Date: Fri, 16 Sep 2022 06:51:13 -0700
From: Hyunwoo Kim
To: lkundrak@v3.sk
Cc: linux-kernel@vger.kernel.org, imv4bel@gmail.com, gregkh@linuxfoundation.org, arnd@arndb.de
Subject: [PATCH v2] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops
Message-ID: <20220916135113.GA235070@ubuntu>
X-Mailing-List: linux-kernel@vger.kernel.org

A race condition may occur if the user physically removes the pcmcia device while calling open() for this char device node. This is a race condition between the scr24x_open() function and the scr24x_remove() function, which may eventually result in UAF. So, add a mutex to the scr24x_open() and scr24x_remove() functions to avoid race condition of krefs.

Signed-off-by: Hyunwoo Kim
---
 drivers/char/pcmcia/scr24x_cs.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/char/pcmcia/scr24x_cs.c b/drivers/char/pcmcia/scr24x_cs.c
index 1bdce08fae3d..f630da554cc4 100644
--- a/drivers/char/pcmcia/scr24x_cs.c
+++ b/drivers/char/pcmcia/scr24x_cs.c
@@ -39,10 +39,12 @@ struct scr24x_dev { struct mutex lock; struct kref refcnt; u8 __iomem *regs; + int removed; }; #define SCR24X_DEVS 8 static DECLARE_BITMAP(scr24x_minors, SCR24X_DEVS); +static DEFINE_MUTEX(remove_mutex); static struct class *scr24x_class; static dev_t scr24x_devt;
@@ -76,8 +78,15 @@ static int scr24x_open(struct inode *inode, struct file *filp) struct scr24x_dev *dev = container_of(inode->i_cdev, struct scr24x_dev, c_dev); + mutex_lock(&remove_mutex); + if (dev->removed == 1) { + mutex_unlock(&remove_mutex); + return -ENODEV; + } + kref_get(&dev->refcnt); filp->private_data = dev; + mutex_unlock(&remove_mutex); return stream_open(inode, filp); } @@ -292,6 +301,7 @@ static void scr24x_remove(struct pcmcia_device *link) { struct scr24x_dev *dev = (struct scr24x_dev *)link->priv; + mutex_lock(&remove_mutex); device_destroy(scr24x_class, MKDEV(MAJOR(scr24x_devt), dev->devno)); mutex_lock(&dev->lock); pcmcia_disable_device(link); @@ -301,6 +311,8 @@ static void scr24x_remove(struct pcmcia_device *link) mutex_unlock(&dev->lock); kref_put(&dev->refcnt, scr24x_delete); + dev->removed = 1; + mutex_unlock(&remove_mutex); } static const struct pcmcia_device_id scr24x_ids[] = { -- 2.25.1
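Review bot: in the first hunk (struct scr24x_dev), `int removed` is only ever tested against 1 and set to 1 in the later hunks, so `bool removed` would state the intent, and a comment on the field naming the lock that protects it (remove_mutex, per the open and remove hunks) would help the next reader. The hunk also does not initialize the field, so it relies on the allocation zeroing the struct, and `static DEFINE_MUTEX(remove_mutex);` is one file-scope lock that serializes open() across all SCR24X_DEVS devices rather than per device; acceptable for a hot-unplug guard, but worth a one-line comment next to the definition.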
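Review bot: in the scr24x_open() hunk, `if (dev->removed == 1)` dereferences a `dev` that was obtained from `container_of(inode->i_cdev, struct scr24x_dev, c_dev)` before remove_mutex is taken, so the test is only sound while that struct is still allocated; the mutex closes the window between the flag test and `kref_get(&dev->refcnt)`, but it cannot make an already-stale pointer safe to read, so the cdev/kref teardown order still has to keep the object alive until no open() can reach it. A comment stating that assumption here, plus a note that remove_mutex is taken before `dev->lock` in scr24x_remove() and must never be taken after it, would make the locking contract explicit.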
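Review bot: in the first scr24x_remove() hunk, `mutex_lock(&remove_mutex);` is now followed by `mutex_lock(&dev->lock);` while the global lock is held, which fixes the order as remove_mutex then dev->lock; recording that order in a comment at the lock site would stop a later change from nesting them the other way. device_destroy() and pcmcia_disable_device() also run with remove_mutex held, so every open() on any scr24x device blocks for the full teardown of one card; fine for a removal path, but say so.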
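Review bot: in the last hunk, `dev->removed = 1;` is stored after `kref_put(&dev->refcnt, scr24x_delete);`. When no file is open, the driver's reference is the last one, so that kref_put runs scr24x_delete and, if that release callback frees the object as a kref release normally does, the following store writes into freed memory: the fix would itself introduce a use-after-free on the common no-opener path. Set the flag before the put, still under remove_mutex, and do not touch `dev` afterwards:
+	dev->removed = 1;
 	kref_put(&dev->refcnt, scr24x_delete);
+	mutex_unlock(&remove_mutex);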
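The open()/remove() race the commit message describes, modelled in user space as an added example (editor's code, not part of the patch or of the kernel driver): a kref-style counter, a global remove_mutex and a removed flag, with hypothetical model_* names standing in for the driver functions. It assumes the flag is written before the driver's final kref_put, which differs from the posted hunk, and it replays one deterministic sequence rather than a real concurrent unplug.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical user-space stand-in for the lifetime state of struct scr24x_dev. */
struct model_dev {
	int refcnt;   /* stands in for struct kref */
	int removed;  /* protected by remove_mutex, as in the patch */
};
static pthread_mutex_t remove_mutex = PTHREAD_MUTEX_INITIALIZER;

/* kref_put stand-in: frees on the last reference and returns 1 when it did. */
static int model_put(struct model_dev *dev)
{
	if (--dev->refcnt) return 0;
	free(dev); return 1;
}

/* scr24x_open() analogue: the flag test and kref_get sit under one lock. */
static int model_open(struct model_dev *dev)
{
	pthread_mutex_lock(&remove_mutex);
	int ret = dev->removed ? -ENODEV : (dev->refcnt++, 0);
	pthread_mutex_unlock(&remove_mutex);
	return ret;
}

/* scr24x_remove() analogue. Unlike the posted hunk, the flag is written before
 * the driver's kref_put, so dev is never touched once it may have been freed. */
static int model_remove(struct model_dev *dev)
{
	pthread_mutex_lock(&remove_mutex);
	dev->removed = 1;
	int freed = model_put(dev);
	pthread_mutex_unlock(&remove_mutex);
	return freed;
}

/* Deterministic replay of the window the patch guards: a file is open when the
 * card is pulled, a later open is refused, and only the last release frees dev. */
static int replay_scenario(void)
{
	struct model_dev *dev = calloc(1, sizeof(*dev));  /* removed starts at 0 */
	if (!dev) return -1;
	dev->refcnt = 1;                           /* kref_init: driver's own ref */
	if (model_open(dev) != 0) return -2;       /* user opens the char device */
	if (model_remove(dev) != 0) return -3;     /* opener's ref keeps dev alive */
	if (model_open(dev) != -ENODEV) return -4; /* new opens are now refused */
	if (model_put(dev) != 1) return -5;        /* release(): last ref, freed here */
	return 0;
}
```

replay_scenario() returns 0 only if every step behaves as the commit message intends; any other value identifies the step that broke the lifetime contract.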