Re: [tpmdd-devel] [RFC PATCH 1/2] tee: generic TEE subsystem

From: Jason Gunthorpe
Date: Fri Apr 17 2015 - 12:31:25 EST


On Fri, Apr 17, 2015 at 09:50:56AM +0200, Jens Wiklander wrote:
> + teedev = devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL);
[..]
> + rc = misc_register(&teedev->miscdev);
[..]
> +void tee_unregister(struct tee_device *teedev)
> +{
[..]
> + misc_deregister(&teedev->miscdev);
> +}
[..]
>+static int optee_remove(struct platform_device *pdev)
>+{
>+ tee_unregister(optee->teedev);
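Review bot: the lifetime of teedev is wrong in this region: it is allocated with devm_kzalloc, so it is freed automatically once optee_remove() returns, yet tee_unregister() only calls misc_deregister(), which removes the node but does not wait for files that are already open on it, so an existing open descriptor can still reach the embedded miscdev (and the surrounding teedev) after the memory is gone. Suggest allocating the tee_device with plain kzalloc, giving it its own reference-counted struct device whose release callback is the only place the memory is freed, taking a reference in open and dropping it on close, so that tee_unregister() merely hides the node and drops the registration reference.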

Isn't that a potential use after free? AFAIK misc_deregister does not
guarantee the miscdev will no longer be accessed after it returns, and
the devm will free it after optee_remove returns.

Memory backing a struct device needs to be freed via the release
function.

We have been going through this for a while with TPM - it seems like
using misc devices dynamically is not a good idea. Manage your own
struct device directly.

Jason
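The lifetime rule argued for above, modelled in user space as an added example (not code from the TEE patch or the kernel): the object named after the patch's tee_device is freed only from a release path when its last reference drops, so a file that is still open when the driver is removed keeps it alive. The refcount field, released_count and the open/close helpers are constructed stand-ins for the kernel's kref, release callback and file operations.

```c
#include <stdlib.h>
/* Model: the object backing a device is freed only from its release path. */
struct tee_device {
	int refcount;    /* stands in for the kref embedded in struct device */
	int registered;  /* 1 while the device node is visible to user space */
};
static int released_count;  /* constructed counter: objects released so far */
static void tee_put(struct tee_device *teedev)
{
	if (--teedev->refcount == 0) {  /* last reference: the release callback */
		released_count++;
		free(teedev);               /* the only place the memory is freed */
	}
}
struct tee_device *tee_register(void)
{
	struct tee_device *teedev = calloc(1, sizeof(*teedev));  /* no devm */
	if (teedev)
		teedev->refcount = teedev->registered = 1;  /* registration ref */
	return teedev;
}
/* An open file pins the object, as file->private_data would in the kernel. */
struct tee_device *tee_open(struct tee_device *teedev)
{
	if (!teedev || !teedev->registered)
		return NULL;
	teedev->refcount++;
	return teedev;
}
void tee_close(struct tee_device *teedev) { tee_put(teedev); }
/* Hide the node and drop only the registration reference. */
void tee_unregister(struct tee_device *teedev)
{
	teedev->registered = 0;
	tee_put(teedev);
}
/* Driver removed while user space still holds the device open. Returns 1 if
 * nothing was freed at unregister and the final close freed it, else 0. */
int remove_with_open_file(void)
{
	struct tee_device *teedev = tee_register(), *f = tee_open(teedev);
	int start = released_count, ok;
	if (!f)
		return 0;
	tee_unregister(teedev);
	ok = (released_count == start);       /* open file keeps it alive */
	ok = ok && tee_open(teedev) == NULL;  /* but no new opens afterwards */
	tee_close(f);
	return ok && released_count == start + 1;
}
```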
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/