Date: Thu, 15 Sep 2022 10:02:35 +0200
From: Dominik Brodowski
To: Arnd Bergmann
Cc: Hyunwoo Kim, laforge@gnumonks.org, Greg Kroah-Hartman, Ilpo Järvinen, linux-kernel@vger.kernel.org, Paul Fulghum, akpm@osdl.org, Lubomir Rintel
Subject: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()
References: <20220913052020.GA85241@ubuntu> <20220915020834.GA110086@ubuntu>
On Thu, Sep 15, 2022 at 09:35:51AM +0200, Arnd Bergmann wrote:
> On Thu, Sep 15, 2022, at 4:08 AM, Hyunwoo Kim wrote:
> > There are 3 other pcmcia drivers in the path
> > "drivers/char/pcmcia/synclink_cs.c",
> > the path of the "synclink_cs.c" driver I reported the UAF to.
> > A similar UAF occurs in the "cm4000_cs.c" and "cm4040_cs.c" drivers.
> > (this does not happen in scr24x_cs.c)
> ...
> > In the cm4000_cs.c driver, the race condition flow is tricky because of
> > the start/stop_monitor() functions.
> >
> > The overall flow is similar to cm4040_cs.c.
> > Added one race condition to bypass the "dev->monitor_running" check.
> >
> >
> > So, should the above two drivers be removed from the kernel like the
> > synclink_cs.c driver?
> >
> > Or should I submit a patch that fixes the UAF?
>
> There is a good chance that we can remove both now, along with the
> synclink_cs. The scr24x driver is from 2016, but of course the
> hardware is much older. The cm4040/cm4000 drivers are from 2005.
> My guess is that the hardware still exists in actively used systems,
> but none of them get upgraded to modern kernels any more.
>
> Let's just ask the driver authors (Lubomir and Harald) if they
> think the drivers may still be needed.

Actually, I'd prefer to apply a patch to fix this now-known problem first,
even if we deactivate / remove these drivers immediately afterwards.

Thanks,
	Dominik