From: Zheng Hacker
Date: Thu, 13 Apr 2023 23:35:17 +0800
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
To: Greg KH
Cc: Yongqin Liu, John Stultz, Zheng Wang, Sumit Semwal, arnd@arndb.de, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Mauro Carvalho Chehab
References: <20230312145305.1908607-1-zyytlz.wz@163.com> <2023041308-nerd-dry-98a6@gregkh>
In-Reply-To: <2023041308-nerd-dry-98a6@gregkh>
X-Mailing-List: linux-kernel@vger.kernel.org

Greg KH wrote on Thursday, 13 April 2023 at 20:48:
>
> On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> > Yongqin Liu wrote on Thursday, 13 April 2023 at 18:55:
> > >
> > > Hi, Zheng
> > >
> > > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker wrote:
> > > >
> > > > Friendly ping about the bug.
> > >
> > > Sorry, wasn't aware of this message before.
> > >
> > > Could you please help share the instructions to reproduce the problem
> > > this change fixes?
> > >
> >
> > Hi Yongqin,
> >
> > Thanks for your reply. This bug is found by static analysis. There is no PoC.
> >
> > From my personal experience, triggering race condition bugs stably in
> > the kernel needs some tricks.
> > For example, you can insert some sleep-time code to slow down the
> > thread until the related object is freed.
> > Besides, you can use gdb to control the time window. Also, there are
> > some other tricks as [1] said.
> >
> > As for the reproduction, this attack vector requires that the attacker
> > can physically access the device.
> > When he/she unplugs the USB, the remove function is triggered, and if
> > the set callback is invoked, there might be a race condition.
>
> How does the removal of the USB device trigger a platform device
> removal?

Sorry, I made a mistake. The USB device usually calls the disconnect
callback when it's unplugged. What I want to express here is: when the
driver-related device (here it's the USB GPIO Hub) is removed, the remove
function is triggered.

>
> Are you sure this can be triggered by some other way other than manually
> unloading the driver?

As I didn't make a PoC, I'm not 100 percent sure about that.

Best regards,
Zheng

>
> thanks,
>
> greg k-h
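Added illustration, not part of this thread and not the patch it discusses (the diff is not quoted here): a constructed userspace C model of the ordering at issue, a "set" callback that defers work which dereferences the device object, and a remove path that must cancel that work before the object is freed. All names (hub_dev, hub_set_role, relay_work, the one-slot workqueue standing in for schedule_work/cancel_work_sync) are hypothetical, and the check on the freed flag stands in for what would be a real use-after-free in the kernel.

```c
#include <stdlib.h>
/* Constructed model, not the hisi_hikey_usb driver: a single-slot "workqueue"
 * stands in for schedule_work()/cancel_work_sync() and a worker thread. */
struct work_struct { void (*fn)(struct work_struct *); };
static struct work_struct *queued;                     /* the one pending item */
static void schedule_work(struct work_struct *w) { queued = w; }
static void cancel_work_sync(struct work_struct *w) { if (queued == w) queued = NULL; }
static void run_worker(void)                           /* worker runs some time later */
{
    struct work_struct *w = queued;
    queued = NULL;
    if (w)
        w->fn(w);
}

struct hub_dev {
    struct work_struct work;    /* first member, so (struct hub_dev *)w is container_of */
    int role;
    int freed;                  /* models the memory being handed back to the allocator */
};
static int touched_after_free;  /* what KASAN would flag in the real kernel */

/* Deferred half of the "set" callback: dereferences the device object. */
static void relay_work(struct work_struct *w)
{
    struct hub_dev *dev = (struct hub_dev *)w;
    if (dev->freed) { touched_after_free = 1; return; }  /* real kernel: use-after-free */
    dev->role++;
}
/* The role-switch "set" callback only queues the work and returns. */
static void hub_set_role(struct hub_dev *dev) { schedule_work(&dev->work); }
/* Buggy remove: frees while the set callback's work may still be queued. */
static void remove_buggy(struct hub_dev *dev) { dev->freed = 1; }
/* Fixed remove: quiesce the deferred work before the object goes away. */
static void remove_fixed(struct hub_dev *dev) { cancel_work_sync(&dev->work); dev->freed = 1; }

/* Set callback fires, device is removed, worker runs last. Returns 1 on UAF. */
int race_scenario(void (*remove_fn)(struct hub_dev *))
{
    struct hub_dev *dev = calloc(1, sizeof *dev);
    dev->work.fn = relay_work;
    touched_after_free = 0;
    hub_set_role(dev);
    remove_fn(dev);
    run_worker();
    int hit = touched_after_free;
    free(dev);
    return hit;
}
```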