From patchwork Thu Jul 27 14:57:58 2023
X-Patchwork-Submitter: "Usyskin, Alexander"
X-Patchwork-Id: 1813818
From: Alexander Usyskin
To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Tomas Winkler, Alexander Usyskin, Vitaly Lubart, Andy Shevchenko, Zhang Xiaoxu
Subject: [PATCH] mtd: fix use-after-free in mtd release
Date: Thu, 27 Jul 2023 17:57:58 +0300
Message-Id: <20230727145758.3880967-1-alexander.usyskin@intel.com>
X-Mailer: git-send-email 2.34.1

In case of partition, device_unregister in mtd_device_release calls
mtd_release, which frees the mtd_info structure for the partition.
All code after device_unregister in mtd_device_release thus works on
already freed memory.

Move part of the code to mtd_release and restrict mtd->dev cleanup to
non-partition objects.
For a partition object such cleanup makes no sense, as the partition
mtd_info is removed.

Cc: Miquel Raynal
Cc: Zhang Xiaoxu
Fixes: 19bfa9ebebb5 ("mtd: use refcount to prevent corruption")
Reviewed-by: Tomas Winkler
Signed-off-by: Alexander Usyskin
--- drivers/mtd/mtdcore.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index 2466ea466466..46f15f676491 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c 
@@ -93,6 +93,9 @@ static void mtd_release(struct device *dev) struct mtd_info *mtd = dev_get_drvdata(dev); dev_t index = MTD_DEVT(mtd->index); + idr_remove(&mtd_idr, mtd->index); + of_node_put(mtd_get_of_node(mtd)); + if (mtd_is_partition(mtd)) release_mtd_partition(mtd); @@ -103,6 +106,7 @@ static void mtd_release(struct device *dev) static void mtd_device_release(struct kref *kref) { struct mtd_info *mtd = container_of(kref, struct mtd_info, refcnt); + bool is_partition = mtd_is_partition(mtd); debugfs_remove_recursive(mtd->dbg.dfs_dir); @@ -111,11 +115,13 @@ static void mtd_device_release(struct kref *kref) device_unregister(&mtd->dev); - /* Clear dev so mtd can be safely re-registered later if desired */ - memset(&mtd->dev, 0, sizeof(mtd->dev)); - - idr_remove(&mtd_idr, mtd->index); - of_node_put(mtd_get_of_node(mtd)); + /* + * Clear dev so mtd can be safely re-registered later if desired. + * Should not be done for partition, + * as it was already destroyed in device_unregister(). + */ + if (!is_partition) + memset(&mtd->dev, 0, sizeof(mtd->dev)); module_put(THIS_MODULE); }
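
Review bot: In the first hunk, the new idr_remove(&mtd_idr, mtd->index) and of_node_put(mtd_get_of_node(mtd)) calls in mtd_release() are only safe because they sit above release_mtd_partition(mtd), which per the commit message frees the partition's mtd_info, yet nothing in the code records that ordering constraint. Add a one-line comment above them saying they must run before the partition is released, so a later cleanup does not move them below the if block and reintroduce the use-after-free. The commit message should also say whether mtd_release() is always reached with the same protection around mtd_idr that the old call site in mtd_device_release() had, since the idr update now happens from the device release callback.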
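
Review bot: In the second hunk, the is_partition local in mtd_device_release() is declared without saying why the value is sampled up front; the reason only becomes visible in the next hunk. Suggest a short comment at the declaration noting that mtd may be freed by device_unregister() when it is a partition, so mtd_is_partition(mtd) must not be called after that point.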
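
Review bot: In the third hunk, the comment above "if (!is_partition)" says the partition "was already destroyed in device_unregister()", which leaves "it" ambiguous between mtd->dev and the mtd_info itself; the commit message is more precise than the code comment. Suggest wording along the lines of "the partition's mtd_info is freed by mtd_release() during device_unregister()", which also tells the reader that any dereference of mtd added later between device_unregister() and module_put(THIS_MODULE) needs the same is_partition guard.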