From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tong Zhang, Ulf Hansson, Sasha Levin, linux-mmc@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 51/85] memstick: rtsx_usb_ms: fix UAF
Date: Sun, 4 Jul 2021 19:03:46 -0400
Message-Id: <20210704230420.1488358-51-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210704230420.1488358-1-sashal@kernel.org>
References: <20210704230420.1488358-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tong Zhang

[ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ]

This patch fixes the following issues:

1. memstick_free_host() will free the host, so the use of ms_dev(host)
   after it will be a problem. To fix this, move memstick_free_host()
   to after we are done with ms_dev(host).

2. In rtsx_usb_ms_drv_remove(), pm needs to be disabled before we remove
   and free the host, otherwise memstick_check will be called and a UAF
   will happen.

[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[ 11.357376] platform_remove+0x2a/0x50
[ 11.367531] Freed by task 298:
[ 11.368537] kfree+0xa4/0x2a0
[ 11.368711] device_release+0x51/0xe0
[ 11.368905] kobject_put+0xa2/0x120
[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
[ 11.369386] platform_remove+0x2a/0x50

[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
[ 12.045432] mutex_lock+0xc9/0xd0
[ 12.046080] memstick_check+0x6a/0x578 [memstick]
[ 12.046509] process_one_work+0x46d/0x750
[ 12.052107] Freed by task 297:
[ 12.053115] kfree+0xa4/0x2a0
[ 12.053272] device_release+0x51/0xe0
[ 12.053463] kobject_put+0xa2/0x120
[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
[ 12.053939] platform_remove+0x2a/0x50
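The two ordering mistakes described above (using ms_dev(host) after memstick_free_host(), and letting runtime PM queue memstick_check() against a host that is already gone) can be modelled outside the kernel. The following is an added example, not code from the patch or from the memstick driver: the functions named after kernel APIs are hypothetical user-space stand-ins that only track object lifetime, the "freed" host keeps its memory (the way a KASAN quarantine does) so that every later access can be counted, and the driver functions reproduce the before and after orderings of the two hunks.

```c
/* Added example (not kernel code): user-space model of the teardown-order
 * use-after-free fixed by this patch. All helpers are hypothetical stand-ins
 * for the kernel APIs of the same name; they only track lifetime. */
#include <stdio.h>
#include <stdlib.h>

struct device { int pm_enabled; };

struct memstick_host {
    struct device dev;   /* first member, so ms_dev(host) == &host->dev */
    int registered;
    int freed;           /* set by memstick_free_host(); memory is kept
                            (like a KASAN quarantine) so accesses are counted */
};

static int uaf_count;                        /* accesses to a freed host */
static struct memstick_host *pending_check;  /* queued memstick_check() work */

static struct memstick_host *memstick_alloc_host(void)
{
    struct memstick_host *h = calloc(1, sizeof *h);
    if (h) { h->dev.pm_enabled = 1; h->registered = 1; }
    return h;
}

/* ms_dev(): any access to host->dev after the free is a use-after-free */
static struct device *ms_dev(struct memstick_host *host)
{
    if (host->freed) uaf_count++;
    return &host->dev;
}

/* memstick_check(): the real one takes host->lock; on a freed host that is
 * the __mutex_lock UAF shown in the second KASAN report */
static void memstick_check(struct memstick_host *host)
{
    if (host->freed) uaf_count++;
}

/* runtime-PM put: while PM is still enabled the driver's PM callback ends up
 * queueing memstick_check() for this host (the path the description names) */
static void pm_runtime_put(struct device *dev)
{
    if (dev->pm_enabled)
        pending_check = (struct memstick_host *)dev; /* container_of in kernel terms */
}
static void pm_runtime_put_noidle(struct device *dev) { (void)dev; }
static void pm_runtime_disable(struct device *dev) { dev->pm_enabled = 0; }

static void memstick_remove_host(struct memstick_host *host)
{
    host->registered = 0;
    if (pending_check == host) pending_check = NULL; /* flushes queued work */
}
static void memstick_free_host(struct memstick_host *host) { host->freed = 1; }

static void run_pending_work(void)
{
    if (pending_check) { memstick_check(pending_check); pending_check = NULL; }
}

/* probe err_out path, original order: host freed, then ms_dev(host) twice */
static int probe_err_out_before(struct memstick_host *host)
{
    uaf_count = 0;
    memstick_free_host(host);
    pm_runtime_disable(ms_dev(host));
    pm_runtime_put_noidle(ms_dev(host));
    return uaf_count;                     /* 2 */
}
/* probe err_out path, patched order: free is the last step */
static int probe_err_out_after(struct memstick_host *host)
{
    uaf_count = 0;
    pm_runtime_disable(ms_dev(host));
    pm_runtime_put_noidle(ms_dev(host));
    memstick_free_host(host);
    return uaf_count;                     /* 0 */
}
/* drv_remove, original order: PM still enabled when the host is freed */
static int drv_remove_before(struct memstick_host *host)
{
    uaf_count = 0;
    memstick_remove_host(host);
    memstick_free_host(host);
    pm_runtime_put(ms_dev(host));         /* UAF in ms_dev(); queues memstick_check */
    pm_runtime_disable(ms_dev(host));     /* UAF in ms_dev() */
    run_pending_work();                   /* UAF inside memstick_check() */
    return uaf_count;                     /* 3 */
}
/* drv_remove, patched order: PM disabled first, host removed, then freed */
static int drv_remove_after(struct memstick_host *host)
{
    uaf_count = 0;
    pm_runtime_put(ms_dev(host));
    pm_runtime_disable(ms_dev(host));
    memstick_remove_host(host);           /* flushes the queued check */
    memstick_free_host(host);
    run_pending_work();
    return uaf_count;                     /* 0 */
}

int main(void)
{
    printf("probe err_out: before=%d after=%d\n",
           probe_err_out_before(memstick_alloc_host()),
           probe_err_out_after(memstick_alloc_host()));
    printf("drv_remove:    before=%d after=%d\n",
           drv_remove_before(memstick_alloc_host()),
           drv_remove_after(memstick_alloc_host()));
    return 0;
}
```

The model counts three accesses in the original remove path (two through ms_dev() and one from the deferred memstick_check()), matching the two distinct KASAN reports above, and none once runtime PM is disabled before the host is removed and freed.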
Signed-off-by: Tong Zhang Co-developed-by: Ulf Hansson Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin --- drivers/memstick/host/rtsx_usb_ms.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c index 102dbb8080da..29271ad4728a 100644 --- a/drivers/memstick/host/rtsx_usb_ms.c +++ b/drivers/memstick/host/rtsx_usb_ms.c @@ -799,9 +799,9 @@ static int rtsx_usb_ms_drv_probe(struct platform_device *pdev) return 0; err_out: - memstick_free_host(msh); pm_runtime_disable(ms_dev(host)); pm_runtime_put_noidle(ms_dev(host)); + memstick_free_host(msh); return err; } @@ -828,9 +828,6 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev) } mutex_unlock(&host->host_mutex); - memstick_remove_host(msh); - memstick_free_host(msh); - /* Balance possible unbalanced usage count * e.g. unconditional module removal */ @@ -838,10 +835,11 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev) pm_runtime_put(ms_dev(host)); pm_runtime_disable(ms_dev(host)); - platform_set_drvdata(pdev, NULL); - + memstick_remove_host(msh); dev_dbg(ms_dev(host), ": Realtek USB Memstick controller has been removed\n"); + memstick_free_host(msh); + platform_set_drvdata(pdev, NULL); return 0; } -- 2.30.2
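Review bot: the reordering in the err_out hunk of rtsx_usb_ms_drv_probe() is the right fix but leaves nothing to stop it regressing: ms_dev(host) dereferences the host that memstick_free_host(msh) releases (the first KASAN report shows the kfree via device_release/kobject_put), so both pm_runtime_disable() and pm_runtime_put_noidle() must run before the free. Suggest a one-line comment above the moved memstick_free_host(msh), e.g. "must be last: host is gone after this", so a later cleanup step is not appended after it.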
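Review bot: in the second hunk of rtsx_usb_ms_drv_remove() the deleted memstick_remove_host()/memstick_free_host() pair leaves the "Balance possible unbalanced usage count" comment standing directly after mutex_unlock(), where it now reads as the start of teardown rather than a step that deliberately precedes host removal. Since the whole point of the change is that runtime PM is disabled before the host is removed and freed (otherwise memstick_check() can still be scheduled, per the description), suggest extending that comment to state the required order, as the code itself does not enforce it.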
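Review bot: the final hunk of rtsx_usb_ms_drv_remove() carries the actual ordering guarantee and it checks out: memstick_remove_host(msh) now runs only after pm_runtime_disable(), the dev_dbg(ms_dev(host), ...) call still dereferences host and so correctly stays before memstick_free_host(msh), and platform_set_drvdata(pdev, NULL) touches only pdev, so placing it after the free is safe. One small point: the dev_dbg line says the controller "has been removed" while the host is still allocated; consider moving the message after memstick_free_host() is not possible (ms_dev(host) would be a UAF again), so rewording it to "is being removed" would make the log accurate without changing the order.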