From: Hamish Martin
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Hamish Martin
Subject: [PATCH v2 2/2] uio: Prevent device destruction while fds are open
Date: Mon, 14 May 2018 13:32:23 +1200
Message-Id: <20180514013223.4828-3-hamish.martin@alliedtelesis.co.nz>
In-Reply-To: <20180514013223.4828-1-hamish.martin@alliedtelesis.co.nz>
References: <20180514013223.4828-1-hamish.martin@alliedtelesis.co.nz>
X-Mailing-List: linux-kernel@vger.kernel.org

Prevent destruction of a uio_device while user space apps hold open file descriptors to that device. Further, access to the 'info' member of the struct uio_device is protected by spinlock. This is to ensure stale pointers to data not under control of the UIO subsystem are not dereferenced.

Signed-off-by: Hamish Martin
Reviewed-by: Chris Packham
---
v2: Resolve compiler error detected by kbuild test robot due to missing include of device.h in uio_driver.h

 drivers/uio/uio.c | 98 ++++++++++++++++++++++++++++++++++------------
 include/linux/uio_driver.h | 4 +-
 2 files changed, 75 insertions(+), 27 deletions(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c index dd44df17004d..5473e77c85be 100644 --- a/drivers/uio/uio.c +++ b/drivers/uio/uio.c @@ -270,7 +270,7 @@ static int uio_dev_add_attributes(struct uio_device *idev) if (!map_found) { map_found = 1; idev->map_dir = kobject_create_and_add("maps", - &idev->dev->kobj); + &idev->dev.kobj); if (!idev->map_dir) { ret = -ENOMEM; goto err_map; @@ -299,7 +299,7 @@ static int uio_dev_add_attributes(struct uio_device *idev) if (!portio_found) { portio_found = 1; idev->portio_dir = kobject_create_and_add("portio", - &idev->dev->kobj); + &idev->dev.kobj); if (!idev->portio_dir) { ret = -ENOMEM; goto err_portio; 
@@ -342,7 +342,7 @@ static int uio_dev_add_attributes(struct uio_device *idev) kobject_put(&map->kobj); } kobject_put(idev->map_dir); - dev_err(idev->dev, "error creating sysfs files (%d)\n", ret); + dev_err(&idev->dev, "error creating sysfs files (%d)\n", ret); return ret; } @@ -379,7 +379,7 @@ static int uio_get_minor(struct uio_device *idev) idev->minor = retval; retval = 0; } else if (retval == -ENOSPC) { - dev_err(idev->dev, "too many uio devices\n"); + dev_err(&idev->dev, "too many uio devices\n"); retval = -EINVAL; } mutex_unlock(&minor_lock); @@ -433,6 +433,7 @@ static int uio_open(struct inode *inode, struct file *filep) struct uio_device *idev; struct uio_listener *listener; int ret = 0; + unsigned long flags; mutex_lock(&minor_lock); idev = idr_find(&uio_idr, iminor(inode)); @@ -442,9 +443,11 @@ static int uio_open(struct inode *inode, struct file *filep) goto out; } + get_device(&idev->dev); + if (!try_module_get(idev->owner)) { ret = -ENODEV; - goto out; + goto err_module_get; } listener = kmalloc(sizeof(*listener), GFP_KERNEL); @@ -457,11 +460,13 @@ static int uio_open(struct inode *inode, struct file *filep) listener->event_count = atomic_read(&idev->event); filep->private_data = listener; - if (idev->info->open) { + spin_lock_irqsave(&idev->info_lock, flags); + if (idev->info && idev->info->open) ret = idev->info->open(idev->info, inode); - if (ret) - goto err_infoopen; - } + spin_unlock_irqrestore(&idev->info_lock, flags); + if (ret) + goto err_infoopen; + return 0; err_infoopen: @@ -470,6 +475,9 @@ static int uio_open(struct inode *inode, struct file *filep) err_alloc_listener: module_put(idev->owner); +err_module_get: + put_device(&idev->dev); + out: return ret; } 
@@ -487,12 +495,16 @@ static int uio_release(struct inode *inode, struct file *filep) int ret = 0; struct uio_listener *listener = filep->private_data; struct uio_device *idev = listener->dev; + unsigned long flags; - if (idev->info->release) + spin_lock_irqsave(&idev->info_lock, flags); + if (idev->info && idev->info->release) ret = idev->info->release(idev->info, inode); + spin_unlock_irqrestore(&idev->info_lock, flags); module_put(idev->owner); kfree(listener); + put_device(&idev->dev); return ret; } @@ -500,9 +512,16 @@ static __poll_t uio_poll(struct file *filep, poll_table *wait) { struct uio_listener *listener = filep->private_data; struct uio_device *idev = listener->dev; + __poll_t ret = 0; + unsigned long flags; - if (!idev->info->irq) - return -EIO; + spin_lock_irqsave(&idev->info_lock, flags); + if (!idev->info || !idev->info->irq) + ret = -EIO; + spin_unlock_irqrestore(&idev->info_lock, flags); + + if (ret) + return ret; poll_wait(filep, &idev->wait, wait); if (listener->event_count != atomic_read(&idev->event)) @@ -516,11 +535,17 @@ static ssize_t uio_read(struct file *filep, char __user *buf, struct uio_listener *listener = filep->private_data; struct uio_device *idev = listener->dev; DECLARE_WAITQUEUE(wait, current); - ssize_t retval; + ssize_t retval = 0; s32 event_count; + unsigned long flags; - if (!idev->info->irq) - return -EIO; + spin_lock_irqsave(&idev->info_lock, flags); + if (!idev->info || !idev->info->irq) + retval = -EIO; + spin_unlock_irqrestore(&idev->info_lock, flags); + + if (retval) + return retval; if (count != sizeof(s32)) return -EINVAL; @@ -567,8 +592,10 @@ static ssize_t uio_write(struct file *filep, const char __user *buf, struct uio_device *idev = listener->dev; ssize_t retval; s32 irq_on; + unsigned long flags; - if (!idev->info->irq) { + spin_lock_irqsave(&idev->info_lock, flags); + if (!idev->info || !idev->info->irq) { retval = -EIO; goto out; } 
@@ -591,6 +618,7 @@ static ssize_t uio_write(struct file *filep, const char __user *buf, retval = idev->info->irqcontrol(idev->info, irq_on); out: + spin_unlock_irqrestore(&idev->info_lock, flags); return retval ? retval : sizeof(s32); } @@ -803,6 +831,13 @@ static void release_uio_class(void) uio_major_cleanup(); } +static void uio_device_release(struct device *dev) +{ + struct uio_device *idev = dev_get_drvdata(dev); + + kfree(idev); +} + /** * uio_register_device - register a new userspace IO device * @owner: module that creates the new device @@ -823,13 +858,14 @@ int __uio_register_device(struct module *owner, info->uio_dev = NULL; - idev = devm_kzalloc(parent, sizeof(*idev), GFP_KERNEL); + idev = kzalloc(sizeof(*idev), GFP_KERNEL); if (!idev) { return -ENOMEM; } idev->owner = owner; idev->info = info; + spin_lock_init(&idev->info_lock); init_waitqueue_head(&idev->wait); atomic_set(&idev->event, 0); @@ -837,14 +873,19 @@ int __uio_register_device(struct module *owner, if (ret) return ret; - idev->dev = device_create(&uio_class, parent, - MKDEV(uio_major, idev->minor), idev, - "uio%d", idev->minor); - if (IS_ERR(idev->dev)) { - printk(KERN_ERR "UIO: device register failed\n"); - ret = PTR_ERR(idev->dev); + idev->dev.devt = MKDEV(uio_major, idev->minor); + idev->dev.class = &uio_class; + idev->dev.parent = parent; + idev->dev.release = uio_device_release; + dev_set_drvdata(&idev->dev, idev); + + ret = dev_set_name(&idev->dev, "uio%d", idev->minor); + if (ret) + goto err_device_create; + + ret = device_register(&idev->dev); + if (ret) goto err_device_create; - } ret = uio_dev_add_attributes(idev); if (ret) @@ -872,7 +913,7 @@ int __uio_register_device(struct module *owner, err_request_irq: uio_dev_del_attributes(idev); err_uio_dev_add_attributes: - device_destroy(&uio_class, MKDEV(uio_major, idev->minor)); + device_unregister(&idev->dev); err_device_create: uio_free_minor(idev); return ret; 
@@ -887,6 +928,7 @@ EXPORT_SYMBOL_GPL(__uio_register_device); void uio_unregister_device(struct uio_info *info) { struct uio_device *idev; + unsigned long flags; if (!info || !info->uio_dev) return; @@ -900,7 +942,11 @@ void uio_unregister_device(struct uio_info *info) if (info->irq && info->irq != UIO_IRQ_CUSTOM) free_irq(info->irq, idev); - device_destroy(&uio_class, MKDEV(uio_major, idev->minor)); + spin_lock_irqsave(&idev->info_lock, flags); + idev->info = NULL; + spin_unlock_irqrestore(&idev->info_lock, flags); + + device_unregister(&idev->dev); return; } diff --git a/include/linux/uio_driver.h b/include/linux/uio_driver.h index 3c85c81b0027..6c5f2074e14f 100644 --- a/include/linux/uio_driver.h +++ b/include/linux/uio_driver.h @@ -14,6 +14,7 @@ #ifndef _UIO_DRIVER_H_ #define _UIO_DRIVER_H_ +#include #include #include @@ -68,12 +69,13 @@ struct uio_port { struct uio_device { struct module *owner; - struct device *dev; + struct device dev; int minor; atomic_t event; struct fasync_struct *async_queue; wait_queue_head_t wait; struct uio_info *info; + spinlock_t info_lock; struct kobject *map_dir; struct kobject *portio_dir; }; -- 2.16.2
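
Review bot: in uio_open() (hunk at -442), get_device(&idev->dev) is taken only after the idr_find() lookup and the !idev check, and the release of minor_lock is not visible in these hunks. If the lock has already been dropped at that point, uio_unregister_device() can run in between and the final put frees idev through uio_device_release() before this reference exists. Take the reference while minor_lock is still held, directly after idr_find() succeeds.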
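
Review bot: in uio_open() (hunk at -457), idev->info->open() is now called between spin_lock_irqsave() and spin_unlock_irqrestore(), so the driver callback runs in atomic context with interrupts disabled. A callback that sleeps (takes a mutex, allocates with GFP_KERNEL) will then hit "scheduling while atomic". The same holds for ->release() in uio_release() and ->irqcontrol() in uio_write(). Since every user of info_lock shown in this patch is in process context, a mutex would give the same protection and keep sleeping callbacks legal.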
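
Review bot: in uio_write() (hunks at -567 and -591), info_lock is taken before the info/irq check and only dropped at the out: label, so everything between the two hunks, which is not shown here, runs with interrupts off, ending with the ->irqcontrol() call. If that span copies irq_on from user space, it can fault and sleep under the spinlock. Do the length check and the user copy first, then take the lock only around the info check and the callback.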
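
Review bot: uio_device_release() (hunk at -803) recovers idev through dev_get_drvdata(dev), which only stays correct while nothing else overwrites drvdata on the embedded device. With struct device now embedded in struct uio_device, container_of(dev, struct uio_device, dev) is the direct form and does not depend on the dev_set_drvdata() call in __uio_register_device().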
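
Review bot: in __uio_register_device() (hunks at -823 and -837), idev now comes from kzalloc() instead of devm_kzalloc(), but the "if (ret) return ret;" ahead of the new dev setup still returns without freeing it, and the dev_set_name() and device_register() failures jump to err_device_create, which only calls uio_free_minor(). That leaks idev on every one of these paths. kfree(idev) on the failures before device_register(), and after a failed device_register() drop the reference with put_device(&idev->dev) so that uio_device_release() frees the structure and the device name.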
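
Review bot: in the error unwinding of __uio_register_device() (hunk at -872), device_unregister(&idev->dev) can drop the last reference, at which point uio_device_release() does kfree(idev); control then falls through to err_device_create, where uio_free_minor(idev) reads the freed structure. Release the minor before unregistering the device, or return directly after device_unregister() and let the release callback own the remaining cleanup.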
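
Review bot: struct uio_device in include/linux/uio_driver.h (hunk at -68) gains info_lock with no comment saying what it protects. The commit message states that it guards access to the info member; put that next to the field, together with the rule that info becomes NULL in uio_unregister_device(), so later code touching idev->info knows to take the lock and check for NULL.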