Date: Fri, 14 Feb 2020 13:22:39 +0200
From: Laurent Pinchart
To: Hans Verkuil
Cc: Dan Carpenter, syzbot, Hillf Danton, Alan Stern, Allison Randal, Greg Kroah-Hartman, Souptick Joarder, andreyknvl@google.com, bnvandana@gmail.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, mchehab@kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] media: usbvision: Fix a use after free in v4l2_release()
Message-ID: <20200214112239.GC4831@pendragon.ideasonboard.com>
References: <20200124141356.365bgzg2lp3tjedm@kili.mountain>

Hi Hans,

On Fri, Feb 14, 2020 at 11:06:36AM +0100, Hans Verkuil wrote:
> On 1/24/20 3:13 PM, Dan Carpenter wrote:
> > Syzbot triggered a use after free in v5.5-rc6:
> >
> > BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
> >
> > Allocated by task 94:
> >  usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1315 [inline]
> >  usbvision_probe.cold+0x5c5/0x1f21 drivers/media/usb/usbvision/usbvision-video.c:1469
> >
> > Freed by task 1913:
> >  kfree+0xd5/0x300 mm/slub.c:3957
> >  usbvision_release+0x181/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1364
> >  usbvision_radio_close.cold+0x2b/0x74 drivers/media/usb/usbvision/usbvision-video.c:1130
> >  v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
> >
> > The problem is that the v4l2_release() calls usbvision_release() which
> > frees "usbvision" but v4l2_release() still wants to use
> > "usbvision->vdev". One solution is to make this devm_ allocated memory
> > so the memory isn't freed until later.
>
> devm_ allocated memory is freed after disconnect, so I doubt this will help, or at
> best it will just move the problem elsewhere.
Yes, devm_*alloc is evil :-( It has spread to many drivers and is used
incorrectly in most cases.

> The right approach would be to use the release() callback from struct v4l2_device:
> that's called when the very last open filehandle is closed.

Hillf Danton has sent a patch to do so in the "Re: KASAN: use-after-free
Read in v4l2_release (3)" thread. Have you seen it?

> But I'm not sure if it is worth the effort. The usbvision driver is a mess and
> personally I think it should be deprecated.

I agree.

> > Reported-by: syzbot+75287f75e2fedd69d680@syzkaller.appspotmail.com
> > Signed-off-by: Dan Carpenter
> > ---
> > I copied this idea from a different driver, but I haven't tested it.
> > I wanted to try the #syz fix command to see if it works.
> >
> >  drivers/media/usb/usbvision/usbvision-video.c | 4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
> > index 93d36aab824f..07b4763062c4 100644
> > --- a/drivers/media/usb/usbvision/usbvision-video.c
> > +++ b/drivers/media/usb/usbvision/usbvision-video.c
> > @@ -1312,7 +1312,7 @@ static struct usb_usbvision *usbvision_alloc(struct usb_device *dev,
> >  {
> >  	struct usb_usbvision *usbvision;
> >
> > -	usbvision = kzalloc(sizeof(*usbvision), GFP_KERNEL);
> > +	usbvision = devm_kzalloc(&dev->dev, sizeof(*usbvision), GFP_KERNEL);
> >  	if (!usbvision)
> >  		return NULL;
> >
> > @@ -1336,7 +1336,6 @@ static struct usb_usbvision *usbvision_alloc(struct usb_device *dev,
> >  	v4l2_ctrl_handler_free(&usbvision->hdl);
> >  	v4l2_device_unregister(&usbvision->v4l2_dev);
> >  err_free:
> > -	kfree(usbvision);
> >  	return NULL;
> >  }
> >
> > @@ -1361,7 +1360,6 @@ static void usbvision_release(struct usb_usbvision *usbvision)
> >
> >  	v4l2_ctrl_handler_free(&usbvision->hdl);
> >  	v4l2_device_unregister(&usbvision->v4l2_dev);
> > -	kfree(usbvision);
> >
> >  	PDEBUG(DBG_PROBE, "success");
> >  }

-- 
Regards,

Laurent Pinchart
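Review bot: the `kzalloc()` to `devm_kzalloc(&dev->dev, ...)` switch in the first hunk (usbvision_alloc, line 1315) ties the lifetime of `usbvision` to the USB device's devres list, which is the wrong owner for an object the KASAN trace shows being read from v4l2_release() on last close. Devres frees the allocation when the driver is unbound, which is Hans's point that devm memory goes away at disconnect, but a file handle can stay open past disconnect, so the same read of `usbvision->vdev` in v4l2_release() can still land on freed memory; the allocation flags do not change the ordering, only where the free happens. The free belongs in the struct v4l2_device release() callback that runs once the last file handle is closed.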
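Review bot: with `kfree(usbvision)` dropped in the second hunk (usbvision_alloc error path, around line 1338), the `err_free:` label no longer frees anything and just returns NULL, so its name is now misleading and the goto could be a plain `return NULL` at the call sites. This path is safe on its own because the driver core releases devres-managed allocations when probe fails, but that reliance is implicit in the hunk; a one-line comment at the label saying the allocation is devres-managed would tell the next reader why no cleanup is needed here.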
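Review bot: removing only `kfree(usbvision)` in the third hunk leaves the rest of usbvision_release() unchanged, so it still runs from the close path (usbvision_radio_close -> usbvision_release in the quoted trace) and still calls `v4l2_ctrl_handler_free()` and `v4l2_device_unregister()` there, while the memory now lives on until disconnect; that hides the ordering bug in the common case rather than fixing it, and the commit message says the change was copied from another driver and not tested. The teardown in this function is what should move into the struct v4l2_device release() callback Hans describes, with the final `kfree()` done there, so that `PDEBUG(DBG_PROBE, "success")` is reached only after the last reference is gone.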