use-after-free in usbnet

Message ID	CACVXFVODFvtF1DRyWJmnYCByw7sr9QDv_+Taxo5maVaUauDNtg@mail.gmail.com
State	RFC, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> MIME-Version: 1.0 In-Reply-To: <201203221008.46882.oneukum@suse.de> References: <CACVXFVP+U1k7JFTmbabF-k8F3bO9zc58c3tLG6=1nQPcrR9p1g@mail.gmail.com> <Pine.LNX.4.44L0.1203211201560.1369-100000@iolanthe.rowland.org> <CACVXFVOVjnWjqpKxbU98DAyUC_OSb8ZL-3WcyYuFXgPJn5UyuA@mail.gmail.com> <201203221008.46882.oneukum@suse.de> Date: Thu, 22 Mar 2012 17:30:36 +0800 Message-ID: <CACVXFVODFvtF1DRyWJmnYCByw7sr9QDv_+Taxo5maVaUauDNtg@mail.gmail.com> Subject: Re: use-after-free in usbnet From: Ming Lei <tom.leiming@gmail.com> To: Oliver Neukum <oneukum@suse.de> Cc: Alan Stern <stern@rowland.harvard.edu>, netdev@vger.kernel.org, linux-usb@vger.kernel.org, Fedora Kernel Team <kernel-team@fedoraproject.org>, Dave Jones <davej@redhat.com> Content-Type: text/plain; charset=ISO-8859-1 Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

CACVXFVODFvtF1DRyWJmnYCByw7sr9QDv_+Taxo5maVaUauDNtg@mail.gmail.com

State

RFC, archived

Delegated to:

David Miller

Headers

MIME-Version: 1.0
In-Reply-To: <201203221008.46882.oneukum@suse.de>
References: <CACVXFVP+U1k7JFTmbabF-k8F3bO9zc58c3tLG6=1nQPcrR9p1g@mail.gmail.com>
	<Pine.LNX.4.44L0.1203211201560.1369-100000@iolanthe.rowland.org>
	<CACVXFVOVjnWjqpKxbU98DAyUC_OSb8ZL-3WcyYuFXgPJn5UyuA@mail.gmail.com>
	<201203221008.46882.oneukum@suse.de>
Date: Thu, 22 Mar 2012 17:30:36 +0800
Message-ID: <CACVXFVODFvtF1DRyWJmnYCByw7sr9QDv_+Taxo5maVaUauDNtg@mail.gmail.com>
Subject: Re: use-after-free in usbnet
From: Ming Lei <tom.leiming@gmail.com>
To: Oliver Neukum <oneukum@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>, netdev@vger.kernel.org,
	linux-usb@vger.kernel.org,
	Fedora Kernel Team <kernel-team@fedoraproject.org>,
	Dave Jones <davej@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Ming Lei March 22, 2012, 9:30 a.m. UTC

On Thu, Mar 22, 2012 at 5:08 PM, Oliver Neukum <oneukum@suse.de> wrote:
>
> this looks good, but could you add a comment explaining the reason for
> taking a reference?

OK, I will post a formal one if you have no objection on the below.

 		// these (async) unlinks complete immediately
@@ -597,6 +605,7 @@ static int unlink_urbs (struct usbnet *dev, struct
sk_buff_head *q)
 			netdev_dbg(dev->net, "unlink urb err, %d\n", retval);
 		else
 			count++;
+		usb_put_urb(urb);
 		spin_lock_irqsave(&q->lock, flags);
 	}
 	spin_unlock_irqrestore (&q->lock, flags);


Thanks,

Comments

Oliver Neukum March 22, 2012, 9:57 a.m. UTC | #1

Am Donnerstag, 22. März 2012, 10:30:36 schrieb Ming Lei:
> On Thu, Mar 22, 2012 at 5:08 PM, Oliver Neukum <oneukum@suse.de> wrote:
> >
> > this looks good, but could you add a comment explaining the reason for
> > taking a reference?
> 
> OK, I will post a formal one if you have no objection on the below.

Good patch :-)

	Regards
		Oliver
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 4b8b52c..febfdce 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -589,6 +589,14 @@  static int unlink_urbs (struct usbnet *dev,
struct sk_buff_head *q)
 		entry = (struct skb_data *) skb->cb;
 		urb = entry->urb;

+		/*
+		 * Get a reference count of the URB to avoid it to be
+		 * freed during usb_unlink_urb, which may trigger
+		 * use-after-free problem inside usb_unlink_urb since
+		 * usb_unlink_urb is always racing with .complete
+		 * handler(include defer_bh).
+		 */
+		usb_get_urb(urb);
 		spin_unlock_irqrestore(&q->lock, flags);
 		// during some PM-driven resume scenarios,

use-after-free in usbnet

Commit Message

Comments

Patch