Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3893559pxf; Mon, 22 Mar 2021 19:08:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyEhUKNy5zNK0cxS2mTfCJ1NOsB9ANQNifWyhRuXXGvTwRHo27Ydiam5Fo8QclgqhhDk+mZ X-Received: by 2002:a17:906:405b:: with SMTP id y27mr2637300ejj.332.1616465287951; Mon, 22 Mar 2021 19:08:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616465287; cv=none; d=google.com; s=arc-20160816; b=k/gILKAveu4VbHe/xQzj0KsxeJn0+teA4vGcOVZDErXtgUKNEnY+1jgJCMIc9DlGZQ oq/knjIv/PEoB2sykcjLQHiz1yc/AqIqA9YDZe8/XcuZna0mIkA1Me5MNeuSVCXP68/R 9Ppsi6/iD76D5TEd+uLrw8kq65eCD3nYpg3QToxLwuRcPA/RMAgxJ5gB8nDNsj4EGZn6 R82/TdrutvLOAkDbv1fkzDjOXQnXooaQ7ujZsOOUR+z8FPRSnJtTZ1cfxlkWj3vs68JY 631C8HM0nwpTD+FJh6jtDtmt057xWxvTi5WabY0vYX0lRRESo/qMMcl6T7JckfwwwZni PAaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=ik3OqhDezFC9M+OCWgTtlChENh9DRHtu5niN+Cwe6q0=; b=HqTwJM6eR0ROBZUcNQweOME2o0pawOgxZzBDMo9S7EBnm9QGptj0Zfm+GwXeoZ9LPi 5RvxSt1MauSEkV3gfNoU92pgDRFxWsSQfDdA9GEE/Ng65X8WT9IwstJ1ZpWB4i4Xwfsx sRVVJD5sb6/ll1y26EJIUxx6q3A2Fl90uXSxjEUOi4WHGVCDjVDPk5r5b9ogOvdtgkSY tCypDxAjFRm2RUP269fxF6ZbOOSXYyFcFymBxDwEl5XgWnBV06eS3K7uZd3lbD58hEXB sH1z1ib1eIsHLPeG3dSKsmsfsgB/GpvcE5frueR3KQ4snJfquzn++7+hrcb0ECy+AwhQ yQ/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=TJnCZ5RD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v2si12410337ejg.251.2021.03.22.19.07.42; Mon, 22 Mar 2021 19:08:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=TJnCZ5RD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230100AbhCWCG4 (ORCPT + 99 others); Mon, 22 Mar 2021 22:06:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58344 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229893AbhCWCG2 (ORCPT ); Mon, 22 Mar 2021 22:06:28 -0400 Received: from ustc.edu.cn (email6.ustc.edu.cn [IPv6:2001:da8:d800::8]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 99D2DC061574 for ; Mon, 22 Mar 2021 19:06:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.ustc.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:MIME-Version:Content-Transfer-Encoding; bh=ik3OqhDezF C9M+OCWgTtlChENh9DRHtu5niN+Cwe6q0=; b=TJnCZ5RDXYh7VHGz5Lqhwm3y70 Zkjq2fXdRHPsJryrgCrxNkxO2Kaxc87VpQ/aHvsrD3X0UUgLIKMozkpvJGFYWm1T lFFoXkH/cgSURJD3DZwqJ1ocboWpmUQJoJ14AR5KV4FJQRZ83SH3gjeUUtRNfMiP OvdlZ6GfZ8ZQB4r30= Received: from ubuntu.localdomain (unknown [202.38.69.14]) by newmailweb.ustc.edu.cn (Coremail) with SMTP id LkAmygBXXEghTVlgSyoYAA--.0S4; Tue, 23 Mar 2021 10:06:25 +0800 (CST) From: Lv Yunlong To: mporter@kernel.crashing.org, alex.bou9@gmail.com Cc: linux-kernel@vger.kernel.org, Lv Yunlong Subject: [PATCH] rapidio: Fix a use after free in mport_mm_close Date: Mon, 22 Mar 2021 19:06:22 -0700 Message-Id: <20210323020622.10604-1-lyl2019@mail.ustc.edu.cn> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID: LkAmygBXXEghTVlgSyoYAA--.0S4 X-Coremail-Antispam: 1UD129KBjvdXoW7JF1fKF4kGF4DCFy5GF4UArb_yoWkKwb_Cw 1kGrn7XrWkAa1kJr4aqw1fu3yS9Fnavr4Fkr40vFyrG3sxAFnxXr1DZw40qw4jqw45XFn5 J34rZr15Cr48WjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbVxFF20E14v26r1j6r4UM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_Ar0_tr1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr1j 6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAac4AC62xK8xCEY4vEwIxC4wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC 0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr 1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IE rcIFxwCY02Avz4vE14v_Gr1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr 1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE 14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7 IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWrJr0_WFyUJwCI42IY 6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa 73UjIFyTuYvjfU55l8UUUUU X-CM-SenderInfo: ho1ojiyrz6zt1loo32lwfovvfxof0/ Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In mport_mm_close, map is freed by kref_put(&map->ref,). But mutex_unlock(&map->md->buf_mutex) uses map later. Other thread could allocate the freed chunk and cause an unexpected result. My patch adds a variable buf_mutex to store the mutex before map is freed. Signed-off-by: Lv Yunlong --- drivers/rapidio/devices/rio_mport_cdev.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c index 94331d999d27..836bcb4ab50a 100644 --- a/drivers/rapidio/devices/rio_mport_cdev.c +++ b/drivers/rapidio/devices/rio_mport_cdev.c @@ -2179,9 +2179,11 @@ static void mport_mm_close(struct vm_area_struct *vma) struct rio_mport_mapping *map = vma->vm_private_data; rmcd_debug(MMAP, "%pad", &map->phys_addr); - mutex_lock(&map->md->buf_mutex); + struct mutex buf_mutex = map->md->buf_mutex; + + mutex_lock(&buf_mutex); kref_put(&map->ref, mport_release_mapping); - mutex_unlock(&map->md->buf_mutex); + mutex_unlock(&buf_mutex); } static const struct vm_operations_struct vm_ops = { -- 2.25.1