To: Johan Hovold, Greg KH
Cc: linux-usb@vger.kernel.org, Linux Kernel Mailing List
From: Jia-Ju Bai
Subject: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug
Message-ID: <8b24e2fc-df9a-8e06-aa49-a27675fd36e9@gmail.com>
Date: Thu, 20 Dec 2018 21:41:16 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

In drivers/usb/serial/garmin_gps.c, the functions
garmin_read_bulk_callback() and garmin_write_bulk_callback() may be
concurrently executed.

In garmin_write_bulk_callback() on line 969:
    kfree(urb->transfer_buffer);

In garmin_read_bulk_callback() on line 1165:
    unsigned char *data = urb->transfer_buffer;

Thus, a concurrency use-after-free bug may occur.

This possible bug is found by a static analysis tool written by myself.

Best wishes,
Jia-Ju Bai