From: Guanghui Feng
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Cc: baolin.wang@linux.alibaba.com
Subject: [PATCH] uio: Fix use-after-free in uio_open
Date: Thu, 21 Dec 2023 12:26:48 +0800
Message-Id: <1703132808-14322-1-git-send-email-guanghuifeng@linux.alibaba.com>

core-1                              core-2
-------------------------------------------------------------
uio_unregister_device               uio_open
                                    idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                    get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                    uio_release
                                    put_device(&idev->dev)
                                    kfree(idev)
-------------------------------------------------------------

In the core-1 uio_unregister_device(), device_unregister will kfree idev
when the idev->dev kobject ref is one. But after core-1's device_unregister
and put_device, and before it does the kfree, core-2 may get_device. Then:

1. After core-1 kfrees idev, core-2 will do a use-after-free on idev.
2. When core-2 does uio_release and put_device, idev will be double freed.

To address this issue, we can get idev and increment the idev reference
atomically with minor_lock.

Signed-off-by: Guanghui Feng
---
 drivers/uio/uio.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 62082d6..2d572f6 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -466,13 +466,13 @@ static int uio_open(struct inode *inode, struct file *filep) mutex_lock(&minor_lock); idev = idr_find(&uio_idr, iminor(inode)); - mutex_unlock(&minor_lock); if (!idev) { ret = -ENODEV; + mutex_unlock(&minor_lock); goto out; } - get_device(&idev->dev); + mutex_unlock(&minor_lock); if (!try_module_get(idev->owner)) { ret = -ENODEV; @@ -1064,9 +1064,8 @@ void uio_unregister_device(struct uio_info *info) wake_up_interruptible(&idev->wait); kill_fasync(&idev->async_queue, SIGIO, POLL_HUP); - device_unregister(&idev->dev); - uio_free_minor(minor); + device_unregister(&idev->dev); return; } -- 1.8.3.1
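Review bot: in the uio_open() hunk the lookup and get_device() now both run under minor_lock, which is the real fix, but the hunk ends up with two separate `mutex_unlock(&minor_lock)` calls (one added in the `!idev` branch, one after get_device()); a single unlock placed right after `if (idev) get_device(&idev->dev);` would keep the lock scope obvious and stop a future error path from leaking the mutex. It is also worth stating in the changelog why calling get_device() here cannot hit a zero kref: it relies on the second hunk, where uio_free_minor() (which removes the minor from uio_idr under minor_lock) now runs before device_unregister() drops the registration's reference, so any idev still found in the idr is guaranteed to be alive.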
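Review bot: the uio_unregister_device() hunk swaps uio_free_minor(minor) ahead of device_unregister(&idev->dev), and that reordering is what actually closes the window (once the minor is out of uio_idr no new uio_open() can find idev, and an opener that already found it holds its own reference taken under minor_lock), yet the commit message only mentions taking the reference under minor_lock; please add a sentence explaining the swap so the dependency between the two hunks is recorded. Since the minor is now released before the device is torn down, it is also worth confirming that nothing on the device_unregister()/release path still expects the minor slot to be occupied; nothing in this hunk shows such a user, but it should be checked before this is merged.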