* [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
@ 2023-03-16 18:09 Zheng Wang
  2023-03-16 18:18 ` Shuah Khan
  2023-03-16 23:08 ` kernel test robot
  0 siblings, 2 replies; 5+ messages in thread
From: Zheng Wang @ 2023-03-16 18:09 UTC (permalink / raw)
  To: valentina.manea.m
  Cc: gregkh, linux-usb, linux-kernel, hackerzheng666, 1395428693sheep,
	alex000young, skhan, Zheng Wang

In vudc_probe, it calls init_vudc_hw, which binds &udc->timer to v_timer.

When it calls usbip_sockfd_store, it will call v_start_timer to start the
timer work.

When we call vudc_remove to remove the driver, there may be a sequence as
follows:

Fix it by shutting down the timer work before cleanup in vudc_remove.

Note that removing a driver is a root-only operation, and should never
happen.

CPU0                  CPU1

                     |v_timer
vudc_remove          |
kfree(udc);          |
//free shost         |
                     |udc->gadget
                     |//use

This bug was found by static analysis.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- add more details about how the bug was found suggested by Shuah
---
 drivers/usb/usbip/vudc_dev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index 2bc428f2e261..33d0991755bb 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *pdev)
 {
 	struct vudc *udc = platform_get_drvdata(pdev);
 
+	timer_shutdown_sync(&udc->timer);
 	usb_del_gadget_udc(&udc->gadget);
 	cleanup_vudc_hw(udc);
 	kfree(udc);
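Review bot: this hunk does not build against the tree it targets: the kernel test robot report further down in this thread flags exactly this added line with `drivers/usb/usbip/vudc_dev.c:636:28: error: no member named 'timer' in 'struct vudc'`, so `&udc->timer` is not the address of the timer_list that the commit message describes init_vudc_hw binding to v_timer. Look up where the timer actually lives in the `struct vudc` definition and pass that address to `timer_shutdown_sync()`; stopping the timer before `usb_del_gadget_udc()` and `kfree()` is otherwise the right ordering. The commit message should also name the tool and include its output, as Shuah asks in the reply below, rather than only saying "found by static analysis".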
-- 
2.25.1


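The race the commit message draws (v_timer firing on CPU1 after vudc_remove has freed the udc on CPU0) is easiest to reason about in a deterministic model. The following C program is an added example, not code from the patch or from the kernel: the `*_model` structs and functions are assumptions that mimic the semantics of the kernel timer helpers (a pending timer fires later on another CPU; `del_timer_sync()` cancels a pending run; `timer_shutdown_sync()` cancels and additionally refuses any later re-arm), and `freed` stands in for memory that `kfree()` gave back. It goes one step beyond the commit message by also playing a late v_start_timer-style re-arm after remove, which is the case that distinguishes the two stop helpers.

```c
/* Added example, not from the patch or the kernel: a single-threaded model of
 * the vudc_remove race and of why the timer must be stopped before kfree().
 * Every *_model name is an assumption standing in for a kernel primitive. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy timer_list: pending flag, shutdown flag, callback. */
struct timer_model {
    bool pending;
    bool shutdown;
    void (*fn)(struct timer_model *t);
};

/* Stand-in for struct vudc; 'freed' models memory that kfree() returned. */
struct vudc_model {
    struct timer_model timer;
    bool freed;
    int gadget_state;   /* stands in for udc->gadget, which v_timer touches */
};

static int uaf_count;   /* callback runs that touched a freed object */

/* Models v_timer(): recover the udc from the timer and use udc->gadget. */
static void v_timer_model(struct timer_model *t)
{
    struct vudc_model *udc =
        (struct vudc_model *)((char *)t - offsetof(struct vudc_model, timer));

    if (udc->freed) {
        uaf_count++;    /* in the kernel this is the use-after-free */
        return;
    }
    udc->gadget_state++;
}

/* Models mod_timer()/add_timer(): a shut-down timer cannot be re-armed. */
static bool arm_timer_model(struct timer_model *t)
{
    if (t->shutdown)
        return false;
    t->pending = true;
    return true;
}

/* Models del_timer_sync(): cancels a pending run, allows later re-arming. */
static void del_timer_sync_model(struct timer_model *t)
{
    t->pending = false;
}

/* Models timer_shutdown_sync(): cancels and refuses any later re-arm. */
static void timer_shutdown_sync_model(struct timer_model *t)
{
    t->pending = false;
    t->shutdown = true;
}

/* The timer core on "CPU1": fire whatever is still pending. */
static void run_pending_timers_model(struct timer_model *t)
{
    if (t->pending) {
        t->pending = false;
        t->fn(t);
    }
}

enum remove_variant {
    REMOVE_UNFIXED,         /* code before the patch: no timer stop at all */
    REMOVE_DEL_TIMER_SYNC,  /* stops the timer, but a later arm still works */
    REMOVE_SHUTDOWN_SYNC    /* the patch's choice */
};

/* Plays the sequence from the commit message and returns how many callback
 * runs touched the freed object (0 means the race is closed). With
 * rearm_after_remove, a late v_start_timer-style arm is attempted after
 * vudc_remove, a case the commit message itself does not cover. */
static int simulate_remove(enum remove_variant v, bool rearm_after_remove)
{
    struct vudc_model udc;

    memset(&udc, 0, sizeof udc);
    udc.timer.fn = v_timer_model;
    uaf_count = 0;

    arm_timer_model(&udc.timer);            /* usbip_sockfd_store -> v_start_timer */

    /* CPU0: vudc_remove */
    if (v == REMOVE_DEL_TIMER_SYNC)
        del_timer_sync_model(&udc.timer);
    else if (v == REMOVE_SHUTDOWN_SYNC)
        timer_shutdown_sync_model(&udc.timer);
    udc.freed = true;                       /* kfree(udc) */

    if (rearm_after_remove)
        arm_timer_model(&udc.timer);

    run_pending_timers_model(&udc.timer);   /* CPU1: the timer fires */
    return uaf_count;
}

int main(void)
{
    printf("unfixed remove: %d use(s) after free\n", simulate_remove(REMOVE_UNFIXED, false));
    printf("del_timer_sync, no re-arm: %d\n", simulate_remove(REMOVE_DEL_TIMER_SYNC, false));
    printf("del_timer_sync, re-armed after remove: %d\n", simulate_remove(REMOVE_DEL_TIMER_SYNC, true));
    printf("timer_shutdown_sync, re-armed after remove: %d\n", simulate_remove(REMOVE_SHUTDOWN_SYNC, true));
    return 0;
}
```

The unfixed sequence reports one use after free, both stop helpers close the sequence the commit message shows, and only the shutdown variant also survives a re-arm attempt that lands after remove; that is the property a reviewer would want the commit message to state when it justifies `timer_shutdown_sync()` over `del_timer_sync()`.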

* Re: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2023-03-16 18:09 [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Zheng Wang
@ 2023-03-16 18:18 ` Shuah Khan
       [not found]   ` <CAJedcCyb_XP=X=2XzjKJ-ay=mzPdEJEdRsAcU2KbeaQPjLaW3g@mail.gmail.com>
  2023-03-16 23:08 ` kernel test robot
  1 sibling, 1 reply; 5+ messages in thread
From: Shuah Khan @ 2023-03-16 18:18 UTC (permalink / raw)
  To: Zheng Wang, valentina.manea.m
  Cc: gregkh, linux-usb, linux-kernel, hackerzheng666, 1395428693sheep,
	alex000young, Shuah Khan

On 3/16/23 12:09, Zheng Wang wrote:
> In vudc_probe, it calls init_vudc_hw, which binds &udc->timer to v_timer.
> 
> When it calls usbip_sockfd_store, it will call v_start_timer to start the
> timer work.
> 
> When we call vudc_remove to remove the driver, there may be a sequence as
> follows:
> 
> Fix it by shutting down the timer work before cleanup in vudc_remove.
> 
> Note that removing a driver is a root-only operation, and should never
> happen.
> 
> CPU0                  CPU1
> 
>                       |v_timer
> vudc_remove          |
> kfree(udc);          |
> //free shost         |
>                       |udc->gadget
>                       |//use
> 
> This bug was found by static analysis.

Tell me which static analysis tool did you use to find this and
the output from the tool.

> 
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v2:
> - add more details about how the bug was found suggested by Shuah
> ---
>   drivers/usb/usbip/vudc_dev.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
> index 2bc428f2e261..33d0991755bb 100644
> --- a/drivers/usb/usbip/vudc_dev.c
> +++ b/drivers/usb/usbip/vudc_dev.c
> @@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *pdev)
>   {
>   	struct vudc *udc = platform_get_drvdata(pdev);
>   
> +	timer_shutdown_sync(&udc->timer);
>   	usb_del_gadget_udc(&udc->gadget);
>   	cleanup_vudc_hw(udc);
>   	kfree(udc);

thanks,
-- Shuah


* Re: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
       [not found]   ` <CAJedcCyb_XP=X=2XzjKJ-ay=mzPdEJEdRsAcU2KbeaQPjLaW3g@mail.gmail.com>
@ 2023-03-16 19:09     ` gregkh
  2023-03-17  3:59       ` Zheng Hacker
  0 siblings, 1 reply; 5+ messages in thread
From: gregkh @ 2023-03-16 19:09 UTC (permalink / raw)
  To: Zheng Hacker
  Cc: Shuah Khan, Zheng Wang, valentina.manea.m, linux-usb,
	linux-kernel, 1395428693sheep, alex000young

On Fri, Mar 17, 2023 at 02:27:05AM +0800, Zheng Hacker wrote:
> On Friday, March 17, 2023, Shuah Khan <skhan@linuxfoundation.org> wrote:
> 
> > On 3/16/23 12:09, Zheng Wang wrote:
> >
> >> In vudc_probe, it calls init_vudc_hw, which binds &udc->timer to
> >> v_timer.
> >>
> >> When it calls usbip_sockfd_store, it will call v_start_timer to start the
> >> timer work.
> >>
> >> When we call vudc_remove to remove the driver, there may be a sequence as
> >> follows:
> >>
> >> Fix it by shutting down the timer work before cleanup in vudc_remove.
> >>
> >> Note that removing a driver is a root-only operation, and should never
> >> happen.
> >>
> >> CPU0                  CPU1
> >>
> >>                       |v_timer
> >> vudc_remove          |
> >> kfree(udc);          |
> >> //free shost         |
> >>                       |udc->gadget
> >>                       |//use
> >>
> >> This bug was found by static analysis.
> >>
> >
> > Tell me which static analysis tool did you use to find this and
> > the output from the tool.
> 
> 
> This is found by CodeQL, the rule is complicated. It finally found
> there is no timer stop behavior in the remove function.

When using tools like this, you are required to follow the rules in
Documentation/process/researcher-guidelines.rst

Please do so here.

thanks,

greg k-h


* Re: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2023-03-16 18:09 [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Zheng Wang
  2023-03-16 18:18 ` Shuah Khan
@ 2023-03-16 23:08 ` kernel test robot
  1 sibling, 0 replies; 5+ messages in thread
From: kernel test robot @ 2023-03-16 23:08 UTC (permalink / raw)
  To: Zheng Wang, valentina.manea.m
  Cc: llvm, oe-kbuild-all, gregkh, linux-usb, linux-kernel,
	hackerzheng666, 1395428693sheep, alex000young, skhan, Zheng Wang

Hi Zheng,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on usb/usb-testing]
[also build test ERROR on usb/usb-next usb/usb-linus linus/master v6.3-rc2 next-20230316]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Zheng-Wang/usbip-vudc-Fix-use-after-free-bug-in-vudc_remove-due-to-race-condition/20230317-021228
base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
patch link:    https://lore.kernel.org/r/20230316180940.1601515-1-zyytlz.wz%40163.com
patch subject: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
config: i386-randconfig-a015-20230313 (https://download.01.org/0day-ci/archive/20230317/202303170604.MoMGMPvW-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/46cc0947344ed93f7f1f4639209c5c6cce16fad3
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Zheng-Wang/usbip-vudc-Fix-use-after-free-bug-in-vudc_remove-due-to-race-condition/20230317-021228
        git checkout 46cc0947344ed93f7f1f4639209c5c6cce16fad3
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash drivers/usb/usbip/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303170604.MoMGMPvW-lkp@intel.com/

All errors (new ones prefixed by >>):

>> drivers/usb/usbip/vudc_dev.c:636:28: error: no member named 'timer' in 'struct vudc'
           timer_shutdown_sync(&udc->timer);
                                ~~~  ^
   1 error generated.


vim +636 drivers/usb/usbip/vudc_dev.c

   631	
   632	int vudc_remove(struct platform_device *pdev)
   633	{
   634		struct vudc *udc = platform_get_drvdata(pdev);
   635	
 > 636		timer_shutdown_sync(&udc->timer);

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests


* Re: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2023-03-16 19:09     ` gregkh
@ 2023-03-17  3:59       ` Zheng Hacker
  0 siblings, 0 replies; 5+ messages in thread
From: Zheng Hacker @ 2023-03-17  3:59 UTC (permalink / raw)
  To: gregkh
  Cc: Shuah Khan, Zheng Wang, valentina.manea.m, linux-usb,
	linux-kernel, 1395428693sheep, alex000young

On Fri, Mar 17, 2023 at 03:09, gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Mar 17, 2023 at 02:27:05AM +0800, Zheng Hacker wrote:
> > On Friday, March 17, 2023, Shuah Khan <skhan@linuxfoundation.org> wrote:
> >
> > > On 3/16/23 12:09, Zheng Wang wrote:
> > >
> > >> In vudc_probe, it calls init_vudc_hw, which binds &udc->timer to
> > >> v_timer.
> > >>
> > >> When it calls usbip_sockfd_store, it will call v_start_timer to start the
> > >> timer work.
> > >>
> > >> When we call vudc_remove to remove the driver, there may be a sequence as
> > >> follows:
> > >>
> > >> Fix it by shutting down the timer work before cleanup in vudc_remove.
> > >>
> > >> Note that removing a driver is a root-only operation, and should never
> > >> happen.
> > >>
> > >> CPU0                  CPU1
> > >>
> > >>                       |v_timer
> > >> vudc_remove          |
> > >> kfree(udc);          |
> > >> //free shost         |
> > >>                       |udc->gadget
> > >>                       |//use
> > >>
> > >> This bug was found by static analysis.
> > >>
> > >
> > > Tell me which static analysis tool did you use to find this and
> > > the output from the tool.
> >
> >
> > This is found by CodeQL, the rule is complicated. It finally found
> > there is no timer stop behavior in the remove function.
>
> When using tools like this, you are required to follow the rules in
> Documentation/process/researcher-guidelines.rst
>
> Please do so here.
>

Thanks for your assistance. I'll read it carefully and keep that in mind.
And I'll append more information in the next version of patch.

Best regards,
Zheng

> thanks,
>
> greg k-h

