From: Zheng Hacker
Date: Fri, 14 Apr 2023 00:46:08 +0800
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
To: Greg KH
Cc: Yongqin Liu, John Stultz, Zheng Wang, Sumit Semwal, arnd@arndb.de, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Mauro Carvalho Chehab
References: <20230312145305.1908607-1-zyytlz.wz@163.com> <2023041308-nerd-dry-98a6@gregkh> <2023041308-unvisited-slinky-a56f@gregkh>
In-Reply-To: <2023041308-unvisited-slinky-a56f@gregkh>
List: linux-kernel@vger.kernel.org

Greg KH wrote on Thu, 13 Apr 2023 at 23:56:
>
> On Thu, Apr 13, 2023 at 11:35:17PM +0800, Zheng Hacker wrote:
> > Greg KH wrote on Thu, 13 Apr 2023 at 20:48:
> > >
> > > On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> > > > Yongqin Liu wrote on Thu, 13 Apr 2023 at 18:55:
> > > > >
> > > > > Hi, Zheng
> > > > >
> > > > > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker wrote:
> > > > > >
> > > > > > Friendly ping about the bug.
> > > > >
> > > > > Sorry, wasn't aware of this message before,
> > > > >
> > > > > Could you please help share the instructions to reproduce the problem
> > > > > this change fixes?
> > > > >
> > > >
> > > > Hi Yongqin,
> > > >
> > > > Thanks for your reply. This bug is found by static analysis. There is no PoC.
> > > >
> > > > From my personal experience, triggering race condition bugs stably in
> > > > the kernel needs some tricks.
> > > > For example, you can insert some sleep-time code to slow down the
> > > > thread until the related object is freed.
> > > > Besides, you can use gdb to control the time window. Also, there are
> > > > some other tricks as [1] said.
> > > >
> > > > As for the reproduction, this attack vector requires that the attacker
> > > > can physically access the device.
> > > > When he/she unplugs the USB, the remove function is triggered, and if
> > > > the set callback is invoked, there might be a race condition.
> > >
> > > How does the removal of the USB device trigger a platform device
> > > removal?
> >
> > Sorry I made a mistake. The USB device usually calls disconnect
> > callback when it's unplugged.
>
> Yes, but you are changing the platform device disconnect, not the USB
> device disconnect.
>
> > What I want to express here is when the driver-related device (here
> > it's USB GPIO Hub) was removed, the remove function is triggered.
>
> And is this a platform device on a USB device? If so, that's a bigger
> problem that we need to fix as that is not allowed.

No, this is not a platform device on a USB device.

> But in looking at the code, it does not seem to be that at all, this is
> just a "normal" platform device. So how can it ever be removed from the
> system? (and no, unloading the driver doesn't count, that can never
> happen on a normal machine.)
>

Yes, I finally figured out your meaning. I know it's hard to unplug the
platform device directly. All I want to express is that it's a theoretical
method except rmmod.

I think it's better to fix the bug. But if the developers think it's
practically impossible, I think there's no need to take further action.

Sorry for wasting your time and thanks for your explanation.

Best regards,
Zheng

> thanks,
>
> greg k-h