linux/drivers
Lars-Peter Clausen 953b956a2e gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak
When allocating a new line handle or event, a file is allocated that it is
associated with. The file is attached to a file descriptor of the current
process and the file descriptor is returned to userspace using
copy_to_user(). If this copy operation fails the line handle or event
allocation is aborted, all acquired resources are freed and an error is
returned.

But the file struct is not freed and is left attached to the userspace
application, and even though the file descriptor number was not copied it is
trivial to guess. If a userspace application performs an IOCTL on such a
left-over file descriptor it will trigger a use-after-free, and if the file
descriptor is closed (at the latest when the application exits) a double-free is
triggered.

anon_inode_getfd() performs three tasks: it allocates a file struct, allocates a
file descriptor for the current process and installs the file struct in the
file descriptor. As soon as the file struct is installed in the file
descriptor it is accessible by userspace (even if the IOCTL itself hasn't
completed yet), which means uninstalling the fd on the error path is not an
option, since userspace might already have got a reference to the file.

Instead, anon_inode_getfd() needs to be broken into its individual steps.
The allocation of the file struct and file descriptor is done first, then
the copy_to_user() is executed, and only if it succeeds is the file
installed.

Since the file struct is reference counted it cannot just be freed; instead
its reference needs to be dropped, which will also call the release()
callback, which will free the state attached to the file. So in this case
the normal error cleanup path should not be taken.

