From patchwork Fri Mar  4 22:43:38 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Linus Torvalds <torvalds@linux-foundation.org>
X-Patchwork-Id: 592241
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 2152B14030E
	for <patchwork-incoming@ozlabs.org>;
	Sat,  5 Mar 2016 09:43:46 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=pD9+mSVg;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=linux-foundation.org
	header.i=@linux-foundation.org header.b=FC64xAfb;
	dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1759498AbcCDWnl (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 4 Mar 2016 17:43:41 -0500
Received: from mail-ig0-f181.google.com ([209.85.213.181]:34224 "EHLO
	mail-ig0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1759071AbcCDWnj (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 4 Mar 2016 17:43:39 -0500
Received: by mail-ig0-f181.google.com with SMTP id ir4so11136444igb.1;
	Fri, 04 Mar 2016 14:43:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=mime-version:sender:in-reply-to:references:date:message-id:subject
	:from:to:cc; bh=JVZBxIWUJ4kKaUnBpCQLklZvBVuJAdBX0tNBKkUx2to=;
	b=pD9+mSVgAIwTpJQpt7x2fgb8u4okFzOOgQlfbog4neKoIqjburLDV+QBadNcYy6Vb7
	ZeUjT6+cs34gZChiQ7f/wT/9G9LidL40tZrOxl+CsEzJF/R1VI8Rs6hrv+A9otxzp8Di
	y+5kRFeuHS0xvdhUJXxHFSkVpzTuyD3yjXeDsoE7kea2jbtWdYN64A6WIRVtxIDV75w0
	+rX6k4pn/2CXQhTKvT2KlyEllKDKbJrZPavalC9x9gIOlxx9RLrXWzwZN2VtdJVsHngB
	8fniHKjq4aSbUxLgj9nXDH0ka+virr6V60yZlJCXkZMpAOcF+ZbA6A6oLeBrZD3bMjCx
	1y+g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=linux-foundation.org; s=google;
	h=mime-version:sender:in-reply-to:references:date:message-id:subject
	:from:to:cc; bh=JVZBxIWUJ4kKaUnBpCQLklZvBVuJAdBX0tNBKkUx2to=;
	b=FC64xAfbBBx6TNYI7bY8Og6WwlDYy358CYdak+EYsmQWhG/YWvM2ICFVYVIaoT5qQi
	VD+yfORkBB7XBdXwapFvlOaf21MyfSeLPUK9gkLl9t8om2CclgJR891kdQOxftXQ38Ej
	CVyCBD25gCMO69FLmb3jtQi+y/gBzEZx1a8/Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:date
	:message-id:subject:from:to:cc;
	bh=JVZBxIWUJ4kKaUnBpCQLklZvBVuJAdBX0tNBKkUx2to=;
	b=hysRQcoAMzx232yxZl5AvM3jq6tdRvHDKRUsie+GSHKk/LIfXSjOi2mVaOSi5Xt6gW
	g14k0ToBd+ofzyH4tVkI1STn1OO9dkUmE0inoiO2T4svH+jv4TFGfEAzfu1tr1nhkde8
	7zmZzmfMJlWf4LM8dsV5WQSPAaHXzKogIP3yNTnGtTh8lwCht1F1+sNIbIBFwBO0eUHF
	NwEBnzJpBMAPzSBQrLhS5tTt2oi5rzX4QDOUxf0E97362sv3urzR7DSM8Hs54aU+vugL
	8HKGHobuguVX9Agk/5j7v1iJHyq+gZfTp/yfGZuqKcQnVwt+TQkd6zLU8WiarTcvV3CB
	MDwQ==
X-Gm-Message-State: 
 AD7BkJLlQfswGo6W01iAQ45CzjzZ9FhDTSq4nPxSInTrYl1mrc+HZ/CtzvUry7DGE25BRuQu3erDAsRmDSJMTw==
MIME-Version: 1.0
X-Received: by 10.50.64.179 with SMTP id p19mr1279749igs.25.1457131418581;
	Fri, 04 Mar 2016 14:43:38 -0800 (PST)
Received: by 10.36.93.202 with HTTP; Fri, 4 Mar 2016 14:43:38 -0800 (PST)
In-Reply-To: 
 <CA+fCnZfS51F7WZEM1YTSPDMWSzvBTJWGf5cRWv5LrNCSOf_-qA@mail.gmail.com>
References: 
 <CA+55aFxqwjs5gs6Fw2jmTteWM4hZTnr7Ls111ExNTieObLs82Q@mail.gmail.com>
	<CA+fCnZfS51F7WZEM1YTSPDMWSzvBTJWGf5cRWv5LrNCSOf_-qA@mail.gmail.com>
Date: Fri, 4 Mar 2016 14:43:38 -0800
X-Google-Sender-Auth: I9_QZQLFAmKKn0w1letH2c2_EFk
Message-ID: 
 <CA+55aFwxbs_hLG58Q_xSK2vpufjmwMk-xkqxTNh_5h-A8y4vbg@mail.gmail.com>
Subject: Re: Possible double-free in the usbnet driver
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kostya Serebryany <kcc@google.com>, Dmitry Vyukov <dvyukov@google.com>,
	Alexander Potapenko <glider@google.com>,
	USB list <linux-usb@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Fri, Mar 4, 2016 at 2:26 PM, Andrey Konovalov <andreyknvl@gmail.com> wrote:
>
> and when I run the vm and connect the device I get:
>
> [   23.672662] cdc_ncm 1-1:1.6: bind() failure
> [   23.673447] usbnet_probe(): freeing netdev: ffff88006ab48000
> [   23.675822] usbnet_probe(): freeing netdev: ffff88006ab48000
>
> So this seems to be a double-free (or at least a double free_netdev()
> call), but the object gets freed twice from usbnet_probe() and not
> from usbnet_disconnect(), so you're right that the latter doesn't get
> called. I'm not sure how usbnet_probe() ends up being called twice.

I still don't think it's a double free. I think the probe thing is
called twice, and that's why to different allocations get free'd twice
(and the reason it's the same pointer is that the same allocation got
reused)

But I don't know that driver, really.

>> Which particular usbnet bind routine is this? There are multiple
>> sub-drivers for usbnet that all do different things.
>
> cdc_ncm_bind()

Ok, so that matches my theory.

Does this attached stupid patch make the warning go away? Because from
what I can tell, usbnet_link_change() really will start using that
"dev" that simply isn't valid - and will be free'd - if the bind
fails.

So you have usbnet_defer_kevent() getting triggered, which in turn
ends up using "usbnet->kevent"

But somebody like Oliver is really the right person to check this. For
example, it's entirely possible that we should just instead do

        cancel_work_sync(&dev->kevent);

before the "free_netdev(net)" in the "out1" label.

And there might be other things that bind() can have touched than the
kevent workqueue.

               Linus
drivers/net/usb/cdc_ncm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index dc0212c3cc28..5878b54cc563 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -995,6 +995,8 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
 	 * placed NDP.
 	 */
 	ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
+	if (ret < 0)
+		return ret;
 
 	/*
 	 * We should get an event when network connection is "connected" or
@@ -1003,7 +1005,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
 	 * start IPv6 negotiation and more.
 	 */
 	usbnet_link_change(dev, 0, 0);
-	return ret;
+	return 0;
 }
 
 static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)