linux-stable/drivers/uio
Guanghui Feng 0c9ae0b860 uio: Fix use-after-free in uio_open
core-1				core-2
-------------------------------------------------------
uio_unregister_device		uio_open
				idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
				get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
				uio_release
				put_device(&idev->dev)
				kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
   freed.

To address this issue, we can get idev atomic & inc idev reference with
minor_lock.

Fixes: 57c5f4df0a ("uio: fix crash after the device is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-04 17:03:47 +01:00
..
Kconfig uio: Remove leading spaces in Kconfig 2021-05-21 14:52:37 +02:00
Makefile uio: uio_dfl: add userspace i/o driver for DFL bus 2021-03-28 14:58:18 +02:00
uio.c uio: Fix use-after-free in uio_open 2024-01-04 17:03:47 +01:00
uio_aec.c uio: uio_aec: Use pci_iounmap instead of iounmap 2021-05-14 13:39:47 +02:00
uio_cif.c uio: uio_cif: use devm_kzalloc() for uio_info object 2020-12-09 19:59:00 +01:00
uio_dfl.c uio: dfl: add vendor-specific feature id 2023-05-31 19:00:37 +01:00
uio_dmem_genirq.c uio: uio_dmem_genirq: Use non-atomic bit operations in irq config and handling 2022-11-10 18:54:29 +01:00
uio_fsl_elbc_gpcm.c uio: uio_fsl_elbc_gpcm: Replace NO_IRQ by 0 2022-11-10 18:39:19 +01:00
uio_hv_generic.c Drivers: hv: Make remove callback of hyperv driver void returned 2023-01-17 13:41:27 +00:00
uio_mf624.c uio: uio_mf624: use devm_kzalloc() for uio_info object 2020-12-09 19:58:54 +01:00
uio_netx.c uio: uio_netx: use devm_kzalloc() for or uio_info object 2020-12-09 19:58:54 +01:00
uio_pci_generic.c Merge 50f09a3dd5 ("Merge tag 'char-misc-5.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc") into char-misc-next 2021-05-21 09:48:31 +02:00
uio_pdrv_genirq.c Merge branch 'char-misc-linus' into 'char-misc-next' 2020-07-10 13:42:33 +02:00
uio_pruss.c uio: pruss: fix missing iounmap() in pruss_probe() 2023-08-22 13:41:55 +02:00
uio_sercos3.c uio: uio_sercos3: use device-managed functions for simple allocs 2020-12-09 19:58:54 +01:00