* 4.14 "uio: Prevent device destruction while fds are open"
@ 2019-02-06 11:27 Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-11 13:40 ` greg
  0 siblings, 1 reply; 2+ messages in thread
From: Rantala, Tommi T. (Nokia - FI/Espoo) @ 2019-02-06 11:27 UTC (permalink / raw)
  To: stable, greg; +Cc: linux-kernel

Hi,

I hit use-after-free issues in UIO in 4.14.x, and discovered that it's
already fixed in later kernel versions:

commit a93e7b331568227500186a465fee3c2cb5dffd1f
Author: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
Date:   Mon May 14 13:32:23 2018 +1200

    uio: Prevent device destruction while fds are open

Can we have this in 4.14.y?
(good idea to older LTS kernels too)
I picked and tested the following commits in 4.14.x:


# Temporarily revert "uio: Fix an Oops on load",
# to avoid merge conflict later with "uio: use
# request_threaded_irq instead"
git revert f6a6ae4e0f345aa481535bfe2046cd33f4dc37b8

# "uio: Reduce return paths from uio_write()"
git cherry-pick 81daa406c2cc97d85eef9409400404efc2a3f756

# "uio: Prevent device destruction while fds are open"
# Also amend this, change __poll_t to plain unsigned int,
# the former not found in 4.14.
git cherry-pick a93e7b331568227500186a465fee3c2cb5dffd1f
sed -i "s/__poll_t/unsigned int/" drivers/uio/uio.c
git commit --amend drivers/uio/uio.c

# "uio: use request_threaded_irq instead"
git cherry-pick 9421e45f5ff3d558cf8b75a8cc0824530caf3453

# "uio: change to use the mutex lock instead of the spin lock"
# Resolve conflict due to __poll_t in patch context.
git cherry-pick 543af5861f41af0a5d2432f6fb5976af50f9cee5
sed -i -e '/<<<<<<</,/=======/d' -e '/>>>>>>>/d' \
-e 's/__poll_t/unsigned int/' drivers/uio/uio.c
git add drivers/uio/uio.c
git cherry-pick --continue

# uio: fix crash after the device is unregistered
git cherry-pick 57c5f4df0a5a0ee83df799991251e2ee93a5e4e9

# uio: fix wrong return value from uio_mmap()
git cherry-pick e7de2590f18a272e63732b9d519250d1b522b2c4

# uio: fix possible circular locking dependency
git cherry-pick b34e9a15b37b8ddbf06a4da142b0c39c74211eb4

# Revert "uio: use request_threaded_irq instead"
git cherry-pick 3d27c4de8d4fb2d4099ff324671792aa2578c6f9

# re-apply: uio: Fix an Oops on load
git cherry-pick 432798195bbce1f8cd33d1c0284d0538835e25fb

-Tommi
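
To check whether a stable tree already carries the commits listed in the message above, the following added example (not part of the original post or of any kernel tooling) scans `git log` text for the usual stable backport markers. The function names and the sample log are constructed for illustration; the upstream commit ids are the ones from the thread.

```shell
#!/bin/sh
# Added example: upstream ids are the ones cherry-picked in the message above.
# The initial "git revert" is not listed; the final re-apply supersedes it.
UIO_SERIES="81daa406c2cc97d85eef9409400404efc2a3f756
a93e7b331568227500186a465fee3c2cb5dffd1f
9421e45f5ff3d558cf8b75a8cc0824530caf3453
543af5861f41af0a5d2432f6fb5976af50f9cee5
57c5f4df0a5a0ee83df799991251e2ee93a5e4e9
e7de2590f18a272e63732b9d519250d1b522b2c4
b34e9a15b37b8ddbf06a4da142b0c39c74211eb4
3d27c4de8d4fb2d4099ff324671792aa2578c6f9
432798195bbce1f8cd33d1c0284d0538835e25fb"

# Extract upstream ids from backport markers in "git log" text on stdin.
backported_ids() {
    grep -E '^[[:space:]]*(commit [0-9a-f]{40} upstream\.?|\[ Upstream commit [0-9a-f]{40} \]|\(cherry picked from commit [0-9a-f]{40}\))[[:space:]]*$' |
        grep -oE '[0-9a-f]{40}' | sort -u
}

# Print each id of UIO_SERIES that no backport marker on stdin refers to.
missing_backports() {
    have=$(backported_ids)
    for id in $UIO_SERIES; do
        printf '%s\n' "$have" | grep -qx "$id" || echo "$id"
    done
}

# Constructed sample input: two backports, one in each stable marker style.
sample_log() {
cat <<'EOF'
commit 1111111111111111111111111111111111111111
Author: Example Backporter <backporter@example.invalid>

    uio: Reduce return paths from uio_write()

    commit 81daa406c2cc97d85eef9409400404efc2a3f756 upstream.

commit 2222222222222222222222222222222222222222
Author: Example Backporter <backporter@example.invalid>

    uio: Prevent device destruction while fds are open

    [ Upstream commit a93e7b331568227500186a465fee3c2cb5dffd1f ]
EOF
}

# On a real tree: git log v4.14..HEAD -- drivers/uio/uio.c | missing_backports
sample_log | missing_backports
```

A marker only shows that a commit was applied at some point; a later revert in the same tree still has to be checked by hand.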



* Re: 4.14 "uio: Prevent device destruction while fds are open"
  2019-02-06 11:27 4.14 "uio: Prevent device destruction while fds are open" Rantala, Tommi T. (Nokia - FI/Espoo)
@ 2019-02-11 13:40 ` greg
  0 siblings, 0 replies; 2+ messages in thread
From: greg @ 2019-02-11 13:40 UTC (permalink / raw)
  To: Rantala, Tommi T. (Nokia - FI/Espoo); +Cc: stable, linux-kernel

On Wed, Feb 06, 2019 at 11:27:27AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> Hi,
> 
> I hit use-after-free issues in UIO in 4.14.x, and discovered that it's
> already fixed in later kernel versions:
> 
> commit a93e7b331568227500186a465fee3c2cb5dffd1f
> Author: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
> Date:   Mon May 14 13:32:23 2018 +1200
> 
>     uio: Prevent device destruction while fds are open
> 
> Can we have this in 4.14.y?
> (good idea to older LTS kernels too)
> I picked and tested the following commits in 4.14.x:
> 
> 
> # Temporarily revert "uio: Fix an Oops on load",
> # to avoid merge conflict later with "uio: use
> # request_threaded_irq instead"
> git revert f6a6ae4e0f345aa481535bfe2046cd33f4dc37b8
> 
> # "uio: Reduce return paths from uio_write()"
> git cherry-pick 81daa406c2cc97d85eef9409400404efc2a3f756
> 
> # "uio: Prevent device destruction while fds are open"
> # Also amend this, change __poll_t to plain unsigned int,
> # the former not found in 4.14.
> git cherry-pick a93e7b331568227500186a465fee3c2cb5dffd1f
> sed -i "s/__poll_t/unsigned int/" drivers/uio/uio.c
> git commit --amend drivers/uio/uio.c
> 
> # "uio: use request_threaded_irq instead"
> git cherry-pick 9421e45f5ff3d558cf8b75a8cc0824530caf3453
> 
> # "uio: change to use the mutex lock instead of the spin lock"
> # Resolve conflict due to __poll_t in patch context.
> git cherry-pick 543af5861f41af0a5d2432f6fb5976af50f9cee5
> sed -i -e '/<<<<<<</,/=======/d' -e '/>>>>>>>/d' \
> -e 's/__poll_t/unsigned int/' drivers/uio/uio.c
> git add drivers/uio/uio.c
> git cherry-pick --continue
> 
> # uio: fix crash after the device is unregistered
> git cherry-pick 57c5f4df0a5a0ee83df799991251e2ee93a5e4e9
> 
> # uio: fix wrong return value from uio_mmap()
> git cherry-pick e7de2590f18a272e63732b9d519250d1b522b2c4
> 
> # uio: fix possible circular locking dependency
> git cherry-pick b34e9a15b37b8ddbf06a4da142b0c39c74211eb4
> 
> # Revert "uio: use request_threaded_irq instead"
> git cherry-pick 3d27c4de8d4fb2d4099ff324671792aa2578c6f9
> 
> # re-apply: uio: Fix an Oops on load
> git cherry-pick 432798195bbce1f8cd33d1c0284d0538835e25fb

That's a lot of work for me here, can you just send the patches properly
backported as a series so that I can apply them that way to ensure that
I got this all correct?

thanks,

greg k-h
