linux-input.vger.kernel.org archive mirror
From: Mukesh Ojha <mojha@codeaurora.org>
To: "dmitry.torokhov@gmail.com" <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	Gaurav Kohli <gkohli@codeaurora.org>,
	Peter Hutterer <peter.hutterer@who-t.net>,
	Martin Kepplinger <martink@posteo.de>,
	"Paul E. McKenney" <paulmck@linux.ibm.com>
Subject: Re: [PATCH v2] Input: uinput: Avoid Object-Already-Free with a global lock
Date: Fri, 19 Apr 2019 14:13:48 +0530	[thread overview]
Message-ID: <f3cd46fb-2bb1-0422-b2be-3f7625ec9c4e@codeaurora.org> (raw)
In-Reply-To: <20190419071152.x5ghvbybjhv76uxt@penguin>


On 4/19/2019 12:41 PM, dmitry.torokhov@gmail.com wrote:
> Hi Mukesh,
>
> On Fri, Apr 19, 2019 at 12:17:44PM +0530, Mukesh Ojha wrote:
>> For some reason my last mail did not get delivered,  sending it again.
>>
>>
>> On 4/18/2019 11:55 AM, Mukesh Ojha wrote:
>>>
>>> On 4/18/2019 7:13 AM, dmitry.torokhov@gmail.com wrote:
>>>> Hi Mukesh,
>>>>
>>>> On Mon, Apr 15, 2019 at 03:35:51PM +0530, Mukesh Ojha wrote:
>>>>> Hi Dmitry,
>>>>>
>>>>> Can you please have a look at this patch? This seems to be reproducing
>>>>> quite frequently.
>>>>>
>>>>> Thanks,
>>>>> Mukesh
>>>>>
>>>>> On 4/10/2019 1:29 PM, Mukesh Ojha wrote:
>>>>>> uinput_destroy_device() gets called from two places. In one place,
>>>>>> uinput_ioctl_handler(), it is protected under the lock
>>>>>> udev->mutex, but there is no protection on the udev device from being
>>>>>> freed inside uinput_release().
>>>> uinput_release() should be called when last file handle to the uinput
>>>> instance is being dropped, so there should be no other users and thus we
>>>> can't be racing with anyone.
>>> Let's say an example where I am creating input devices quite frequently:
>>>
>>> [   97.836603] input: syz0 as /devices/virtual/input/input262
>>> [   97.845589] input: syz0 as /devices/virtual/input/input261
>>> [   97.849415] input: syz0 as /devices/virtual/input/input263
>>> [   97.856479] input: syz0 as /devices/virtual/input/input264
>>> [   97.936128] input: syz0 as /devices/virtual/input/input265
>>>
>>> e.g. input265
>>>
>>> While input265 gets created [1] and handlers are getting registered on
>>> that device, *fput* gets called on that device as user space got to know
>>> that input265 is created and its reference is still 1 (rare but possible).
> Are you saying that there are 2 threads sharing the same file
> descriptor, one issuing the registration ioctl while the other closing
> the same fd?

Dmitry,

I don't have the exact look inside the app here, but this looks like the
same, as it is able to do fput on the uinput device.

FYI, the syzkaller app is running in userspace (it is for syscall fuzzing)
on a kernel which is enabled with various fault-injection configs:
FAULT_INJECTION, FAIL_SLAB, FAIL_PAGEALLOC, KASAN etc.

Thanks,
Mukesh

>
> Thanks.
>
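The interleaving Dmitry asks about (two threads sharing one uinput descriptor, one issuing the UI_DEV_CREATE registration ioctl while the other closes the same fd) as a user-space stress harness. This is an added example, not code from this thread, from syzkaller or from the kernel tree; the device name, the vendor/product ids and the round count are arbitrary choices, and it assumes a Linux host with /dev/uinput writable by the caller.

```c
/*
 * Added example (not from the thread, syzkaller or the kernel): two threads
 * share one uinput fd; thread A issues UI_DEV_CREATE while thread B close()s
 * the same descriptor. Name, ids and round count are arbitrary choices.
 * Requires Linux with /dev/uinput and permission to open it.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/input.h>
#include <linux/uinput.h>

/* Fill the UI_DEV_SETUP description. Pure, so it can be checked without the device. */
int fill_setup(struct uinput_setup *us, const char *name)
{
	if (!us || !name)
		return -EINVAL;
	memset(us, 0, sizeof(*us));
	us->id.bustype = BUS_VIRTUAL;
	us->id.vendor  = 0x1234;	/* arbitrary, constructed for the example */
	us->id.product = 0x5678;	/* arbitrary, constructed for the example */
	snprintf(us->name, UINPUT_MAX_NAME_SIZE, "%s", name);
	return 0;
}

/* Open /dev/uinput and declare one key so UI_DEV_CREATE has something to
 * register. Returns the fd, or -errno on failure. */
int uinput_prepare(const char *name)
{
	struct uinput_setup us;
	int fd = open("/dev/uinput", O_WRONLY | O_NONBLOCK);

	if (fd < 0)
		return -errno;
	fill_setup(&us, name);
	if (ioctl(fd, UI_SET_EVBIT, EV_KEY) < 0 ||
	    ioctl(fd, UI_SET_KEYBIT, KEY_A) < 0 ||
	    ioctl(fd, UI_DEV_SETUP, &us) < 0) {
		int err = errno;
		close(fd);
		return -err;
	}
	return fd;
}

static void *creator(void *arg)
{
	int fd = *(int *)arg;
	/* Thread A: registration ioctl. EBADF here just means B won the race. */
	ioctl(fd, UI_DEV_CREATE);
	return NULL;
}

static void *closer(void *arg)
{
	int fd = *(int *)arg;
	/* Thread B: drop the only descriptor while A may be inside the ioctl. */
	close(fd);
	return NULL;
}

/* One create/close round. Returns 0, or -errno if the device could not be prepared. */
int race_once(const char *name)
{
	pthread_t a, b;
	int fd = uinput_prepare(name);

	if (fd < 0)
		return fd;
	pthread_create(&a, NULL, creator, &fd);
	pthread_create(&b, NULL, closer, &fd);
	pthread_join(a, NULL);
	pthread_join(b, NULL);
	return 0;
}

int main(void)
{
	for (int i = 0; i < 1000; i++) {
		int r = race_once("syz0");
		if (r < 0) {
			fprintf(stderr, "uinput_prepare: %s\n", strerror(-r));
			return 1;
		}
	}
	puts("1000 rounds done; check dmesg for KASAN/uinput reports");
	return 0;
}
```

Build with `gcc -pthread`, run on a KASAN kernel and watch dmesg. One caveat before reading any report: when the file table is shared between threads, the ioctl path takes its own reference on the struct file (fdget), so close() in thread B only removes the descriptor, and uinput_release() runs when that reference is dropped after the ioctl returns. The harness therefore drives the create-then-release sequence at high rate rather than a truly concurrent ioctl/release, which matters when deciding whether a report points at fd sharing or at the ioctl and release code themselves.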


Thread overview: 14+ messages
2019-04-10  7:59 [PATCH v2] Input: uinput: Avoid Object-Already-Free with a global lock Mukesh Ojha
2019-04-15 10:05 ` Mukesh Ojha
2019-04-18  1:43   ` dmitry.torokhov
     [not found]     ` <bb92c3f2-faf1-04ec-4c67-3aba56c507a9@codeaurora.org>
     [not found]       ` <a4d1a2f3-1db7-e300-9569-7b7a2fadd64e@codeaurora.org>
2019-04-19  7:11         ` dmitry.torokhov
2019-04-19  8:43           ` Mukesh Ojha [this message]
2019-04-23  3:28             ` dmitry.torokhov
     [not found]               ` <17f4a0be-ab04-8537-9197-32fbca807f3f@codeaurora.org>
2019-04-23  8:49                 ` dmitry.torokhov
2019-04-23 11:06                   ` Al Viro
2019-04-23 12:15                     ` Al Viro
2019-04-24 12:10                     ` Mukesh Ojha
2019-04-24 13:07                       ` Al Viro
2019-04-24 14:09                         ` Mukesh Ojha
2019-04-24 22:56                           ` Al Viro
2019-05-01  7:50                             ` Mukesh Ojha
