[tpmdd-devel] [RFC PATCH 1/2] tee: generic TEE subsystem

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Fri Apr 17 09:30:54 PDT 2015


On Fri, Apr 17, 2015 at 09:50:56AM +0200, Jens Wiklander wrote:
> +	teedev = devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL);
[..]
> +	rc = misc_register(&teedev->miscdev);
[..]
> +void tee_unregister(struct tee_device *teedev)
> +{
[..]
> +	misc_deregister(&teedev->miscdev);
> +}
[..]
>+static int optee_remove(struct platform_device *pdev)
>+{
>+       tee_unregister(optee->teedev);
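Review bot: in optee_remove(), tee_unregister() only calls misc_deregister() while teedev itself stays owned by devm and is freed as soon as optee_remove() returns; because the struct device embedded in teedev->miscdev can still be referenced after misc_deregister() returns, the tee_device allocation should not be devm-managed but freed from a struct device release callback (initialise the embedded device with device_initialize(), free the containing tee_device in its .release, and have tee_unregister() drop the reference instead of assuming the memory is gone).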

Isn't that a potential use after free? AFAIK misc_deregister does not
guarantee the miscdev will no longer be accessed after it returns, and
the devm will free it after optee_remove returns.

Memory backing a struct device needs to be freed via the release
function.

We have been going through this for a while with TPM - it seems like
using misc devices dynamically is not a good idea. Manage your own
struct device directly.

Jason
