linux-stable/drivers/uio
Guanghui Feng 17a8519cb3 uio: Fix use-after-free in uio_open
commit 0c9ae0b860 upstream.

core-1				core-2
-------------------------------------------------------
uio_unregister_device		uio_open
				idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
				get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
				uio_release
				put_device(&idev->dev)
				kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
   freed.

To address this issue, we can get idev atomic & inc idev reference with
minor_lock.

Fixes: 57c5f4df0a ("uio: fix crash after the device is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-20 11:50:10 +01:00
..
Kconfig uio: Remove leading spaces in Kconfig 2021-05-21 14:52:37 +02:00
Makefile uio: uio_dfl: add userspace i/o driver for DFL bus 2021-03-28 14:58:18 +02:00
uio_aec.c uio: uio_aec: Use pci_iounmap instead of iounmap 2021-05-14 13:39:47 +02:00
uio_cif.c uio: uio_cif: use devm_kzalloc() for uio_info object 2020-12-09 19:59:00 +01:00
uio_dfl.c uio: dfl: add IOPLL user-clock feature id 2022-09-01 17:00:33 +02:00
uio_dmem_genirq.c uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2022-12-31 13:32:38 +01:00
uio_fsl_elbc_gpcm.c uio: uio_fsl_elbc_gpcm: use device-managed allocators 2020-12-09 19:59:00 +01:00
uio_hv_generic.c Drivers: hv: vmbus: Mark vmbus ring buffer visible to host in Isolation VM 2021-10-28 11:22:23 +00:00
uio_mf624.c uio: uio_mf624: use devm_kzalloc() for uio_info object 2020-12-09 19:58:54 +01:00
uio_netx.c uio: uio_netx: use devm_kzalloc() for or uio_info object 2020-12-09 19:58:54 +01:00
uio_pci_generic.c Merge 50f09a3dd5 ("Merge tag 'char-misc-5.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc") into char-misc-next 2021-05-21 09:48:31 +02:00
uio_pdrv_genirq.c Merge branch 'char-misc-linus' into 'char-misc-next' 2020-07-10 13:42:33 +02:00
uio_pruss.c treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_30.RULE (part 2) 2022-06-10 14:51:35 +02:00
uio_sercos3.c uio: uio_sercos3: use device-managed functions for simple allocs 2020-12-09 19:58:54 +01:00
uio.c uio: Fix use-after-free in uio_open 2024-01-20 11:50:10 +01:00