Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp434101imu;
        Thu, 3 Jan 2019 00:13:01 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5k4kGkPD4Z6CrLeAJO3W1xg8uMUtUMWsZMtC0lr/1LIafwdG/FJxSOQCMpTFYS8u3ca/2w
X-Received: by 2002:a63:ef47:: with SMTP id c7mr16416976pgk.386.1546503181027;
        Thu, 03 Jan 2019 00:13:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546503180; cv=none;
        d=google.com; s=arc-20160816;
        b=gMOdMN6d3UCtFYtuwEmJfD91QCAbBOIJQNqdbH57UHOhLb6FTkTUEyfRhcfUjsIL06
         NyehdAorWh775dmsP7f8/HioGhPBOpgKd+kjjXrRZ++Ir+YyrRXrRp0MkqiigBKQI3Zy
         28jqLT0h8z5zkB6/siz14VCh9xmDe3j5xK98ygiW4KkgdcD8JnV4wUd4SsFKQSCGCnQZ
         skLhglUBrAZv+IDosyZhoubzY/RjBy62SZHsqQ4DNNkR91vcb09JhECiSjoTiSO5Ctxv
         QDqOClZFbp0aSDgYVRrmbt+DEiz5edwZHwcUvIRP5iMxLpuV/AtK3voxgq9xn8maNRkP
         mZKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=Wz2XArtS8EZTVvS4DHfovSCU3iuImaas6Cb3sISlT30=;
        b=m6eibRaX/A0ZKw0nfgBgWkE9I74bFZHS58JruXFabdPhWkPHEw2vCAfeLXXizqWXmX
         SVAroJB2XRP0ya9yDzm+SCropVhNVMSeolCNuHkbYC1cl1rKB9cWPC/7UOZnfHQt1Xm+
         zaMxOwbTpmZahuOdTaDCZDrAZweb2IPBP/oMvBasszIrte6on0Zh8FaBC1HQHpPPP6ss
         MFpcxzdjiCaMQ52gjJgy/5Py+sOrqxbXZ+lU4xYN9g704/dh3Y3K4Jzrn+Je5IdSj6zD
         BnNuP2DePf+/GBPgMSlSchl+GAMM8+nOzL5GRjjlYQge/jf5asnbkxWsQIhx1txRq2pg
         5Fkg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k186si53477548pgc.576.2019.01.03.00.12.45;
        Thu, 03 Jan 2019 00:13:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728736AbfACD2c (ORCPT <rfc822;dacohen@gmail.com> + 99 others);
        Wed, 2 Jan 2019 22:28:32 -0500
Received: from gate.crashing.org ([63.228.1.57]:47082 "EHLO gate.crashing.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726036AbfACD2c (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Jan 2019 22:28:32 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
        by gate.crashing.org (8.14.1/8.14.1) with ESMTP id x033RuaP009503;
        Wed, 2 Jan 2019 21:28:01 -0600
Message-ID: <fd0a4a0da544908204d8558895d469c6d87b6743.camel@kernel.crashing.org>
Subject: Re: [PATCH] fsi:fsi-sbefifo: Fix possible concurrency
 use-after-free bugs in sbefifo_user_release
From:   Benjamin Herrenschmidt <benh@kernel.crashing.org>
To:     David Howells <dhowells@redhat.com>,
        Jia-Ju Bai <baijiaju1990@gmail.com>
Cc:     joel@jms.id.au, eajames@linux.vnet.ibm.com, andrew@aj.id.au,
        linux-kernel@vger.kernel.org
Date:   Thu, 03 Jan 2019 14:27:56 +1100
In-Reply-To: <26864.1546421693@warthog.procyon.org.uk>
References: <20181226135618.12784-1-baijiaju1990@gmail.com>
         <26864.1546421693@warthog.procyon.org.uk>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.2 (3.30.2-2.fc29) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2019-01-02 at 09:34 +0000, David Howells wrote:
> Jia-Ju Bai <baijiaju1990@gmail.com> wrote:
> 
> > +	mutex_lock(&user->file_lock);
> >  	sbefifo_release_command(user);
> >  	free_page((unsigned long)user->cmd_page);
> > +	mutex_unlock(&user->file_lock);
> 
> It shouldn't be necessary to do the free_page() call inside the locked
> section.

True. However, I didn't realize read/write could be concurrent with
release so we have another problem.

I assume when release is called, no new read/write can be issued, I am
correct ? So all we have to protect against is a read/write that has
started prior to release being called, right ?

In that case, what can happen is that release() wins the race on the
mutex, frees everything, then read or write starts using feed stuff.

This is nasty to fix because the mutex is in the user structure,
so even looking at the mutex is racy if release is called.

The right fix, would be, I think, for "user" (pointed to by file-
>private_data) to be protected by a kref. That doesn't close it
completely as the free in release() can still lead to the structure
becoming re-used before read/write tries to get the kref but after it
has NULL checked the private data.

So to make that solid, I would also RCU-defer the actual freeing and
use RCU around dereferencing file->private_data

Now, I yet have to see other chardevs do any of the above, do that mean
they are all hopelessly racy ?

Cheers,
Ben.