In drivers/fsi/fsi-sbefifo.c, the functions sbefifo_user_release(), 
sbefifo_user_read() and sbefifo_user_write() may be concurrently executed.

sbefifo_user_release()
  sbefifo_release_command()
    vfree(user->pending_cmd);

sbefifo_user_read()
  mutex_lock();
  rc = __sbefifo_submit(sbefifo, user->pending_cmd, ...);

sbefifo_user_write()
  mutex_lock();
  user->pending_cmd = user->cmd_page;
  user->pending_cmd = vmalloc(len);

Thus, a concurrent use-after-free may occur in
sbefifo_user_release().

To fix these bugs, the calls to mutex_lock() and mutex_unlock() are
added in sbefifo_user_release().


Signed-off-by: Jia-Ju Bai <[email protected]>
---
 drivers/fsi/fsi-sbefifo.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
index d92f5b87c251..e278a9014b8f 100644
--- a/drivers/fsi/fsi-sbefifo.c
+++ b/drivers/fsi/fsi-sbefifo.c
@@ -900,8 +900,10 @@ static int sbefifo_user_release(struct inode *inode, 
struct file *file)
        if (!user)
                return -EINVAL;
 
+       mutex_lock(&user->file_lock);
        sbefifo_release_command(user);
        free_page((unsigned long)user->cmd_page);
+       mutex_unlock(&user->file_lock);
        kfree(user);
 
        return 0;
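Review bot: The mutex added at the top of the hunk is released on the line before `kfree(user)`, so a sbefifo_user_read() or sbefifo_user_write() that had blocked on `user->file_lock` during release would wake, acquire the lock and then dereference the freed `user` — including the lock itself — so the critical section does not close the window the description is concerned about. A mutex embedded in an object cannot protect that object at the point it is freed; if release really can run concurrently with read/write, the object needs a lifetime guarantee outside the lock (a reference count or similar), not a lock/unlock pair. It is worth confirming the premise first: `.release()` is normally reached only after the last reference to the struct file is dropped, at which point no read/write on that file can be in flight, so the message should state why the race is reachable at all. If the change is kept, a comment on the lock such as `/* file_lock cannot guard the kfree() below; no read/write may be in flight here */` would record the assumption. The opening of sbefifo_user_release() lies outside the hunk.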
-- 
2.17.0
