Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
From: Alan Stern <stern@rowland.harvard.edu>
To: syzbot <syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com>
Cc: andreyknvl@google.com, <gregkh@linuxfoundation.org>,
	<gustavo@embeddedor.com>, <hdanton@sina.com>,
	<linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>,
	<oneukum@suse.com>, <syzkaller-bugs@googlegroups.com>
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb
Date: Tue, 13 Aug 2019 16:13:48 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1908121115390.1659-100000@iolanthe.rowland.org> (raw)
In-Reply-To: <000000000000d195cc058feb2498@google.com>

On Mon, 12 Aug 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> KASAN: invalid-free in hcd_buffer_free

This bug report shows that Hillf's fix isn't exactly right.

> usb 5-1: USB disconnect, device number 2
> ==================================================================
> BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260  
> drivers/usb/core/buffer.c:165
> 
> CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
>   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
>   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
>   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
>   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
>   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797

Here the double-free occurred when logi_dj_remove() called 
hd_hw_stop()...

>   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
>   __device_release_driver drivers/base/dd.c:1118 [inline]
>   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
>   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
>   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414

which occurred inside usbhid_disconnect()'s call to
hid_destroy_device().

But just above the call to hid_destroy_device(), Hillf's patch adds a 
direct call to hid_hw_stop(), which is what did the original free.

So it looks like the problem here is that some paths in the original
unpatched code end up calling hid_hw_stop() by way of the hid_device's
driver, and other paths do not.

I haven't had time to track down this difference.  Maybe somebody 
on the mailing list already knows why it occurs.

Alan Stern


  parent reply index

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-29 11:48 syzbot
2019-07-30 14:10 ` Alan Stern
2019-07-30 14:12   ` Andrey Konovalov
2019-07-30 14:24     ` Oliver Neukum
2019-07-30 16:58 ` syzbot
2019-08-12 12:46   ` Andrey Konovalov
2019-08-12 13:03     ` syzbot
2019-08-12 14:23       ` Andrey Konovalov
2019-08-13 20:13       ` Alan Stern [this message]
2019-08-21 12:51         ` Andrey Konovalov
2019-08-21 13:09           ` syzbot
2019-08-21 14:08             ` Andrey Konovalov
     [not found]     ` <20190812144720.1980-1-hdanton@sina.com>
2019-08-12 14:55       ` Andrey Konovalov
2019-08-12 15:06       ` general protection fault in __pm_runtime_resume syzbot
2019-08-15 17:43         ` Alan Stern
2019-08-20 20:00           ` [PATCH] HID: USB: Fix general protection fault caused by Logitech driver Alan Stern
2019-08-21 14:11             ` Andrey Konovalov
2019-08-22  7:53             ` Jiri Kosina
2019-08-22 12:32             ` Andrey Konovalov
2019-08-22 17:11               ` Alan Stern
2019-08-22 18:25                 ` Andrey Konovalov
2019-08-22 20:21                   ` Alan Stern
2019-08-23  9:29                     ` Jiri Kosina
2019-08-24  0:41                       ` Roderick.Colenbrander
2019-09-03 10:46                         ` Andrey Konovalov
2019-09-03 20:00                           ` Roderick.Colenbrander
     [not found]     ` <20190813042649.888-1-hdanton@sina.com>
2019-08-13  7:35       ` WARNING in usbhid_raw_request/usb_submit_urb Dmitry Vyukov
2019-08-13  8:14       ` Oliver Neukum

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.44L0.1908121115390.1659-100000@iolanthe.rowland.org \
    --to=stern@rowland.harvard.edu \
    --cc=andreyknvl@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=gustavo@embeddedor.com \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=oneukum@suse.com \
    --cc=syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox