Date: Sun, 19 Apr 2020 10:07:34 -0400 (EDT)
From: Alan Stern
To: Dmitry Torokhov
cc: Julian Squires, Hans de Goede, Jiri Kosina, Benjamin Tissoires, syzbot, Kernel development list, USB list, Ping Cheng
Subject: Re: KASAN: use-after-free Read in usbhid_close (3)
In-Reply-To: <20200419041344.GC166864@dtor-ws>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 18 Apr 2020, Dmitry Torokhov wrote:

> On Sat, Apr 18, 2020 at 09:09:44PM -0700, Dmitry Torokhov wrote:
> > Hi Alan,
> >
> > On Sat, Apr 18, 2020 at 10:16:32PM -0400, Alan Stern wrote:
> > > linux-input people:
> > >
> > > syzbot has found a bug related to USB/HID/input, and I have narrowed it
> > > down to the wacom driver.  As far as I can tell, the problem is caused
> > > by the fact that drivers/hid/wacom_sys.c calls input_register_device()
> > > in several places, but it never calls input_unregister_device().
> > >
> > > I know very little about the input subsystem, but this certainly seems
> > > like a bug.
> >
> > Wacom driver uses devm_input_allocate_device(), so unregister should
> > happen automatically on device removal once we exit wacom_probe().
> >
> > > When the device is unplugged, the disconnect pathway doesn't call
> > > hid_hw_close().  That routine doesn't get called until the user closes
> > > the device file (which can be long after the device is gone and
> > > hid_hw_stop() has run).  Then usbhid_close() gets a use-after-free
> > > error when it tries to access data structures that were deallocated by
> > > usbhid_stop().  No doubt there are other problems too, but this is
> > > the one that syzbot found.
> >
> > Unregistering the input device should result in calling wacom_close()
> > (if device was previously opened), which, as far as I can tell, calls
> > hid_hw_close().
> >
> > I wonder if it is valid to call hid_hw_stop() before hid_hw_close()?

No, it isn't.  If it were, for example, why would evdev_disconnect() ->
evdev_cleanup() need to call input_close_device()?  And why would
usbhid_disconnect() deallocate the usbhid structure which usbhid_stop()
accesses?

> > It could be that we again get confused by the "easiness" of devm APIs
> > and completely screw up unwind order.

That's probably what happened.

Alan Stern

> Let's also add Ping and Jason to the conversation...
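The thread turns on one ordering rule (hid_hw_close() must run before hid_hw_stop()) and on whether a devm-managed input device can break it when the driver's remove path stops the hardware by hand. The following toy model, added here and not taken from the kernel or the wacom driver, reuses the hid_hw_* names only as labels for a state machine: a LIFO release stack stands in for devm, `input_unregister_release()` stands in for the automatic input_unregister_device() that calls close on an open device, and a flag records whether close ever ran after stop (where the real usbhid_close() would touch memory already freed by usbhid_stop()). Both scenarios are constructed; the point they show is that devm's reverse-order unwind only protects you if the stop action is itself on the stack below the input device, not if remove() calls it directly before devm unwinds.

```c
#include <stdio.h>
#include <string.h>

/* Toy devm-style release stack: actions run in reverse registration order. */
#define MAX_ACTIONS 8
typedef void (*release_fn)(void *);

struct devm_stack {
    release_fn fn[MAX_ACTIONS];
    void *arg[MAX_ACTIONS];
    int n;
};

/* Hypothetical HID device; names mirror the thread but this is a model. */
struct hid_dev {
    int started;          /* hid_hw_start() done: transport buffers "allocated" */
    int opened;           /* hid_hw_open() done by the input layer on first user open */
    int close_after_stop; /* set if close runs after stop: the use-after-free ordering */
    struct devm_stack devm;
};

static void devm_add(struct devm_stack *s, release_fn fn, void *arg)
{
    if (s->n < MAX_ACTIONS) {
        s->fn[s->n] = fn;
        s->arg[s->n] = arg;
        s->n++;
    }
}

/* devm unwind: last registered action is released first. */
static void devm_release_all(struct devm_stack *s)
{
    while (s->n > 0) {
        s->n--;
        s->fn[s->n](s->arg[s->n]);
    }
}

static void hid_hw_start(struct hid_dev *h) { h->started = 1; }
static void hid_hw_stop(struct hid_dev *h)  { h->started = 0; } /* frees transport state */
static void hid_hw_open(struct hid_dev *h)  { h->opened = 1; }

static void hid_hw_close(struct hid_dev *h)
{
    /* In the real driver this path dereferences transport state; if stop
     * already freed it, that is the use-after-free. Here we just record it. */
    if (!h->started)
        h->close_after_stop = 1;
    h->opened = 0;
}

/* Stand-in for input_unregister_device(): closes the device if a user had it open. */
static void input_unregister_release(void *arg)
{
    struct hid_dev *h = arg;
    if (h->opened)
        hid_hw_close(h);
}

/* devm action wrapping hid_hw_stop(), for the corrected scenario. */
static void hid_stop_release(void *arg) { hid_hw_stop((struct hid_dev *)arg); }

/* Scenario A: remove() calls hid_hw_stop() directly, then devm unwinds.
 * The devm-managed input device is only unregistered (and closed) afterwards,
 * so close runs after stop. Returns 1 when the bad ordering occurred. */
int remove_stop_then_devm(void)
{
    struct hid_dev h;
    memset(&h, 0, sizeof(h));
    hid_hw_start(&h);                                   /* probe: start hardware */
    devm_add(&h.devm, input_unregister_release, &h);    /* probe: devm input device */
    hid_hw_open(&h);                                    /* user opens the event node */
    hid_hw_stop(&h);                                    /* remove(): explicit stop */
    devm_release_all(&h.devm);                          /* devm: unregister -> close */
    return h.close_after_stop;
}

/* Scenario B: stop is itself a devm action registered before the input device,
 * so LIFO unwind closes first and stops second. Returns 0 when ordering is sound. */
int remove_devm_ordered(void)
{
    struct hid_dev h;
    memset(&h, 0, sizeof(h));
    hid_hw_start(&h);
    devm_add(&h.devm, hid_stop_release, &h);            /* registered first, released last */
    devm_add(&h.devm, input_unregister_release, &h);    /* registered last, released first */
    hid_hw_open(&h);
    devm_release_all(&h.devm);                          /* close, then stop */
    return h.close_after_stop;
}

int main(void)
{
    printf("explicit stop before devm unwind: close_after_stop=%d\n", remove_stop_then_devm());
    printf("stop as devm action below input:  close_after_stop=%d\n", remove_devm_ordered());
    return 0;
}
```

The model deliberately reports the ordering violation with a flag instead of reproducing a crash; under KASAN the real driver reports it as the use-after-free read in usbhid_close() that syzbot found. The general lesson is the one Dmitry's last quoted line suspects: mixing explicit teardown in remove() with devm-managed resources silently reverses the unwind order unless every dependent release is also on the devm stack, in the right position.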