Date: Mon, 3 Jun 2019 10:10:46 -0400 (EDT)
From: Alan Stern
To: Christian Lamparter
Cc: linux-wireless@vger.kernel.org, Kalle Valo, USB list
Subject: Re: [PATCH] carl9170: Fix misuse of device driver API
In-Reply-To: <20190602090622.13656-1-chunkeey@gmail.com>
List: linux-wireless@vger.kernel.org

On Sun, 2 Jun 2019, Christian Lamparter wrote:

> This patch follows Alan Stern's recent patch:
> "p54: Fix race between disconnect and firmware loading"
>
> that overhauled carl9170 buggy firmware loading and driver
> unbinding procedures.
>
> Since the carl9170 code was adapted from p54 it uses the
> same functions and is likely to have the same problem, but
> it's just that the syzbot hasn't reproduced them (yet).
>
> A summary of the changes (copied from the p54 patch):
> * Call usb_driver_release_interface() rather than
> device_release_driver().
>
> * Lock udev (the interface's parent) before unbinding the
> driver instead of locking udev->parent.
>
> * During the firmware loading process, take a reference
> to the USB interface instead of the USB device.
>
> * Don't take an unnecessary reference to the device during
> probe (and then don't drop it during disconnect).
>
> and
>
> * Make sure to prevent use-after-free bugs by explicitly
> setting the driver context to NULL after signaling the
> completion.
>
> Cc:
> Cc: Alan Stern
> Signed-off-by: Christian Lamparter

This basically looks right. However...

> ---
> drivers/net/wireless/ath/carl9170/usb.c | 26 ++++++++++++-------------
> 1 file changed, 12 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
> index e7c3f3b8457d..297a7b877d31 100644
> --- a/drivers/net/wireless/ath/carl9170/usb.c
> +++ b/drivers/net/wireless/ath/carl9170/usb.c
> @@ -128,6 +128,8 @@ static const struct usb_device_id carl9170_usb_ids[] = { > }; > MODULE_DEVICE_TABLE(usb, carl9170_usb_ids); > > +static struct usb_driver carl9170_driver; > + > static void carl9170_usb_submit_data_urb(struct ar9170 *ar) > { > struct urb *urb; > @@ -966,7 +968,7 @@ static int carl9170_usb_init_device(struct ar9170 *ar) > > static void carl9170_usb_firmware_failed(struct ar9170 *ar) > { > - struct device *parent = ar->udev->dev.parent; > + struct usb_interface *intf = ar->intf; > struct usb_device *udev; It looks a little strange to initialize intf in the definition but to initialize udev afterward. Nothing wrong with it, just odd. > > /* > @@ -978,16 +980,15 @@ static void carl9170_usb_firmware_failed(struct ar9170 *ar) > udev = ar->udev; > > complete(&ar->fw_load_wait); > + /* at this point 'ar' could be already freed. Don't use it anymore */ > + ar = NULL; > > /* unbind anything failed */ > - if (parent) > - device_lock(parent); > - > - device_release_driver(&udev->dev); > - if (parent) > - device_unlock(parent); > + usb_lock_device(udev); > + usb_driver_release_interface(&carl9170_driver, intf); > + usb_unlock_device(udev); > > - usb_put_dev(udev); > + usb_put_intf(intf); > } > > static void carl9170_usb_firmware_finish(struct ar9170 *ar) > @@ -1009,7 +1010,7 @@ static void carl9170_usb_firmware_finish(struct ar9170 *ar) > goto err_unrx; > > complete(&ar->fw_load_wait); > - usb_put_dev(ar->udev); > + usb_put_intf(ar->intf); But this could be a problem. As soon as the complete() call runs, ar might be deallocated. The code should copy ar->intf before calling complete(). Alan Stern > return; > > err_unrx: > @@ -1052,7 +1053,6 @@ static int carl9170_usb_probe(struct usb_interface *intf, > return PTR_ERR(ar); > > udev = interface_to_usbdev(intf); > - usb_get_dev(udev); > ar->udev = udev; > ar->intf = intf; > ar->features = id->driver_info; 
> @@ -1094,15 +1094,14 @@ static int carl9170_usb_probe(struct usb_interface *intf, > atomic_set(&ar->rx_anch_urbs, 0); > atomic_set(&ar->rx_pool_urbs, 0); > > - usb_get_dev(ar->udev); > + usb_get_intf(intf); > > carl9170_set_state(ar, CARL9170_STOPPED); > > err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME, > &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2); > if (err) { > - usb_put_dev(udev); > - usb_put_dev(udev); > + usb_put_intf(intf); > carl9170_free(ar); > } > return err; > @@ -1131,7 +1130,6 @@ static void carl9170_usb_disconnect(struct usb_interface *intf) > > carl9170_release_firmware(ar); > carl9170_free(ar); > - usb_put_dev(udev); > } > > #ifdef CONFIG_PM >
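Review bot: in the carl9170_usb_firmware_failed() hunk (@@ -978,16 +980,15 @@) the order complete() first, then usb_lock_device(udev), is load-bearing and deserves a comment next to the new `ar = NULL` one. The USB core calls disconnect() with the device lock held, so if this function took the lock before signalling fw_load_wait, a disconnect() blocked waiting for that completion (the case the new "'ar' could be already freed" comment guards against) could never drop the lock and both sides would deadlock. A line such as `/* complete() must come first: disconnect() holds the device lock while it waits for us */` above `complete(&ar->fw_load_wait);` would keep a later cleanup from reordering it.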
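Review bot: in the carl9170_usb_firmware_finish() hunk (@@ -1009,7 +1010,7 @@) the new line `usb_put_intf(ar->intf);` dereferences ar after `complete(&ar->fw_load_wait);`, which is exactly the use-after-free the previous hunk's comment warns about: once the completion fires, ar may already be gone. Read the pointer first, `struct usb_interface *intf = ar->intf;` before the complete() call, then `usb_put_intf(intf);` after it, mirroring what carl9170_usb_firmware_failed() now does with udev and intf.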
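Review bot: the @@ -1052,7 +1053,6 @@ hunk removes the first `usb_get_dev(udev);` in carl9170_usb_probe(), but the only matching puts this patch removes are the two in the request_firmware_nowait() error path and the one in carl9170_usb_disconnect(). Check every error label between this point and the later `usb_get_intf(intf);` in probe: any path there that still calls usb_put_dev(udev) to balance the reference this line used to take would now drop a reference the driver no longer owns.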
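Review bot: in the @@ -1094,15 +1094,14 @@ hunk the reference taken by `usb_get_intf(intf);` is released in three separate places (the error path just below it, carl9170_usb_firmware_finish() and carl9170_usb_firmware_failed()), and none of the three says so. A one-line comment above the usb_get_intf() call naming where the drop happens, e.g. `/* held across the firmware load; dropped by the firmware callback or the error path below */`, would make the balance auditable, which matters here given that the old code needed two usb_get_dev()/usb_put_dev() pairs in this function to stay balanced.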
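Review bot: the @@ -1131,7 +1130,6 @@ hunk deletes `usb_put_dev(udev);` from carl9170_usb_disconnect() but does not touch the `udev` local it consumed. If that variable existed only to feed this usb_put_dev(), drop its declaration and initialisation in the same patch, otherwise the function ends up with an unused variable and a compiler warning; if disconnect() still uses it elsewhere, nothing further is needed.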
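The ordering rule raised in this review (copy everything you still need out of ar before complete(), because a disconnect() waiting on that completion may free ar the moment it is woken) can be made observable in user space. The following is an added example, not code from the carl9170 driver or from the patch above: usb_interface is reduced to a refcount, "freeing" ar poisons it instead of calling free() so the bad access can be counted, and complete() runs the waiter synchronously to model the worst-case interleaving in which disconnect() wins the race immediately. The names firmware_finish_as_posted and firmware_finish_fixed are mine and mirror the shape of the hunk before and after the suggested change.

```c
/*
 * User-space model of the race discussed above.  All types are stand-ins
 * (assumptions of this example, not kernel definitions): usb_interface is
 * just a refcount, ar9170 holds the pointer the callback needs, and the
 * completion's waiter (disconnect()) runs inside complete() and tears ar
 * down right away.
 */
#include <stddef.h>
#include <stdio.h>

struct usb_interface {
	int refcount;                /* modelled usb_get_intf()/usb_put_intf() */
};

struct ar9170 {
	struct usb_interface *intf;  /* driver context field the callback needs */
	int freed;                   /* set by the stand-in for carl9170_free() */
};

/* Who gets woken by complete(): disconnect(), which then frees ar. */
struct completion {
	struct ar9170 *ctx_freed_on_wake;
};

static int bad_reads;            /* reads of ar after it was "freed" */

static void usb_get_intf(struct usb_interface *intf)
{
	intf->refcount++;
}

static void usb_put_intf(struct usb_interface *intf)
{
	if (intf)
		intf->refcount--;
}

/* complete(): the waiting disconnect() runs and frees ar immediately. */
static void complete(struct completion *c)
{
	struct ar9170 *ar = c->ctx_freed_on_wake;

	if (ar) {
		ar->intf = NULL;     /* poison instead of free() so it is observable */
		ar->freed = 1;
	}
}

/* Guarded field read: a real kernel would crash or trip KASAN here. */
static struct usb_interface *ar_intf(struct ar9170 *ar)
{
	if (ar->freed) {
		bad_reads++;
		return NULL;
	}
	return ar->intf;
}

/* Shape of the hunk under review: ar is read after complete(). */
static void firmware_finish_as_posted(struct ar9170 *ar, struct completion *c)
{
	complete(c);
	usb_put_intf(ar_intf(ar));
}

/* Suggested fix: copy ar->intf before signalling, then use only the copy. */
static void firmware_finish_fixed(struct ar9170 *ar, struct completion *c)
{
	struct usb_interface *intf = ar_intf(ar);

	complete(c);
	usb_put_intf(intf);
}

struct outcome {
	int leftover_refs;           /* refs on intf afterwards; 1 == balanced */
	int bad_reads;               /* reads of ar after it was torn down */
};

/* Run one callback variant against a freshly set up device and context. */
static struct outcome run_scenario(int fixed)
{
	struct usb_interface intf = { .refcount = 1 };  /* the USB core's own ref */
	struct ar9170 ar = { .intf = &intf, .freed = 0 };
	struct completion fw_load_wait = { .ctx_freed_on_wake = &ar };
	struct outcome out;

	bad_reads = 0;
	usb_get_intf(&intf);         /* probe(): reference held across the firmware load */
	if (fixed)
		firmware_finish_fixed(&ar, &fw_load_wait);
	else
		firmware_finish_as_posted(&ar, &fw_load_wait);

	out.leftover_refs = intf.refcount;
	out.bad_reads = bad_reads;
	return out;
}

int main(void)
{
	struct outcome posted = run_scenario(0);
	struct outcome fixed = run_scenario(1);

	printf("as posted: refs left=%d, reads after free=%d\n",
	       posted.leftover_refs, posted.bad_reads);
	printf("fixed:     refs left=%d, reads after free=%d\n",
	       fixed.leftover_refs, fixed.bad_reads);
	return 0;
}
```

The as-posted variant shows both consequences of reading ar after complete(): the access lands on torn-down memory, and because the poisoned pointer is NULL the usb_put_intf() never happens, so the interface keeps an extra reference. The fixed variant reaches the wake-up with intf already in a local and ends with the reference balanced.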