Subject: Re: [PATCH v2] Input: uinput: Avoid Object-Already-Free with a global lock
To: "dmitry.torokhov@gmail.com"
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Gaurav Kohli, Peter Hutterer, Martin Kepplinger, "Paul E. McKenney"
From: Mukesh Ojha
Date: Fri, 19 Apr 2019 14:13:48 +0530

On 4/19/2019 12:41 PM, dmitry.torokhov@gmail.com wrote:
> Hi Mukesh,
>
> On Fri, Apr 19, 2019 at 12:17:44PM +0530, Mukesh Ojha wrote:
>> For some reason my last mail did not get delivered, sending it again.
>>
>>
>> On 4/18/2019 11:55 AM, Mukesh Ojha wrote:
>>>
>>> On 4/18/2019 7:13 AM, dmitry.torokhov@gmail.com wrote:
>>>> Hi Mukesh,
>>>>
>>>> On Mon, Apr 15, 2019 at 03:35:51PM +0530, Mukesh Ojha wrote:
>>>>> Hi Dmitry,
>>>>>
>>>>> Can you please have a look at this patch, as this seems to be reproducing
>>>>> quite frequently?
>>>>>
>>>>> Thanks,
>>>>> Mukesh
>>>>>
>>>>> On 4/10/2019 1:29 PM, Mukesh Ojha wrote:
>>>>>> uinput_destroy_device() gets called from two places. In one place,
>>>>>> uinput_ioctl_handler() where it is protected under a lock
>>>>>> udev->mutex but there is no protection on udev device from freeing
>>>>>> inside uinput_release().
>>>> uinput_release() should be called when last file handle to the uinput
>>>> instance is being dropped, so there should be no other users and thus we
>>>> can't be racing with anyone.
>>> Let's say an example where I am creating input device quite frequently
>>>
>>> [   97.836603] input: syz0 as /devices/virtual/input/input262
>>> [   97.845589] input: syz0 as /devices/virtual/input/input261
>>> [   97.849415] input: syz0 as /devices/virtual/input/input263
>>> [   97.856479] input: syz0 as /devices/virtual/input/input264
>>> [   97.936128] input: syz0 as /devices/virtual/input/input265
>>>
>>> e.g. input265
>>>
>>> while input265 gets created [1] and handlers are getting registered on
>>> that device, *fput* gets called on
>>> that device as user space got to know that input265 is created and its
>>> reference is still 1 (rare but possible).
> Are you saying that there are 2 threads sharing the same file
> descriptor, one issuing the registration ioctl while the other closing
> the same fd?

Dmitry, I don't have an exact look inside the app here, but this looks like the same, as it is able to do fput on the uinput device.

FYI, Syzkaller app is running in userspace (which is for syscall fuzzing) on a kernel which is enabled with various config fault injection: FAULT_INJECTION, FAIL_SLAB, FAIL_PAGEALLOC, KASAN etc.

Thanks,
Mukesh

>
> Thanks.
>
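
Added example, not part of the thread and not kernel code: a userspace model of the invariant Dmitry describes, that the release path runs only when the last file reference is dropped. It writes out the two-thread interleaving from his question sequentially; all names are hypothetical, and `pinned` assumes the ioctl caller holds its own file reference for the duration of the call.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, none is kernel code. */
struct model_file {
    atomic_int refs;     /* stands in for the struct file reference count */
    int release_calls;   /* times the ->release() stand-in has run */
    bool device_alive;   /* false once the release path destroyed the device */
};

static void model_open(struct model_file *f) {
    atomic_init(&f->refs, 1);   /* the fd table owns the first reference */
    f->release_calls = 0;
    f->device_alive = true;
}

static void model_put(struct model_file *f) {
    /* atomic_fetch_sub returns the old value: 1 means the last ref is gone */
    if (atomic_fetch_sub(&f->refs, 1) == 1) {
        f->release_calls++;
        f->device_alive = false;
    }
}

/* Thread A is inside ioctl() while thread B calls close() on the same fd.
 * pinned = true models syscall entry taking its own reference first. */
static bool device_alive_during_ioctl(struct model_file *f, bool pinned) {
    if (pinned)
        atomic_fetch_add(&f->refs, 1);  /* A: pin the file for the call */
    model_put(f);                       /* B: close() drops the fd-table ref */
    bool alive = f->device_alive;       /* A: touches the device mid-ioctl */
    if (pinned)
        model_put(f);                   /* A: syscall exit, release runs here */
    return alive;
}

int main(void) {
    struct model_file f;
    model_open(&f);
    printf("pinned:   alive=%d\n", device_alive_during_ioctl(&f, true));
    model_open(&f);
    printf("unpinned: alive=%d\n", device_alive_during_ioctl(&f, false));
    return 0;
}
```

In the pinned case the concurrent close only drops the count from 2 to 1, so release is deferred until the ioctl returns; only a path that reaches the device without holding a reference sees it already destroyed.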