Re: [PATCH] char: xillybus: Prevent use-after-free due to race condition
From: Alan Stern
Date: Wed Oct 26 2022 - 11:02:24 EST
On Wed, Oct 26, 2022 at 11:52:40AM +0300, Eli Billauer wrote:
> xillybus_find_inode() is called by xillybus_open() and xillyusb_open()
> to translate the inode's major and minor into a pointer to a relevant
> data structure and an index.
>
> But with xillyusb_open(), the data structure can be freed by
> xillyusb_disconnect() during an unintentional time gap between the
> release of the mutex that is taken by xillybus_find_inode() and the
> mutex that is subsequently taken by xillyusb_open().
>
> To fix this, xillybus_find_inode() supplies the pointer to the mutex that
> it has locked (when returning success), so xillyusb_open() releases this
> mutex only after obtaining the mutex that is specific to a device file.
> This ensures that xillyusb_disconnect() won't release anything that is in
> use.
The standard way of handling this problem is different from this. The
driver defines a private mutex, and it ensures that any routine calling
*_find_inode() holds the mutex. It also ensures that the mutex is held
while a new device is being registered and while a device is being
removed.
Even that won't fix all the synchronization problems. A process can
open a device, and then after the device has been removed the process
can still try to access the device. The driver needs to ensure that
such accesses are not allowed.
Alan Stern