From: Eddie James <eajames@linux.ibm.com>
To: linux-fsi@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org, joel@jms.id.au,
alistair@popple.id.au, jk@ozlabs.org,
Eddie James <eajames@linux.ibm.com>
Subject: [PATCH] fsi: occ: Prevent use after free
Date: Thu, 12 May 2022 16:00:34 -0500 [thread overview]
Message-ID: <20220512210034.59907-1-eajames@linux.ibm.com> (raw)
Use get_device and put_device in the open and close functions to
make sure the device doesn't get freed while a file descriptor is
open.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
---
drivers/fsi/fsi-occ.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c
index c9cc75fbdfb9..9e48dc62b1c5 100644
--- a/drivers/fsi/fsi-occ.c
+++ b/drivers/fsi/fsi-occ.c
@@ -82,6 +82,9 @@ static int occ_open(struct inode *inode, struct file *file)
struct miscdevice *mdev = file->private_data;
struct occ *occ = to_occ(mdev);
+ if (!occ->buffer)
+ return -ENOENT;
+
if (!client)
return -ENOMEM;
@@ -94,6 +97,7 @@ static int occ_open(struct inode *inode, struct file *file)
client->occ = occ;
mutex_init(&client->lock);
file->private_data = client;
+ get_device(occ->dev);
/* We allocate a 1-page buffer, make sure it all fits */
BUILD_BUG_ON((OCC_CMD_DATA_BYTES + 3) > PAGE_SIZE);
@@ -143,7 +147,7 @@ static ssize_t occ_write(struct file *file, const char __user *buf,
ssize_t rc;
u8 *cmd;
- if (!client)
+ if (!client || !client->occ->buffer)
return -ENODEV;
if (len > (OCC_CMD_DATA_BYTES + 3) || len < 3)
@@ -197,6 +201,7 @@ static int occ_release(struct inode *inode, struct file *file)
{
struct occ_client *client = file->private_data;
+ put_device(client->occ->dev);
free_page((unsigned long)client->buffer);
kfree(client);
@@ -672,6 +677,7 @@ static int occ_remove(struct platform_device *pdev)
struct occ *occ = platform_get_drvdata(pdev);
kvfree(occ->buffer);
+ occ->buffer = NULL;
misc_deregister(&occ->mdev);
--
2.27.0
next reply other threads:[~2022-05-12 21:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-12 21:00 Eddie James [this message]
2022-05-12 23:10 ` [PATCH] fsi: occ: Prevent use after free Guenter Roeck
2022-05-13 15:54 ` Eddie James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220512210034.59907-1-eajames@linux.ibm.com \
--to=eajames@linux.ibm.com \
--cc=alistair@popple.id.au \
--cc=jk@ozlabs.org \
--cc=joel@jms.id.au \
--cc=linux-fsi@lists.ozlabs.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.