From: Oliver Neukum <oliver@neukum.org>
To: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Marcel Holtmann <marcel@holtmann.org>,
linux-bluetooth@vger.kernel.org,
Sachin Kamat <sachin.kamat@linaro.org>,
Alan Stern <stern@rowland.harvard.edu>,
USB list <linux-usb@vger.kernel.org>
Subject: Re: issue with devm_ methods in disconnect and freeing memory in btusb
Date: Mon, 17 Nov 2025 12:30:48 +0100 [thread overview]
Message-ID: <dd8f4ffb-23b7-4dd7-909f-923ffcceddec@neukum.org> (raw)
In-Reply-To: <aRdwvZdbCEap6vuP@rpthibeault-XPS-13-9305>
On 14.11.25 19:11, Raphael Pinsonneault-Thibeault wrote:
> On Fri, Nov 14, 2025 at 09:03:45AM +0100, Oliver Neukum wrote:
>> We must always be ready to handle any arbitrary order.
>> The code in the second branch of the if statement used to be perfectly correct.
>> The actual breaking commit was 98921dbd00c4e by introducing devm_kzalloc()
>> for memory allocation. That ties the lifetime of memory to the binding
>> of a driver to an interface. In hindsight in a driver that binds
>> to multiple interfaces, this is problematic. Hence I would propose
>> to just revert 98921dbd00c4e. It seems to me that we have discovered
>> a design limitation in the devm_ methods. What do you think?
>>
>> Regards
>> Oliver
>>
>
> Hi Oliver,
>
> I was under the impression that tying the memory lifetime to the INTF
> interface was intentional since 98921dbd00c4e was from 2012, hence my
No, it was not. And it would be kind of defeating the purpose
of a devm-method. You use them to not have to free memory manually.
In the disconnect() method of btusb we do free memory manually,
only that we do so implicitly. And that is dangerous.
> commit message in 23d22f2f7176:
>
> -- quote --
>
> There is a KASAN: slab-use-after-free read in btusb_disconnect().
> Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
Was that obvious to you?
> free the btusb data associated with the interface. The same data is
> then used later in the function, hence the UAF.
>
> Fix by moving the accesses to btusb data to before the data is free'd.
>
> -- quote --
>
> However, it seems that support for other interfaces was added
> later, e.g. by 9d08f50401ac7, and out-of-band wakeup support even later
> by fd913ef7ce619.
ISO support is very old. It is necessary because you cannot
change the altsetting of an interface that is in use. It is
a design flaw of USB.
> So, maybe it just wasn't considered?
Indeed and hence I would just revert it.
This is an accident waiting to happen.
Regards
Oliver
prev parent reply other threads:[~2025-11-17 11:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-14 8:03 issue with devm_ methods in disconnect and freeing memory in btusb Oliver Neukum
2025-11-14 18:11 ` Raphael Pinsonneault-Thibeault
2025-11-17 11:30 ` Oliver Neukum [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd8f4ffb-23b7-4dd7-909f-923ffcceddec@neukum.org \
--to=oliver@neukum.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=rpthibeault@gmail.com \
--cc=sachin.kamat@linaro.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox