Date: Fri, 10 Nov 2017 11:35:52 -0600
Message-ID: <20171110113552.Horde.eGcnMRStkxzNDhQOqlhnkI5@gator4166.hostgator.com>
From: "Gustavo A. R. Silva"
To: Andrey Konovalov
Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media@vger.kernel.org, Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Subject: Re: [PATCH] au0828: fix use-after-free at USB probing
References: <20171110002134.GA32019@embeddedor.com>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Andrey Konovalov:

> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva wrote:
>> Hi Andrey,
>>
>> Could you please try this patch?
>>
>> Thank you
>
> Hi Gustavo,
>
> With your patch I get a different crash. Not sure if it's another bug
> or the same one manifesting differently.
>

That's the same one. It seems that the best solution is to remove the kfree after the mutex_unlock and let the device resources be freed in au0828_usb_disconnect.

Please try the following patch instead.

I appreciate your help.

Thank you, Andrey.

---
 drivers/media/usb/au0828/au0828-core.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..257ae0d 100644
--- a/drivers/media/usb/au0828/au0828-core.c +++ b/drivers/media/usb/au0828/au0828-core.c 
@@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface *interface, pr_err("%s() au0282_dev_register failed to register on V4L2\n", __func__); mutex_unlock(&dev->lock); - kfree(dev); goto done; } -- 2.7.4 > au0828: recv_control_msg() Failed receiving control message, error -71. > au0828: recv_control_msg() Failed receiving control message, error -71. > au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5) > usb 1-1: selecting invalid altsetting 5 > au0828: Failure setting usb interface0 to as5 > au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2 > au0828: probe of 1-1:0.0 failed with error -22 > usb 1-1: USB disconnect, device number 2 > ================================================================== > BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3 > Read of size 8 at addr ffff8800641d0410 by task kworker/0:1/24 > > CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted > 4.14.0-rc5-43687-g72e555fa3d2e-dirty #105 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:16 > dump_stack+0xc1/0x11f lib/dump_stack.c:52 > print_address_description+0x71/0x234 mm/kasan/report.c:252 > kasan_report_error mm/kasan/report.c:351 > kasan_report+0x173/0x270 mm/kasan/report.c:409 > __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430 > __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54 > __list_del_entry ./include/linux/list.h:116 > list_del_init ./include/linux/list.h:158 > device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149 > device_del+0x55f/0xa30 drivers/base/core.c:1986 > usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170 > usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 > hub_port_connect drivers/usb/core/hub.c:4754 > hub_port_connect_change drivers/usb/core/hub.c:5009 > port_event drivers/usb/core/hub.c:5115 > hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195 > 
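Review bot: with `kfree(dev)` removed, the `goto done` path hands the half-initialised device to `au0828_usb_disconnect(interface)` (the `done:` label is visible in the quoted v1 hunk below), so correctness now rests on that function tolerating a device whose analog registration failed part-way and freeing `dev` exactly once on that path; please spell out in the changelog why that holds, because a reader who sees only this one-line removal may take it for a leak. The patch as posted also carries no changelog or Signed-off-by above the diffstat; the formal resubmission should add both, plus a Reported-by for the syzkaller report in this thread.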
process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119 > process_scheduled_works kernel/workqueue.c:2179 > worker_thread+0x689/0xea0 kernel/workqueue.c:2255 > kthread+0x334/0x400 kernel/kthread.c:231 > ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 > > The buggy address belongs to the page: > page:ffffea0001907400 count:0 mapcount:-127 mapping: (null) > index:0x0 > flags: 0x100000000000000() > raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80 > raw: ffffea00018a8f20 ffff88007fffa690 0000000000000002 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ffff8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >> ffff8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ^ > ffff8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ffff8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ================================================================== > > Thanks! > >> >> >> The device is typically freed on failure after trying to set >> USB interface0 to as5 in function au0828_analog_register. >> >> Fix use-after-free by returning the error value immediately >> after failure, instead of jumping to au0828_usb_disconnect >> where _dev_ is also freed. >> >> Signed-off-by: Gustavo A. R. Silva >> --- >> drivers/media/usb/au0828/au0828-core.c | 3 +-- >> 1 file changed, 1 insertion(+), 2 deletions(-) >> >> diff --git a/drivers/media/usb/au0828/au0828-core.c >> b/drivers/media/usb/au0828/au0828-core.c >> index cd363a2..b4abd90 100644 >> --- a/drivers/media/usb/au0828/au0828-core.c >> +++ b/drivers/media/usb/au0828/au0828-core.c >> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct >> usb_interface *interface, >> __func__); >> mutex_unlock(&dev->lock); >> kfree(dev); >> - goto done; >> + return retval; >> } >> >> /* Digital TV */ 
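Review bot: replacing `goto done` with `return retval` keeps `kfree(dev)` in the error path but skips `au0828_usb_disconnect(interface)`, so whatever au0828_analog_register managed to register before failing is left pointing at memory that was just freed; the KASAN trace quoted above, a use-after-free in `__list_del_entry_valid` reached from `device_del` during `usb_disconnect`, is the USB core later tearing down exactly such a stale registration. Freeing `dev` in one place only, either here or in the disconnect path, is what actually closes the bug, which is the approach the v2 patch earlier in this mail takes.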
>> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct >> usb_interface *interface, >> >> retval = au0828_media_device_register(dev, usbdev); >> >> -done: >> if (retval < 0) >> au0828_usb_disconnect(interface); >> >> -- >> 2.7.4 >>
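As an added illustration (not code from the au0828 driver or from this thread), the following C model replays the three variants of the probe error path discussed above: the original code (`kfree(dev)` followed by `goto done`), the first patch (`kfree(dev)` followed by `return retval`) and the final one (no `kfree`, `goto done`). The kernel allocator, `usb_set_intfdata()` and the driver core's device list are replaced by instrumented stand-ins so the double free and the dangling registration become countable; all names (`model_probe`, `struct mdev`, `enum variant`) are invented for the model.

```c
/* Model of the au0828 probe/disconnect ownership problem (constructed example). */
#include <string.h>

struct mdev {                  /* stands in for struct au0828_dev */
    int freed;                 /* how many times kfree() was called on it */
    int registered;            /* still on the modelled driver-core list */
};

struct outcome { int frees; int uaf_reads; int dangling; };

static struct mdev slot;       /* the single kzalloc'd object */
static struct mdev *intfdata;  /* usb_get_intfdata()/usb_set_intfdata() */
static struct mdev *core_list; /* the driver core's view of registered devices */
static int uaf_reads;

static void model_kfree(struct mdev *d) { d->freed++; }

/* Read a field, counting the access as a use-after-free if the object is gone. */
static int read_registered(struct mdev *d) {
    if (d->freed) uaf_reads++;
    return d->registered;
}

/* au0828_usb_disconnect(): unregister what probe registered, then free once. */
static void model_disconnect(void) {
    struct mdev *d = intfdata;
    if (d && read_registered(d)) { core_list = NULL; d->registered = 0; }
    intfdata = NULL;
    if (d) model_kfree(d);
}

enum variant { ORIGINAL, V1_RETURN, V2_NO_KFREE };

/* au0828_usb_probe() when au0828_analog_register() fails part-way through. */
struct outcome model_probe(enum variant v) {
    struct outcome o;
    memset(&slot, 0, sizeof slot); uaf_reads = 0;
    intfdata = &slot;                          /* usb_set_intfdata(interface, dev) */
    slot.registered = 1; core_list = &slot;    /* partial registration before failure */
    if (v != V2_NO_KFREE) model_kfree(&slot);  /* the kfree(dev) in the error path */
    if (v != V1_RETURN) model_disconnect();    /* goto done -> au0828_usb_disconnect() */
    o.frees = slot.freed;
    o.uaf_reads = uaf_reads;
    o.dangling = (core_list != NULL && core_list->freed); /* freed but still registered */
    return o;
}
```

The original path frees twice and reads freed memory, the `return retval` variant frees once but leaves the core list pointing at freed memory (the stale registration the quoted KASAN trace trips over later), and only the final variant frees exactly once with nothing left dangling.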