Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp554332imm; Fri, 1 Jun 2018 05:51:47 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKh8emhkzLXZI7YganAemEW3q95J7yFMjQBwSwVs9PFQP1QFgDnAWiH6hjaEuZpwMXlVae7 X-Received: by 2002:a17:902:4303:: with SMTP id i3-v6mr11327217pld.394.1527857507827; Fri, 01 Jun 2018 05:51:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527857507; cv=none; d=google.com; s=arc-20160816; b=nbYDSH8jDMBnamfnextbLEnRwvpYvVv4TgFsCs4wbj+TvD2NMqF8rex+yiV1hjrYEX PAgYv7JBROKZg7tUPvYfdXjs+iYaJ6s9Vlqi9YAJyCihbh9HQF0NRYAtIMU2IgEz8q13 /DYKQn/pJSfpZdVq2uVa5FRE7eDwvqgjQXVOMMJd+9PPUIemir3wZaTBwJckoIogB1M9 bMaKoz0lPrSFbxgObrCSBO6hu6rCY2FJrYFsnt+me8XSMFeolfRJm37d8JXNZo0jO5Wv KOh5SSh/hC2fMbd028V67XhUvvmBd4Oh+tPx2RQYM26tdHO8CHhMPmFN14HCjfWys4vp wzmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date :arc-authentication-results; bh=ZIiYBJfcWjkSHvorYipmO2h4xAvtFLPZDtcII0yvnbo=; b=wg8zHe7pcG/2TtUNfeRY6bh2CNGOAH34P6xcl434zUGgmrsYNBOIITduhKhx8qJpJy 0mFmTIwg4P2cWHbelWAmZZr47/WcyS5DD/yhXdQxJOgbZQHyebIUf/isgQ1EqkCZRi6S Ye/oXw9RefvuAwpK1ZSai/vmaiddruF2LnSxGthDJPt4bTOL0GxKr9fpLFwD0zDH4ocm HMhuUte8STU8sgEyAGhAsXqhYkJwqN6M88rv9tQ9Wybtniwcmhzd/iMK7An/1nTC/IE0 qGDAGmlYRh0LHLtDy4eB9VDzcA2mUqdIOzBgaGz4OfsIAKo9uXIGi5yt56pZXqj5eu+b RFOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v5-v6si14661030pgq.32.2018.06.01.05.51.33; Fri, 01 Jun 2018 05:51:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751968AbeFAMuq (ORCPT + 99 others); Fri, 1 Jun 2018 08:50:46 -0400 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:56619 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751602AbeFAMun (ORCPT ); Fri, 1 Jun 2018 08:50:43 -0400 X-Originating-IP: 96.22.60.141 Received: from localhost (modemcable141.60-22-96.mc.videotron.ca [96.22.60.141]) (Authenticated sender: hle@owl.eu.com) by relay8-d.mail.gandi.net (Postfix) with ESMTPSA id AEF691BF206; Fri, 1 Jun 2018 14:50:48 +0200 (CEST) Date: Fri, 1 Jun 2018 08:50:37 -0400 From: Hugo Lefeuvre To: Greg Kroah-Hartman Cc: kernelnewbies@kernelnewbies.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org Subject: [PATCH] staging: pi433: add rw semaphore fixing concurrency issues Message-ID: <20180601125037.GA2339@hle-laptop.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.0 (2018-05-17) X-Spam-Level: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add a rw semaphore fixing potential NULL pointer dereferences in the pi433 driver. If pi433_release and pi433_ioctl are concurrently called, pi433_release might set filp->private_data to NULL while pi433_ioctl is still accessing it, leading to NULL pointer dereference. This issue might also affect pi433_write and pi433_read. The newly introduced semaphore makes sure that filp->private_data will not be freed by pi433_release (writer) as long as pi433_write, pi433_read or pi433_ioctl (readers) are still executing. Signed-off-by: Hugo Lefeuvre --- drivers/staging/pi433/pi433_if.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c index d1e0ddbc79ce..ce83139cc795 100644 --- a/drivers/staging/pi433/pi433_if.c +++ b/drivers/staging/pi433/pi433_if.