From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04205C43331 for ; Tue, 24 Mar 2020 14:37:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id CE24620774 for ; Tue, 24 Mar 2020 14:37:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="URod6sSA" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727385AbgCXOhl (ORCPT ); Tue, 24 Mar 2020 10:37:41 -0400 Received: from mail-lf1-f68.google.com ([209.85.167.68]:38099 "EHLO mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727168AbgCXOhl (ORCPT ); Tue, 24 Mar 2020 10:37:41 -0400 Received: by mail-lf1-f68.google.com with SMTP id c5so7962217lfp.5 for ; Tue, 24 Mar 2020 07:37:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wOe/cwkgIM9Ab4hg3mczmIi4wh/0K818LHuirOHiJ4A=; b=URod6sSAasEBeJ7UfuCiMIlcvfkkmmZgypzB/5zXAFTWfHRahsHWewBjncbYea079c SmcUkFauuYKCzTJYp+pY5jNK8w8yvzCcJnLvjcCuDh0rdqlNDMA4aDzEmZOeheV6pUZh 9WxWbs93NyNQcQTu2lzSartwXN2f5jMacelqkx5eYHNr2RorLXid4QjyUf4HNlYbfTrc iatkxTNrJQH5MqYmr2azDFe/snTXi56H7SU+2PeKKHRY0ybLYnUNdjtePQC40pST6MyQ 9dvnU5AE/Mkw6IvAS3f9iHzso7pFclL29N4AWSAoYUf1iF5GGs1xDDiKK0BJklqwQP+3 45kQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wOe/cwkgIM9Ab4hg3mczmIi4wh/0K818LHuirOHiJ4A=; b=oS/bdoYcXPUo0rXQ1IegNkJZjMxOc6dcNufrtoFcnzr6/m0nWInP/9MN/dGL/dQTXx eIV7+eIbl74TB42BU8nXmkN0P6dgveMG7ypl+nJF4MfDxnANdNLVYYsFWNIW/o8hvDeg lujEGZC20BupsBIQVqKJk7lM974YIOqBYUIGgunFy6wvqFhg5hycmCwIPLRNmkxCO9Yf I46wqPW/388bB1Ui/iUdiELSVEtSd0+/AIPqvcbPH7KoZy74ceG5SJo1fknCXe5YA+Tf Fg114hj7IT7atZpeM2gKqzOeal8bS8TRID7L0Unmj99dghgJ6gq03Q4DC2e5zv19jAI1 IbPg== X-Gm-Message-State: ANhLgQ3Mi8OJXvYLqJf/xdas96F7EPBUY7Q97UkbvqZEyLXL06Ja+Qzh X/1Sigu4QwPztpIN7meCHlUIkRlWksiPAfjWUOY= X-Google-Smtp-Source: ADFU+vsZC/jXY3DWAG9uq5f+7YhlDvIzgnDW5IikwmVU4Ij6DBBavpPGJpMHsoKVUxWEmUfvJu4weAVKU1KqduhRP0E= X-Received: by 2002:ac2:548f:: with SMTP id t15mr16681025lfk.115.1585060658724; Tue, 24 Mar 2020 07:37:38 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Kyungtae Kim Date: Tue, 24 Mar 2020 10:37:27 -0400 Message-ID: Subject: Re: Fwd: BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c To: Alan Stern Cc: Oliver Neukum , USB list Content-Type: text/plain; charset="UTF-8" Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org On Tue, Mar 24, 2020 at 10:14:39AM -0400, Alan Stern wrote: > On Mon, 23 Mar 2020, Kyungtae Kim wrote: > > > We report a bug (in linux-5.5.11) found by FuzzUSB (a modified version > > of syzkaller) > > > > In function usb_hcd_unlink_urb (driver/usb/core/hcd.c:1607), it tries to > > read "urb->use_count". But it seems the instance "urb" was > > already freed (right after urb->dev at line 1597) by the function "urb_destroy" > > in a different thread, which caused memory access violation. > > To solve, it may need to check if urb is valid before urb->use_count, > > to avoid such freed memory access. > > No, the problem is "free while still in use", caused by the fact that > usb_sg_cancel() fails to indicate it is using the data structures. > > > kernel config: https://kt0755.github.io/etc/config_v5.5.11 > > > > ================================================================== > > BUG: KASAN: use-after-free in atomic_read > > include/asm-generic/atomic-instrumented.h:26 [inline] > > BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 > > drivers/usb/core/hcd.c:1607 > > Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27 > > Here is a patch which ought to fix the problem. Can you test it? > > Alan Stern > > > Index: usb-devel/drivers/usb/core/message.c > =================================================================== > --- usb-devel.orig/drivers/usb/core/message.c > +++ usb-devel/drivers/usb/core/message.c > @@ -588,12 +588,13 @@ void usb_sg_cancel(struct usb_sg_request > int i, retval; > > spin_lock_irqsave(&io->lock, flags); > - if (io->status) { > + if (io->status || io->count == 0) { > spin_unlock_irqrestore(&io->lock, flags); > return; > } > /* shut everything down */ > io->status = -ECONNRESET; > + io->count++; /* Keep the request alive until we're done */ > spin_unlock_irqrestore(&io->lock, flags); > > for (i = io->entries - 1; i >= 0; --i) { > @@ -607,6 +608,12 @@ void usb_sg_cancel(struct usb_sg_request > dev_warn(&io->dev->dev, "%s, unlink --> %d\n", > __func__, retval); > } > + > + spin_lock_irqsave(&io->lock, flags); > + io->count--; > + if (!io->count) > + complete(&io->complete); > + spin_unlock_irqrestore(&io->lock, flags); > } > EXPORT_SYMBOL_GPL(usb_sg_cancel); > > Thanks for the patch. Unfortunately, we don't have a repro program to test right now. Regards, Kyungtae Kim