From: Hans de Goede <hdegoede@redhat.com>
To: "Schmid, Carsten" <Carsten_Schmid@mentor.com>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>
Subject: Re: AW: [PATCH] usb: xhci-pci: reorder removal to avoid use-after-free
Date: Wed, 14 Aug 2019 15:36:16 +0200 [thread overview]
Message-ID: <662c2014-f52c-a4a7-cbf0-78d43c3a4f22@redhat.com> (raw)
In-Reply-To: <29aadcf136bb4d5285afb4fc5b500b49@SVR-IES-MBX-03.mgc.mentorg.com>
Hi,
On 14-08-19 15:32, Schmid, Carsten wrote:
>>> On driver removal, the platform_device_unregister call
>>> attached through devm_add_action_or_reset was executed
>>> after usb_hcd_pci_remove.
>>> This lead to a use-after-free for the iomem resorce of
>>> the xhci-ext-caps driver in the platform removal
>>> because the parent of the resource was freed earlier.
>>>
>>> Fix this by reordering of the removal sequence.
>>>
>>> Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
>>
>> Assuming this has been tested, overal this looks good to me.
>
> Tested on 4.14.129, ported to v5.2.7, compiled there.
>
>>
>> But there are 2 things to fix:
>>
>> 1) Maybe pick a more descriptive struct member name then pdev.
>> pdev with pci-devices often points to a pci_device ...
>> How about: role_switch_pdev ?
>
> Ok, good point. Had platform dev pdev in mind ...
>
>>
>> 2) xhci_ext_cap_init() is not the last call which can fail in
>> xhci_pci_probe(), since you now no longer use
>> devm_add_action_or_reset
>> for auto-cleanup, you must now manually cleanup by calling
>> xhci_ext_cap_remove() when later steps of xhci_pci_probe() fail.
>> it looks like you will need a new ext_cap_remove error-exit label
>> for this put above the put_usb3_hcd label and goto this new label
>> instead of to put_usb3_hcd in all error paths after a successful call
>> to xhci_ext_cap_init()
>
> Right. Will review this path and correct accordingly.
>
> Maybe an additional label isn't required because pdev is only set when
> xhci_ext_cap_init created the platform device, and xhci_ext_cap_remove
> checks for pdev being set.
> So a call to xhci_ext_cap_remove doesn't harm if pdev is not set up yet.
> But for readability it might be better to create a label.
Right, when taking a quick look myself I realized that an extra label would
not be necessary, but not having the extra label will confuse the reader
of the code, since now we are undoing something which we did not do,
so I would prefer if you use the extra label.
Regards,
Hans
next prev parent reply other threads:[~2019-08-14 13:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 11:39 [PATCH] usb: xhci-pci: reorder removal to avoid use-after-free Schmid, Carsten
2019-08-14 12:54 ` Hans de Goede
2019-08-14 13:32 ` AW: " Schmid, Carsten
2019-08-14 13:36 ` Hans de Goede [this message]
2019-08-14 14:32 ` [PATCH v2] " Schmid, Carsten
2019-08-15 15:27 ` Hans de Goede
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=662c2014-f52c-a4a7-cbf0-78d43c3a4f22@redhat.com \
--to=hdegoede@redhat.com \
--cc=Carsten_Schmid@mentor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).