From: Anton Volkov
Subject: Possible null pointer dereference in adutux.ko
To: johan@kernel.org, gregkh@linuxfoundation.org, wsa-dev@sang-engineering.com
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org, Alexey Khoroshilov
Date: Tue, 15 Aug 2017 15:59:50 +0300

Hello.

While searching for races in the Linux kernel I've come across the "drivers/usb/misc/adutux.ko" module. Here is a question that I came up with while analyzing the results. Lines are given using the info from Linux v4.12.

Consider the following case:

Thread 1:                            Thread 2:
adu_release
->adu_release_internal
                                     adu_disconnect
udev->dev                            dev->udev = NULL
(adutux.c: line 298)                 (adutux.c: line 771)
                                     usb_deregister_dev

Comments in the source code point at the possibility of adu_release() being called separately from adu_disconnect(). adu_release() and adu_disconnect() acquire different mutexes, so they are not protected from one another. If adu_disconnect() changes dev->udev before its value is read in adu_release_internal(), there will be a NULL pointer dereference on a read attempt.

Is this case feasible from your point of view?

Thank you for your time.

-- 
Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@ispras.ru
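The interleaving in the report (disconnect clearing dev->udev between the start of release and the read of the pointer) is a textbook disconnect-vs-release race. The model below is an added, user-space illustration of the defensive pattern a driver uses against it, not adutux.c itself and not a proposed patch: both paths serialize on the same mutex, release re-checks dev->udev under that lock and returns -ENODEV if the device is already gone. Everything here (struct adu_dev_model, the *_model functions, the scenario helpers, the stub USB device) is a hypothetical stand-in for the kernel structures named in the mail.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the struct usb_device the driver holds. */
struct usb_device_stub {
	int devnum;
};

/*
 * Hypothetical model of the per-device state. The key point is that
 * `udev` is only read or written while `mutex` is held, so disconnect
 * and release can never observe each other half-way.
 */
struct adu_dev_model {
	pthread_mutex_t mutex;        /* one lock shared by both paths */
	struct usb_device_stub *udev; /* NULL once disconnected          */
	int open_count;
};

/* Model of the disconnect path: clear the pointer under the shared lock. */
void adu_disconnect_model(struct adu_dev_model *dev)
{
	pthread_mutex_lock(&dev->mutex);
	dev->udev = NULL;
	pthread_mutex_unlock(&dev->mutex);
}

/*
 * Model of the release path. Returns the device number it used on
 * success, or -ENODEV when disconnect already ran. The NULL check is
 * done under the same lock disconnect takes, so the value cannot change
 * between the check and the use.
 */
int adu_release_model(struct adu_dev_model *dev)
{
	int ret;

	pthread_mutex_lock(&dev->mutex);
	if (dev->udev == NULL) {
		ret = -ENODEV;            /* device gone: no dereference */
	} else {
		ret = dev->udev->devnum;  /* safe: pointer is stable here */
	}
	if (dev->open_count > 0)
		--dev->open_count;
	pthread_mutex_unlock(&dev->mutex);
	return ret;
}

/* Helper: build a freshly opened device backed by a constructed USB stub. */
static void adu_dev_init(struct adu_dev_model *dev, struct usb_device_stub *udev)
{
	pthread_mutex_init(&dev->mutex, NULL);
	dev->udev = udev;
	dev->open_count = 1;
}

/* Ordering from the mail: disconnect wins, then release reads the pointer. */
int scenario_disconnect_then_release(void)
{
	struct usb_device_stub udev = { .devnum = 7 };
	struct adu_dev_model dev;

	adu_dev_init(&dev, &udev);
	adu_disconnect_model(&dev);       /* Thread 2: dev->udev = NULL   */
	return adu_release_model(&dev);   /* Thread 1: must see NULL, -ENODEV */
}

/* Benign ordering: release completes before the device is unplugged. */
int scenario_release_then_disconnect(void)
{
	struct usb_device_stub udev = { .devnum = 7 };
	struct adu_dev_model dev;
	int ret;

	adu_dev_init(&dev, &udev);
	ret = adu_release_model(&dev);    /* uses devnum 7                 */
	adu_disconnect_model(&dev);
	return ret;
}

int main(void)
{
	printf("disconnect then release: %d (expect %d)\n",
	       scenario_disconnect_then_release(), -ENODEV);
	printf("release then disconnect: %d (expect 7)\n",
	       scenario_release_then_disconnect());
	return 0;
}
```

The property worth taking from the model is not the check itself but where it sits: a NULL test done outside the lock, or a pointer copied under the lock and dereferenced after unlocking, leaves exactly the window the report describes, since disconnect may run in between.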