From: Bartosz Golaszewski
Date: Tue, 7 May 2024 10:00:25 +0200
Subject: Re: [PATCH v2] gpiolib: cdev: Fix use after free in lineinfo_changed_notify
To: Zhongqiu Han
Cc: warthog618@gmail.com, linus.walleij@linaro.org, linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org

On Sun, May 5, 2024 at 4:12 PM Zhongqiu Han wrote:
>
> The use-after-free issue occurs as follows: when the GPIO chip device file
> is being closed by invoking gpio_chrdev_release(), watched_lines is freed
> by bitmap_free(), but the unregistration of the lineinfo_changed_nb notifier
> chain failed due to waiting for the write rwsem. Additionally, one of the GPIO
> chip's lines is also in the release process and holds the notifier chain's
> read rwsem. Consequently, a race condition leads to the use-after-free of
> watched_lines.
>
> Here is the typical stack when the issue happened:
>
> [free]
> gpio_chrdev_release()
>   --> bitmap_free(cdev->watched_lines) <-- freed
>   --> blocking_notifier_chain_unregister()
>     --> down_write(&nh->rwsem) <-- waiting rwsem
>       --> __down_write_common()
>         --> rwsem_down_write_slowpath()
>           --> schedule_preempt_disabled()
>             --> schedule()
>

The rwsem has been removed in v6.9-rc1. I assume you're targeting stable
branches with this change? Or does it still occur with the recent SRCU
rework? This is important to know before I send it upstream.

Bart

> [use]
> st54spi_gpio_dev_release()
>   --> gpio_free()
>     --> gpiod_free()
>       --> gpiod_free_commit()
>         --> gpiod_line_state_notify()
>           --> blocking_notifier_call_chain()
>             --> down_read(&nh->rwsem); <-- held rwsem
>             --> notifier_call_chain()
>               --> lineinfo_changed_notify()
>                 --> test_bit(xxxx, cdev->watched_lines) <-- use after free
>
> The side effect of the use-after-free issue is that a GPIO line event is
> being generated for userspace where it shouldn't. However, since the chrdev
> is being closed, userspace won't have the chance to read that event anyway.
>
> To fix the issue, call the bitmap_free() function after the unregistration
> of the lineinfo_changed_nb notifier chain.
>
> Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info")
> Signed-off-by: Zhongqiu Han
> ---
> v1 -> v2:
> - Drop the excessive stack log from the commit message to make it more readable.
> - Add a note regarding the side effects of the use-after-free to the commit message.
> - Link to v1: https://lore.kernel.org/lkml/20240501022612.1787143-1-quic_zhonhan@quicinc.com/
>
>  drivers/gpio/gpiolib-cdev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
> index d09c7d728365..6b3a43e3ba47 100644
> --- a/drivers/gpio/gpiolib-cdev.c
> +++ b/drivers/gpio/gpiolib-cdev.c
> @@ -2799,11 +2799,11 @@ static int gpio_chrdev_release(struct inode *inode, struct file *file)
>  	struct gpio_chardev_data *cdev = file->private_data;
>  	struct gpio_device *gdev = cdev->gdev;
>
> -	bitmap_free(cdev->watched_lines);
>  	blocking_notifier_chain_unregister(&gdev->device_notifier,
>  					   &cdev->device_unregistered_nb);
>  	blocking_notifier_chain_unregister(&gdev->line_state_notifier,
>  					   &cdev->lineinfo_changed_nb);
> +	bitmap_free(cdev->watched_lines);
>  	gpio_device_put(gdev);
>  	kfree(cdev);
>
> --
> 2.25.1
>
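Review bot: moving bitmap_free(cdev->watched_lines) below the two blocking_notifier_chain_unregister() calls in gpio_chrdev_release() closes the race only because unregistration waits for in-flight callbacks; in the rwsem-based chain shown in the quoted stack, down_write(&nh->rwsem) blocks until the down_read() holder running lineinfo_changed_notify() returns, so no callback can observe the freed bitmap afterwards. Since the reply points out that the rwsem is gone in v6.9-rc1 after the SRCU rework, the commit message should state which trees the fix targets (a Cc: stable tag alongside the Fixes: tag) or describe the ordering invariant (watched_lines must not be freed before the notifier that reads it is unregistered) instead of the rwsem wait, and the submitter should confirm that the SRCU-based unregister path also waits for running callbacks before returning; otherwise the reorder alone would not be sufficient there.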