References: <20230312145305.1908607-1-zyytlz.wz@163.com>
From: Zheng Hacker
Date: Thu, 13 Apr 2023 19:12:07 +0800
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
To: Yongqin Liu
Cc: John Stultz, Zheng Wang, Sumit Semwal, arnd@arndb.de, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Mauro Carvalho Chehab

Yongqin Liu wrote on Thu, 13 Apr 2023 at 18:55:
>
> Hi, Zheng
>
> On Thu, 13 Apr 2023 at 16:08, Zheng Hacker wrote:
> >
> > Friendly ping about the bug.
>
> Sorry, wasn't aware of this message before,
>
> Could you please help share the instructions to reproduce the problem
> this change fixes?
>

Hi Yongqin,

Thanks for your reply. This bug was found by static analysis. There is no PoC.
From my personal experience, triggering race condition bugs stably in the
kernel needs some tricks. For example, you can insert some sleep-time code
to slow down the thread until the related object is freed. Besides, you can
use gdb to control the time window. Also, there are some other tricks, as [1]
describes.

As for the reproduction, this attack vector requires that the attacker can
physically access the device. When he/she unplugs the USB, the remove
function is triggered, and if the set callback is invoked, there might be a
race condition.
In practice, you can just use the rmmod command to simulate the unplug
movement, which will also trigger hisi_hikey_usb_remove if there is a real
USB device. If there's some other help I can provide, please feel free to let
me know. Thanks again for your effort.

Best regards,
Zheng

[1] https://www.usenix.org/conference/usenixsecurity21/presentation/lee-yoochan

> Thanks,
> Yongqin Liu
> > Zheng Hacker wrote on Tue, 14 Mar 2023 at 09:01:
> > >
> > > John Stultz wrote on Tue, 14 Mar 2023 at 03:57:
> > > >
> > > > On Sun, Mar 12, 2023 at 7:53 AM Zheng Wang wrote:
> > > > >
> > > > > In hisi_hikey_usb_probe, it called hisi_hikey_usb_of_role_switch
> > > > > and bound &hisi_hikey_usb->work with relay_set_role_switch.
> > > > > When it calls hub_usb_role_switch_set, it will finally call
> > > > > schedule_work to start the work.
> > > > >
> > > > > When we call hisi_hikey_usb_remove to remove the driver, there
> > > > > may be a sequence as follows:
> > > > >
> > > > > Fix it by finishing the work before cleanup in hisi_hikey_usb_remove.
> > > > >
> > > > > CPU0                        CPU1
> > > > >
> > > > >                             |relay_set_role_switch
> > > > > hisi_hikey_usb_remove       |
> > > > > usb_role_switch_put         |
> > > > > usb_role_switch_release     |
> > > > > kfree(sw)                   |
> > > > >                             | usb_role_switch_set_role
> > > > >                             | //use
> > > > >
> > > > > Fixes: 7a6ff4c4cbc3 ("misc: hisi_hikey_usb: Driver to support onboard USB gpio hub on Hikey960")
> > > > > Signed-off-by: Zheng Wang
> > > > > ---
> > > > >  drivers/misc/hisi_hikey_usb.c | 1 +
> > > > >  1 file changed, 1 insertion(+)
> > > > >
> > > > > diff --git a/drivers/misc/hisi_hikey_usb.c b/drivers/misc/hisi_hikey_usb.c
> > > > > index 2165ec35a343..26fc895c4418 100644
> > > > > --- a/drivers/misc/hisi_hikey_usb.c
> > > > > +++ b/drivers/misc/hisi_hikey_usb.c
> > > > > @@ -242,6 +242,7 @@ static int hisi_hikey_usb_probe(struct platform_device *pdev)
> > > > >  static int hisi_hikey_usb_remove(struct platform_device *pdev)
> > > > >  {
> > > > >  	struct hisi_hikey_usb *hisi_hikey_usb = platform_get_drvdata(pdev);
> > > > > +	cancel_work_sync(&hisi_hikey_usb->work);
> > > > >
> > > > >  	if (hisi_hikey_usb->hub_role_sw) {
> > > > >  		usb_role_switch_unregister(hisi_hikey_usb->hub_role_sw);
> > > >
> > > > Looks sane to me.
> > > > Pulling in Sumit and YongQin as they have hardware and can test with it.
> > > >
> > > Hi John,
> > >
> > > Thanks for your reply. Thank Sumit and YongQin for being willing to
> > > test the solution with their hardware.
> > >
> > > Best regards,
> > > Zheng
>
> --
> Best Regards,
> Yongqin Liu
> ---------------------------------------------------------------
> #mailing list
> linaro-android@lists.linaro.org
> http://lists.linaro.org/mailman/listinfo/linaro-android
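Review bot: the new cancel_work_sync(&hisi_hikey_usb->work) call is placed above usb_role_switch_unregister(hisi_hikey_usb->hub_role_sw), but the commit message says hub_usb_role_switch_set is what schedules this work, so a set call arriving between the cancel and the unregister can re-queue the work and reopen the window before the later usb_role_switch_put shown in the CPU0/CPU1 sequence. Consider moving the cancel to after the hub role switch is unregistered (nothing can schedule the work once the switch is gone) and before the role switch is put, and separate the call from the declaration directly above it with a blank line, since checkpatch flags "Missing a blank line after declarations" for the current placement.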