Date: Sun, 17 Jun 2018 22:24:00 -0400
From: Hugo Lefeuvre
To: Greg Kroah-Hartman
Cc: devel@driverdev.osuosl.org, Marcus Wolf, linux-kernel@vger.kernel.org
Subject: [PATCH] staging: pi433: fix race condition in pi433_open
Message-ID: <20180618022400.GA1893@hle-laptop.local>

Whenever pi433_open and pi433_remove execute concurrently, a race condition potentially resulting in use-after-free might happen.

Let T1 and T2 be two kernel threads.

1. T1 executes pi433_open and stops before "device->users++".
2. The pi433 device was removed in between, so T2 executes pi433_remove and frees device because the user count has not been incremented yet.
3. T1 executes "device->users++" (use-after-free).

This race condition happens because the check of minor number and user count increment does not happen atomically.

Fix: Extend scope of minor_lock in pi433_open().

Signed-off-by: Hugo Lefeuvre
---
 drivers/staging/pi433/pi433_if.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c
index 94e0bfcec991..73c511249f7f 100644
--- a/drivers/staging/pi433/pi433_if.c
+++ b/drivers/staging/pi433/pi433_if.c
@@ -957,11 +957,13 @@ static int pi433_open(struct inode *inode, struct file *filp) mutex_lock(&minor_lock); device = idr_find(&pi433_idr, iminor(inode)); - mutex_unlock(&minor_lock); if (!device) { + mutex_unlock(&minor_lock); pr_debug("device: minor %d unknown.\n", iminor(inode)); return -ENODEV; } + device->users++; + mutex_unlock(&minor_lock); if (!device->rx_buffer) { device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL);
@@ -969,7 +971,6 @@ static int pi433_open(struct inode *inode, struct file *filp) return -ENOMEM; } - device->users++; instance = kzalloc(sizeof(*instance), GFP_KERNEL); if (!instance) { kfree(device->rx_buffer); -- 2.17.1
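Review bot: in the first hunk, taking `device->users++` under minor_lock only closes the window if pi433_remove also reads device->users and frees the device under the same minor_lock; the patch shows only the open side and the commit message does not say whether the remove side already does this, so please state it in the commit message or add that locking in the same patch. Note also that after `+ mutex_unlock(&minor_lock);` the remainder of open (`if (!device->rx_buffer) {` onwards) runs with the incremented count as its only protection against a concurrent remove, which is fine only if remove honours that count before touching rx_buffer.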
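Review bot: in the second hunk, the `return -ENOMEM;` just above the removed `- device->users++;` now returns with the count already incremented (the increment moved above the rx_buffer kmalloc in the first hunk) and no decrement is visible on that path, so a failed allocation leaves device->users permanently one too high and pi433_remove will then never free the device. Either decrement users under minor_lock before returning -ENOMEM, or keep minor_lock held across the rx_buffer allocation and do the increment after it (a GFP_KERNEL allocation under a mutex is allowed, since mutexes may sleep).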
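The interleaving the commit message walks through, as an added example that is not part of the patch or of the pi433 driver: a single-threaded user-space C model in which T1 (pi433_open) and T2 (pi433_remove) are stepped by hand in the message's order, once against the pre-patch open (minor_lock dropped between the idr lookup and users++) and once against the patched one. The registry array, the lock flag, the freed-address record and the EUAF code are assumptions of the model, not kernel APIs; the remove side is modelled as checking users under minor_lock, which the patch relies on but does not show.

```c
/* Added example, not pi433 driver code: a single-threaded model of the
 * open/remove race, with T1 and T2 stepped by hand so the outcome is fixed.
 * registry[], the lock flag, last_freed and EUAF are model assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define EUAF 1000	/* model-only: users++ would have hit freed memory */

struct dev { int users; };

static struct dev *registry[4];	/* stands in for pi433_idr */
static int minor_lock_held;	/* stands in for minor_lock */
static uintptr_t last_freed;	/* address T2 freed; never dereferenced */

static void lock_minor(void)   { if (minor_lock_held) abort(); minor_lock_held = 1; }
static void unlock_minor(void) { minor_lock_held = 0; }

static struct dev *model_probe(int minor)
{
	struct dev *d = calloc(1, sizeof(*d));
	lock_minor();
	registry[minor] = d;
	last_freed = 0;
	unlock_minor();
	return d;
}

/* T2 (pi433_remove): drop the minor and free the device if nobody has it
 * open.  Model assumption: the users check happens under minor_lock. */
static void model_remove(int minor)
{
	lock_minor();
	struct dev *d = registry[minor];
	registry[minor] = NULL;
	if (d && d->users == 0) {
		last_freed = (uintptr_t)d;
		free(d);
	}
	unlock_minor();
}

/* T1 before the patch, split where step 1 of the commit message stops:
 * minor_lock is released between the idr lookup and users++. */
static struct dev *open_before_lookup(int minor)
{
	lock_minor();
	struct dev *d = registry[minor];
	unlock_minor();		/* window: T2 may free d from here on */
	return d;
}

static int open_before_finish(struct dev *d)
{
	if (!d)
		return -ENODEV;
	if ((uintptr_t)d == last_freed)	/* the driver would do d->users++ here */
		return -EUAF;
	d->users++;
	return 0;
}

/* T1 after the patch: lookup and increment in one critical section. */
static int open_after(int minor)
{
	lock_minor();
	struct dev *d = registry[minor];
	if (!d) {
		unlock_minor();
		return -ENODEV;
	}
	d->users++;
	unlock_minor();
	return 0;
}

/* Steps 1-3 of the commit message against the unpatched open: -EUAF. */
static int scenario_before(void)
{
	model_probe(0);
	struct dev *d = open_before_lookup(0);	/* T1 stops before users++ */
	model_remove(0);			/* T2 sees users == 0, frees d */
	return open_before_finish(d);		/* T1 resumes on freed memory */
}

/* Patched open first: remove sees users == 1 and keeps the device.
 * Returns the surviving user count (1), or -EUAF if it was freed anyway. */
static int scenario_after_open_first(void)
{
	struct dev *d = model_probe(0);
	int rc = open_after(0);
	model_remove(0);
	if (rc || (uintptr_t)d == last_freed)
		return -EUAF;
	rc = d->users;
	free(d);
	return rc;
}
```

The model never dereferences freed memory: open_before_finish compares the address against last_freed instead of performing the increment the real driver would, so the example stays clean under a sanitizer while still reporting the use-after-free as -EUAF. With the patched open the only other order, remove before open, makes open_after find no entry under minor 0 and return -ENODEV, which is the clean failure the patch intends.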