From: Thomas Gleixner <tglx@linutronix.de>
To: "dicken.ding" <dicken.ding@mediatek.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>
Cc: wsd_upstream@mediatek.com, hanks.chen@mediatek.com,
ivan.tseng@mediatek.com, cheng-jui.wang@mediatek.com,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
"dicken.ding" <dicken.ding@mediatek.com>
Subject: Re: [PATCH 1/1] irq: Fix uaf issue in irq_find_at_or_after
Date: Thu, 23 May 2024 21:46:36 +0200 [thread overview]
Message-ID: <87cypcfh0j.ffs@tglx> (raw)
In-Reply-To: <20240523113949.10444-1-dicken.ding@mediatek.com>
On Thu, May 23 2024 at 19:39, dicken.ding wrote:
> The function "irq_find_at_or_after" is at the risk of use-after-free
> due to the race condition between the functions "delayer_free_desc"
> and "irq_desc_get_irq". The function "delayer_free_desc" could be
> called between "mt_find" and "irq_desc_get_irq" due to the absence
> of any locks to ensure atomic operations on the "irq_desc" structure.
>
> In this patch, we introduce a pair of locks, namely "rcu_read_lock"
> and "rcu_read_unlock" to prevent the occurrence of use-after-free in
> "irq_find_at_or_after".
Please read Documentation/process/maintainers-tip.rst and the general
documentation how changelogs should be written.
Something like this:
irq_find_at_or_after() dereferences the interrupt descriptor which is
returned by mt_find() while neither holding sparse_irq_lock nor RCU
read lock, which means the descriptor can be freed between mt_find()
and the dereference.
Guard the access with a RCU read lock section.
Hmm?
> --- a/kernel/irq/irqdesc.c
> +++ b/kernel/irq/irqdesc.c
> @@ -160,9 +160,15 @@ static int irq_find_free_area(unsigned int from, unsigned int cnt)
> static unsigned int irq_find_at_or_after(unsigned int offset)
> {
> unsigned long index = offset;
> + unsigned int irq = nr_irqs;
> +
> + rcu_read_lock();
> struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs);
> + if (desc)
> + irq = irq_desc_get_irq(desc);
> + rcu_read_unlock();
>
> - return desc ? irq_desc_get_irq(desc) : nr_irqs;
> + return irq;
I wrote guard above because that's what should be used for this:
unsigned long index = offset;
struct irq_desc *desc;
guard(rcu)();
desc = mt_find(&sparse_irqs, &index, nr_irqs);
return desc ? irq_desc_get_irq(desc) : nr_irqs;
Thanks,
tglx
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Gleixner <tglx@linutronix.de>
To: "dicken.ding" <dicken.ding@mediatek.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>
Cc: wsd_upstream@mediatek.com, hanks.chen@mediatek.com,
ivan.tseng@mediatek.com, cheng-jui.wang@mediatek.com,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
"dicken.ding" <dicken.ding@mediatek.com>
Subject: Re: [PATCH 1/1] irq: Fix uaf issue in irq_find_at_or_after
Date: Thu, 23 May 2024 21:46:36 +0200 [thread overview]
Message-ID: <87cypcfh0j.ffs@tglx> (raw)
In-Reply-To: <20240523113949.10444-1-dicken.ding@mediatek.com>
On Thu, May 23 2024 at 19:39, dicken.ding wrote:
> The function "irq_find_at_or_after" is at the risk of use-after-free
> due to the race condition between the functions "delayer_free_desc"
> and "irq_desc_get_irq". The function "delayer_free_desc" could be
> called between "mt_find" and "irq_desc_get_irq" due to the absence
> of any locks to ensure atomic operations on the "irq_desc" structure.
>
> In this patch, we introduce a pair of locks, namely "rcu_read_lock"
> and "rcu_read_unlock" to prevent the occurrence of use-after-free in
> "irq_find_at_or_after".
Please read Documentation/process/maintainers-tip.rst and the general
documentation how changelogs should be written.
Something like this:
irq_find_at_or_after() dereferences the interrupt descriptor which is
returned by mt_find() while neither holding sparse_irq_lock nor RCU
read lock, which means the descriptor can be freed between mt_find()
and the dereference.
Guard the access with a RCU read lock section.
Hmm?
> --- a/kernel/irq/irqdesc.c
> +++ b/kernel/irq/irqdesc.c
> @@ -160,9 +160,15 @@ static int irq_find_free_area(unsigned int from, unsigned int cnt)
> static unsigned int irq_find_at_or_after(unsigned int offset)
> {
> unsigned long index = offset;
> + unsigned int irq = nr_irqs;
> +
> + rcu_read_lock();
> struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs);
> + if (desc)
> + irq = irq_desc_get_irq(desc);
> + rcu_read_unlock();
>
> - return desc ? irq_desc_get_irq(desc) : nr_irqs;
> + return irq;
I wrote guard above because that's what should be used for this:
unsigned long index = offset;
struct irq_desc *desc;
guard(rcu)();
desc = mt_find(&sparse_irqs, &index, nr_irqs);
return desc ? irq_desc_get_irq(desc) : nr_irqs;
Thanks,
tglx
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-05-23 19:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-23 11:39 [PATCH 1/1] irq: Fix uaf issue in irq_find_at_or_after dicken.ding
2024-05-23 11:39 ` dicken.ding
2024-05-23 19:46 ` Thomas Gleixner [this message]
2024-05-23 19:46 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87cypcfh0j.ffs@tglx \
--to=tglx@linutronix.de \
--cc=angelogioacchino.delregno@collabora.com \
--cc=cheng-jui.wang@mediatek.com \
--cc=dicken.ding@mediatek.com \
--cc=hanks.chen@mediatek.com \
--cc=ivan.tseng@mediatek.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=matthias.bgg@gmail.com \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.