From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>,
Tomoki Sekiyama <tomoki.sekiyama@gmail.com>,
Oliver Neukum <oneukum@suse.com>,
andreyknvl@google.com, Alan Stern <stern@rowland.harvard.edu>,
syzkaller-bugs@googlegroups.com, dtor@chromium.org,
syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com,
Suzuki K Poulose <suzuki.poulose@arm.com>
Subject: [PATCH 4.14 22/69] usb: yurex: Fix use-after-free in yurex_delete
Date: Wed, 14 Aug 2019 19:01:20 +0200
Message-ID: <20190814165747.019089144@linuxfoundation.org>
In-Reply-To: <20190814165744.822314328@linuxfoundation.org>
From: Suzuki K Poulose <suzuki.poulose@arm.com>
commit fc05481b2fcabaaeccf63e32ac1baab54e5b6963 upstream.
syzbot reported the following crash [0]:
BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
drivers/usb/core/usb.c:928
Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007
CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
kref_put include/linux/kref.h:65 [inline]
yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413511
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff
Allocated by task 2776:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
hub_port_connect drivers/usb/core/hub.c:5004 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 16007:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1470 [inline]
slab_free mm/slub.c:3012 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3953
device_release+0x71/0x200 drivers/base/core.c:1064
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x171/0x280 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2213
usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
kref_put include/linux/kref.h:65 [inline]
yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881b1859980
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 72 bytes inside of
2048-byte region [ffff8881b1859980, ffff8881b185a180)
The buggy address belongs to the page:
page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
A quick look at the yurex_delete() shows that we drop the reference
to the usb_device before releasing any buffers associated with the
device. Delay the reference drop until we have finished the cleanup.
[0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/
Fixes: 6bc235a2e24a5e ("USB: add driver for Meywa-Denki & Kayac YUREX")
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: andreyknvl@google.com
Cc: gregkh@linuxfoundation.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: syzkaller-bugs@googlegroups.com
Cc: dtor@chromium.org
Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -96,7 +96,6 @@ static void yurex_delete(struct kref *kr
dev_dbg(&dev->interface->dev, "%s\n", __func__);
- usb_put_dev(dev->udev);
if (dev->cntl_urb) {
usb_kill_urb(dev->cntl_urb);
kfree(dev->cntl_req);
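Review bot: removing the `usb_put_dev(dev->udev)` at the top of yurex_delete() is the necessary half of the fix, because this put can be the last reference on the usb_device (the KASAN "Freed by" trace shows device_release() running from exactly this call) while `usb_free_coherent(dev->udev, ...)` further down still needs to dereference it. One thing this hunk leaves visible and unchanged is the `dev_dbg(&dev->interface->dev, "%s\n", __func__);` that precedes it: it dereferences `dev->interface` from the same release path, so it is worth confirming that yurex_disconnect() does not clear or drop the interface before the final fput(); if it does, the same lifetime question applies to that line.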
@@ -112,6 +111,7 @@ static void yurex_delete(struct kref *kr
dev->int_buffer, dev->urb->transfer_dma);
usb_free_urb(dev->urb);
}
+ usb_put_dev(dev->udev);
kfree(dev);
}
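Review bot: the put now lands after the last `dev->udev` user (`usb_free_coherent(dev->udev, ...)` in the preceding lines) and immediately before `kfree(dev)`, which is the correct position, and nothing between the new `usb_put_dev()` and `kfree(dev)` touches the device again. Since the original top-of-function placement looked harmless and reads as "release the parent first", a short comment above the moved line such as `/* must stay after every dev->udev user above */` would keep a future cleanup from hoisting it back.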
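The ordering mistake behind this report is easy to reproduce outside the kernel. The following is an added example, not code from the yurex driver or from the patch author: a user-space model in which a child object holds a counted reference on a parent (standing in for struct usb_device) and a buffer that can only be released through that parent (standing in for usb_free_coherent(dev->udev, ...)). The parent is not really freed; it is flagged instead so the "use after the last put" is observable as a return value rather than as undefined behaviour. All names (parent_put, parent_free_buffer, UAF_DETECTED, run_scenario) are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not kernel code: models the reference/buffer lifetime
 * ordering that yurex_delete() got wrong. Names are assumptions for the
 * illustration; the kernel has no such helpers.
 */

struct parent {
    int refcount;
    int freed;          /* set when the last reference is dropped */
    int live_buffers;   /* buffers handed out via parent_alloc_buffer() */
};

struct child {
    struct parent *udev;    /* models dev->udev */
    char *buffer;           /* models dev->int_buffer */
};

enum { OK = 0, UAF_DETECTED = -1 };

static void parent_get(struct parent *p) { p->refcount++; }

/* Models usb_put_dev(): the object is gone once the last ref is dropped. */
static void parent_put(struct parent *p)
{
    if (--p->refcount == 0)
        p->freed = 1;
}

static char *parent_alloc_buffer(struct parent *p, size_t len)
{
    char *b = calloc(1, len);
    if (b)
        p->live_buffers++;
    return b;
}

/* Models usb_free_coherent(): it must dereference the parent to do its job. */
static int parent_free_buffer(struct parent *p, char *b)
{
    if (p->freed)
        return UAF_DETECTED;    /* the access KASAN flagged in the report */
    p->live_buffers--;
    free(b);
    return OK;
}

/* Models probe: take a reference on the parent, then allocate through it. */
static struct child *child_create(struct parent *p)
{
    struct child *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    parent_get(p);
    c->udev = p;
    c->buffer = parent_alloc_buffer(p, 64);
    return c;
}

/* Pre-fix ordering: drop the parent reference first, then free buffers. */
static int child_delete_buggy(struct child *c)
{
    int rc;
    parent_put(c->udev);
    rc = parent_free_buffer(c->udev, c->buffer);
    if (rc == UAF_DETECTED)
        free(c->buffer);    /* only to keep this model leak-free */
    free(c);
    return rc;
}

/* Post-fix ordering: release everything that needs the parent, then put it. */
static int child_delete_fixed(struct child *c)
{
    int rc = parent_free_buffer(c->udev, c->buffer);
    parent_put(c->udev);
    free(c);
    return rc;
}

/*
 * Reproduces the syzbot sequence: the core holds one reference, the driver
 * takes a second in probe, disconnect drops the core's, and the driver's
 * final close() then holds the last one. Returns the delete result and
 * leaves the parent state in *p for inspection.
 */
static int run_scenario(struct parent *p, int fixed)
{
    struct child *c;
    memset(p, 0, sizeof(*p));
    p->refcount = 1;            /* the USB core's own reference */
    c = child_create(p);
    if (!c)
        return -2;
    parent_put(p);              /* disconnect: core drops its reference */
    return fixed ? child_delete_fixed(c) : child_delete_buggy(c);
}

int main(void)
{
    struct parent p;
    printf("buggy ordering: %s\n",
           run_scenario(&p, 0) == UAF_DETECTED ? "use-after-free" : "ok");
    printf("fixed ordering: %s (parent freed=%d, buffers left=%d)\n",
           run_scenario(&p, 1) == OK ? "ok" : "use-after-free",
           p.freed, p.live_buffers);
    return 0;
}
```

The general rule the model makes visible: a cleanup routine must release resources in the reverse of their acquisition order, and a reference on a parent object is acquired before anything allocated through that parent, so it is dropped last. Note that the bug only fires when the driver's reference is the last one, which is why it surfaces after disconnect and not on a normal close of a still-attached device.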
2019-08-14 17:00 [PATCH 4.14 00/69] 4.14.139-stable review Greg Kroah-Hartman