Whenever pi433_open and pi433_remove execute concurrently, a race
condition potentially resulting in use-after-free might happen.
Let T1 and T2 be two kernel threads.
1. T1 executes pi433_open and stops before "device->users++".
2. The pi433 device was removed inbetween, so T2 executes pi433_remove
and frees device because the user count has not been incremented yet.
3. T1 executes "device->users++" (use-after-free).
This race condition happens because the check of minor number and
user count increment does not happen atomically.
Fix: Extend scope of minor_lock in pi433_open().
Signed-off-by: Hugo Lefeuvre <hle@xxxxxxxxxx>
---
drivers/staging/pi433/pi433_if.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c
index 94e0bfcec991..73c511249f7f 100644
--- a/drivers/staging/pi433/pi433_if.c
+++ b/drivers/staging/pi433/pi433_if.c
@@ -957,11 +957,13 @@ static int pi433_open(struct inode *inode, struct file *filp)
mutex_lock(&minor_lock);
device = idr_find(&pi433_idr, iminor(inode));
- mutex_unlock(&minor_lock);
if (!device) {
+ mutex_unlock(&minor_lock);
pr_debug("device: minor %d unknown.\n", iminor(inode));
return -ENODEV;
}
+ device->users++;
+ mutex_unlock(&minor_lock);
if (!device->rx_buffer) {
device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL);
@@ -969,7 +971,6 @@ static int pi433_open(struct inode *inode, struct file *filp)
return -ENOMEM;
}
- device->users++;
instance = kzalloc(sizeof(*instance), GFP_KERNEL);
if (!instance) {
kfree(device->rx_buffer);
--
2.17.1
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
