Subject: Re: [PATCH] s390: cio: fix two use-after-free bugs in device.c
To: Cornelia Huck
CC: Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Christian Borntraeger
References: <20201120074849.31557-1-miaoqinglang@huawei.com> <20201120085526.257a5596.cohuck@redhat.com>
From: Qinglang Miao
Date: Tue, 1 Dec 2020 14:31:52 +0800
In-Reply-To: <20201120085526.257a5596.cohuck@redhat.com>
List-ID: <linux-kernel.vger.kernel.org>

On 2020/11/20 15:55, Cornelia Huck wrote:
> On Fri, 20 Nov 2020 15:48:49 +0800
> Qinglang Miao wrote:
>
>> put_device calls the release function, which does kfree() inside.
>> So the following use of sch & cdev would cause use-after-free bugs.
>>
>> Fix these by simply adjusting the position of put_device.
>>
>> Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
>> Fixes: 74bd0d859dc3 ("s390/cio: fix unlocked access of online member")
>> Reported-by: Hulk Robot
>> Signed-off-by: Qinglang Miao
>> ---
>> drivers/s390/cio/device.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
>> index b29fe8d50..69492417b 100644
>> --- a/drivers/s390/cio/device.c
>> +++ b/drivers/s390/cio/device.c
>> @@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev)
>> struct io_subchannel_private *io_priv = to_io_private(sch);
>>
>> set_io_private(sch, NULL);
>> - put_device(&sch->dev);
>> - put_device(&cdev->dev);
>> dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area),
>> io_priv->dma_area, io_priv->dma_area_dma);
>> + put_device(&sch->dev);
>> + put_device(&cdev->dev);
>
> That change looks reasonable.
>
>> kfree(io_priv);
>> }
>>
>> @@ -1774,8 +1774,8 @@ static int ccw_device_remove(struct device *dev)
>> ret, cdev->private->dev_id.ssid,
>> cdev->private->dev_id.devno);
>> /* Give up reference obtained in ccw_device_set_online(). */
>> - put_device(&cdev->dev);
>> spin_lock_irq(cdev->ccwlock);
>> + put_device(&cdev->dev);
>
> As the comment above states, the put_device() gives up the reference
> obtained in ccw_device_set_online(). There's at least one more
> reference remaining (held by the caller of the remove function). Moving
> the put_device() does not fix anything here.

Hi Cornelia,

Sorry for the delayed reply. Your suggestion is reasonable; there is a mistake in this patch, for I didn't notice that there would be at least one more reference remaining. So I sent a new patch only to move put_device after dma_free_coherent. I put the link below:

https://lore.kernel.org/lkml/20201201063150.82128-1-miaoqinglang@huawei.com/

Thanks!

>
>> }
>> ccw_device_set_timeout(cdev, 0);
>> cdev->drv = NULL;
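Review bot: In the ccw_device_destroy_console() hunk the reordering is correct but should carry a comment saying why, since nothing at the call site explains it: dma_free_coherent(&sch->dev, ...) dereferences sch, so a put_device(&sch->dev) that drops the last reference before it would run the release callback and free the struct the next line reads. Suggest a one-line comment above the moved calls, e.g. `/* dma_free_coherent() needs sch->dev; drop the references only afterwards */`; the kfree(io_priv) below remains fine because io_priv is a separate allocation that is freed last. The commit message's "following use of sch & cdev" is also wider than this hunk supports: between the old and the new position only sch->dev is used and cdev is not touched, so the description should name the subchannel device as the object at risk.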
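Review bot: In the ccw_device_remove() hunk, moving put_device(&cdev->dev) below spin_lock_irq(cdev->ccwlock) cannot close a use-after-free, because the function keeps dereferencing cdev after the put either way: the lock pointer is read from cdev, and the trailing context still does ccw_device_set_timeout(cdev, 0) and cdev->drv = NULL. The code is therefore already relying on another reference keeping cdev alive, which is exactly what the comment "Give up reference obtained in ccw_device_set_online()" and the reviewer's remark about the caller's reference say. If that reference did not exist, the new placement would be worse rather than better, since the release callback would then run with ccwlock held and interrupts disabled. Suggest dropping this hunk, removing the Fixes: tag that belongs to it, and retitling the patch to the single console-path fix.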