From: Zheng Hacker
Date: Fri, 21 Apr 2023 10:35:04 +0800
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
To: Yongqin Liu
Cc: Greg KH, John Stultz, Zheng Wang, Sumit Semwal, arnd@arndb.de, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Mauro Carvalho Chehab
References: <20230312145305.1908607-1-zyytlz.wz@163.com> <2023041308-nerd-dry-98a6@gregkh> <2023041308-unvisited-slinky-a56f@gregkh>
X-Mailing-List: linux-kernel@vger.kernel.org

Yongqin Liu wrote on Thu, 20 Apr 2023 at 14:31:
>
> Hi, Zheng
>
> BTW, I just see cancel_delayed_work_sync is used in
> the drivers/usb/common/usb-conn-gpio.c usb_conn_remove function.
> https://android.googlesource.com/kernel/common/+/refs/heads/android-mainline/drivers/usb/common/usb-conn-gpio.c#274
>
> I know nothing about the cancel_delayed_work_sync and cancel_work_sync
> functions,
> just for your information in case cancel_delayed_work_sync might be
> better to be used here.
>

Hi Yongqin,

Thanks for your kind reminder. cancel_delayed_work_sync is used with
INIT_DELAYED_WORK and queue_delayed_work. This is used to start a work
after some time, while schedule_work means start it immediately.

In this case, the &hisi_hikey_usb->work is initialized with INIT_WORK
and scheduled with schedule_work. So I think we'd better use
cancel_work_sync here.

I'm also not so familiar with the code. If there's something wrong
with it, please feel free to let me know.

Best regards,
Zheng

> Thanks,
> Yongqin Liu
>
> On Tue, 18 Apr 2023 at 21:18, Zheng Hacker wrote:
> >
> > Yongqin Liu wrote on Tue, 18 Apr 2023 at 01:31:
> > >
> > > Hi, Zheng
> > >
> > > Sorry for the late reply.
> > >
> > > I tested this change with Android build based on the ACK
> > > android-mainline branch.
> > > The hisi_hikey_usb module could not be removed with error like this:
> > > console:/ # rmmod -f hisi_hikey_usb
> > > rmmod: failed to unload hisi_hikey_usb: Try again
> > > 1|console:/ #
> > > Sorry I am not able to reproduce any problem without this commit,
> > > but I do not see any problem with this change applied either.
> > >
> > > If there are any specific things you want to check, please feel free to let me know
> > >
> >
> > Hi Yongqin,
> >
> > Thanks for your testing. I have no more questions about the issue.
> >
> > Best regards,
> > Zheng
> >
> > > Thanks,
> > > Yongqin Liu
> > >
> > >
> > > On Fri, 14 Apr 2023 at 00:46, Zheng Hacker wrote:
> > > >
> > > > Greg KH wrote on Thu, 13 Apr 2023 at 23:56:
> > > > >
> > > > > On Thu, Apr 13, 2023 at 11:35:17PM +0800, Zheng Hacker wrote:
> > > > > > Greg KH wrote on Thu, 13 Apr 2023 at 20:48:
> > > > > > >
> > > > > > > On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> > > > > > > > Yongqin Liu wrote on Thu, 13 Apr 2023 at 18:55:
> > > > > > > > >
> > > > > > > > > Hi, Zheng
> > > > > > > > >
> > > > > > > > > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker wrote:
> > > > > > > > > >
> > > > > > > > > > Friendly ping about the bug.
> > > > > > > > >
> > > > > > > > > Sorry, wasn't aware of this message before,
> > > > > > > > >
> > > > > > > > > Could you please help share the instructions to reproduce the problem
> > > > > > > > > this change fixes?
> > > > > > > > >
> > > > > > > >
> > > > > > > > Hi Yongqin,
> > > > > > > >
> > > > > > > > Thanks for your reply. This bug is found by static analysis. There is no PoC.
> > > > > > > >
> > > > > > > > From my personal experience, triggering race condition bugs stably in
> > > > > > > > the kernel needs some tricks.
> > > > > > > > For example, you can insert some sleep-time code to slow down the
> > > > > > > > thread until the related object is freed.
> > > > > > > > Besides, you can use gdb to control the time window. Also, there are
> > > > > > > > some other tricks as [1] said.
> > > > > > > >
> > > > > > > > As for the reproduction, this attack vector requires that the attacker
> > > > > > > > can physically access the device.
> > > > > > > > When he/she unplugs the USB, the remove function is triggered, and if
> > > > > > > > the set callback is invoked, there might be a race condition.
> > > > > > >
> > > > > > > How does the removal of the USB device trigger a platform device
> > > > > > > removal?
> > > > > >
> > > > > > Sorry I made a mistake. The USB device usually calls disconnect
> > > > > > callback when it's unplugged.
> > > > >
> > > > > Yes, but you are changing the platform device disconnect, not the USB
> > > > > device disconnect.
> > > > >
> > > > > > What I want to express here is when the driver-related device (here
> > > > > > it's USB GPIO Hub) was removed, the remove function is triggered.
> > > > >
> > > > > And is this a platform device on a USB device?  If so, that's a bigger
> > > > > problem that we need to fix as that is not allowed.
> > > >
> > > > No this is not a platform device on a USB device.
> > > >
> > > > >
> > > > > But in looking at the code, it does not seem to be that at all, this is
> > > > > just a "normal" platform device.  So how can it ever be removed from the
> > > > > system?  (and no, unloading the driver doesn't count, that can never
> > > > > happen on a normal machine.)
> > > > >
> > > >
> > > > Yes, I finally figured out your meaning. I know it's hard to unplug
> > > > the platform device
> > > > directly. All I want to express is that it's a theoretical method
> > > > except rmmod. I think it's better to fix the bug. But if the
> > > > developers think it's practically impossible, I think there's no need
> > > > to take further action.
> > > >
> > > > Sorry for wasting your time and thanks for your explanation.
> > > >
> > > > Best regards,
> > > > Zheng
> > > >
> > > > > thanks,
> > > > >
> > > > > greg k-h
> > >
> > >
> > > --
> > > Best Regards,
> > > Yongqin Liu
> > > ---------------------------------------------------------------
> > > #mailing list
> > > linaro-android@lists.linaro.org
> > > http://lists.linaro.org/mailman/listinfo/linaro-android
>
> --
> Best Regards,
> Yongqin Liu
> ---------------------------------------------------------------
> #mailing list
> linaro-android@lists.linaro.org
> http://lists.linaro.org/mailman/listinfo/linaro-android
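Zheng's point about matching the cancel call to the scheduling primitive, as an added userspace model (not the driver's or the kernel's code; the one-slot queue, the struct layout and the usb_role_work name are assumptions): the remove path with and without cancel_work_sync before the object holding the work item is freed.

```c
/* Added example, not the driver's code: userspace model of the INIT_WORK /
 * schedule_work / cancel_work_sync pairing. One-slot queue, struct layout
 * and usb_role_work are assumptions. */
#include <stdbool.h>
#include <stdlib.h>

struct work_struct { void (*func)(struct work_struct *); };
static struct work_struct *pending_work;   /* the whole "workqueue": one slot */

static void INIT_WORK(struct work_struct *w, void (*fn)(struct work_struct *))
{
    w->func = fn;
}

static bool schedule_work(struct work_struct *w)
{
    if (pending_work == w) return false;   /* already queued, like the kernel's */
    pending_work = w;
    return true;
}

static bool cancel_work_sync(struct work_struct *w)
{
    if (pending_work != w) return false;   /* kernel's also waits for a running item */
    pending_work = NULL;
    return true;
}

struct hisi_hikey_usb {
    struct work_struct work;    /* first member, so the cast below is valid */
    int role;
};

static void usb_role_work(struct work_struct *w)
{
    ((struct hisi_hikey_usb *)w)->role = 1;   /* UAF if run after remove() freed dev */
}

/* Model of hisi_hikey_usb_remove(): true if the queue still points at freed memory. */
bool remove_leaves_dangling_work(bool cancel_before_free)
{
    struct hisi_hikey_usb *dev = calloc(1, sizeof(*dev));
    INIT_WORK(&dev->work, usb_role_work);
    schedule_work(&dev->work);             /* a role-switch request still queued */
    if (cancel_before_free)
        cancel_work_sync(&dev->work);      /* the fix: drain before the object goes away */
    free(dev);
    bool dangling = (pending_work != NULL);   /* pointer compare only, never dereferenced */
    pending_work = NULL;                   /* reset; never run the queue on freed memory */
    return dangling;
}
```

Had the work been set up with INIT_DELAYED_WORK and queue_delayed_work, the same drain would need cancel_delayed_work_sync, which also stops the not-yet-fired timer.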