Hi,
I hit use-after-free issues in UIO in 4.14.x, and discovered that it's already fixed in later kernel versions:
commit a93e7b331568227500186a465fee3c2cb5dffd1f
Author: Hamish Martin hamish.martin@alliedtelesis.co.nz
Date:   Mon May 14 13:32:23 2018 +1200

    uio: Prevent device destruction while fds are open
Can we have this in 4.14.y? (good idea for older LTS kernels too)

I picked and tested the following commits in 4.14.x:
# Temporarily revert "uio: Fix an Oops on load",
# to avoid merge conflict later with "uio: use
# request_threaded_irq instead"
git revert f6a6ae4e0f345aa481535bfe2046cd33f4dc37b8

# "uio: Reduce return paths from uio_write()"
git cherry-pick 81daa406c2cc97d85eef9409400404efc2a3f756

# "uio: Prevent device destruction while fds are open"
# Also amend this, change __poll_t to plain unsigned int,
# the former not found in 4.14.
git cherry-pick a93e7b331568227500186a465fee3c2cb5dffd1f
sed -i "s/__poll_t/unsigned int/" drivers/uio/uio.c
git commit --amend drivers/uio/uio.c

# "uio: use request_threaded_irq instead"
git cherry-pick 9421e45f5ff3d558cf8b75a8cc0824530caf3453

# "uio: change to use the mutex lock instead of the spin lock"
# Resolve conflict due to __poll_t in patch context.
git cherry-pick 543af5861f41af0a5d2432f6fb5976af50f9cee5
sed -i -e '/<<<<<<</,/=======/d' -e '/>>>>>>>/d' \
    -e 's/__poll_t/unsigned int/' drivers/uio/uio.c
git add drivers/uio/uio.c
git cherry-pick --continue

# uio: fix crash after the device is unregistered
git cherry-pick 57c5f4df0a5a0ee83df799991251e2ee93a5e4e9

# uio: fix wrong return value from uio_mmap()
git cherry-pick e7de2590f18a272e63732b9d519250d1b522b2c4

# uio: fix possible circular locking dependency
git cherry-pick b34e9a15b37b8ddbf06a4da142b0c39c74211eb4

# Revert "uio: use request_threaded_irq instead"
git cherry-pick 3d27c4de8d4fb2d4099ff324671792aa2578c6f9

# re-apply: uio: Fix an Oops on load
git cherry-pick 432798195bbce1f8cd33d1c0284d0538835e25fb
-Tommi
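
What the sed-based conflict resolution in the steps above does to a conflicted file, as an added example that is not part of the original message: it deletes the HEAD side of every conflict hunk, keeps the cherry-picked side, and then rewrites __poll_t, so a leftover check before "git add" is worth running. The file contents and the function names here are constructed for illustration; this is not the real drivers/uio/uio.c conflict.

```shell
#!/bin/sh
# Added example. The conflicted file below is constructed; it only mimics the
# shape of a conflict caused by __poll_t appearing in the patch context.

sample_conflict() {
cat <<'EOF'
static unsigned int uio_poll(struct file *filep, poll_table *wait)
{
<<<<<<< HEAD
    unsigned int ret = 0; /* constructed: side already in the tree */
=======
    __poll_t ret = 0; /* constructed: side from the picked commit */
    /* constructed: lines added by the picked commit */
>>>>>>> picked commit
    return ret;
}
EOF
}

# Same sed expressions as in the message, writing to stdout instead of -i.
# 1) delete from the "<<<<<<<" marker through "=======" (the HEAD side),
# 2) delete the ">>>>>>>" marker, 3) replace __poll_t on the surviving lines.
resolve_like_thread() {
    sed -e '/<<<<<<</,/=======/d' -e '/>>>>>>>/d' \
        -e 's/__poll_t/unsigned int/' "$1"
}

# Count lines that still carry a conflict marker or a __poll_t reference.
# "|| true" keeps the exit status 0 when grep finds nothing.
count_leftovers() {
    grep -cE '^(<<<<<<<|=======|>>>>>>>)|__poll_t' "$1" || true
}

demo() {
    dir=$(mktemp -d)
    sample_conflict > "$dir/before.c"
    resolve_like_thread "$dir/before.c" > "$dir/after.c"
    echo "leftovers before: $(count_leftovers "$dir/before.c")"
    echo "leftovers after:  $(count_leftovers "$dir/after.c")"
    cat "$dir/after.c"
    rm -rf "$dir"
}

demo
```

Because the range expression discards the HEAD side unconditionally, any 4.14-specific change that lived only on that side is lost; reviewing "git diff --cached" after "git add" shows what actually went into the backport.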
On Wed, Feb 06, 2019 at 11:27:27AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> Hi,
>
> I hit use-after-free issues in UIO in 4.14.x, and discovered that it's already fixed in later kernel versions:
>
> commit a93e7b331568227500186a465fee3c2cb5dffd1f
> Author: Hamish Martin hamish.martin@alliedtelesis.co.nz
> Date:   Mon May 14 13:32:23 2018 +1200
>
>     uio: Prevent device destruction while fds are open
>
> Can we have this in 4.14.y? (good idea for older LTS kernels too)
>
> I picked and tested the following commits in 4.14.x:
>
> # Temporarily revert "uio: Fix an Oops on load",
> # to avoid merge conflict later with "uio: use
> # request_threaded_irq instead"
> git revert f6a6ae4e0f345aa481535bfe2046cd33f4dc37b8
>
> # "uio: Reduce return paths from uio_write()"
> git cherry-pick 81daa406c2cc97d85eef9409400404efc2a3f756
>
> # "uio: Prevent device destruction while fds are open"
> # Also amend this, change __poll_t to plain unsigned int,
> # the former not found in 4.14.
> git cherry-pick a93e7b331568227500186a465fee3c2cb5dffd1f
> sed -i "s/__poll_t/unsigned int/" drivers/uio/uio.c
> git commit --amend drivers/uio/uio.c
>
> # "uio: use request_threaded_irq instead"
> git cherry-pick 9421e45f5ff3d558cf8b75a8cc0824530caf3453
>
> # "uio: change to use the mutex lock instead of the spin lock"
> # Resolve conflict due to __poll_t in patch context.
> git cherry-pick 543af5861f41af0a5d2432f6fb5976af50f9cee5
> sed -i -e '/<<<<<<</,/=======/d' -e '/>>>>>>>/d' \
>     -e 's/__poll_t/unsigned int/' drivers/uio/uio.c
> git add drivers/uio/uio.c
> git cherry-pick --continue
>
> # uio: fix crash after the device is unregistered
> git cherry-pick 57c5f4df0a5a0ee83df799991251e2ee93a5e4e9
>
> # uio: fix wrong return value from uio_mmap()
> git cherry-pick e7de2590f18a272e63732b9d519250d1b522b2c4
>
> # uio: fix possible circular locking dependency
> git cherry-pick b34e9a15b37b8ddbf06a4da142b0c39c74211eb4
>
> # Revert "uio: use request_threaded_irq instead"
> git cherry-pick 3d27c4de8d4fb2d4099ff324671792aa2578c6f9
>
> # re-apply: uio: Fix an Oops on load
> git cherry-pick 432798195bbce1f8cd33d1c0284d0538835e25fb
That's a lot of work for me here, can you just send the patches properly backported as a series so that I can apply them that way to ensure that I got this all correct?
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org