Message-ID: <1853ef42-7d04-be93-a728-5092a734275f@linaro.org>
Date: Wed, 22 Mar 2023 08:40:02 +0000
Subject: Re: [PATCH] misc: fastrpc: Fix a Use after-free-bug by race condition
To: sangsup lee
Cc: Amol Maheshwari, Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230216014120.3110-1-k1rh4.lee@gmail.com> <9bfef283-e2ac-b2ba-386c-6833e9cb1283@linaro.org>
From: Srinivas Kandagatla
Content-Type: text/plain; charset=UTF-8; format=flowed
X-Mailing-List: linux-kernel@vger.kernel.org

On 22/03/2023 01:59, sangsup lee wrote:
> Sounds great.
>
> Thank you for your recommendation.
> The patch code that you recommend is clear and simple.
> Please patch this.
>
> Signed-off-by: Sangsup lee
> ---

Please follow kernel patch submission guidelines, any changes to code
should be sent as a new version of the patch.

Have a look at Documentation/process/submitting-patches.rst for more
information.

thanks,
Srini

>  drivers/misc/fastrpc.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index 93ebd174d848..aa1cf0e9f4ed 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -1901,7 +1901,9 @@ static long fastrpc_device_ioctl(struct file > *file, unsigned int cmd, > err = fastrpc_req_mmap(fl, argp); > break; > case FASTRPC_IOCTL_MUNMAP: > + mutex_lock(&fl->mutex); > err = fastrpc_req_munmap(fl, argp); > + mutex_unlock(&fl->mutex); > break; > case FASTRPC_IOCTL_MEM_MAP: > err = fastrpc_req_mem_map(fl, argp); > -- > 2.25.1 > > > 2023년 3월 21일 (화) 오후 6:27, Srinivas Kandagatla > 님이 작성: >> >> Thanks Sangsup for reporting the issue and sharing the patch, >> >> Sorry, for some reason I missed this patch. >> >> On 16/02/2023 01:41, Sangsup Lee wrote: >>> This patch adds mutex_lock for fixing an Use-after-free bug. >>> fastrpc_req_munmap_impl can be called concurrently in multi-threded environments. >>> The buf which is allocated by list_for_each_safe can be used after another thread frees it. >>> >> Commit log can be improved here to something like: >> >> fastrcp_munmap takes two steps to unmap the memory, first to find a >> matching fastrpc buf in the list and second is to send request to DSP to >> unmap it. >> There is a potentially window of race between these two operations, >> which can lead to user-after-free. >> >> Fix this by adding locking around this two operations. >> >>> Signed-off-by: Sangsup Lee >>> --- >>> drivers/misc/fastrpc.c | 7 ++++++- >>> 1 file changed, 6 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c >>> index 5310606113fe..c4b5fa4a50a6 100644 >>> --- a/drivers/misc/fastrpc.c >>> +++ b/drivers/misc/fastrpc.c 
>>> @@ -1806,10 +1806,12 @@ static int fastrpc_req_munmap(struct fastrpc_user *fl, char __user *argp) >>> struct fastrpc_buf *buf = NULL, *iter, *b; >>> struct fastrpc_req_munmap req; >>> struct device *dev = fl->sctx->dev; >>> + int err; >>> >>> if (copy_from_user(&req, argp, sizeof(req))) >>> return -EFAULT; >>> >>> + mutex_lock(&fl->mutex); >>> spin_lock(&fl->lock); >>> list_for_each_entry_safe(iter, b, &fl->mmaps, node) { >>> if ((iter->raddr == req.vaddrout) && (iter->size == req.size)) { >>> @@ -1822,10 +1824,13 @@ static int fastrpc_req_munmap(struct fastrpc_user *fl, char __user *argp) >>> if (!buf) { >>> dev_err(dev, "mmap\t\tpt 0x%09llx [len 0x%08llx] not in list\n", >>> req.vaddrout, req.size); >>> + mutex_unlock(&fl->mutex); >>> return -EINVAL; >>> } >>> >>> - return fastrpc_req_munmap_impl(fl, buf); >>> + err = fastrpc_req_munmap_impl(fl, buf); >>> + mutex_unlock(&fl->mutex); >>> + return err; >> >> How about moving the locking to ioctl: >> >> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c >> index a701132638cf..2f217071a6c3 100644 >> --- a/drivers/misc/fastrpc.c >> +++ b/drivers/misc/fastrpc.c >> @@ -2087,7 +2087,9 @@ static long fastrpc_device_ioctl(struct file >> *file, unsigned int cmd, >> err = fastrpc_req_mmap(fl, argp); >> break; >> case FASTRPC_IOCTL_MUNMAP: >> + mutex_lock(&fl->mutex); >> err = fastrpc_req_munmap(fl, argp); >> + mutex_unlock(&fl->mutex); >> break; >> case FASTRPC_IOCTL_MEM_MAP: >> err = fastrpc_req_mem_map(fl, argp); >> >> >> thanks, >> srini >>> } >>> >>> static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
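Review bot: in the ioctl-level hunk (`case FASTRPC_IOCTL_MUNMAP:` bracketed by `mutex_lock(&fl->mutex);` and `mutex_unlock(&fl->mutex);`, which appears both in the v2 patch and in the maintainer's suggested diff), the mutex serializes only FASTRPC_IOCTL_MUNMAP callers on the same fl; that matches the race the original commit message describes (two munmap calls both finding the same buf before either frees it), but the adjacent `FASTRPC_IOCTL_MMAP` and `FASTRPC_IOCTL_MEM_MAP` cases in the same switch stay unlocked, so the commit log should state which paths the mutex is meant to cover and the submitter should confirm that no other path frees entries of fl->mmaps without holding it. Separately, the v2 hunk header `@@ -1901,7 +1901,9 @@` and base `index 93ebd174d848..aa1cf0e9f4ed` do not match the maintainer's `@@ -2087,7 +2087,9 @@` and `index a701132638cf..2f217071a6c3`, so the v2 was generated against a different tree and should be rebased before resubmission, with a proper commit message (the text suggested earlier in the thread) in place of the conversational lines above the Signed-off-by.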
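Review bot: in the two fastrpc_req_munmap hunks (`@@ -1806,10 +1806,12 @@` and `@@ -1822,10 +1824,13 @@`), taking `mutex_lock(&fl->mutex);` inside the function means every later exit must unlock, which is why the `!buf` branch gains `mutex_unlock(&fl->mutex);` and the tail becomes `err = fastrpc_req_munmap_impl(fl, buf); mutex_unlock(&fl->mutex); return err;`. The pairing is correct as shown (the `copy_from_user` failure returns before the lock is taken) but fragile against any future early return, which is the argument for the maintainer's alternative of locking once at the call site in fastrpc_device_ioctl. Using the mutex rather than widening the existing `spin_lock(&fl->lock)` is the right choice, since the window to cover includes the request to the DSP inside fastrpc_req_munmap_impl, which waits for a response and cannot run under a spinlock.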
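The race described in the commit-log text above (find the matching buf under the spinlock, drop the spinlock, send the unmap request to the DSP, then free the buf) can be made visible with a small deterministic user-space model. The program below is an added example written for this page; it is not fastrpc driver code and not anything posted in the thread, and every name in it (model_buf, model_user, run_munmap_race and the rest) as well as the sample region addresses are constructed for the illustration. It runs a munmap of the same region from two "threads" under a chosen interleaving, once with the two steps unprotected and once with an fl->mutex-style lock held across both, and reports whether the second caller ends up freeing an already-freed buf.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_EINVAL 22
#define MODEL_MAPS 2

/* Model of one fastrpc_buf on fl->mmaps (constructed for this example). */
struct model_buf {
    unsigned long raddr, size;
    bool in_list;   /* still linked on the list */
    bool freed;     /* memory released; any later use is a use-after-free */
};

/* Model of the per-fd fastrpc_user; mutex_owner stands in for fl->mutex. */
struct model_user {
    struct model_buf mmaps[MODEL_MAPS];
    int mutex_owner;  /* -1 when free, otherwise the holding thread id */
};

enum step { STEP_LOOKUP, STEP_UNMAP, STEP_DONE };

struct munmap_ctx {
    enum step next;
    struct model_buf *buf;
    int ret;
};

struct race_result {
    int ret[2];
    bool uaf;
};

/* Step 1 of the munmap path: walk the list and remember the matching buf.
 * The walk is atomic in this model, so the spinlock itself is not modelled. */
static struct model_buf *model_lookup(struct model_user *fl,
                                      unsigned long raddr, unsigned long size)
{
    for (size_t i = 0; i < MODEL_MAPS; i++) {
        struct model_buf *b = &fl->mmaps[i];
        if (b->in_list && b->raddr == raddr && b->size == size)
            return b;
    }
    return NULL;
}

/* Advance one thread by one step. Returns false when mutex_lock() would block. */
static bool model_step(struct model_user *fl, struct munmap_ctx *ctx, int tid,
                       bool use_mutex, unsigned long raddr, unsigned long size,
                       bool *uaf)
{
    if (ctx->next == STEP_DONE)
        return true;
    if (use_mutex && fl->mutex_owner != -1 && fl->mutex_owner != tid)
        return false;

    if (ctx->next == STEP_LOOKUP) {
        if (use_mutex)
            fl->mutex_owner = tid;          /* mutex_lock(&fl->mutex) */
        ctx->buf = model_lookup(fl, raddr, size);
        if (!ctx->buf) {                    /* "not in list" error path */
            ctx->ret = -MODEL_EINVAL;
            ctx->next = STEP_DONE;
            if (use_mutex)
                fl->mutex_owner = -1;       /* mutex_unlock(&fl->mutex) */
        } else {
            ctx->next = STEP_UNMAP;         /* the race window opens here */
        }
        return true;
    }

    /* STEP_UNMAP: DSP request done; unlink and free the buf found earlier. */
    if (ctx->buf->freed)
        *uaf = true;                        /* touching already-freed memory */
    ctx->buf->in_list = false;
    ctx->buf->freed = true;
    ctx->ret = 0;
    ctx->next = STEP_DONE;
    if (use_mutex)
        fl->mutex_owner = -1;               /* mutex_unlock(&fl->mutex) */
    return true;
}

/* Run two munmap calls for the same region; sched[i] names the thread that
 * attempts its next step. Blocked threads are retried afterwards so both finish. */
struct race_result run_munmap_race(bool use_mutex, const int *sched, size_t n)
{
    const unsigned long raddr = 0x1000, size = 0x2000;   /* constructed values */
    struct model_user fl = {
        .mmaps = { { raddr, size, true, false }, { 0x9000, 0x1000, true, false } },
        .mutex_owner = -1,
    };
    struct munmap_ctx ctx[2] = { { STEP_LOOKUP, NULL, 0 }, { STEP_LOOKUP, NULL, 0 } };
    struct race_result res = { { 0, 0 }, false };

    for (size_t i = 0; i < n; i++)
        model_step(&fl, &ctx[sched[i]], sched[i], use_mutex, raddr, size, &res.uaf);
    for (int guard = 0; guard < 8; guard++)
        for (int t = 0; t < 2; t++)
            model_step(&fl, &ctx[t], t, use_mutex, raddr, size, &res.uaf);

    res.ret[0] = ctx[0].ret;
    res.ret[1] = ctx[1].ret;
    return res;
}

/* Both callers pass the lookup before either reaches the free. */
static const int racy_sched[] = { 0, 1, 0, 1 };
/* Fully serial execution: no window, even without the lock. */
static const int serial_sched[] = { 0, 0, 1, 1 };

bool race_unlocked_hits_uaf(void)        { return run_munmap_race(false, racy_sched, 4).uaf; }
bool race_unlocked_serial_hits_uaf(void) { return run_munmap_race(false, serial_sched, 4).uaf; }
bool race_locked_hits_uaf(void)          { return run_munmap_race(true, racy_sched, 4).uaf; }
int  race_locked_first_ret(void)         { return run_munmap_race(true, racy_sched, 4).ret[0]; }
int  race_locked_second_ret(void)        { return run_munmap_race(true, racy_sched, 4).ret[1]; }

int main(void)
{
    printf("unlocked, racy interleaving: uaf=%d\n", race_unlocked_hits_uaf());
    printf("locked,   racy interleaving: uaf=%d second caller ret=%d\n",
           race_locked_hits_uaf(), race_locked_second_ret());
    return 0;
}
```

With the lock held across both steps, the second caller's lookup only runs once the first caller has unlinked and freed the buf, so it fails with -EINVAL instead of operating on freed memory; without the lock, the {0, 1, 0, 1} interleaving lets both callers find the same entry and the second free lands on released memory.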