From: James Kim
To: linux-kernel@vger.kernel.org
Cc: mporter@kernel.crashing.org, alex.bou9@gmail.com, stable@vger.kernel.org, gregkh@linuxfoundation.org, James Kim
Subject: [PATCH] rapidio: mport_cdev: fix sequential UAF in dma_req_free()
Date: Fri, 20 Feb 2026 13:08:22 +0900
Message-Id: <20260220040821.3511683-1-james010kim@gmail.com>

Hi,

Resending this patch to the proper list(s). No changes since the original
submission.

dma_req_free() drops the mapping reference under buf_mutex and then
dereferences req->map again to unlock the mutex. If kref_put() drops the
last reference, mport_release_mapping() frees the mapping, and the
subsequent mutex_unlock() dereferences a freed object. This is a
sequential (non-racy) use-after-free.

Fix this by caching map and md before kref_put() and using the cached md
for mutex unlocking.

Fixes: 4b0986a36 ("rapidio: add mport character device support")
Cc: stable@vger.kernel.org
Signed-off-by: James Kim

--- drivers/rapidio/devices/rio_mport_cdev.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/dev= ices/rio_mport_cdev.c index 7df466e22282..5fb6ec439028 100644 --- a/drivers/rapidio/devices/rio_mport_cdev.c +++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -582,9 +582,14 @@ static void dma_req_free(struct kref *ref) } =20 if (req->map) { - mutex_lock(&req->map->md->buf_mutex); - kref_put(&req->map->ref, mport_release_mapping); - mutex_unlock(&req->map->md->buf_mutex); + struct rio_mport_mapping *map =3D req->map; + struct mport_dev *md =3D map->md; + + mutex_lock(&md->buf_mutex); + kref_put(&map->ref, mport_release_mapping); + mutex_unlock(&md->buf_mutex); + + req->map =3D NULL; } =20 kref_put(&priv->dma_ref, mport_release_dma); --=20 2.25.1
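
Review bot: mutex_unlock(&md->buf_mutex) after kref_put(&map->ref, mport_release_mapping) is only safe if md outlives the mapping, and neither the hunk nor the commit message says what keeps md alive once the last map reference is gone. Please state that guarantee in the changelog, or take a reference on md around this block if there is none, because without it the cached pointer only moves the dangling access from map to md. The added req->map = NULL is not covered by the changelog either: dma_req_free() takes a struct kref *ref and so looks like the release callback for req, so say which later reader depends on the store or drop it. Separately, the Fixes: tag carries a 9-character hash where the kernel convention is at least 12, and the "Hi, Resending ..." note belongs below the --- line so it stays out of the commit log.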