Re: [PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

From: Arnd Bergmann
Date: Fri Sep 16 2022 - 03:00:31 EST

Next message: guanjun: "Re: [PATCH RESEND v1 0/9] Drivers for Alibaba YCC (Yitian Cryptography Complex) cryptographic accelerator"
Previous message: Conor.Dooley: "Re: [PATCH v2] riscv: ztso: disallow elf binaries needing TSO"
In reply to: Hyunwoo Kim: "[PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops"
Next in thread: Hyunwoo Kim: "Re: [PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Sep 16, 2022, at 7:00 AM, Hyunwoo Kim wrote:
> @@ -298,9 +300,10 @@ static void scr24x_remove(struct pcmcia_device *link)
> cdev_del(&dev->c_dev);
> clear_bit(dev->devno, scr24x_minors);
> dev->dev = NULL;
> - mutex_unlock(&dev->lock);
>
> kref_put(&dev->refcnt, scr24x_delete);
> +
> + mutex_unlock(&dev->lock);
> }

This appears to introduce a new use-after-free, when the kref_put()
frees the 'dev' structure and you unlock the mutex in that structure
afterwards.

Arnd

Next message: guanjun: "Re: [PATCH RESEND v1 0/9] Drivers for Alibaba YCC (Yitian Cryptography Complex) cryptographic accelerator"
Previous message: Conor.Dooley: "Re: [PATCH v2] riscv: ztso: disallow elf binaries needing TSO"
In reply to: Hyunwoo Kim: "[PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops"
Next in thread: Hyunwoo Kim: "Re: [PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]