From: "Arnd Bergmann"
To: "Hyunwoo Kim" , "Greg Kroah-Hartman"
Cc: linux-kernel@vger.kernel.org, "Ilpo Järvinen" , "Paul Fulghum" , "Dominik Brodowski"
Subject: Re: [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
Date: Mon, 19 Sep 2022 07:51:58 +0200
Message-Id: <95e9c01a-1523-4187-9d1c-3c84eb875af1@www.fastmail.com>
In-Reply-To: <20220919040251.GA302541@ubuntu>

On Mon, Sep 19, 2022, at 6:02 AM, Hyunwoo Kim wrote:
> A race condition may occur if the user physically removes
> the pcmcia device while calling ioctl() for this tty device node.
>
> This is a race condition between the mgslpc_ioctl() function and
> the mgslpc_detach() function, which may eventually result in UAF.
>
> So, add a refcount check to mgslpc_detach() to free the structure
> after the tty device node is close()d.
>
> Signed-off-by: Hyunwoo Kim

Reviewed-by: Arnd Bergmann
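
The lifetime rule the quoted commit message describes (detach must not free the structure while the tty node is still open), shown as a single-threaded userspace C model. This is an added example, not the patch under review and not synclink_cs code; `dev_info`, `dev_probe`, `dev_put` and the other names are hypothetical.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver's per-device structure. */
struct dev_info {
    atomic_int  refs;     /* 1 for the bound card + 1 per open tty node */
    atomic_bool removed;  /* set by detach; later ioctls must bail out */
};
struct outcome { int freed_at_detach, ioctl_rc, freed_at_close; };

static struct dev_info *dev_probe(void) {
    struct dev_info *d = malloc(sizeof(*d));
    if (d) {
        atomic_init(&d->refs, 1);
        atomic_init(&d->removed, false);
    }
    return d;
}

/* Drop one reference; returns 1 if this call freed the structure. */
static int dev_put(struct dev_info *d) {
    if (atomic_fetch_sub(&d->refs, 1) != 1)
        return 0;
    free(d);
    return 1;
}
static void dev_open(struct dev_info *d) { atomic_fetch_add(&d->refs, 1); }
static int dev_ioctl(struct dev_info *d) { return atomic_load(&d->removed) ? -ENODEV : 0; }

/* Card removal: mark the device gone, drop only the card's reference. */
static int dev_detach(struct dev_info *d) {
    atomic_store(&d->removed, true);
    return dev_put(d);
}
/* Constructed scenario: card pulled while the tty node is still open. */
static struct outcome removal_while_open(void) {
    struct outcome o = { -1, -1, -1 };
    struct dev_info *d = dev_probe();
    if (!d)
        return o;
    dev_open(d);
    o.freed_at_detach = dev_detach(d); /* the open file still holds a ref */
    o.ioctl_rc = dev_ioctl(d);         /* memory still valid: clean error */
    o.freed_at_close = dev_put(d);     /* close(): last reference frees it */
    return o;
}

int main(void) { return removal_while_open().freed_at_close == 1 ? 0 : 1; }
```

If detach called `free()` unconditionally, the `dev_ioctl()` call in the scenario would read freed memory, which is the use-after-free the commit message names.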