Cc: stable@vger.kernel.org
Fixes: d932cd4918 ("gpio: free handles in fringe cases")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2016-10-31 21:23:44 +01:00
accessibility
acpi Merge branches 'acpica-fixes', 'acpi-pci-fixes' and 'acpi-apei-fixes' 2016-10-29 01:58:03 +02:00
amba
android ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct 2016-10-24 19:37:48 +02:00
ata ahci: fix the single MSI-X case in ahci_init_one 2016-10-25 11:43:07 -04:00
atm
auxdisplay auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays 2016-10-06 17:03:41 +02:00
base driver core: Make Kconfig text for DEBUG_TEST_DRIVER_REMOVE stronger 2016-10-27 17:47:12 +02:00
bcma
block block: DAC960: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
bluetooth Bluetooth: btusb: Fix atheros firmware download error 2016-10-07 09:46:56 +02:00
bus bus: qcom-ebi2: depend on ARCH_QCOM or COMPILE_TEST 2016-10-17 13:46:09 -07:00
cdrom
char Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-10-24 21:34:13 -07:00
clk clk: at91: Fix a return value in case of error 2016-10-20 16:37:56 -07:00
clocksource Revert "clocksource/drivers/timer_sun5i: Replace code by clocksource_mmio_init" 2016-10-20 21:58:58 +02:00
connector
cpufreq Merge branches 'pm-cpufreq-fixes' and 'pm-sleep-fixes' 2016-10-29 01:29:17 +02:00
cpuidle Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-10-15 09:26:12 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-10-10 14:04:16 -07:00
dax device-dax: fix percpu_ref_exit ordering 2016-10-27 17:04:05 -07:00
dca
devfreq PM / devfreq: Skip status update on uninitialized previous_freq 2016-10-11 00:01:20 +02:00
dio
dma dmaengine updates for 4.8-rc1 2016-10-06 17:13:54 -07:00
dma-buf Merge tag 'drm-for-v4.9' of git://people.freedesktop.org/~airlied/linux 2016-10-11 18:12:22 -07:00
edac * Altera Arria10 enablement of NAND, DMA, USB, QSPI and SD-MMC FIFO 2016-10-04 12:06:26 -07:00
eisa
extcon extcon: qcom-spmi-misc: Sync the extcon state on interrupt 2016-10-26 16:04:29 +09:00
firewire firewire: nosy: do not ignore errors in ioremap_nocache() 2016-10-09 11:38:11 +02:00
firmware efi/arm: Fix absolute relocation detection for older toolchains 2016-10-19 14:49:44 +02:00
fmc
fpga
gpio gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak 2016-10-31 21:23:44 +01:00
gpu drm/drivers: add support for using the arch wc mapping API. 2016-10-26 16:48:01 +10:00
hid HID: add quirk for Akai MIDImix. 2016-10-10 10:58:22 +02:00
hsi
hv hv: do not lose pending heartbeat vmbus packets 2016-10-25 08:52:10 +02:00
hwmon hwmon: (max31790) potential ERR_PTR dereference 2016-10-17 10:16:20 -07:00
hwspinlock
hwtracing
i2c i2c: imx: defer probe if bus recovery GPIOs are not ready 2016-10-25 12:15:00 +02:00
ide
idle nmi_backtrace: generate one-line reports for idle cpus 2016-10-07 18:46:30 -07:00
iio First set of IIO fixes for the 4.9 cycle. 2016-10-24 10:50:13 +02:00
infiniband Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-10-14 13:19:30 -07:00
iommu IOMMU Updates for Linux v4.9 2016-10-11 12:52:41 -07:00
ipack ipack: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
irqchip GIC updates for Linux 4.9-rc2 2016-10-21 21:40:29 +02:00
isdn
leds
lguest
lightnvm Merge branch 'for-4.9/block' of git://git.kernel.dk/linux-block 2016-10-07 14:42:05 -07:00
macintosh
mailbox Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2016-10-06 17:36:53 -07:00
mcb mcb: Add a dma_device to mcb_device 2016-09-27 12:33:47 +02:00
md - A couple DM raid and DM mirror fixes 2016-10-28 09:27:58 -07:00
media Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
memory ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-17 15:43:05 +02:00
message
mfd - Core Frameworks 2016-10-07 08:35:35 -07:00
misc Char/Misc driver fixes for 4.9-rc3 2016-10-29 11:19:02 -07:00
mmc mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led 2016-10-17 15:43:03 +02:00
mtd ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap() 2016-10-28 14:48:18 +02:00
net Merge of the qedr RoCE driver 2016-10-14 13:43:08 -07:00
nfc
ntb
nubus
nvdimm nvdimm: make CONFIG_NVDIMM_DAX 'bool' 2016-10-27 16:16:21 -07:00
nvme Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2016-10-21 10:54:01 -07:00
nvmem ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
of Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-10-15 09:26:12 -07:00
oprofile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
parisc
parport
pci doc: Add missing parameter for msi_setup 2016-10-26 12:05:34 +02:00
pcmcia
perf perf: xgene: Remove bogus IS_ERR() check 2016-10-17 15:50:07 +01:00
phy
pinctrl pinctrl: intel: Only restore pins that are used by the driver 2016-10-18 14:38:16 +02:00
platform platform-drivers-x86 for 4.9-2 2016-10-19 11:45:06 -07:00
pnp
power power supply and reset changes for the v4.9 series 2016-10-06 18:21:15 -07:00
powercap
pps pps: kc: fix non-tickless system config dependency 2016-10-11 15:06:32 -07:00
ps3
ptp drivers/ptp: Fix kernel memory disclosure 2016-10-13 10:20:06 -04:00
pwm
rapidio mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
ras
regulator Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-10-12 11:05:23 -07:00
remoteproc rpmsg updates for v4.9 2016-10-06 17:03:49 -07:00
reset reset: uniphier: rename MIO reset to SD reset for Pro5, PXs2, LD20 SoCs 2016-10-22 18:31:42 +09:00
rpmsg
rtc RTC for 4.9 2016-10-14 13:13:44 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-10-27 14:16:30 -07:00
sbus
scsi SCSI fixes on 20161027 2016-10-27 10:08:58 -07:00
sfi
sh
sn
soc powerpc updates for 4.9 #2 2016-10-14 11:07:42 -07:00
spi kthread: kthread worker API cleanup 2016-10-11 15:06:33 -07:00
spmi spmi: pmic-arb: Return an error code if sanity check fails 2016-09-27 12:43:34 +02:00
ssb
staging Staging/IIO driver fixes for 4.9-rc3 2016-10-29 10:20:59 -07:00
target target/tcm_fc: use CPU affinity for responses 2016-10-21 01:19:44 -07:00
tc
thermal thermal/powerclamp: correct cpu support check 2016-10-20 14:15:44 +08:00
thunderbolt
tty tty: serial_core: fix NULL struct tty pointer access in uart_write_wakeup 2016-10-28 08:13:07 -04:00
uio
usb usb: chipidea: host: fix NULL ptr dereference during shutdown 2016-10-25 16:14:32 +08:00
uwb
vfio vfio_pci: use pci_alloc_irq_vectors 2016-09-29 13:36:38 -06:00
vhost
video Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
virt mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
virtio
vlynq
vme vme: vme_get_size potentially returning incorrect value on failure 2016-10-28 08:25:18 -04:00
w1
watchdog Merge branches 'acpi-wdat' and 'acpi-cppc' 2016-10-21 22:24:23 +02:00
xen xen: fixes for 4.9-rc2 2016-10-24 19:52:24 -07:00
zorro
Kconfig
Makefile A small bug fix and a new driver for acting as an IPMI device. 2016-10-23 15:56:23 -07:00