From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>,
Tomoki Sekiyama <tomoki.sekiyama@gmail.com>,
Oliver Neukum <oneukum@suse.com>,
andreyknvl@google.com, Alan Stern <stern@rowland.harvard.edu>,
syzkaller-bugs@googlegroups.com, dtor@chromium.org,
syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com,
Suzuki K Poulose <suzuki.poulose@arm.com>
Subject: [PATCH 4.4 07/78] usb: yurex: Fix use-after-free in yurex_delete
Date: Thu, 22 Aug 2019 10:18:11 -0700
Message-ID: <20190822171832.257171451@linuxfoundation.org>
In-Reply-To: <20190822171832.012773482@linuxfoundation.org>
From: Suzuki K Poulose <suzuki.poulose@arm.com>
commit fc05481b2fcabaaeccf63e32ac1baab54e5b6963 upstream.
syzbot reported the following crash [0]:
BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
drivers/usb/core/usb.c:928
Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007
CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
kref_put include/linux/kref.h:65 [inline]
yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413511
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff
Allocated by task 2776:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
hub_port_connect drivers/usb/core/hub.c:5004 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 16007:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1470 [inline]
slab_free mm/slub.c:3012 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3953
device_release+0x71/0x200 drivers/base/core.c:1064
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x171/0x280 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2213
usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
kref_put include/linux/kref.h:65 [inline]
yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881b1859980
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 72 bytes inside of
2048-byte region [ffff8881b1859980, ffff8881b185a180)
The buggy address belongs to the page:
page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
A quick look at the yurex_delete() shows that we drop the reference
to the usb_device before releasing any buffers associated with the
device. Delay the reference drop until we have finished the cleanup.
[0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/
Fixes: 6bc235a2e24a5e ("USB: add driver for Meywa-Denki & Kayac YUREX")
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: andreyknvl@google.com
Cc: gregkh@linuxfoundation.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: syzkaller-bugs@googlegroups.com
Cc: dtor@chromium.org
Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -96,7 +96,6 @@ static void yurex_delete(struct kref *kr
dev_dbg(&dev->interface->dev, "%s\n", __func__);
- usb_put_dev(dev->udev);
if (dev->cntl_urb) {
usb_kill_urb(dev->cntl_urb);
kfree(dev->cntl_req);
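Review bot: the removed `usb_put_dev(dev->udev)` is the premature reference drop. On the last-reference path it frees the usb_device while the URB and coherent-buffer cleanup further down in yurex_delete() still passes `dev->udev` to the USB core; the KASAN trace above shows exactly that read from usb_free_coherent() at yurex.c:100, with the free coming from the usb_put_dev() at yurex.c:95. Removing it here is right; a one-line comment at the new location of the put stating that `dev->udev` must stay valid until the buffers are released would keep a later cleanup reorder from reintroducing the bug.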
@@ -112,6 +111,7 @@ static void yurex_delete(struct kref *kr
dev->int_buffer, dev->urb->transfer_dma);
usb_free_urb(dev->urb);
}
+ usb_put_dev(dev->udev);
kfree(dev);
}
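Review bot: the re-added `usb_put_dev(dev->udev)` sits after `usb_free_urb(dev->urb)` and immediately before `kfree(dev)`, so the usb_free_coherent() call whose tail is the leading context of this hunk now runs with the device reference still held; that is the correct final position, as the put must be the last thing touching `dev->udev` before the driver structure itself is freed. Since this is the 4.4 backport with line numbers shifted relative to the upstream commit, it is worth a quick check that the stable tree's yurex_delete() has no early return between the two hunks that would now leak the reference.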
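The ordering bug the commit message describes, as an added user-space model that is not the driver's code: udev_put(), free_coherent() and the two structs are stand-ins for usb_put_dev(), usb_free_coherent() and the driver's structures, and the model reports a read of a released device instead of crashing on it.

```c
/* User-space model of the yurex_delete() ordering bug (not kernel code). */
#include <stdbool.h>
#include <stdlib.h>

struct udev {         /* stand-in for struct usb_device */
    int refcount;
    bool alive;       /* false once released: models the kfree()d object */
};
struct yurex {        /* stand-in for the driver's per-device struct */
    struct udev *udev;
    char *int_buffer; /* models the coherent interrupt buffer */
};

/* Stand-in for usb_put_dev(): the last put releases the device. */
static void udev_put(struct udev *u)
{
    if (--u->refcount == 0)
        u->alive = false; /* the kernel kfree()s the usb_device here */
}

/* Stand-in for usb_free_coherent(dev->udev, ...), which dereferences udev.
 * Reports a released device instead of faulting; in the real driver this is
 * the read KASAN flagged inside usb_free_coherent(). */
static bool free_coherent(struct udev *u, char **buf)
{
    if (!u->alive)
        return false; /* use-after-free */
    free(*buf);
    *buf = NULL;
    return true;
}

/* put_first=true is the pre-fix order, put_first=false the fixed order.
 * Returns true when cleanup finished without touching a released udev. */
static bool yurex_delete(struct yurex *dev, bool put_first)
{
    bool ok = true;
    if (put_first)
        udev_put(dev->udev); /* reference dropped before the buffers are freed */
    if (dev->int_buffer)
        ok = free_coherent(dev->udev, &dev->int_buffer);
    if (!put_first)
        udev_put(dev->udev); /* fixed: drop only after the cleanup */
    return ok;
}
/* Device whose only remaining reference is the driver's, as in the report,
 * where the put from yurex_delete() is what freed the usb_device. */
static bool run_delete(bool put_first)
{
    struct udev u = { .refcount = 1, .alive = true };
    struct yurex dev = { .udev = &u, .int_buffer = malloc(8) };
    bool ok = yurex_delete(&dev, put_first);
    free(dev.int_buffer); /* NULL on the fixed path; frees the buggy path's leak */
    return ok && u.refcount == 0;
}
```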