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -116,6 +117,7 @@ struct pi433_device { struct pi433_instance { struct pi433_device *device; struct pi433_tx_cfg tx_cfg; + struct rw_semaphore instance_sem; }; /*-------------------------------------------------------------------------*/ @@ -778,6 +780,7 @@ pi433_read(struct file *filp, char __user *buf, size_t size, loff_t *f_pos) if (size > MAX_MSG_SIZE) return -EMSGSIZE; + down_read(&instance->instance_sem); instance = filp->private_data; device = instance->device; @@ -785,6 +788,7 @@ pi433_read(struct file *filp, char __user *buf, size_t size, loff_t *f_pos) mutex_lock(&device->rx_lock); if (device->rx_active) { mutex_unlock(&device->rx_lock); + up_read(&instance->instance_sem); return -EAGAIN; } @@ -805,9 +809,11 @@ pi433_read(struct file *filp, char __user *buf, size_t size, loff_t *f_pos) if (bytes_received > 0) { retval = copy_to_user(buf, device->rx_buffer, bytes_received); if (retval) + up_read(&instance->instance_sem); return -EFAULT; } + up_read(&instance->instance_sem); return bytes_received; } @@ -820,11 +826,13 @@ pi433_write(struct file *filp, const char __user *buf, int retval; unsigned int copied; + down_read(&instance->instance_sem); instance = filp->private_data; device = instance->device; /* check, whether internal buffer (tx thread) is big enough for requested size */ if (count > MAX_MSG_SIZE) + up_read(&instance->instance_sem); return -EMSGSIZE; /* write the following sequence into fifo: @@ -851,6 +859,7 @@ pi433_write(struct file *filp, const char __user *buf, /* start transfer */ wake_up_interruptible(&device->tx_wait_queue); dev_dbg(device->dev, "write: generated new msg with %d bytes.", copied); + up_read(&instance->instance_sem); return copied; @@ -858,6 +867,7 @@ pi433_write(struct file *filp, const char __user *buf, dev_dbg(device->dev, "write to fifo failed: 0x%x", retval); kfifo_reset(&device->tx_fifo); // TODO: maybe find a solution, not to discard already stored, valid entries mutex_unlock(&device->tx_fifo_lock); + up_read(&instance->instance_sem); return -EAGAIN; } @@ -873,29 +883,31 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (_IOC_TYPE(cmd) != PI433_IOC_MAGIC) return -ENOTTY; - /* TODO? guard against device removal before, or while, - * we issue this ioctl. --> device_get() - */ + down_read(&instance->instance_sem); instance = filp->private_data; device = instance->device; if (!device) + up_read(&instance->instance_sem); return -ESHUTDOWN; switch (cmd) { case PI433_IOC_RD_TX_CFG: if (copy_to_user(argp, &instance->tx_cfg, sizeof(struct pi433_tx_cfg))) + up_read(&instance->instance_sem); return -EFAULT; break; case PI433_IOC_WR_TX_CFG: if (copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg))) + up_read(&instance->instance_sem); return -EFAULT; break; case PI433_IOC_RD_RX_CFG: if (copy_to_user(argp, &device->rx_cfg, sizeof(struct pi433_rx_cfg))) + up_read(&instance->instance_sem); return -EFAULT; break; case PI433_IOC_WR_RX_CFG: @@ -904,21 +916,26 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) /* during pendig read request, change of config not allowed */ if (device->rx_active) { mutex_unlock(&device->rx_lock); + up_read(&instance->instance_sem); return -EAGAIN; } if (copy_from_user(&device->rx_cfg, argp, sizeof(struct pi433_rx_cfg))) { mutex_unlock(&device->rx_lock); + up_read(&instance->instance_sem); return -EFAULT; } mutex_unlock(&device->rx_lock); + up_read(&instance->instance_sem); break; default: + up_read(&instance->instance_sem); retval = -EINVAL; } + up_read(&instance->instance_sem); return retval; } @@ -964,6 +981,7 @@ static int pi433_open(struct inode *inode, struct file *filp) /* setup instance data*/ instance->device = device; instance->tx_cfg.bit_rate = 4711; + init_rwsem(&instance->instance_sem); // TODO: fill instance->tx_cfg; /* instance data as context */ @@ -978,6 +996,7 @@ static int pi433_release(struct inode *inode, struct file *filp) struct pi433_instance *instance; struct pi433_device *device; + down_write(&instance->instance_sem); instance = filp->private_data; device = instance->device; kfree(instance); -- 2.17.1