From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, Kyungtae Kim
Subject: [PATCH 5.4 098/168] USB: core: Fix free-while-in-use bug in the USB S-Glibrary
Date: Tue, 28 Apr 2020 20:24:32 +0200
Message-Id: <20200428182244.742339543@linuxfoundation.org>
In-Reply-To: <20200428182231.704304409@linuxfoundation.org>
References: <20200428182231.704304409@linuxfoundation.org>
From: Alan Stern

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x153/0x1cb mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:95
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
 usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
 usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
 usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any sort of reference to the transfer, and so there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Signed-off-by: Alan Stern
Reported-and-tested-by: Kyungtae Kim
CC:
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/core/message.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -588,12 +588,13 @@ void usb_sg_cancel(struct usb_sg_request int i, retval; spin_lock_irqsave(&io->lock, flags); - if (io->status) { + if (io->status || io->count == 0) { spin_unlock_irqrestore(&io->lock, flags); return; } /* shut everything down */ io->status = -ECONNRESET; + io->count++; /* Keep the request alive until we're done */ spin_unlock_irqrestore(&io->lock, flags); for (i = io->entries - 1; i >= 0; --i) { @@ -607,6 +608,12 @@ void usb_sg_cancel(struct usb_sg_request dev_warn(&io->dev->dev, "%s, unlink --> %d\n", __func__, retval); } + + spin_lock_irqsave(&io->lock, flags); + io->count--; + if (!io->count) + complete(&io->complete); + spin_unlock_irqrestore(&io->lock, flags); } EXPORT_SYMBOL_GPL(usb_sg_cancel);
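Review bot: the new `io->count == 0` condition in the first hunk (`+ if (io->status || io->count == 0) {`) deserves a comment of its own, because to a reader the two halves of the test look unrelated. It is what makes the following `io->count++` safe: once the count has already reached zero, io->complete has fired and usb_sg_wait() may be freeing the URBs, so bumping the count from 0 to 1 here would neither protect the URBs nor avoid signalling io->complete a second time when the reference is dropped at the end of the function. Something like `/* already finished: usb_sg_wait() owns the URBs now */` next to the check would make that explicit. Since the check, the `-ECONNRESET` write and the increment all sit under the same spin_lock_irqsave() acquisition, there is no window between observing a nonzero count and holding the reference, which is the property the fix relies on.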
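Review bot: the block added at the end of the function in the second hunk (`+ io->count--;` / `+ if (!io->count)` / `+ complete(&io->complete);`) repeats, under io->lock, the same count-to-zero-then-complete step that the commit message describes for normal URB completion; a small static helper used by both paths would keep them from drifting apart if the completion bookkeeping changes later. It is also worth a comment here that after this unlock the function must not touch the URBs again: when the cancelled transfer completed while the unlinks were running, this is the path that signals io->complete, and usb_sg_wait() frees the URBs as soon as it wakes. The "Keep the request alive until we're done" comment on the increment in the first hunk could point at this block so the pairing is obvious.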
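The race the commit message describes, and the reason the extra reference fixes it, is easier to see in a deterministic userspace model than in the kernel source. The following is an added illustration written for this page, not kernel code and not part of the patch: it models only the fields the fix touches (io->count, io->status, the io->complete signal), replaces the spinlock by explicit, single-threaded interleaving, and stands in for the URB free with a `freed` flag so that a touch-after-free can be counted instead of crashing. All `model_*` names and the scenario helpers are invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Userspace model of the usb_sg_cancel()/usb_sg_wait() race (added
 * illustration, not kernel code).  io->count holds one reference per
 * in-flight URB and, with the fix, one more for an in-progress cancel.
 * Locking is elided: each scenario below interleaves the two paths
 * explicitly, so nothing runs concurrently.
 */
#define ENTRIES 4

struct model_urb { bool freed; };

struct model_sg_request {
	int status;               /* 0 while in progress, nonzero once ended */
	int count;                /* io->count */
	int entries;
	struct model_urb urbs[ENTRIES];
	bool completed;           /* stands in for complete(&io->complete) */
	int touched_after_free;   /* unlinks that hit an already freed URB */
};

static void model_init(struct model_sg_request *io)
{
	*io = (struct model_sg_request){ .entries = ENTRIES, .count = ENTRIES };
}

/* One URB finishing: drop a reference, signal the waiter on zero. */
static void model_sg_complete(struct model_sg_request *io)
{
	io->count--;
	if (!io->count)
		io->completed = true;
}

/* usb_sg_wait() side: once signalled, the URBs are freed. */
static void model_sg_wait_free(struct model_sg_request *io)
{
	if (!io->completed)
		return;
	for (int i = 0; i < io->entries; i++)
		io->urbs[i].freed = true;
}

/* usb_unlink_urb() side: reading a freed URB is the bug KASAN reported. */
static void model_unlink_urb(struct model_sg_request *io, int i)
{
	if (io->urbs[i].freed)
		io->touched_after_free++;
}

/*
 * usb_sg_cancel() before (fixed == false) and after (fixed == true) the
 * patch.  With race == true, every in-flight URB completes and the waiter
 * runs in the middle of the unlink loop, the interleaving from the report.
 */
static void model_sg_cancel(struct model_sg_request *io, bool fixed, bool race)
{
	if (io->status || (fixed && io->count == 0))
		return;
	io->status = -1;          /* -ECONNRESET in the kernel */
	if (fixed)
		io->count++;      /* keep the request alive until we're done */

	for (int i = io->entries - 1; i >= 0; --i) {
		if (race && i == io->entries - 1) {
			for (int n = 0; n < io->entries; n++)
				model_sg_complete(io);
			model_sg_wait_free(io);   /* frees only if count hit zero */
		}
		model_unlink_urb(io, i);
	}

	if (fixed) {
		io->count--;
		if (!io->count)
			io->completed = true;
		model_sg_wait_free(io);   /* the waiter may free only now */
	}
}

/* Cancel racing with completion: number of unlinks that touched a freed URB. */
int uaf_hits_when_racing(bool fixed)
{
	struct model_sg_request io;
	model_init(&io);
	model_sg_cancel(&io, fixed, true);
	return io.touched_after_free;
}

/* Cancel called after the transfer already finished and was torn down. */
int uaf_hits_after_done(bool fixed)
{
	struct model_sg_request io;
	model_init(&io);
	for (int n = 0; n < ENTRIES; n++)
		model_sg_complete(&io);
	model_sg_wait_free(&io);
	model_sg_cancel(&io, fixed, false);
	return io.touched_after_free;
}

/* The fixed cancel still lets the count reach zero so the URBs get freed. */
bool fixed_cancel_still_frees(void)
{
	struct model_sg_request io;
	model_init(&io);
	model_sg_cancel(&io, true, true);
	return io.count == 0 && io.completed && io.urbs[0].freed;
}

int main(void)
{
	printf("racing cancel: before fix %d, after fix %d freed URBs touched\n",
	       uaf_hits_when_racing(false), uaf_hits_when_racing(true));
	printf("cancel after done: before fix %d, after fix %d\n",
	       uaf_hits_after_done(false), uaf_hits_after_done(true));
	printf("fixed cancel still frees URBs: %s\n",
	       fixed_cancel_still_frees() ? "yes" : "no");
	return 0;
}
```

The two scenarios map onto the two halves of the patch: the racing case shows why the extra reference is needed (the waiter cannot free while the cancel path still holds it), and the already-finished case shows why the `io->count == 0` early return is needed (without it, cancel would unlink URBs that were freed before it was even called). The model's `model_sg_wait_free` is polled rather than woken, which is a simplification of the real completion-based wait.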