From: Guanghui Feng
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, baolin.wang@linux.alibaba.com, alikernel-developer@linux.alibaba.com
Subject: [PATCH v2] uio: Fix use-after-free in uio_open
Date: Thu, 21 Dec 2023 17:57:43 +0800
Message-Id: <1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com>
In-Reply-To: <1703132808-14322-1-git-send-email-guanghuifeng@linux.alibaba.com>
References: <1703132808-14322-1-git-send-email-guanghuifeng@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

core-1                                  core-2
-------------------------------------------------------
uio_unregister_device                   uio_open
                                        idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                        get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                        uio_release
                                        put_device(&idev->dev)
                                        kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), device_unregister() will kfree idev
when the idev->dev kobject ref is 1. But after core-1's device_unregister()
and put_device(), and before it does the kfree, core-2 may get_device().
Then:

1. After core-1 kfrees idev, core-2 will do a use-after-free on idev.
2. When core-2 does uio_release() and put_device(), idev will be double
   freed.

To address this issue, we can get idev and increment the idev reference
atomically, under minor_lock.

Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
Signed-off-by: Guanghui Feng
Reviewed-by: Baolin Wang
---
 drivers/uio/uio.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 62082d6..2d572f6 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -466,13 +466,13 @@ static int uio_open(struct inode *inode, struct file *filep)
 
 	mutex_lock(&minor_lock);
 	idev = idr_find(&uio_idr, iminor(inode));
-	mutex_unlock(&minor_lock);
 	if (!idev) {
 		ret = -ENODEV;
+		mutex_unlock(&minor_lock);
 		goto out;
 	}
-
 	get_device(&idev->dev);
+	mutex_unlock(&minor_lock);
 
 	if (!try_module_get(idev->owner)) {
 		ret = -ENODEV;
@@ -1064,9 +1064,8 @@ void uio_unregister_device(struct uio_info *info)
 	wake_up_interruptible(&idev->wait);
 	kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
 
-	device_unregister(&idev->dev);
-
 	uio_free_minor(minor);
+	device_unregister(&idev->dev);
 
 	return;
 }
-- 
1.8.3.1
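Review bot: the uio_open() hunk now has two mutex_unlock(&minor_lock) sites for one lock, the new one on the `ret = -ENODEV; goto out;` path and the one after get_device(&idev->dev); that is correct as written, but nothing in the code says why the unlock moved, so a later cleanup that hoists `mutex_unlock(&minor_lock)` back up next to idr_find() would silently reintroduce the use-after-free the commit message describes. Either restructure so both paths fall through to a single unlock, or add a one-line comment above get_device() stating that the reference must be taken while minor_lock is still held so that uio_unregister_device() cannot drop the last reference between idr_find() and get_device().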
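Review bot: moving uio_free_minor(minor) ahead of device_unregister(&idev->dev) is the half of the fix that makes the first hunk sufficient, since the minor must be gone from uio_idr (under minor_lock) before the registration reference can be dropped; a short comment here would record that the two hunks only work together. Also confirm that `minor` is a local copy taken from idev earlier in uio_unregister_device() rather than re-read from idev, because after this reordering device_unregister() may free idev and nothing following it may touch the object; the hunk's context does not show where `minor` is assigned.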
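The interleaving from the commit message, as an added example that is not part of the patch or of the kernel's uio code: a constructed single-thread C model in which uio_idr, minor_lock, get_device(), put_device() and kfree() are replaced by "_m" stand-ins (an assumed naming) that count references and report a use-after-free or double free as a result bit instead of corrupting memory. It goes beyond the diagram by applying each of the patch's two hunks on its own as well as together, and by running a second interleaving in which core-1 drops its reference before core-2's idr_find(); the lock is real only as a marker, since the schedules are written out by hand.

```c
#include <stdio.h>

/* Constructed model of the uio_open()/uio_unregister_device() race described
 * in the commit message. Not kernel code: the "_m" functions are stand-ins
 * that count references and report use-after-free / double free as bits. */

struct idev {
	int kref;	/* models the idev->dev kobject refcount */
	int freed;	/* set once uio_device_release() has "kfree"d it */
};

enum {				/* result bits returned by run_schedule() */
	OK = 0,
	ERR_UAF = 1,		/* idev touched after kfree(idev) */
	ERR_DOUBLE_FREE = 2,	/* release would run twice on one idev */
	ERR_ENODEV = 4,		/* open failed cleanly: minor already removed */
};

enum {				/* the patch's two hunks, applied independently */
	FIX_GET_UNDER_LOCK = 1,		/* uio_open(): get_device() before unlock */
	FIX_FREE_MINOR_FIRST = 2,	/* uio_free_minor() before device_unregister() */
};

enum {				/* interleavings of core-1 and core-2 */
	SCHED_OPEN_THEN_UNREGISTER,	/* the diagram in the commit message */
	SCHED_UNREGISTER_THEN_OPEN,	/* core-1 drops its ref before core-2's idr_find() */
};

static struct idev *uio_idr[2];		/* models uio_idr */
static int minor_lock_held;		/* models minor_lock; marks the critical section */

static void lock_minor(void)   { minor_lock_held = 1; }
static void unlock_minor(void) { minor_lock_held = 0; }

static int get_device_m(struct idev *d)
{
	if (d->freed)
		return ERR_UAF;			/* bumping a freed kobject's refcount */
	d->kref++;
	return OK;
}

static int put_device_m(struct idev *d)
{
	if (d->freed)
		return ERR_UAF | ERR_DOUBLE_FREE;	/* kfree(idev) would run twice */
	if (--d->kref == 0)
		d->freed = 1;			/* uio_device_release() -> kfree(idev) */
	return OK;
}

static void uio_free_minor_m(int minor)
{
	lock_minor();
	uio_idr[minor] = NULL;			/* idr_remove() under minor_lock */
	unlock_minor();
}

/* core-2: the idr_find() in uio_open(); with FIX_GET_UNDER_LOCK the reference
 * is taken before minor_lock is released, otherwise the caller takes it later */
static int uio_open_lookup_m(int fixes, int minor, struct idev **out)
{
	int err = OK;

	lock_minor();
	*out = uio_idr[minor];
	if (*out && (fixes & FIX_GET_UNDER_LOCK))
		err = get_device_m(*out);
	unlock_minor();
	return *out ? err : ERR_ENODEV;
}

static int run_schedule(int sched, int fixes)
{
	struct idev dev = { .kref = 1, .freed = 0 };	/* registration holds one ref */
	struct idev *found = NULL;
	int minor = 0, err = OK, opened;

	uio_idr[minor] = &dev;
	if (sched == SCHED_OPEN_THEN_UNREGISTER)
		err |= uio_open_lookup_m(fixes, minor, &found);	/* core-2 */
	if (fixes & FIX_FREE_MINOR_FIRST)			/* core-1 starts unregistering */
		uio_free_minor_m(minor);
	err |= put_device_m(&dev);	/* device_unregister(): may drop the last ref */
	if (sched == SCHED_UNREGISTER_THEN_OPEN)
		err |= uio_open_lookup_m(fixes, minor, &found);	/* core-2 */
	opened = !(err & ERR_ENODEV);
	if (opened && !(fixes & FIX_GET_UNDER_LOCK))
		err |= get_device_m(found);	/* core-2: original get_device() after unlock */
	if (!(fixes & FIX_FREE_MINOR_FIRST))
		uio_free_minor_m(minor);	/* core-1: original tail of unregister */
	if (opened)
		err |= put_device_m(found);	/* core-2: uio_release() -> put_device() */
	return err;
}

int main(void)
{
	int sched, fixes;

	for (sched = 0; sched < 2; sched++)
		for (fixes = 0; fixes < 4; fixes++)
			printf("schedule %d, fixes %d: result bits %d\n",
			       sched, fixes, run_schedule(sched, fixes));
	return 0;
}
```

Running all eight combinations shows why the patch needs both hunks: taking the reference under minor_lock alone fixes the diagram's interleaving but still finds a stale uio_idr entry when core-1 has already dropped its reference, and removing the minor first alone leaves the original window between idr_find() and get_device(); only with both applied does every schedule end in either a clean release or a clean -ENODEV.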