Re: [PATCH] fsi:fsi-sbefifo: Fix possible concurrency use-after-free bugs in sbefifo_user_release

[Benjamin Herrenschmidt]

On Thu, 2019-01-03 at 14:27 +1100, Benjamin Herrenschmidt wrote:
> On Wed, 2019-01-02 at 09:34 +0000, David Howells wrote:
> > Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:
> > 
> > > +	mutex_lock(&user->file_lock);
> > >  	sbefifo_release_command(user);
> > >  	free_page((unsigned long)user->cmd_page);
> > > +	mutex_unlock(&user->file_lock);
> > 
> > It shouldn't be necessary to do the free_page() call inside the locked
> > section.
> 
> True. However, I didn't realize read/write could be concurrent with
> release so we have another problem.
> 
> I assume when release is called, no new read/write can be issued, I am
> correct ? So all we have to protect against is a read/write that has
> started prior to release being called, right ?

Hrm... looking briefly at the vfs, read/write are wrapped in
fdget/fdput, so release shouldn't happen concurrently or am I missing
something here ?

Cheers,
Ben.