From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable <stable@kernel.org>,
Guanghui Feng <guanghuifeng@linux.alibaba.com>,
Baolin Wang <baolin.wang@linux.alibaba.com>
Subject: [PATCH 6.7 20/28] uio: Fix use-after-free in uio_open
Date: Thu, 18 Jan 2024 11:49:10 +0100 [thread overview]
Message-ID: <20240118104301.930766266@linuxfoundation.org> (raw)
In-Reply-To: <20240118104301.249503558@linuxfoundation.org>
6.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
core-1 core-2
-------------------------------------------------------
uio_unregister_device uio_open
idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
uio_release
put_device(&idev->dev)
kfree(idev)
-------------------------------------------------------
In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
freed.
To address this issue, we can get idev atomic & inc idev reference with
minor_lock.
Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/uio/uio.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -466,13 +466,13 @@ static int uio_open(struct inode *inode,
mutex_lock(&minor_lock);
idev = idr_find(&uio_idr, iminor(inode));
- mutex_unlock(&minor_lock);
if (!idev) {
ret = -ENODEV;
+ mutex_unlock(&minor_lock);
goto out;
}
-
get_device(&idev->dev);
+ mutex_unlock(&minor_lock);
if (!try_module_get(idev->owner)) {
ret = -ENODEV;
@@ -1064,9 +1064,8 @@ void uio_unregister_device(struct uio_in
wake_up_interruptible(&idev->wait);
kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
- device_unregister(&idev->dev);
-
uio_free_minor(minor);
+ device_unregister(&idev->dev);
return;
}
next prev parent reply other threads:[~2024-01-18 10:51 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-18 10:48 [PATCH 6.7 00/28] 6.7.1-rc1 review Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 01/28] f2fs: explicitly null-terminate the xattr list Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 02/28] ALSA: hda/realtek: Add quirks for Dell models Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 03/28] ALSA: hda: cs35l41: Support additional Dell models without _DSD Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 04/28] ALSA: hda: cs35l41: Prevent firmware load if SPI speed too low Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 05/28] ALSA: hda: Add driver properties for cs35l41 for Lenovo Legion Slim 7 Gen 8 serie Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 06/28] ALSA: hda/realtek: enable SND_PCI_QUIRK for Lenovo Legion Slim 7 Gen 8 (2023) serie Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 07/28] ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 13-ay0xxx Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 08/28] ALSA: hda: cs35l41: Support more HP models without _DSD Greg Kroah-Hartman
2024-01-18 10:48 ` [PATCH 6.7 09/28] ACPI: resource: Add another DMI match for the TongFang GMxXGxx Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 10/28] bus: moxtet: Mark the irq as shared Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 11/28] bus: moxtet: Add spi device table Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 12/28] drm/amd/display: Pass pwrseq inst for backlight and ABM Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 13/28] ksmbd: dont allow O_TRUNC open on read-only share Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 14/28] ksmbd: free ppace array on error in parse_dacl Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 15/28] Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 16/28] binder: use EPOLLERR from eventpoll.h Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 17/28] binder: fix use-after-free in shinkers callback Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 18/28] binder: fix trivial typo of binder_free_buf_locked() Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 19/28] binder: fix comment on binder_alloc_new_buf() return value Greg Kroah-Hartman
2024-01-18 10:49 ` Greg Kroah-Hartman [this message]
2024-01-18 10:49 ` [PATCH 6.7 21/28] parport: parport_serial: Add Brainboxes BAR details Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 22/28] parport: parport_serial: Add Brainboxes device IDs and geometry Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 23/28] leds: ledtrig-tty: Free allocated ttyname buffer on deactivate Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 24/28] PCI: Add ACS quirk for more Zhaoxin Root Ports Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 25/28] coresight: etm4x: Fix width of CCITMIN field Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 26/28] scripts/decode_stacktrace.sh: optionally use LLVM utilities Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 27/28] docs: kernel_feat.py: fix potential command injection Greg Kroah-Hartman
2024-01-18 10:49 ` [PATCH 6.7 28/28] mm/memory_hotplug: fix memmap_on_memory sysfs value retrieval Greg Kroah-Hartman
2024-01-18 16:35 ` [PATCH 6.7 00/28] 6.7.1-rc1 review Allen
2024-01-18 19:51 ` Florian Fainelli
2024-01-18 20:17 ` SeongJae Park
2024-01-19 0:43 ` Shuah Khan
2024-01-19 4:30 ` Ron Economos
2024-01-19 6:45 ` Bagas Sanjaya
2024-01-19 13:49 ` Ricardo B. Marliere
2024-01-19 14:14 ` Jon Hunter
2024-01-19 15:48 ` Naresh Kamboju
2024-01-19 16:01 ` Greg Kroah-Hartman
2024-01-19 17:35 ` Naresh Kamboju
2024-01-19 17:53 ` Luna Jernberg
2024-01-20 3:31 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240118104301.930766266@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=guanghuifeng@linux.alibaba.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).