Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3621203pxj; Tue, 15 Jun 2021 05:10:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzwBJpjgxKQS189pExDyhM01NtrDtt1rV+/QFNzdKPK5WmDmWRm3P+ZnvOsrwThZ896gCUb X-Received: by 2002:a05:6602:50:: with SMTP id z16mr18190501ioz.155.1623759016377; Tue, 15 Jun 2021 05:10:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623759016; cv=none; d=google.com; s=arc-20160816; b=bDfmWobCjdofE6c4Lo2OA8ByvfQ8HDm/SlFbWOF0jldaFQ+RlzT9Lg53FreY9fvezk 34yhcNJUFyhzVjsjMiBWi6pu6ZCZT8HGMQl+6cXxE8JDZQ/8ZNKpM0bJUZMah9tYol6H xHy/HZnnsJUwhNpabDwvAVHkVUx8NN4KecVTmU0wHwaYFQCoAgD+GahAYsh8Ez8HS1qw 4dQ3MJvIAgx7zmXIG/TXU9cUu6WVj32prIdcnIYi9kT9XuQFLsySeqT05Zym8+kUmpe0 QtA3ktoJmRVWKwGrmNOuBhE4vd93Aaybnmuj3Hmbv7keP1u2ut705bLQ+ehV6dfr1yTh 5S1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=F2WOp7laceuxMILuVpXWmQIN4CP/UaKDpQrNGuoiets=; b=rtp7Nvjfv9p2P0W1yARy9x9oiK1TcxSdloUUMXo8uNfcwqHgEgWRpke6Qz9IYMbTDC J0MSuIgppTPMVQa0Ve8VPuY+V/2StUY6Fplz7Y2NUWyhdATTJhPQ/8kvDn66LOEOAHCe ZZGsM/mQ/YIGxijHhYsfYp7jq6yAUHdmqyce4S43u91lb6A7f2GTSMQDRDu98mTHCWdp 5bj2seqyz7jZDl2BiWSA+IeeA+sSMHOclQRIBfKjcW2WdNlYkYJazXtonWEPzdsTdFMC E7lJ3lhujSQmri+vOdqFblDCE56q1rnYQ6GPBcpMj0gqrzo97UnIHFnAZPE0irWRkvJk JcjA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=bpIE1xt9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h1si19529412ioq.17.2021.06.15.05.10.02; Tue, 15 Jun 2021 05:10:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=bpIE1xt9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230383AbhFOMJn (ORCPT + 99 others); Tue, 15 Jun 2021 08:09:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34794 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229983AbhFOMJm (ORCPT ); Tue, 15 Jun 2021 08:09:42 -0400 Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35CBBC061574; Tue, 15 Jun 2021 05:07:38 -0700 (PDT) Received: by mail-ej1-x62c.google.com with SMTP id g8so22182534ejx.1; Tue, 15 Jun 2021 05:07:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F2WOp7laceuxMILuVpXWmQIN4CP/UaKDpQrNGuoiets=; b=bpIE1xt9f4WHxc1LIBkz+TxemnxivXcZLk3PGwB9kZY3wEhtdoaHdaNGjkp0jFD8k1 N1iud+3xq0b+kGQuusZcT2CSyTBCurvuJk3iQ1PecywAzsAAnwEzpDHqQfYUln9+Zoi0 6RqzEA8NfkaBoMoOC+vPlk37DoBwqMlk/1m888jTNKYAB1au9ay8aouvG2bYtURbnkZI XCnW5XJDnlQaL4QXdOvH9KsYWG/mwwG3mMRi5kTARQfWRBO8a25rUlvHJAoa3CI6Y+yF 8mfFFIGh05/+67prKlVF/nksi253pKlnzlwVxYW5cOG3tQ5G7u5SLvfq73fukSLKP2tP LGMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F2WOp7laceuxMILuVpXWmQIN4CP/UaKDpQrNGuoiets=; b=mgdkzI93KEinQ3qkKM6oUwjO5VJJtysgAA8J8u5VSMhES2fQIjDrgqGXky11cmcP0C /cGm52QwjCZj7WgsEt+U8q4Psza/YD7z4P2A4BRselRqcCMcjsO3SG5Ug0bZWTPVl5zA C56T8WNkWAQ7nhhttAtMoOtHM7uaV1wZt3ucqf47qqgWyIFDiDQpo9G2cOJ1VOPbIYyy FmbwHuJzI57fKsem7uaLiww98d4NXY92lhMJDxYdZMwiA5f0SCMWDLSh+bY/GA7AbHhU Pdq7kW5ve/SR2fzE6NKGoUXqmuHwWPedDwuXLTKyZT5ugOYWfMf8N+oZt/dLwGqhlp4z PUPg== X-Gm-Message-State: AOAM531Dti6SR9C8W104FFkno90Vs5HAjDmnzJISH9vHntrw+1RklMJZ zEc0Q3gUJjl7dD9SH2oGCgxNwRWcxTcewYrGdBE= X-Received: by 2002:a17:906:7f0e:: with SMTP id d14mr20030316ejr.103.1623758856683; Tue, 15 Jun 2021 05:07:36 -0700 (PDT) MIME-Version: 1.0 References: <20210614153712.2172662-1-mudongliangabcd@gmail.com> In-Reply-To: From: Dongliang Mu Date: Tue, 15 Jun 2021 20:07:10 +0800 Message-ID: Subject: Re: [PATCH] net: usb: fix possible use-after-free in smsc75xx_bind To: Greg KH Cc: Steve Glendinning , "David S. Miller" , Jakub Kicinski , Pavel Skripkin , netdev@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 15, 2021 at 7:12 PM Greg KH wrote: > > On Tue, Jun 15, 2021 at 06:24:17PM +0800, Dongliang Mu wrote: > > On Tue, Jun 15, 2021 at 6:10 PM Dongliang Mu wrote: > > > > > > On Tue, Jun 15, 2021 at 5:44 PM Greg KH wrote: > > > > > > > > On Tue, Jun 15, 2021 at 03:56:32PM +0800, Dongliang Mu wrote: > > > > > On Tue, Jun 15, 2021 at 3:38 PM Greg KH wrote: > > > > > > > > > > > > On Mon, Jun 14, 2021 at 11:37:12PM +0800, Dongliang Mu wrote: > > > > > > > The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") > > > > > > > fails to clean up the work scheduled in smsc75xx_reset-> > > > > > > > smsc75xx_set_multicast, which leads to use-after-free if the work is > > > > > > > scheduled to start after the deallocation. In addition, this patch also > > > > > > > removes one dangling pointer - dev->data[0]. > > > > > > > > > > > > > > This patch calls cancel_work_sync to cancel the schedule work and set > > > > > > > the dangling pointer to NULL. > > > > > > > > > > > > > > Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") > > > > > > > Signed-off-by: Dongliang Mu > > > > > > > --- > > > > > > > drivers/net/usb/smsc75xx.c | 3 +++ > > > > > > > 1 file changed, 3 insertions(+) > > > > > > > > > > > > > > diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c > > > > > > > index b286993da67c..f81740fcc8d5 100644 > > > > > > > --- a/drivers/net/usb/smsc75xx.c > > > > > > > +++ b/drivers/net/usb/smsc75xx.c > > > > > > > @@ -1504,7 +1504,10 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) > > > > > > > return 0; > > > > > > > > > > > > > > err: > > > > > > > + cancel_work_sync(&pdata->set_multicast); > > > > > > > kfree(pdata); > > > > > > > + pdata = NULL; > > > > > > > > > > > > Why do you have to set pdata to NULL afterward? > > > > > > > > > > > > > > > > It does not have to. pdata will be useless when the function exits. I > > > > > just referred to the implementation of smsc75xx_unbind. > > > > > > > > It's wrong there too :) > > > > > > /: I will fix such two sites in the v2 patch. > > > > Hi gregkh, > > > > If the schedule_work is not invoked, can I call > > ``cancel_work_sync(&pdata->set_multicast)''? > > Why can you not call this then? I don't know the internal of schedule_work and cancel_work_sync, so I ask this question to confirm my patch does not introduce any new issues. > > Did you try it and see? Yes, I thought up a method and tested it in my local workspace. First, I reproduced the memory leak in smsc75xx_bind [1] since the PoC triggered an error before schedule_work. Then, I merged two patches, and run the PoC. The result showed that my patch does not trigger any new issues even the schedule_work is not called. [1] https://syzkaller.appspot.com/bug?id=c978ec308a1b89089a17ff48183d70b4c840dfb0 > > thanks, > > greg k-h