From: Jann Horn
Date: Wed, 23 Sep 2020 00:03:32 +0200
Subject: mmap locking in atomisp staging driver looks bogus
To: Mauro Carvalho Chehab, Sakari Ailus
Cc: Linux Media Mailing List, kernel list, Linux-MM

I noticed this code in alloc_user_pages() in
drivers/staging/media/atomisp/pci/hmm/hmm_bo.c:

/*
 * Convert user space virtual address into pages list
 */
static int alloc_user_pages(struct hmm_buffer_object *bo,
			    const void __user *userptr, bool cached)
{
	int page_nr;
	int i;
	struct vm_area_struct *vma;
	struct page **pages;

	pages = [...]
	[...]
	mmap_read_lock(current->mm);
	vma = find_vma(current->mm, (unsigned long)userptr);
	mmap_read_unlock(current->mm);
	if (!vma) {
		[...]
		return -EFAULT;
	}
	[...]
	/*
	 * Handle frame buffer allocated in other kerenl space driver
	 * and map to user space
	 */
	[...]
	if (vma->vm_flags & (VM_IO | VM_PFNMAP)) {
		page_nr = pin_user_pages((unsigned long)userptr, bo->pgnr,
					 FOLL_LONGTERM | FOLL_WRITE,
					 pages, NULL);
		bo->mem_type = HMM_BO_MEM_TYPE_PFN;
	} else {
		/*Handle frame buffer allocated in user space*/
		[...]
		page_nr = get_user_pages_fast((unsigned long)userptr,
					      (int)(bo->pgnr), 1, pages);
		[...]
	}
	[...]
}

This code looks extremely dodgy to me. After mmap_read_unlock(current->mm),
the vma can be freed, and the following access to vma->vm_flags can be a
use-after-free. Also, pin_user_pages() must be called with the mmap lock
held, and you're calling it without holding that lock.
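Editor's added illustration of the two problems the mail raises (the vma pointer outliving mmap_read_unlock(), and pin_user_pages() being called without the lock). This is not part of Jann's mail, not the atomisp driver, and not the fix that went upstream. It is a constructed user-space model: mm_struct, vm_area_struct, find_vma(), the mmap_*_lock() helpers and pin_user_pages() are same-shaped stand-ins, the mmap lock is a pair of counters (the model is single-threaded), a racing munmap() is a hook invoked at the point where a thread switch could occur, and a "freed" vma is poisoned instead of free()d so the stale read stays observable without undefined behaviour. The VM_IO/VM_PFNMAP bit values are the ones from include/linux/mm.h; VMA_POISON, racer_t, scenario() and the 0x1000..0x3000 vma are the example's own assumptions.

```c
/* Constructed model of the locking pattern in the mail above: NOT kernel code and
 * NOT the driver's fix. The types and functions below are same-shaped stand-ins so
 * the ordering problem can be exercised deterministically in one thread. */
#include <stdbool.h>
#include <stdlib.h>

#define VM_PFNMAP  0x00000400UL   /* bit values as in include/linux/mm.h */
#define VM_IO      0x00004000UL
#define VMA_POISON 0x6b6b6b6bUL   /* stands in for slab poisoning of freed memory */
enum { EFAULT = 14, EINVAL = 22 };

struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags; struct vm_area_struct *vm_next; bool freed; };
struct mm_struct { int readers, writers; struct vm_area_struct *mmap; };   /* counters model mmap_lock */
struct outcome { long ret; bool touched_freed; };
typedef void (*racer_t)(struct mm_struct *, unsigned long);

/* Single-threaded lock model: a real writer would sleep behind readers; here that
 * would be a deadlock, so it aborts instead. */
static void mmap_read_lock(struct mm_struct *mm)    { if (mm->writers) abort(); mm->readers++; }
static void mmap_read_unlock(struct mm_struct *mm)  { mm->readers--; }
static void mmap_write_lock(struct mm_struct *mm)   { if (mm->readers || mm->writers) abort(); mm->writers++; }
static void mmap_write_unlock(struct mm_struct *mm) { mm->writers--; }

/* Kernel semantics: first vma whose end lies above addr. Caller holds mmap_lock. */
static struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
{
	for (struct vm_area_struct *v = mm->mmap; v; v = v->vm_next)
		if (addr < v->vm_end) return v;
	return NULL;
}

/* Stand-in for a concurrent munmap(): unlink under the write lock, then "free". */
static void munmap_vma(struct mm_struct *mm, unsigned long addr)
{
	struct vm_area_struct **pp = &mm->mmap;
	mmap_write_lock(mm);
	while (*pp && !(addr >= (*pp)->vm_start && addr < (*pp)->vm_end))
		pp = &(*pp)->vm_next;
	if (*pp) {
		struct vm_area_struct *v = *pp;
		*pp = v->vm_next;
		v->freed = true; v->vm_flags = VMA_POISON;   /* what a real use-after-free reads back */
	}
	mmap_write_unlock(mm);
}

/* Stand-in for pin_user_pages(): the mail's point is that mmap_lock must be held. */
static long pin_user_pages(struct mm_struct *mm, unsigned long addr, unsigned long nr)
{
	if (!mm->readers && !mm->writers) return -EINVAL;   /* model: fail loudly instead of racing */
	return find_vma(mm, addr) ? (long)nr : -EFAULT;
}

/* Ordering as in the mail: vma dereferenced after unlock, pin without the lock. */
static struct outcome buggy_alloc_user_pages(struct mm_struct *mm, unsigned long addr,
					     unsigned long nr, racer_t racer)
{
	struct outcome o = { -EFAULT, false };
	mmap_read_lock(mm);
	struct vm_area_struct *vma = find_vma(mm, addr);
	mmap_read_unlock(mm);
	if (!vma)
		return o;
	if (racer)
		racer(mm, addr);              /* nothing pins vma now; munmap can free it */
	o.touched_freed = vma->freed;         /* in the kernel this deref is the use-after-free */
	if (vma->vm_flags & (VM_IO | VM_PFNMAP))
		o.ret = pin_user_pages(mm, addr, nr);   /* lock not held */
	else
		o.ret = (long)nr;             /* get_user_pages_fast() is lockless; modelled as success */
	return o;
}

/* Hold mmap_lock across every use of vma and across pin_user_pages(); drop it only
 * before the lockless gup_fast path. No vma pointer is used after the unlock. */
static struct outcome fixed_alloc_user_pages(struct mm_struct *mm, unsigned long addr,
					     unsigned long nr, racer_t racer)
{
	struct outcome o = { -EFAULT, false };
	mmap_read_lock(mm);
	struct vm_area_struct *vma = find_vma(mm, addr);
	if (vma && (vma->vm_flags & (VM_IO | VM_PFNMAP))) {
		o.ret = pin_user_pages(mm, addr, nr);   /* still under the lock */
		mmap_read_unlock(mm);
	} else {
		mmap_read_unlock(mm);         /* vma is not dereferenced past this point */
		if (vma)
			o.ret = (long)nr;     /* get_user_pages_fast() path, taken outside the lock */
	}
	if (racer)
		racer(mm, addr);              /* munmap cannot interleave between lookup and use */
	return o;
}

/* Fresh mm with one vma [0x1000, 0x3000) carrying vma_flags; run one version on 0x2000. */
static struct outcome scenario(bool fixed, unsigned long vma_flags, bool race)
{
	struct mm_struct *mm = calloc(1, sizeof *mm);
	struct vm_area_struct *vma = calloc(1, sizeof *vma);
	if (!mm || !vma) abort();
	vma->vm_start = 0x1000; vma->vm_end = 0x3000; vma->vm_flags = vma_flags;
	mm->mmap = vma;
	return (fixed ? fixed_alloc_user_pages : buggy_alloc_user_pages)(mm, 0x2000, 2, race ? munmap_vma : NULL);
}
```

Two things fall out of running the model. The pin-without-lock problem shows up even with no racer at all: buggy_alloc_user_pages() on a VM_PFNMAP mapping returns -EINVAL because pin_user_pages() sees the lock unheld. With the racer, the stale read does more than crash: a plain anonymous mapping (vm_flags 0) is reclassified as PFN memory because the poisoned vm_flags happen to have VM_IO set, so the wrong pinning path is chosen for memory that no longer exists. The fixed ordering returns the page count in every case and never observes a freed vma, because the only window in which munmap can run is after the pin has completed.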