From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [PATCH v2] Input: uinput: Avoid Object-Already-Free with a global lock Date: Tue, 23 Apr 2019 12:06:12 +0100 Message-ID: <20190423110611.GL2217@ZenIV.linux.org.uk> References: <1554883176-24318-1-git-send-email-mojha@codeaurora.org> <7299a6db-38b7-75c7-633a-00d2257eba45@codeaurora.org> <20190418014321.dptin7tpxpldhsns@penguin> <20190419071152.x5ghvbybjhv76uxt@penguin> <20190423032839.xvbldglrmjxkdntj@penguin> <17f4a0be-ab04-8537-9197-32fbca807f3f@codeaurora.org> <20190423084944.gj2boxfcg7lp4zad@penguin> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <20190423084944.gj2boxfcg7lp4zad@penguin> Sender: linux-kernel-owner@vger.kernel.org To: "dmitry.torokhov@gmail.com" Cc: Mukesh Ojha , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Gaurav Kohli , Peter Hutterer , Martin Kepplinger , "Paul E. McKenney" List-Id: linux-input@vger.kernel.org On Tue, Apr 23, 2019 at 08:49:44AM +0000, dmitry.torokhov@gmail.com wrote: > On Tue, Apr 23, 2019 at 12:51:13PM +0530, Mukesh Ojha wrote: > > I have taken care this case from ioctl and release point of view. > > > > Even if the release gets called first it will make the > > file->private_data=NULL. > > and further call to ioctl will not be a problem as the check is already > > there. > > Al, do we have any protections in VFS layer from userspace hanging onto > a file descriptor and calling ioctl() on it even as another thread > calls close() on the same fd? > > Should the issue be solved by individual drivers, or more careful > accounting for currently running operations is needed at VFS layer? Neither. An overlap of ->release() and ->ioctl() is possible only if you've got memory corruption somewhere. close() overlapping ioctl() is certainly possible, and won't trigger that at all - sys_ioctl() holds onto reference to struct file, so its refcount won't reach zero until we are done with it.