Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751830AbdHONXO (ORCPT ); Tue, 15 Aug 2017 09:23:14 -0400 Received: from mx2.suse.de ([195.135.220.15]:58580 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751666AbdHONXN (ORCPT ); Tue, 15 Aug 2017 09:23:13 -0400 Message-ID: <1502803217.6606.3.camel@suse.com> Subject: Re: Possible null pointer dereference in adutux.ko From: Oliver Neukum To: Anton Volkov , johan@kernel.org, gregkh@linuxfoundation.org, wsa-dev@sang-engineering.com Cc: Alexey Khoroshilov , ldv-project@linuxtesting.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org Date: Tue, 15 Aug 2017 15:20:17 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1375 Lines: 41 Am Dienstag, den 15.08.2017, 15:59 +0300 schrieb Anton Volkov: > Hello. > > While searching for races in the Linux kernel I've come across > "drivers/usb/misc/adutux.ko" module. Here is a question that I came up > with while analyzing results. Lines are given using the info from Linux > v4.12. > > Consider the following case: > > Thread 1: Thread 2: > adu_release > ->adu_release_internal adu_disconnect > udev->dev> dev->udev = NULL > (adutux.c: line 298) (adutux.c: line 771) > usb_deregister_dev > > Comments in the source code point at the possibility of adu_release() > being called separately from adu_disconnect(). adu_release() and > adu_disconnect() acquire different mutexes, so they are not protected > from one another. If adu_disconnect() changes dev->udev before its value > is read in adu_release_internal() there will be a NULL pointer > dereference on a read attempt. Is this case feasible from your point of > view? > > Thank you for your time. Hi, your analysis seems correct to me. In fact it looks like 66d4bc30d128e7c7ac4cf64aa78cb76e971cec5b USB: adutux: remove custom debug macro more or less broke disconnect on this driver (the URBs can also finish after dev->udev = NULL) Do you want to do a fix or do you want me to do it? Regards Oliver