Re: KASAN: use-after-free Read in usblp_bulk_read

[Oliver Neukum <oneukum@suse.com>]

Am Donnerstag, den 23.04.2020, 00:10 -0500 schrieb Pete Zaitcev:
> 
> I do not agree with this kind of workaround. The model we're following
> is for usb_kill_urb() to cancel the transfer. The usblp invokes it
> through usb_kill_anchored_urbs() and usblp_unlink_urbs(), as seen
> above. There can be no timer hitting anything once it returns.

Right. It seems to me that the problem is not killing an existing
transfer but a failure to check in case of new transfers whether
the device has been disconnected.

> 1104 is kzalloc for struct usblp.
> 
> > > Freed by task 12266:
> > >  save_stack+0x1b/0x80 mm/kasan/common.c:72
> > >  set_track mm/kasan/common.c:80 [inline]
> > >  kasan_set_free_info mm/kasan/common.c:337 [inline]
> > >  __kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
> > >  slab_free_hook mm/slub.c:1444 [inline]
> > >  slab_free_freelist_hook mm/slub.c:1477 [inline]
> > >  slab_free mm/slub.c:3034 [inline]
> > >  kfree+0xd5/0x300 mm/slub.c:3995
> > >  usblp_disconnect.cold+0x24/0x29 drivers/usb/class/usblp.c:1380
> > >  usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:436
> > >  __device_release_driver drivers/base/dd.c:1137 [inline]
> > >  device_release_driver_internal+0x42f/0x500 drivers/base/dd.c:1168
> > >  bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:533
> 
> 1380 is an inlined call to usblp_cleanup, which is just
> a bunch of kfree.

But that must never happen while while the device is open.
If that ever happens something is wrong with usblp->used.

> The bug report is still a bug report, but I'm pretty sure the
> culprit is the emulated HCD and/or the gadget layer. Unfortunately,
> I'm not up to speed in that subsystem. Maybe Alan can look at it?

I doubt it. Operation by a timer triggering a timeout must work.

	Regards
		Oliver