From: Hans Petter Selasky
Date: Wed, 12 Dec 2018 10:08:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r341849 - in stable/12/sys/compat/linuxkpi/common: include/linux src

Author: hselasky
Date: Wed Dec 12 10:08:15 2018
New Revision: 341849
URL: https://svnweb.freebsd.org/changeset/base/341849

Log:
  MFC r341518:
  linuxkpi: Fix for use-after-free when tearing down character devices.

  Make sure we hold a reference on the character device for every opened file
  to prevent the character device from being freed prematurely.
Sponsored by: Mellanox Technologies Modified: stable/12/sys/compat/linuxkpi/common/include/linux/cdev.h stable/12/sys/compat/linuxkpi/common/include/linux/fs.h stable/12/sys/compat/linuxkpi/common/src/linux_compat.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/compat/linuxkpi/common/include/linux/cdev.h ============================================================================== --- stable/12/sys/compat/linuxkpi/common/include/linux/cdev.h Wed Dec 12 10:05:41 2018 (r341848) +++ stable/12/sys/compat/linuxkpi/common/include/linux/cdev.h Wed Dec 12 10:08:15 2018 (r341849) @@ -36,6 +36,8 @@ #include #include +#include + struct file_operations; struct inode; struct module; @@ -50,6 +52,7 @@ struct linux_cdev { struct cdev *cdev; dev_t dev; const struct file_operations *ops; + atomic_long_t refs; }; static inline void @@ -58,6 +61,7 @@ cdev_init(struct linux_cdev *cdev, const struct file_o kobject_init(&cdev->kobj, &linux_cdev_static_ktype); cdev->ops = ops; + atomic_long_set(&cdev->refs, 0); } static inline struct linux_cdev * @@ -130,13 +134,13 @@ cdev_add_ext(struct linux_cdev *cdev, dev_t dev, uid_t return (0); } +void linux_destroy_dev(struct linux_cdev *); + static inline void cdev_del(struct linux_cdev *cdev) { - if (cdev->cdev) { - destroy_dev(cdev->cdev); - cdev->cdev = NULL; - } + + linux_destroy_dev(cdev); kobject_put(&cdev->kobj); } Modified: stable/12/sys/compat/linuxkpi/common/include/linux/fs.h ============================================================================== --- stable/12/sys/compat/linuxkpi/common/include/linux/fs.h Wed Dec 12 10:05:41 2018 (r341848) +++ stable/12/sys/compat/linuxkpi/common/include/linux/fs.h Wed Dec 12 10:08:15 2018 (r341849) 
@@ -2,7 +2,7 @@ * Copyright (c) 2010 Isilon Systems, Inc. * Copyright (c) 2010 iX Systems, Inc. * Copyright (c) 2010 Panasas, Inc. - * Copyright (c) 2013-2017 Mellanox Technologies, Ltd. + * Copyright (c) 2013-2018 Mellanox Technologies, Ltd. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -55,6 +55,7 @@ struct vm_area_struct; struct poll_table_struct; struct files_struct; struct pfs_node; +struct linux_cdev; #define inode vnode #define i_cdev v_rdev @@ -105,6 +106,9 @@ struct linux_file { /* protects f_selinfo.si_note */ spinlock_t f_kqlock; struct linux_file_wait_queue f_wait_queue; + + /* pointer to associated character device, if any */ + struct linux_cdev *f_cdev; }; #define file linux_file Modified: stable/12/sys/compat/linuxkpi/common/src/linux_compat.c ============================================================================== --- stable/12/sys/compat/linuxkpi/common/src/linux_compat.c Wed Dec 12 10:05:41 2018 (r341848) +++ stable/12/sys/compat/linuxkpi/common/src/linux_compat.c Wed Dec 12 10:08:15 2018 (r341849) @@ -699,12 +699,20 @@ linux_dev_fdopen(struct cdev *dev, int fflags, struct filp->f_flags = file->f_flag; filp->f_vnode = file->f_vnode; filp->_file = file; + filp->f_cdev = ldev; linux_set_current(td); + /* get a reference on the Linux character device */ + if (atomic_long_add_unless(&ldev->refs, 1, -1L) == 0) { + kfree(filp); + return (EINVAL); + } + if (filp->f_op->open) { error = -filp->f_op->open(file->f_vnode, filp); if (error) { + atomic_long_dec(&ldev->refs); kfree(filp); return (error); } @@ -1396,6 +1404,10 @@ linux_file_close(struct file *file, struct thread *td) funsetown(&filp->f_sigio); if (filp->f_vnode != NULL) vdrop(filp->f_vnode); + if (filp->f_cdev != NULL) { + /* put a reference on the Linux character device */ + atomic_long_dec(&filp->f_cdev->refs); + } kfree(filp); return (error); 
@@ -1947,8 +1959,7 @@ linux_cdev_release(struct kobject *kobj) cdev = container_of(kobj, struct linux_cdev, kobj); parent = kobj->parent; - if (cdev->cdev) - destroy_dev(cdev->cdev); + linux_destroy_dev(cdev); kfree(cdev); kobject_put(parent); } @@ -1961,9 +1972,25 @@ linux_cdev_static_release(struct kobject *kobj) cdev = container_of(kobj, struct linux_cdev, kobj); parent = kobj->parent; - if (cdev->cdev) - destroy_dev(cdev->cdev); + linux_destroy_dev(cdev); kobject_put(parent); +} + +void +linux_destroy_dev(struct linux_cdev *cdev) +{ + + if (cdev->cdev == NULL) + return; + + atomic_long_dec(&cdev->refs); + + /* wait for all open files to be closed */ + while (atomic_long_read(&cdev->refs) != -1L) + pause("ldevdrn", hz); + + destroy_dev(cdev->cdev); + cdev->cdev = NULL; } const struct kobj_type linux_cdev_ktype = {
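Review bot: The new `atomic_long_t refs;` member in struct linux_cdev (cdev.h, hunk @@ -50,6 +52,7 @@) has no comment, yet the rest of the change gives it a non-obvious encoding: cdev_init() sets it to 0, each open adds 1, and linux_destroy_dev() treats -1L as "torn down, no files open". A one-line comment on the field stating that 0 means registered with no open files and -1 means destroyed would keep later changes from treating it as a plain counter.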
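Review bot: cdev_del() (cdev.h, hunk @@ -130,13 +134,13 @@) now calls linux_destroy_dev(), which loops in pause("ldevdrn", hz) until every open file is closed, so a call that previously only ran destroy_dev() can now sleep for an unbounded time. That deserves a comment at cdev_del() saying it may sleep until the last close and must not be called with non-sleepable locks held, since drivers ported from Linux will not expect this function to wait on userspace.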
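Review bot: In linux_dev_fdopen() (linux_compat.c, hunk @@ -699,12 +699,20 @@), the path where atomic_long_add_unless(&ldev->refs, 1, -1L) returns 0 reports EINVAL, which tells the caller its arguments were bad rather than that the device is going away. ENXIO would describe the condition more accurately and is easier to tell apart when diagnosing a failed open during driver unload. The error path after a failing f_op->open does drop the reference again with atomic_long_dec(), which is correct.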
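Review bot: The atomic_long_dec(&filp->f_cdev->refs) added to linux_file_close() (linux_compat.c, hunk @@ -1396,6 +1404,10 @@) does not wake the thread waiting in linux_destroy_dev(), which only re-checks the counter after each pause("ldevdrn", hz) timeout. Teardown can therefore lag the last close by up to one hz interval. Having the waiter sleep on a channel and issuing a wakeup here when the counter reaches -1 would remove the polling delay.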
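Review bot: In the new linux_destroy_dev() (linux_compat.c, hunk @@ -1961,9 +1972,25 @@), the single atomic_long_dec() only brings refs to -1 when no file is open, so while files remain open the counter stays at 0 or above and atomic_long_add_unless(&ldev->refs, 1, -1L) in linux_dev_fdopen() keeps admitting new opens. A steady stream of opens can keep the drain loop from ever finishing, and a file that userspace never closes blocks teardown with no timeout. Consider a separate "dying" flag that is set before the drain and checked in the open path. The cdev->cdev == NULL check and the decrement are also unserialised: two concurrent callers would both decrement, leaving refs at -2 with no open files, so the `!= -1L` loop would never exit. If concurrent calls are impossible, a comment saying why would help.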