From patchwork Wed Mar 21 01:04:15 2012
X-Patchwork-Submitter: Ming Lei
X-Patchwork-Id: 147890
X-Patchwork-Delegate: davem@davemloft.net
Date: Wed, 21 Mar 2012 09:04:15 +0800
References: <20120319151224.GA16031@redhat.com>
Subject: Re: use-after-free in usbnet
From: Ming Lei
To: Dave Jones
Cc: netdev@vger.kernel.org, linux-usb@vger.kernel.org, Fedora Kernel Team

On Tue, Mar 20, 2012 at 5:40 PM, Ming Lei wrote:
> Hi,
>
> On Mon, Mar 19, 2012 at 11:12 PM, Dave Jones wrote:
>> We've had two reports of this use after free in Fedora now recently..
>
> Could you provide output of 'dmesg' and 'lsusb -v' from the reported machine?

Looks like I have figured out why your problem is triggered. If the URB being unlinked is freed before usb_put_dev inside usb_hcd_unlink_urb, the use-after-free will be triggered. And the below patch[1] should fix the problem.

Also there is another bug in tx_complete() of usbnet: the line below

    urb->dev = NULL;

should be removed to avoid possible oops or memory leak in unlink path.

Please test the patch if you can reproduce the problem.

[1],
else @@ -1028,7 +1030,6 @@ static void tx_complete (struct urb *urb) } usb_autopm_put_interface_async(dev->intf); - urb->dev = NULL; entry->state = tx_done; defer_bh(dev, skb, &dev->txq); }

Thanks,

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 59681f0..4f4e028 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -592,7 +592,9 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q) spin_unlock_irqrestore(&q->lock, flags); // during some PM-driven resume scenarios, // these (async) unlinks complete immediately + local_bh_disable(); retval = usb_unlink_urb (urb); + local_bh_enable(); if (retval != -EINPROGRESS && retval != 0) netdev_dbg(dev->net, "unlink urb err, %d\n", retval);
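Review bot: in the tx_complete() hunk (@@ -1028,7 +1030,6 @@), dropping `urb->dev = NULL;` changes what the unlink path sees for an already-completed URB, but the hunk carries no comment and the message only says it avoids "possible oops or memory leak in unlink path". Please spell out in the commit message why urb->dev has to stay valid for unlink (the cover text points at usb_put_dev inside usb_hcd_unlink_urb), and confirm nothing else in usbnet.c tests urb->dev for NULL as a "completed" marker, since that behaviour changes once this line is gone.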
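Review bot: in the unlink_urbs() hunk (@@ -592,7 +592,9 @@), the new local_bh_disable()/local_bh_enable() pair around usb_unlink_urb() has no comment saying what it protects, and the only nearby comment ("these (async) unlinks complete immediately") reads as the opposite concern. Please extend that comment to state that BH is kept off so the completion path cannot run and free the URB while usb_unlink_urb() is still using it, as the cover text explains; otherwise the pair looks removable to a later reader. It is also worth noting in the commit message that this only holds if the completion that frees the URB runs in BH context, which the hunk itself does not show.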