Date: Thu, 21 Dec 2023 09:08:54 +0100
From: Greg KH
To: Guanghui Feng
Cc: linux-kernel@vger.kernel.org, baolin.wang@linux.alibaba.com
Subject: Re: [PATCH] uio: Fix use-after-free in uio_open
Message-ID: <2023122115-strewn-unsigned-b3e5@gregkh>
In-Reply-To: <1703132808-14322-1-git-send-email-guanghuifeng@linux.alibaba.com>

On Thu, Dec 21, 2023 at 12:26:48PM +0800, Guanghui Feng wrote:
>        core-1                          core-2
> -------------------------------------------------------------
> uio_unregister_device            uio_open
>                                  idev = idr_find()
> device_unregister(&idev->dev)
> put_device(&idev->dev)
> uio_device_release
>                                  get_device(&idev->dev)
> kfree(idev)
> uio_free_minor(minor)
>                                  uio_release
>                                  put_device(&idev->dev)
>                                  kfree(idev)
> -------------------------------------------------------------
>
> In the core-1 uio_unregister_device(), the device_unregister will kfree idev
> when the idev->dev kobject ref is one. But after core-1 device_unregister,
> put_device and before doing kfree, the core-2 may get_device. Then:
> 1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
> 2. When core-2 do uio_release and put_device, the idev will be double freed.
>
> To address this issue, we can get idev atomic & inc idev reference with minor_lock.

Nit, can you wrap your lines at 72 columns?

Anyway, nice fix, how did you find this?

> Signed-off-by: Guanghui Feng

What commit id does this fix?

thanks,

greg k-h