From: Oliver Neukum <oneukum@suse.com>
To: Anton Volkov <avolkov@ispras.ru>,
johan@kernel.org, gregkh@linuxfoundation.org,
wsa-dev@sang-engineering.com
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>,
ldv-project@linuxtesting.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org
Subject: Re: Possible null pointer dereference in adutux.ko
Date: Tue, 15 Aug 2017 15:20:17 +0200
Message-ID: <1502803217.6606.3.camel@suse.com>
In-Reply-To: <fc719c9c-db6a-9254-2d6d-918946c5a18d@ispras.ru>
On Tuesday, 15.08.2017, 15:59 +0300, Anton Volkov wrote:
> Hello.
>
> While searching for races in the Linux kernel I've come across
> "drivers/usb/misc/adutux.ko" module. Here is a question that I came up
> with while analyzing results. Lines are given using the info from Linux
> v4.12.
>
> Consider the following case:
>
> Thread 1:                          Thread 2:
> adu_release
> -> adu_release_internal            adu_disconnect
>    <READ &dev->udev->dev>            dev->udev = NULL
>    (adutux.c: line 298)              (adutux.c: line 771)
>                                      usb_deregister_dev
>
> Comments in the source code point at the possibility of adu_release()
> being called separately from adu_disconnect(). adu_release() and
> adu_disconnect() acquire different mutexes, so they are not protected
> from one another. If adu_disconnect() changes dev->udev before its value
> is read in adu_release_internal() there will be a NULL pointer
> dereference on a read attempt. Is this case feasible from your point of
> view?
>
> Thank you for your time.
Hi,
your analysis seems correct to me. In fact it looks like
66d4bc30d128e7c7ac4cf64aa78cb76e971cec5b
USB: adutux: remove custom debug macro
more or less broke disconnect on this driver
(the URBs can also finish after dev->udev = NULL)
Do you want to do a fix or do you want me to do it?
Regards
Oliver
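The race Anton describes (release reading dev->udev while disconnect clears it, with no common lock between the two paths) can be modelled outside the kernel. The following is an added illustration, not code from the adutux driver, from this thread, or from the fix that was eventually merged: a single-threaded user-space model in which the "unsafe" release reads the device pointer without any lock (so a disconnect that already ran leaves it dereferencing NULL), and the "hardened" release takes the same lock disconnect takes and checks the pointer under it, returning -ENODEV instead. All names (release_unsafe, release_safe, disconnect, scenario_*) and the lock bookkeeping are hypothetical stand-ins, and the interleaving is forced in program order rather than by real threads.

```c
/* Added illustration of the release/disconnect race (not adutux code).
 * The lock is a counter so the model needs no pthreads; it only records
 * that the pointer is read and used while the lock is held. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct usb_device { int devnum; };      /* constructed stand-in for the real struct */

struct lock { int held; };              /* constructed stand-in for a mutex */
static void lock_take(struct lock *l)    { l->held++; }
static void lock_drop(struct lock *l)    { l->held--; }

struct adu_device {
    struct lock mtx;                    /* one lock shared by release and disconnect */
    struct usb_device *udev;            /* set to NULL by disconnect */
    int open_count;
};

/* Unsafe pattern: read dev->udev with no lock and no NULL check.
 * In the kernel this is the NULL dereference; here it is reported as -1. */
int release_unsafe(struct adu_device *dev)
{
    struct usb_device *udev = dev->udev; /* racy read, nothing stops disconnect */
    dev->open_count = 0;
    if (udev == NULL)
        return -1;                       /* models the crash instead of faulting */
    return udev->devnum;
}

/* Hardened pattern: take the lock disconnect also takes, then check the
 * pointer under that lock before using it. */
int release_safe(struct adu_device *dev)
{
    int ret;
    lock_take(&dev->mtx);
    if (dev->udev == NULL)
        ret = -ENODEV;                   /* device is gone; nothing to touch */
    else
        ret = dev->udev->devnum;         /* safe: disconnect cannot run here */
    dev->open_count = 0;
    lock_drop(&dev->mtx);
    return ret;
}

/* Disconnect clears the device pointer under the shared lock. */
void disconnect(struct adu_device *dev)
{
    lock_take(&dev->mtx);
    dev->udev = NULL;
    lock_drop(&dev->mtx);
}

/* Interleaving from the report: disconnect completes before release reads. */
int scenario_after_disconnect(int hardened)
{
    struct usb_device udev = { .devnum = 7 };   /* constructed sample device */
    struct adu_device dev = { { 0 }, &udev, 1 };
    disconnect(&dev);
    return hardened ? release_safe(&dev) : release_unsafe(&dev);
}

/* Normal order: release runs while the device is still connected. */
int scenario_connected(int hardened)
{
    struct usb_device udev = { .devnum = 7 };
    struct adu_device dev = { { 0 }, &udev, 1 };
    return hardened ? release_safe(&dev) : release_unsafe(&dev);
}

int main(void)
{
    printf("unsafe release after disconnect: %d (-1 = would deref NULL)\n",
           scenario_after_disconnect(0));
    printf("safe release after disconnect:   %d (-ENODEV = %d)\n",
           scenario_after_disconnect(1), -ENODEV);
    printf("safe release while connected:    %d\n", scenario_connected(1));
    return 0;
}
```

The point of the hardened variant is not the NULL check alone but that the check and the use happen under the same lock that disconnect takes; a check without the lock would still leave a window between the read and the dereference.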