Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp616258imi;
        Thu, 21 Jul 2022 07:41:22 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vL6U9l0eKux0zbU1IWGjRfbF5cKeioPq0H9xxWc6vsYejAG2mkNcW5WOHKyaq6/C/Ch5yf
X-Received: by 2002:a05:6870:51ce:b0:10d:4691:7bd9 with SMTP id b14-20020a05687051ce00b0010d46917bd9mr5059475oaj.185.1658414482007;
        Thu, 21 Jul 2022 07:41:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658414482; cv=none;
        d=google.com; s=arc-20160816;
        b=0iy5BsMwBy4S5U5lxDyfO/yX0ZjusH1LXH7MXe2QtCCHnr4ThphGg9TagOfsRej4VX
         YgnuCAyv/2z8Il29kZOGVD/AcsVnVn30k/b3SGy6CvAOEIKmoM/GyYbXXU+vwxXf4yZ+
         jZ5OBou1pEyHFvxpwjxZizna93kKGNXXCcbf9T5gfpdvoYwcCAvzPGwROpeF928JPQ+N
         VtIbgr4nB8C/cBUDckWcLiVh0Ys62DqQnCrQ6QrbT4kQ2q++fQdRCYtw3QV93ZsYiq1P
         lbnn3z94PsIxIjVXtmCIc/XMOmTFaviFgkTjoDGO8HyCMpfNRQc9iy536kN4RggVtKes
         z4qg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=IMCOXMKM7n97C6UoiONBKv9OXoLa5MlhwNiFvc9+ebo=;
        b=t07tAqhHyhu4UAndwWbSngUOtTXTm2GYmLNMBdElNzqjiOsA3InPEbQ01Xw0Rbq88+
         i3w+QOQjGicPMVm+3nkECTbsVilVr6IGoDwFdv6TDXxPmYGd8c684e8vzlsq43cBPQbZ
         z8a/lF7YmQxJd1eGlpLkt5XBE3IHAJckOqtyG9CWgaAbMVgiI1a0955ikjeZxkhxivqC
         4NS7vJ0TjyuG3Kp9NQaQhwkuGkfdUwHcmuJ8x5BrbiAXEy57zwhiX3bBi49xJM+2WkDi
         fJE5OV3DTrANMusxTvRarDW9iD0JFiGW0w2lDcmq/VYe5PkAzfUREQxf+PhSyYM/dxga
         LX6g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id u6-20020a056808150600b0033a5f055762si1741283oiw.48.2022.07.21.07.41.08;
        Thu, 21 Jul 2022 07:41:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230151AbiGUN6t (ORCPT <rfc822;alexzyp@gmail.com> + 99 others);
        Thu, 21 Jul 2022 09:58:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38774 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229778AbiGUN6r (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Jul 2022 09:58:47 -0400
Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5])
        by lindbergh.monkeyblade.net (Postfix) with SMTP id F069C30F7A
        for <linux-kernel@vger.kernel.org>; Thu, 21 Jul 2022 06:58:42 -0700 (PDT)
Received: (qmail 230677 invoked by uid 1000); 21 Jul 2022 09:58:42 -0400
Date:   Thu, 21 Jul 2022 09:58:42 -0400
From:   Alan Stern <stern@rowland.harvard.edu>
To:     syzbot <syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com>
Cc:     andriy.shevchenko@linux.intel.com, balbi@kernel.org,
        gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
        linux-usb@vger.kernel.org, rogerq@ti.com,
        syzkaller-bugs@googlegroups.com, zhengdejin5@gmail.com
Subject: Re: [syzbot] KASAN: use-after-free Read in usb_udc_uevent
Message-ID: <YtlbkmVGJyhO4kR6@rowland.harvard.edu>
References: <0000000000004de90405a719c951@google.com>
 <000000000000d36e8705e4406a16@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000000000000d36e8705e4406a16@google.com>
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS autolearn=no
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 20, 2022 at 11:03:24AM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    cb71b93c2dc3 Add linux-next specific files for 20220628
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=172591aa080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=badbc1adb2d582eb
> dashboard link: https://syzkaller.appspot.com/bug?extid=b0de012ceb1e2a97891b
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ab4d62080000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
> Read of size 8 at addr ffff888078ce2050 by task udevd/2968
> 
> CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:317 [inline]
>  print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
>  kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
>  usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
>  dev_uevent+0x290/0x770 drivers/base/core.c:2424
>  uevent_show+0x1b8/0x380 drivers/base/core.c:2480

It looks like the usb_udc_uevent call races with gadget removal.  The 
problem is that usb_udc_uevent accesses udc->driver but does not hold 
the udc_lock mutex (which protects this field) while doing so.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ cb71b93c2dc3

Index: usb-devel/drivers/usb/gadget/udc/core.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/core.c
+++ usb-devel/drivers/usb/gadget/udc/core.c
@@ -1728,13 +1728,14 @@ static int usb_udc_uevent(struct device
 		return ret;
 	}
 
-	if (udc->driver) {
+	mutex_lock(&udc_lock);
+	if (udc->driver)
 		ret = add_uevent_var(env, "USB_UDC_DRIVER=%s",
 				udc->driver->function);
-		if (ret) {
-			dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
-			return ret;
-		}
+	mutex_unlock(&udc_lock);
+	if (ret) {
+		dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
+		return ret;
 	}
 
 	return 0;