From: James Kim
To: linux-kernel@vger.kernel.org
Cc: mporter@kernel.crashing.org, alex.bou9@gmail.com, stable@vger.kernel.org, gregkh@linuxfoundation.org, James Kim
Subject: [PATCH] rapidio: mport_cdev: fix sequential UAF in dma_req_free()
Date: Mon, 6 Apr 2026 10:49:59 +0900
Message-Id: <20260406014959.186669-1-james010kim@gmail.com>

dma_req_free() drops the mapping reference under buf_mutex and then
dereferences req->map again to unlock the mutex. If kref_put() drops the
last reference, mport_release_mapping() frees the mapping, and the
subsequent mutex_unlock() dereferences a freed object.

This is a sequential (non-racy) use-after-free.

Fix this by caching map and md before kref_put() and using the cached md
for mutex unlocking.

Fixes: 4b0986a36 ("rapidio: add mport character device support")
Cc: stable@vger.kernel.org
Signed-off-by: James Kim
---
 drivers/rapidio/devices/rio_mport_cdev.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Resending this patch as it might have been missed due to the merge window.
No changes since the previous submission.

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/dev= ices/rio_mport_cdev.c index 7df466e22282..5fb6ec439028 100644 --- a/drivers/rapidio/devices/rio_mport_cdev.c +++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -582,9 +582,14 @@ static void dma_req_free(struct kref *ref) } =20 if (req->map) { - mutex_lock(&req->map->md->buf_mutex); - kref_put(&req->map->ref, mport_release_mapping); - mutex_unlock(&req->map->md->buf_mutex); + struct rio_mport_mapping *map =3D req->map; + struct mport_dev *md =3D map->md; + + mutex_lock(&md->buf_mutex); + kref_put(&map->ref, mport_release_mapping); + mutex_unlock(&md->buf_mutex); + + req->map =3D NULL; } =20 kref_put(&priv->dma_ref, mport_release_dma); --=20 2.25.1
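
Review bot: The `mutex_unlock(&md->buf_mutex)` that follows `kref_put(&map->ref, mport_release_mapping)` is only safe if `md` is guaranteed to outlive the mapping, and neither the hunk nor the commit message says what keeps `md` alive at this point. Please state that guarantee in the commit message or in a short comment above the two cached locals, so the change is not read as moving the stale dereference from `req->map` to `md`. The added `req->map = NULL;` is also not covered by the commit message: if `req` is freed later in this release callback the store has no reader and can be dropped, otherwise name the later path that depends on it. Separately, the `Fixes:` tag carries a 9-character hash; the usual form is at least 12 characters of the SHA-1.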