Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3513874yba; Tue, 23 Apr 2019 05:16:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqwaRTROv8JZmQj8OMNPcaK0JuN5ItfVab3zJuW+0MmidJNK2ZPuTm86hDrAcNjtdQzLptQD X-Received: by 2002:a63:f315:: with SMTP id l21mr11559513pgh.417.1556021816130; Tue, 23 Apr 2019 05:16:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556021816; cv=none; d=google.com; s=arc-20160816; b=lrHR5q0KyW3Y/2kmDOZp3x75DwxTJIyYKA8wGm2XT9ffiacbeZMidP3lnwKBNHidui icxcIZWQo8OuCzZoVuiBMMMTrSnsxEJ6toBLPK1aWYjKtLgqKyklN+8DkcS3geRkMnD5 OwKPCdkc7YPp+gE+ozcpIZeJYIYbEupE9XpLbvJXegSXksevh2Vd3a7ESQYgqr8dfdXw GMnV5VxW5Cg+qOGif0Suw/wn8G6dCbQ3uUS6o5HFcM3XZYe3/wkhuj/+jtGGcs32WmM9 wupILT2M/dytfNuNEPX4+/25Kzc8QHx20jv54I2FQO4G7jJ80OUU1xoGhujhXU+KHtgk ZaNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Zp1b7dAYuyoDQ79WVtlM5YG7iswflR95W7D4PwVSPeE=; b=dWkP4OA/drjC5xuaQsn41Ogo2wKwRhwdeIoQWMM+aZwrpYwF2CCvuziAsZYAF+Fwal rdZtrefakVtpn8HSFdeLYCtgz7eTw6KqOzofbBOX1fA4c0rk9npOaLrR5dYNR+I8FSZa xUB0OcRie/NiXHlCM8MRU+3XLwDZ8bBIqhdO8BwqwWvDNPBpZ94M3Y9nt2Basz21Cevk SBEfQgO1j2KKUIerNPVUWzuksVGKOghymDgyayC1ZiUS4CLjvs6EQ9Fbb81YpXUVPXBu l9YwqyvLHF/K6nEL+DZTsSgkwrKKJQqd4tbZNmogsb43zIN6mgvVWkmuvNiWEJAlO/PW Mkjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a62si12999252pla.107.2019.04.23.05.16.39; Tue, 23 Apr 2019 05:16:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727467AbfDWMPp (ORCPT + 99 others); Tue, 23 Apr 2019 08:15:45 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:34150 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726033AbfDWMPo (ORCPT ); Tue, 23 Apr 2019 08:15:44 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux)) id 1hIuKq-0007mp-58; Tue, 23 Apr 2019 12:15:40 +0000 Date: Tue, 23 Apr 2019 13:15:40 +0100 From: Al Viro To: "dmitry.torokhov@gmail.com" Cc: Mukesh Ojha , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Gaurav Kohli , Peter Hutterer , Martin Kepplinger , "Paul E. McKenney" Subject: Re: [PATCH v2] Input: uinput: Avoid Object-Already-Free with a global lock Message-ID: <20190423121539.GM2217@ZenIV.linux.org.uk> References: <7299a6db-38b7-75c7-633a-00d2257eba45@codeaurora.org> <20190418014321.dptin7tpxpldhsns@penguin> <20190419071152.x5ghvbybjhv76uxt@penguin> <20190423032839.xvbldglrmjxkdntj@penguin> <17f4a0be-ab04-8537-9197-32fbca807f3f@codeaurora.org> <20190423084944.gj2boxfcg7lp4zad@penguin> <20190423110611.GL2217@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190423110611.GL2217@ZenIV.linux.org.uk> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 23, 2019 at 12:06:12PM +0100, Al Viro wrote: > On Tue, Apr 23, 2019 at 08:49:44AM +0000, dmitry.torokhov@gmail.com wrote: > > On Tue, Apr 23, 2019 at 12:51:13PM +0530, Mukesh Ojha wrote: > > > > I have taken care this case from ioctl and release point of view. > > > > > > Even if the release gets called first it will make the > > > file->private_data=NULL. > > > and further call to ioctl will not be a problem as the check is already > > > there. > > > > Al, do we have any protections in VFS layer from userspace hanging onto > > a file descriptor and calling ioctl() on it even as another thread > > calls close() on the same fd? > > > > Should the issue be solved by individual drivers, or more careful > > accounting for currently running operations is needed at VFS layer? > > Neither. An overlap of ->release() and ->ioctl() is possible only > if you've got memory corruption somewhere. > > close() overlapping ioctl() is certainly possible, and won't trigger > that at all - sys_ioctl() holds onto reference to struct file, so > its refcount won't reach zero until we are done with it. I'd like to see a reproducer; _if_ we are really getting such overlaps, we have something buggering struct file refcounts (e.g. stray fput() eventually leading to dangling pointer in descriptor table) or an outright memory corruption mangling descriptor table/kernel stack/ refcount/->private_data/etc. Details, please - I tried to google some context for that, but hadn't found anything useful ;-/