Re: KASAN: use-after-free Read in p54u_load_firmware_cb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Christian Lamparter <chunkeey@gmail.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com>,
	andreyknvl@google.com, chunkeey@googlemail.com,
	davem@davemloft.net, kvalo@codeaurora.org,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	oneukum@suse.com, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in p54u_load_firmware_cb
Date: Sat, 18 May 2019 22:11:26 +0200	[thread overview]
Message-ID: <1715066.X1OYgGOCOL@debian64> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1905181346380.10594-100000@netrider.rowland.org>

Hello,

On Saturday, May 18, 2019 7:49:49 PM CEST you wrote:
> On Sat, 18 May 2019, syzbot wrote:
> > 
> > syzbot has tested the proposed patch but the reproducer still triggered  
> > crash:
> > KASAN: use-after-free Read in usb_driver_release_interface
> > 
> > usb 1-1: Loading firmware file isl3887usb
> > usb 1-1: Direct firmware load for isl3887usb failed with error -2
> > usb 1-1: Firmware not found.
> > p54usb 1-1:0.143: failed to initialize device (-2)
> > ==================================================================
> > BUG: KASAN: use-after-free in usb_driver_release_interface+0x16b/0x190  
> > drivers/usb/core/driver.c:584
> > Read of size 8 at addr ffff88808fc31218 by task kworker/0:1/12
> 
> Now the bad access is in a different place.  That's a good sign.
> In this case it indicates that although udev is still hanging around, 
> intf has already been freed.  We really should acquire a reference to 
> it instead.
> 
> Alan Stern

Thanks. I can confirm that it works with the real ISL3887 
hardware as well. Can you please spin up a patch or how
should this be continued?

Cheers,
Christian 

>  drivers/net/wireless/intersil/p54/p54usb.c |   43 ++++++++++++-----------------
>  1 file changed, 18 insertions(+), 25 deletions(-)
> 
> Index: usb-devel/drivers/net/wireless/intersil/p54/p54usb.c
> ===================================================================
> --- usb-devel.orig/drivers/net/wireless/intersil/p54/p54usb.c
> +++ usb-devel/drivers/net/wireless/intersil/p54/p54usb.c
> @@ -33,6 +33,8 @@ MODULE_ALIAS("prism54usb");
>  MODULE_FIRMWARE("isl3886usb");
>  MODULE_FIRMWARE("isl3887usb");
>  
> +static struct usb_driver p54u_driver;
> +
>  /*
>   * Note:
>   *
> @@ -921,9 +923,9 @@ static void p54u_load_firmware_cb(const
>  {
>  	struct p54u_priv *priv = context;
>  	struct usb_device *udev = priv->udev;
> +	struct usb_interface *intf = priv->intf;
>  	int err;
>  
> -	complete(&priv->fw_wait_load);
>  	if (firmware) {
>  		priv->fw = firmware;
>  		err = p54u_start_ops(priv);
> @@ -932,26 +934,22 @@ static void p54u_load_firmware_cb(const
>  		dev_err(&udev->dev, "Firmware not found.\n");
>  	}
>  
> -	if (err) {
> -		struct device *parent = priv->udev->dev.parent;
> -
> -		dev_err(&udev->dev, "failed to initialize device (%d)\n", err);
> -
> -		if (parent)
> -			device_lock(parent);
> +	complete(&priv->fw_wait_load);
> +	/*
> +	 * At this point p54u_disconnect may have already freed
> +	 * the "priv" context. Do not use it anymore!
> +	 */
> +	priv = NULL;
>  
> -		device_release_driver(&udev->dev);
> -		/*
> -		 * At this point p54u_disconnect has already freed
> -		 * the "priv" context. Do not use it anymore!
> -		 */
> -		priv = NULL;
> +	if (err) {
> +		dev_err(&intf->dev, "failed to initialize device (%d)\n", err);
>  
> -		if (parent)
> -			device_unlock(parent);
> +		usb_lock_device(udev);
> +		usb_driver_release_interface(&p54u_driver, intf);
> +		usb_unlock_device(udev);
>  	}
>  
> -	usb_put_dev(udev);
> +	usb_put_intf(intf);
>  }
>  
>  static int p54u_load_firmware(struct ieee80211_hw *dev,
> @@ -972,14 +970,14 @@ static int p54u_load_firmware(struct iee
>  	dev_info(&priv->udev->dev, "Loading firmware file %s\n",
>  	       p54u_fwlist[i].fw);
>  
> -	usb_get_dev(udev);
> +	usb_get_intf(intf);
>  	err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw,
>  				      device, GFP_KERNEL, priv,
>  				      p54u_load_firmware_cb);
>  	if (err) {
>  		dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
>  					  "(%d)!\n", p54u_fwlist[i].fw, err);
> -		usb_put_dev(udev);
> +		usb_put_intf(intf);
>  	}
>  
>  	return err;
> @@ -1011,8 +1009,6 @@ static int p54u_probe(struct usb_interfa
>  	skb_queue_head_init(&priv->rx_queue);
>  	init_usb_anchor(&priv->submitted);
>  
> -	usb_get_dev(udev);
> -
>  	/* really lazy and simple way of figuring out if we're a 3887 */
>  	/* TODO: should just stick the identification in the device table */
>  	i = intf->altsetting->desc.bNumEndpoints;
> @@ -1053,10 +1049,8 @@ static int p54u_probe(struct usb_interfa
>  		priv->upload_fw = p54u_upload_firmware_net2280;
>  	}
>  	err = p54u_load_firmware(dev, intf);
> -	if (err) {
> -		usb_put_dev(udev);
> +	if (err)
>  		p54_free_common(dev);
> -	}
>  	return err;
>  }
>  
> @@ -1072,7 +1066,6 @@ static void p54u_disconnect(struct usb_i
>  	wait_for_completion(&priv->fw_wait_load);
>  	p54_unregister_common(dev);
>  
> -	usb_put_dev(interface_to_usbdev(intf));
>  	release_firmware(priv->fw);
>  	p54_free_common(dev);
>  }
> 
>

next prev parent reply	other threads:[~2019-05-18 20:11 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-06 11:16 KASAN: use-after-free Read in p54u_load_firmware_cb syzbot
2019-05-13 10:23 ` syzbot
2019-05-13 13:28   ` Oliver Neukum
2019-05-17 19:21     ` Christian Lamparter
2019-05-17 20:46       ` Alan Stern
2019-05-17 21:01         ` syzbot
2019-05-18 15:13           ` Alan Stern
2019-05-18 15:50             ` syzbot
2019-05-18 16:32               ` Alan Stern
2019-05-18 16:50                 ` syzbot
2019-05-18 17:01                   ` Alan Stern
2019-05-18 17:36                     ` syzbot
2019-05-18 17:49                       ` Alan Stern
2019-05-18 18:31                         ` syzbot
2019-05-18 20:11                         ` Christian Lamparter [this message]
2019-05-20 14:44       ` [PATCH] network: wireless: p54u: Fix race between disconnect and firmware loading Alan Stern
2019-05-24 21:19         ` Christian Lamparter
2019-05-28 12:11         ` Kalle Valo
2019-05-28 14:17           ` Alan Stern
2019-05-28 14:29             ` Kalle Valo
2019-06-25  4:43         ` [PATCH] p54usb: " Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1715066.X1OYgGOCOL@debian64 \
    --to=chunkeey@gmail.com \
    --cc=andreyknvl@google.com \
    --cc=chunkeey@googlemail.com \
    --cc=davem@davemloft.net \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=oneukum@suse.com \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.