Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3741746imm; Mon, 18 Jun 2018 03:20:31 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKiboJDcBx6o5Z+4tE3tA1ozI1HbjghE4kmzc6khXvac+tVz3zCPPVJoQy637HebgQJzWPX X-Received: by 2002:aa7:8298:: with SMTP id s24-v6mr12776433pfm.136.1529317231096; Mon, 18 Jun 2018 03:20:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529317231; cv=none; d=google.com; s=arc-20160816; b=txnAI9kejEQ951Lv7ZZhQQcEqbltchpqT2b/oPdfrtLctRQgEHkiUrzQ3zDv9W/yrA SkoT14CZsoFfMBPZuF+mCeth1ukaW7yIz6Ck34hBcJkEu1C3l1VNdYStVdzm7YuFil4O rlyrNwFZdqWj737ULLBMr0u/WJwn4GTXiVLGhWX+JGcFNj53gGOL+J4NwL+e/Qd5Ml+E OmKhiUiNRTWaF+NHjUeLgUd37YLc+7buto+HZnfdKWdys+eFMGo6BJzBq1s9BDkfjn2z SBSQCmKL9Aajw+NMLc+z+D4hwmtCKdcDAwlcZuZCNOrpu/mOkYR0g9qvXOvJ1ibv6EKr +Rtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=+4WdmHIXGalIxVJ754jvmJYpuTp1XA5A7Kamod648Tc=; b=ppPYghdXsrlIR4tBgemKU01k1tPIKkM4bk+gOatmHTUpACzIJZmhaxl2khlc9e7J5Q VuEwwvdth6H88t/XpXIaU5jf4NiOuTjPtzJz00H0wbbof9a0vLxKU1bDca+hcOqKlhyf 3/jGYAXuuYgI6KpxbwbwdzK+waWTVrSvMDRQB/2JxWQJf9R0xXFRfm432eiYDKGf3fOe tsNdZuLs+hWH4F3cNn2UtdnTi7vvF7LT0zMxIycoCgCBAI5P8x5w7oOhYWP4b6c/XoVr usjr8Hpz8GuuvFgLo/d7G+0R08ar7Pcptnvzvh6T7Z7lql52BT1U9gcXLPTD4HN1hnnY /yrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ZDujZu3g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f7-v6si15137375plb.253.2018.06.18.03.20.17; Mon, 18 Jun 2018 03:20:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ZDujZu3g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935882AbeFRKTA (ORCPT + 99 others); Mon, 18 Jun 2018 06:19:00 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:43080 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933409AbeFRKS5 (ORCPT ); Mon, 18 Jun 2018 06:18:57 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w5IADnUh193802; Mon, 18 Jun 2018 10:18:49 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=+4WdmHIXGalIxVJ754jvmJYpuTp1XA5A7Kamod648Tc=; b=ZDujZu3g7oNPhVdy/w4I2LVYq/OVWLw2dNdnYCUgBFWvk/Z0zqkKFlnjHhZ0eby7jH+E qVyA/3xK8wjPhmW2FmqmLhvn/WHhNeb5hx3GvtE0rXfPD605wQcMaXjGHrsIj0iRdk9f tIZaApXwHRPCRqcNNTUMTI7a5F7uDkS76LG/jEcopdJSXIXgVNJR6f3oLf+QJM6q+QEi cm+wtCqdf+iYh/j++9n3j5pICaQvsVvKWl4mVT74slKjaG5QfsIYkZdNSEZf21uClSuq tXSmY0TjBePCDRzBifvy0QUE0fAzNbhpTIXfFGL9ETqUUdduPApo3koMsqq2zuOezWpT sA== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2120.oracle.com with ESMTP id 2jmu6xkdyq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Jun 2018 10:18:49 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w5IAImBt019763 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Jun 2018 10:18:48 GMT Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w5IAIkm6013077; Mon, 18 Jun 2018 10:18:46 GMT Received: from mwanda (/197.157.0.62) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 18 Jun 2018 03:18:45 -0700 Date: Mon, 18 Jun 2018 13:18:38 +0300 From: Dan Carpenter To: Hugo Lefeuvre Cc: Greg Kroah-Hartman , devel@driverdev.osuosl.org, Marcus Wolf , linux-kernel@vger.kernel.org Subject: Re: [PATCH] staging: pi433: fix race condition in pi433_open Message-ID: <20180618101838.gzbrxabilnqyilsi@mwanda> References: <20180618022400.GA1893@hle-laptop.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180618022400.GA1893@hle-laptop.local> User-Agent: NeoMutt/20170609 (1.8.3) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8927 signatures=668702 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=2 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806180125 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 17, 2018 at 10:24:00PM -0400, Hugo Lefeuvre wrote: > Whenever pi433_open and pi433_remove execute concurrently, a race > condition potentially resulting in use-after-free might happen. > > Let T1 and T2 be two kernel threads. > > 1. T1 executes pi433_open and stops before "device->users++". > 2. The pi433 device was removed inbetween, so T2 executes pi433_remove > and frees device because the user count has not been incremented yet. > 3. T1 executes "device->users++" (use-after-free). > > This race condition happens because the check of minor number and > user count increment does not happen atomically. > > Fix: Extend scope of minor_lock in pi433_open(). > > Signed-off-by: Hugo Lefeuvre > --- > drivers/staging/pi433/pi433_if.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c > index 94e0bfcec991..73c511249f7f 100644 > --- a/drivers/staging/pi433/pi433_if.c > +++ b/drivers/staging/pi433/pi433_if.c > @@ -957,11 +957,13 @@ static int pi433_open(struct inode *inode, struct file *filp) > > mutex_lock(&minor_lock); > device = idr_find(&pi433_idr, iminor(inode)); > - mutex_unlock(&minor_lock); > if (!device) { > + mutex_unlock(&minor_lock); > pr_debug("device: minor %d unknown.\n", iminor(inode)); > return -ENODEV; > } > + device->users++; > + mutex_unlock(&minor_lock); > > if (!device->rx_buffer) { > device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL); We need to decrement device->users-- on the error paths as well. This function was already slightly broken with respect to counting the users, but let's not make it worse. I think it's still a tiny bit racy because it's not an atomic type. I'm not sure the error handling in open() works either. It's releasing device->rx_buffer but there could be another user. The ->rx_buffer should be allocated in probe() instead of open() probably, no? And then freed in pi433_remove(). Then once we put that in the right layer it means we can just get rid of ->users... The lines: 1008 if (!device->spi) 1009 kfree(device); make no sort of sense at all... Fortunately it's not posssible for device->spi to be NULL so it's dead code. regards, dan carpenter