[PATCH v3] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: Hyunwoo Kim --- drivers/video/fbdev/smscufx.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c index d7aa5511c361

Re: [PATCH v2] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

out of the lock. I will submit a v3 patch. Best Regards, Hyunwoo Kim.

Re: [PATCH] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

On Sun, Sep 25, 2022 at 01:57:46PM +0200, Helge Deller wrote: > On 9/25/22 13:03, Hyunwoo Kim wrote: > > A race condition may occur if the user physically removes the > > USB device while calling open() for this device node. > > > > This is a race condition between the

[PATCH v2] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: Hyunwoo Kim --- drivers/video/fbdev/smscufx.c | 18 -- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c index d7aa5511c361

[PATCH] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: Hyunwoo Kim --- drivers/video/fbdev/smscufx.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c index d7aa5511c361..a4378a7241f7 100644 --- a

Re: [PATCH v3] video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

Thank you for your review. Best Regards, Hyunwoo Kim.

Re: Question about patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"

ario I first suggested, but not the one you suggested. Any good ideas for this? Could it be solved by adding a global flag variable indicating disconnected? Regards, Hyunwoo Kim.

[PATCH] video: fbdev: smscufx: Fixed several use-after-free bugs

Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. Signed-off-by: Hyunwoo Kim Link: https://lore.kernel.org

Re: Question about patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"

Dear, An additional patch has been submitted for the disconnect->open race condition you reported: https://lore.kernel.org/linux-fbdev/20221020200113.GA320044@ubuntu/T/#u Thanks for reporting. Regards, Hyunwoo Kim.

[PATCH v2] video: fbdev: smscufx: Fixed several use-after-free bugs

Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. Signed-off-by: Hyunwoo Kim Link: https://lore.kernel.org