| Message ID | 20181218100020.26250-1-baijiaju1990@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() | expand |
On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote: > The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may > be concurrently executed. > The two functions both access a possible shared variable "hep->hcpriv". > > This shared variable is freed by r8a66597_endpoint_disable() via the > call path: > r8a66597_endpoint_disable > kfree(hep->hcpriv) (line 1995 in Linux-4.19) > > This variable is read by r8a66597_urb_enqueue() via the call path: > r8a66597_urb_enqueue > spin_lock_irqsave(&r8a66597->lock); > init_pipe_info > enable_r8a66597_pipe > pipe = hep->hcpriv (line 802 in Linux-4.19) > > The read operation is protected by a spinlock, but the free operation > is not protected by this spinlock, thus a concurrency use-after-free bug > may occur. > > To fix this bug, the spin-lock and spin-unlock function calls in > r8a66597_endpoint_disable() are moved to protect the free operation. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > drivers/usb/host/r8a66597-hcd.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c > index 984892dd72f5..1495ce14ad22 100644 > --- a/drivers/usb/host/r8a66597-hcd.c > +++ b/drivers/usb/host/r8a66597-hcd.c > @@ -1991,13 +1991,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, > return; > pipenum = pipe->info.pipenum; > > + spin_lock_irqsave(&r8a66597->lock, flags); Don't you also need the __aquires/__releases markings on this function in order to properly annotate it, like the rest of the driver has? Otherwise this seems to look good to me. thanks, greg k-h
On 2018/12/18 19:11, Greg KH wrote: > On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote: >> The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may >> be concurrently executed. >> The two functions both access a possible shared variable "hep->hcpriv". >> >> This shared variable is freed by r8a66597_endpoint_disable() via the >> call path: >> r8a66597_endpoint_disable >> kfree(hep->hcpriv) (line 1995 in Linux-4.19) >> >> This variable is read by r8a66597_urb_enqueue() via the call path: >> r8a66597_urb_enqueue >> spin_lock_irqsave(&r8a66597->lock); >> init_pipe_info >> enable_r8a66597_pipe >> pipe = hep->hcpriv (line 802 in Linux-4.19) >> >> The read operation is protected by a spinlock, but the free operation >> is not protected by this spinlock, thus a concurrency use-after-free bug >> may occur. >> >> To fix this bug, the spin-lock and spin-unlock function calls in >> r8a66597_endpoint_disable() are moved to protect the free operation. >> >> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> >> --- >> drivers/usb/host/r8a66597-hcd.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c >> index 984892dd72f5..1495ce14ad22 100644 >> --- a/drivers/usb/host/r8a66597-hcd.c >> +++ b/drivers/usb/host/r8a66597-hcd.c >> @@ -1991,13 +1991,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, >> return; >> pipenum = pipe->info.pipenum; >> >> + spin_lock_irqsave(&r8a66597->lock, flags); > Don't you also need the __aquires/__releases markings on this function > in order to properly annotate it, like the rest of the driver has? Okay, thanks for this suggestion :) I will send a v2 patch. Best wishes, Jia-Ju Bai
diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c index 984892dd72f5..1495ce14ad22 100644 --- a/drivers/usb/host/r8a66597-hcd.c +++ b/drivers/usb/host/r8a66597-hcd.c @@ -1991,13 +1991,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, return; pipenum = pipe->info.pipenum; + spin_lock_irqsave(&r8a66597->lock, flags); if (pipenum == 0) { kfree(hep->hcpriv); hep->hcpriv = NULL; + spin_unlock_irqrestore(&r8a66597->lock, flags); return; } - spin_lock_irqsave(&r8a66597->lock, flags); pipe_stop(r8a66597, pipe); pipe_irq_disable(r8a66597, pipenum); disable_irq_empty(r8a66597, pipenum);
The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This shared variable is freed by r8a66597_endpoint_disable() via the call path: r8a66597_endpoint_disable kfree(hep->hcpriv) (line 1995 in Linux-4.19) This variable is read by r8a66597_urb_enqueue() via the call path: r8a66597_urb_enqueue spin_lock_irqsave(&r8a66597->lock); init_pipe_info enable_r8a66597_pipe pipe = hep->hcpriv (line 802 in Linux-4.19) The read operation is protected by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- drivers/usb/host/r8a66597-hcd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)