From: Yoochan Lee <yoochan1026@gmail.com>
To: davem@davemloft.net
Cc: sparclinux@vger.kernel.org, linux-kernel@vger.kernel.org,
Yoochan Lee <yoochan1026@gmail.com>
Subject: [PATCH] sbus: char: uctrl: Fix use-after-free in uctrl_open
Date: Sat, 31 Dec 2022 13:58:44 +0900
Message-ID: <20221231045844.2038042-1-yoochan1026@gmail.com>
A race condition may occur if the user physically removes the
uctrl device while calling open().
This is a race condition between the uctrl_open() function and
the uctrl_remove() function, which may lead to a use-after-free.
Therefore, add a kref when the uctrl driver is open()ed and decrement
the kref on close() and in uctrl_remove() so that the race
condition does not occur.
---------------CPU 0--------------------CPU 1-----------------
                                      | p = dev_get_drvdata(&op->dev);
                                      | ...
                                      | kfree(p); -- (1)
uctrl_get_event_status(global_driver); -- (2)
Signed-off-by: Yoochan Lee <yoochan1026@gmail.com>
---
drivers/sbus/char/uctrl.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/drivers/sbus/char/uctrl.c b/drivers/sbus/char/uctrl.c
index 05de0ce79cb9..17a8acdfc03a 100644
--- a/drivers/sbus/char/uctrl.c
+++ b/drivers/sbus/char/uctrl.c
@@ -189,6 +189,7 @@ static struct uctrl_driver {
int irq;
int pending;
struct uctrl_status status;
+ struct kref *refcnt;
} *global_driver;
static void uctrl_get_event_status(struct uctrl_driver *);
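Review bot: the new member should be an embedded `struct kref refcnt;`, not the pointer `struct kref *refcnt;` this hunk adds. The rest of the patch takes `&global_driver->refcnt` and `&p->refcnt`, which for a pointer member yields a `struct kref **`, and `container_of(kref, struct uctrl_driver, refcnt)` only recovers the enclosing object when the kref is embedded. The counter is also never initialised anywhere in the patch: with an embedded member, `kref_init(&p->refcnt)` still needs to be added in the probe path so the count starts at 1 for the driver's own reference, otherwise the `kref_put()` in `uctrl_remove()` drops to zero while a file may still hold the object, or underflows.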
@@ -204,12 +205,28 @@ uctrl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
return 0;
}
+static void uctrl_delete(struct kref *kref)
+{
+ struct uctrl_driver *p = container_of(kref, struct uctrl_driver, refcnt);
+
+ misc_deregister(&uctrl_dev);
+ free_irq(p->irq, p);
+ of_iounmap(&op->resource[0], p->regs, resource_size(&op->resource[0]));
+ kfree(p);
+}
+
+static int uctrl_close(struct inode *inode, struct file *file)
+{
+ kref_put(&global_driver->refcnt, uctrl_delete);
+}
+
static int
uctrl_open(struct inode *inode, struct file *file)
{
mutex_lock(&uctrl_mutex);
uctrl_get_event_status(global_driver);
uctrl_get_external_status(global_driver);
+ kref_get(&global_driver->refcnt);
mutex_unlock(&uctrl_mutex);
return 0;
}
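Review bot: `uctrl_delete()` references `op` (`op->resource[0]`), but no `op` is in scope in this function; the platform device pointer is only available in `uctrl_remove()`, so either store it in `struct uctrl_driver` or keep the `of_iounmap()` in remove. `uctrl_close()` is declared `int` but has no return statement, which is undefined behaviour for a callback whose result the VFS uses; add `return 0;`. Finally, `kref_get(&global_driver->refcnt)` is taken only after `uctrl_get_event_status()` and `uctrl_get_external_status()` have already dereferenced `global_driver`, so the exact window drawn in the commit message (the `kfree(p)` on one CPU racing the status read on the other) is still open. The reference has to be acquired, and `global_driver` checked for NULL, before the structure is used; `kref_get()` on a count that may already be zero is itself a bug, so `kref_get_unless_zero()` is the appropriate primitive here.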
@@ -224,6 +241,7 @@ static const struct file_operations uctrl_fops = {
.llseek = no_llseek,
.unlocked_ioctl = uctrl_ioctl,
.open = uctrl_open,
+ .release = uctrl_close,
};
static struct miscdevice uctrl_dev = {
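Review bot: `.release` is the right hook for dropping the reference, since it runs once when the last reference to the struct file goes away rather than on every close(2); the callback must match `int (*release)(struct inode *, struct file *)`, so the missing `return 0;` in `uctrl_close()` needs fixing for this assignment to be correct.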
@@ -404,10 +422,7 @@ static int uctrl_remove(struct platform_device *op)
struct uctrl_driver *p = dev_get_drvdata(&op->dev);
if (p) {
- misc_deregister(&uctrl_dev);
- free_irq(p->irq, p);
- of_iounmap(&op->resource[0], p->regs, resource_size(&op->resource[0]));
- kfree(p);
+ kref_put(&p->refcnt, uctrl_delete);
}
return 0;
}
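Review bot: moving `misc_deregister()` and `free_irq()` into `uctrl_delete()` changes the teardown semantics: when a file is still open at remove time, the misc device stays registered after the platform device is gone, so new opens can still reach a driver whose `op` and IRQ no longer exist. Keep `misc_deregister()`, `free_irq()` and `of_iounmap()` unconditional in `uctrl_remove()` and let the kref guard only `kfree(p)` (the part an open file can still touch). Also, `global_driver` is left pointing at the object after the put, so clear it under `uctrl_mutex` here so a racing `uctrl_open()` observes NULL instead of a stale pointer.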
--
2.39.0