All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
@ 2023-09-25  9:17 Jia-Ju Bai
  2023-09-25  9:38 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Jia-Ju Bai @ 2023-09-25  9:17 UTC (permalink / raw)
  To: hminas, gregkh; +Cc: linux-usb, linux-kernel, Jia-Ju Bai

In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without 
holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():

    spin_lock_irqsave(&hsotg->lock, flags);
    ...
	if (!urb->hcpriv) {
		dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n");
		goto out;
	}
    rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
    ...
out:
    spin_unlock_irqrestore(&hsotg->lock, flags);

When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are 
concurrently executed, the NULL check of "urb->hcpriv" can be executed
before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used 
in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL 
pointer dereference. 

To fix this possible bug, "urb->hcpriv = NULL" should be executed with
holding the lock "hsotg->lock".

Signed-off-by: Jia-Ju Bai <baijiaju@buaa.edu.cn>
---
 drivers/usb/dwc2/hcd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 657f1f659ffa..35c7a4df8e71 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4769,8 +4769,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
 	if (qh_allocated && qh->channel && qh->channel->qh == qh)
 		qh->channel->qh = NULL;
 fail2:
-	spin_unlock_irqrestore(&hsotg->lock, flags);
 	urb->hcpriv = NULL;
+	spin_unlock_irqrestore(&hsotg->lock, flags);
 	kfree(qtd);
 fail1:
 	if (qh_allocated) {
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
  2023-09-25  9:17 [PATCH] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency Jia-Ju Bai
@ 2023-09-25  9:38 ` Greg KH
  2023-09-25 10:11   ` Jia-Ju Bai
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2023-09-25  9:38 UTC (permalink / raw)
  To: Jia-Ju Bai; +Cc: hminas, linux-usb, linux-kernel

On Mon, Sep 25, 2023 at 05:17:41PM +0800, Jia-Ju Bai wrote:
> In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without 
> holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():
> 
>     spin_lock_irqsave(&hsotg->lock, flags);
>     ...
> 	if (!urb->hcpriv) {
> 		dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n");
> 		goto out;
> 	}
>     rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
>     ...
> out:
>     spin_unlock_irqrestore(&hsotg->lock, flags);
> 
> When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are 
> concurrently executed, the NULL check of "urb->hcpriv" can be executed
> before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used 
> in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL 
> pointer dereference. 

Odd trailing spaces in your changelog text, is that intentional?

> 
> To fix this possible bug, "urb->hcpriv = NULL" should be executed with
> holding the lock "hsotg->lock".
> 
> Signed-off-by: Jia-Ju Bai <baijiaju@buaa.edu.cn>
> ---
>  drivers/usb/dwc2/hcd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
> index 657f1f659ffa..35c7a4df8e71 100644
> --- a/drivers/usb/dwc2/hcd.c
> +++ b/drivers/usb/dwc2/hcd.c
> @@ -4769,8 +4769,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
>  	if (qh_allocated && qh->channel && qh->channel->qh == qh)
>  		qh->channel->qh = NULL;
>  fail2:
> -	spin_unlock_irqrestore(&hsotg->lock, flags);
>  	urb->hcpriv = NULL;
> +	spin_unlock_irqrestore(&hsotg->lock, flags);
>  	kfree(qtd);
>  fail1:
>  	if (qh_allocated) {
> -- 
> 2.34.1
> 

What commit id does this fix?

And how did you test this to verify it works properly?

And how was it found?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
  2023-09-25  9:38 ` Greg KH
@ 2023-09-25 10:11   ` Jia-Ju Bai
  0 siblings, 0 replies; 3+ messages in thread
From: Jia-Ju Bai @ 2023-09-25 10:11 UTC (permalink / raw)
  To: Greg KH; +Cc: hminas, linux-usb, linux-kernel

Thanks for the reply :)

On 2023/9/25 17:38, Greg KH wrote:
> On Mon, Sep 25, 2023 at 05:17:41PM +0800, Jia-Ju Bai wrote:
>> In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without
>> holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():
>>
>>      spin_lock_irqsave(&hsotg->lock, flags);
>>      ...
>> 	if (!urb->hcpriv) {
>> 		dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n");
>> 		goto out;
>> 	}
>>      rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
>>      ...
>> out:
>>      spin_unlock_irqrestore(&hsotg->lock, flags);
>>
>> When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are
>> concurrently executed, the NULL check of "urb->hcpriv" can be executed
>> before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used
>> in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL
>> pointer dereference.
> Odd trailing spaces in your changelog text, is that intentional?

They are caused by the configuration of my file editor, and I changed it 
just now.

>
>> To fix this possible bug, "urb->hcpriv = NULL" should be executed with
>> holding the lock "hsotg->lock".
>>
>> Signed-off-by: Jia-Ju Bai <baijiaju@buaa.edu.cn>
>> ---
>>   drivers/usb/dwc2/hcd.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
>> index 657f1f659ffa..35c7a4df8e71 100644
>> --- a/drivers/usb/dwc2/hcd.c
>> +++ b/drivers/usb/dwc2/hcd.c
>> @@ -4769,8 +4769,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
>>   	if (qh_allocated && qh->channel && qh->channel->qh == qh)
>>   		qh->channel->qh = NULL;
>>   fail2:
>> -	spin_unlock_irqrestore(&hsotg->lock, flags);
>>   	urb->hcpriv = NULL;
>> +	spin_unlock_irqrestore(&hsotg->lock, flags);
>>   	kfree(qtd);
>>   fail1:
>>   	if (qh_allocated) {
>> -- 
>> 2.34.1
>>
> What commit id does this fix?
>
> And how did you test this to verify it works properly?
>
> And how was it found?

I sent a v2 patch to add these details and fix the mistakes about 
trailing spaces.


Thanks,
Jia-Ju Bai


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-25 10:11 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-25  9:17 [PATCH] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency Jia-Ju Bai
2023-09-25  9:38 ` Greg KH
2023-09-25 10:11   ` Jia-Ju Bai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.