to the vin from the group->vin array and
>    removing the pointer from vin->group to the group struct. Here the
>    lock is needed to protect access to the group->vin array.
> 
> 2. Decrease the refcount of the struct group and if we are the last one 
>out release the group.
> 
> The problem with the original code is that I first disassociate group 
> from the vin 'vin->group = NULL' but still use the pointer stored in the 
> vin struct when I try to disassociate the vin from the group 
> 'vin->group->vin[vin->id]'.
> 
> As far as I can tell the locking here is fine, the problem was that I pulled
> the rug from under my own feet in how I access the lock in order to not
> have to declare a variable to store the pointer in ;-)
> 
> Does this explanation help put you at ease?

Thanks, I am completely relaxed now :)

Reviewed-by: Simon Horman 

> > >   vin->group = NULL;
> > >   vin->v4l2_dev.mdev = NULL;
> > >  
> > > - if (WARN_ON(vin->group->vin[vin->id] != vin))
> > > + if (WARN_ON(group->vin[vin->id] != vin))
> > >   goto out;
> > >  
> > > - vin->group->vin[vin->id] = NULL;
> > > + group->vin[vin->id] = NULL;
> > >  out:
> > > - mutex_unlock(>group->lock);
> > > + mutex_unlock(>lock);
> > >  
> > > - kref_put(>group->refcount, rvin_group_release);
> > > + kref_put(>refcount, rvin_group_release);
> > >  }
> > >  
> > >  /* 
> > > -
> > > -- 
> > > 2.17.0
> > > 
> 
> -- 
> Regards,
> Niklas Söderlund
> 


Re: [PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-26 Thread Niklas Söderlund
Hi Geert,

Thanks for your feedback.

On 2018-04-25 09:25:56 +0200, Geert Uytterhoeven wrote:
> On Wed, Apr 25, 2018 at 1:45 AM, Niklas Söderlund
>  wrote:
> > Store the group pointer before disassociating the VIN from the group.
> 
> s/get/put/ in one-line summary?

Yes, silly copy paste error, must have copied function name from the @@ 
context line and not from the diff itself. Thanks for noticing.

Will send a v2 after I have checked with Simon that he is happy with
the change itself.

> 
> > Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
> > Reported-by: Colin Ian King 
> > Signed-off-by: Niklas Söderlund 
> > ---
> >  drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
> >  1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
> > b/drivers/media/platform/rcar-vin/rcar-core.c
> > index 7bc2774a11232362..d3072e166a1ca24f 100644
> > --- a/drivers/media/platform/rcar-vin/rcar-core.c
> > +++ b/drivers/media/platform/rcar-vin/rcar-core.c
> > @@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
> >
> >  static void rvin_group_put(struct rvin_dev *vin)
> >  {
> > -   mutex_lock(>group->lock);
> > +   struct rvin_group *group = vin->group;
> 
> Gr{oetje,eeting}s,
> 
> Geert
> 
> -- 
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- 
> ge...@linux-m68k.org
> 
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like 
> that.
> -- Linus Torvalds

-- 
Regards,
Niklas Söderlund


Re: [PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-26 Thread Niklas Söderlund
Hi Simon,

Thanks for your feedback.

On 2018-04-25 09:18:51 +0200, Simon Horman wrote:
> On Wed, Apr 25, 2018 at 01:45:06AM +0200, Niklas Söderlund wrote:
> > Store the group pointer before disassociating the VIN from the group.
> > 
> > Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
> > Reported-by: Colin Ian King 
> > Signed-off-by: Niklas Söderlund 
> > ---
> >  drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
> >  1 file changed, 7 insertions(+), 5 deletions(-)
> > 
> > diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
> > b/drivers/media/platform/rcar-vin/rcar-core.c
> > index 7bc2774a11232362..d3072e166a1ca24f 100644
> > --- a/drivers/media/platform/rcar-vin/rcar-core.c
> > +++ b/drivers/media/platform/rcar-vin/rcar-core.c
> > @@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
> >  
> >  static void rvin_group_put(struct rvin_dev *vin)
> >  {
> > -   mutex_lock(>group->lock);
> > +   struct rvin_group *group = vin->group;
> > +
> > +   mutex_lock(>lock);
> 
> Hi Niklas, it's not clear to me why moving the lock is safe.
> Could you explain the locking scheme a little?

The lock here protects the members of the group struct and not any of 
the members of the vin struct. The intent of the rvin_group_put() 
function is:

1. Disassociate the vin struct from the group struct. This is done by 
   removing the pointer to the vin from the group->vin array and 
   removing the pointer from vin->group to the group struct. Here the 
   lock is needed to protect access to the group->vin array.

2. Decrease the refcount of the struct group and if we are the last one 
   out release the group.

The problem with the original code is that I first disassociate group 
from the vin 'vin->group = NULL' but still use the pointer stored in the 
vin struct when I try to disassociate the vin from the group 
'vin->group->vin[vin->id]'.

As far as I can tell the locking here is fine, the problem was that I pulled
the rug from under my own feet in how I access the lock in order to not
have to declare a variable to store the pointer in ;-)

Does this explanation help put you at ease?

> 
> >  
> > vin->group = NULL;
> > vin->v4l2_dev.mdev = NULL;
> >  
> > -   if (WARN_ON(vin->group->vin[vin->id] != vin))
> > +   if (WARN_ON(group->vin[vin->id] != vin))
> > goto out;
> >  
> > -   vin->group->vin[vin->id] = NULL;
> > +   group->vin[vin->id] = NULL;
> >  out:
> > -   mutex_unlock(>group->lock);
> > +   mutex_unlock(>lock);
> >  
> > -   kref_put(>group->refcount, rvin_group_release);
> > +   kref_put(>refcount, rvin_group_release);
> >  }
> >  
> >  /* 
> > -
> > -- 
> > 2.17.0
> > 

-- 
Regards,
Niklas Söderlund
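The locking and refcounting scheme described above, as an added userspace model that is not the driver's code: a group whose mutex covers only its vin[] slot array plus a reference count, a get that registers a VIN and takes a reference, and a put that caches the group pointer before clearing the back-pointer, exactly the ordering the fix establishes. The struct layouts, the RVIN_MAX_VINS bound, the pthread mutex and the C11 atomic standing in for struct kref are all assumptions of this model, and the NULL guard in group_put() is the model's own, not something the driver has.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define RVIN_MAX_VINS 8   /* constructed bound; the real array size is not shown in the thread */

struct rvin_group;

/* Stand-in for struct rvin_dev: only the members rvin_group_put() touches. */
struct rvin_dev {
	unsigned int id;
	struct rvin_group *group;   /* back-pointer, cleared by group_put() */
};

/* Stand-in for struct rvin_group. */
struct rvin_group {
	pthread_mutex_t lock;                 /* protects vin[], not the rvin_dev members */
	struct rvin_dev *vin[RVIN_MAX_VINS];
	atomic_uint refcount;                 /* stands in for struct kref */
};

static struct rvin_group *group_alloc(void)
{
	struct rvin_group *group = calloc(1, sizeof(*group));

	if (!group)
		return NULL;
	pthread_mutex_init(&group->lock, NULL);
	atomic_init(&group->refcount, 0);
	return group;
}

/* Stand-in for rvin_group_release(): last reference gone, free the group. */
static void group_release(struct rvin_group *group)
{
	pthread_mutex_destroy(&group->lock);
	free(group);
}

/* "get" side of the model: claim the VIN's slot under the lock and take a reference. */
static int group_get(struct rvin_group *group, struct rvin_dev *vin)
{
	int ret = -1;

	if (vin->id >= RVIN_MAX_VINS)
		return -1;
	pthread_mutex_lock(&group->lock);
	if (!group->vin[vin->id] && !vin->group) {
		group->vin[vin->id] = vin;
		vin->group = group;
		atomic_fetch_add(&group->refcount, 1);
		ret = 0;
	}
	pthread_mutex_unlock(&group->lock);
	return ret;
}

/*
 * Model of rvin_group_put() after the fix.  Returns 0 when the VIN was
 * detached, 1 when it was detached and this was the last reference (the
 * group has been freed and must not be touched again), -1 when the VIN was
 * not registered (the driver's WARN_ON branch; the reference is still dropped).
 */
static int group_put(struct rvin_dev *vin)
{
	/* Cache the pointer first: everything below uses 'group', because
	 * vin->group is cleared a few lines down.  The pre-fix code cleared it
	 * and then read vin->group->vin[...], a guaranteed NULL dereference. */
	struct rvin_group *group = vin->group;
	int ret = 0;

	if (!group)   /* model-only guard; the driver relies on paired get/put */
		return -1;

	pthread_mutex_lock(&group->lock);

	vin->group = NULL;

	if (group->vin[vin->id] != vin) {   /* WARN_ON() in the driver */
		ret = -1;
		goto out;
	}
	group->vin[vin->id] = NULL;
out:
	pthread_mutex_unlock(&group->lock);

	/* kref_put(): drop our reference, release on the last one. */
	if (atomic_fetch_sub(&group->refcount, 1) == 1) {
		group_release(group);
		if (ret == 0)
			ret = 1;
	}
	return ret;
}

int main(void)
{
	struct rvin_group *g = group_alloc();
	struct rvin_dev a = { .id = 0 }, b = { .id = 1 };

	if (!g || group_get(g, &a) || group_get(g, &b))
		return 1;
	printf("put a -> %d (group kept)\n", group_put(&a));
	printf("put a -> %d (already detached)\n", group_put(&a));
	printf("put b -> %d (last ref, group released)\n", group_put(&b));
	return 0;
}
```

The return codes make the three outcomes checkable from a caller; in the driver the same paths are the normal return, the WARN_ON splat, and rvin_group_release() running from kref_put().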


Re: [PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-26 Thread Simon Horman
On Wed, Apr 25, 2018 at 01:45:06AM +0200, Niklas Söderlund wrote:
> Store the group pointer before disassociating the VIN from the group.
> 
> Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
> Reported-by: Colin Ian King 
> Signed-off-by: Niklas Söderlund 
> ---
>  drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
> b/drivers/media/platform/rcar-vin/rcar-core.c
> index 7bc2774a11232362..d3072e166a1ca24f 100644
> --- a/drivers/media/platform/rcar-vin/rcar-core.c
> +++ b/drivers/media/platform/rcar-vin/rcar-core.c
> @@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
>  
>  static void rvin_group_put(struct rvin_dev *vin)
>  {
> - mutex_lock(>group->lock);
> + struct rvin_group *group = vin->group;
> +
> + mutex_lock(>lock);

Hi Niklas, it's not clear to me why moving the lock is safe.
Could you explain the locking scheme a little?

>  
>   vin->group = NULL;
>   vin->v4l2_dev.mdev = NULL;
>  
> - if (WARN_ON(vin->group->vin[vin->id] != vin))
> + if (WARN_ON(group->vin[vin->id] != vin))
>   goto out;
>  
> - vin->group->vin[vin->id] = NULL;
> + group->vin[vin->id] = NULL;
>  out:
> - mutex_unlock(>group->lock);
> + mutex_unlock(>lock);
>  
> - kref_put(>group->refcount, rvin_group_release);
> + kref_put(>refcount, rvin_group_release);
>  }
>  
>  /* 
> -
> -- 
> 2.17.0
> 


Re: [PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-25 Thread Geert Uytterhoeven
On Wed, Apr 25, 2018 at 1:45 AM, Niklas Söderlund
 wrote:
> Store the group pointer before disassociating the VIN from the group.

s/get/put/ in one-line summary?

> Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
> Reported-by: Colin Ian King 
> Signed-off-by: Niklas Söderlund 
> ---
>  drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
> b/drivers/media/platform/rcar-vin/rcar-core.c
> index 7bc2774a11232362..d3072e166a1ca24f 100644
> --- a/drivers/media/platform/rcar-vin/rcar-core.c
> +++ b/drivers/media/platform/rcar-vin/rcar-core.c
> @@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
>
>  static void rvin_group_put(struct rvin_dev *vin)
>  {
> -   mutex_lock(>group->lock);
> +   struct rvin_group *group = vin->group;

Gr{oetje,eeting}s,

Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds


[PATCH] rcar-vin: fix null pointer dereference in rvin_group_get()

2018-04-24 Thread Niklas Söderlund
Store the group pointer before disassociating the VIN from the group.

Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
Reported-by: Colin Ian King 
Signed-off-by: Niklas Söderlund 
---
 drivers/media/platform/rcar-vin/rcar-core.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
b/drivers/media/platform/rcar-vin/rcar-core.c
index 7bc2774a11232362..d3072e166a1ca24f 100644
--- a/drivers/media/platform/rcar-vin/rcar-core.c
+++ b/drivers/media/platform/rcar-vin/rcar-core.c
@@ -338,19 +338,21 @@ static int rvin_group_get(struct rvin_dev *vin)
 
 static void rvin_group_put(struct rvin_dev *vin)
 {
-   mutex_lock(>group->lock);
+   struct rvin_group *group = vin->group;
+
+   mutex_lock(>lock);
 
vin->group = NULL;
vin->v4l2_dev.mdev = NULL;
 
-   if (WARN_ON(vin->group->vin[vin->id] != vin))
+   if (WARN_ON(group->vin[vin->id] != vin))
goto out;
 
-   vin->group->vin[vin->id] = NULL;
+   group->vin[vin->id] = NULL;
 out:
-   mutex_unlock(>group->lock);
+   mutex_unlock(>lock);
 
-   kref_put(>group->refcount, rvin_group_release);
+   kref_put(>refcount, rvin_group_release);
 }
 
 /* 
-
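Review bot: the subject line names rvin_group_get(), but the only function changed in the hunk at @@ -338 is rvin_group_put(); the one-line summary should say put before this is applied. The change itself is right: in the removed lines `vin->group = NULL` runs first and `WARN_ON(vin->group->vin[vin->id] != vin)` then dereferences the pointer that was just cleared, so every call into this function reached a NULL dereference; caching `struct rvin_group *group = vin->group;` before the lock is taken and using `group` for the array update, the unlock and the kref_put removes that. Note that the archive rendering has dropped the address-of operator from the mutex_lock, mutex_unlock and kref_put arguments (they appear as `>lock` and `>refcount`); the intended calls take &group->lock and &group->refcount.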
-- 
2.17.0