From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753404AbcE0ElI (ORCPT ); Fri, 27 May 2016 00:41:08 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:56698 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751188AbcE0ElG (ORCPT ); Fri, 27 May 2016 00:41:06 -0400
Date: Thu, 26 May 2016 21:41:03 -0700
From: "gregkh@linuxfoundation.org"
To: Chung-Geol Kim
Cc: "mathias.nyman@linux.intel.com", "stefan.koch10@gmail.com", "hkallweit1@gmail.com", "sergei.shtylyov@cogentembedded.com", "dan.j.williams@intel.com", "sarah.a.sharp@linux.intel.com", "stern@rowland.harvard.edu", "chris.bainbridge@gmail.com", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] usb: core: fix a double free in the usb driver
Message-ID: <20160527044103.GA9391@kroah.com>
References: <1060192669.191661464313093233.JavaMail.weblogic@epmlwas08d>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1060192669.191661464313093233.JavaMail.weblogic@epmlwas08d>
User-Agent: Mutt/1.6.1 (2016-04-27)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 27, 2016 at 01:38:17AM +0000, Chung-Geol Kim wrote:
> There is a double free problem in the usb driver.

Which driver?

> This is caused by delayed deregister for scsi device.
> <*> at Insert USB Storage
>  - USB bus #1 register
>      usb_create_hcd (primary-kref==1)
>        * primary-bandwidth_mutex(alloc))
>      usb_get_hcd    (primary-kref==2)
>  - USB bus #2 register
>      usb_create_hcd (second-kref==1)
>        * second-bandwidth_mutex==primary-bandwidth_mutex
>      usb_get_hcd    (second-kref==2)
>  - scsi_device_get
>      usb_get_hcd    (second-kref==3)
>
> <*> at remove USB Storage (Normal)
>  - scsi_device_put
>      usb_put_hcd    (second-kref==2)
>  - USB bus #2 deregister
>      usb_release_dev(second-kref==1)
>      usb_release_dev(second-kref==0) -> hcd_release()
>  - USB bus #1 deregister
>      usb_release_dev(primary-kref==1)
>      usb_release_dev(primary-kref==0) -> hcd_release()
>        *(primary-bandwidth_mutex free)
>
> at remove USB Storage
>  - USB bus #2 deregister
>      usb_release_dev(second-kref==2)
>      usb_release_dev(second-kref==1)
>  - USB bus #1 deregister
>      usb_release_dev(primary-kref==1)
>      usb_release_dev(primary-kref==0) -> hcd_release()
>        *(primary-bandwidth_mutex free)
>  - scsi_device_put
>      usb_put_hcd    (second-kref==0) -> hcd_release(*)
>        * at this, second->primary==0 therefore try to
>          free the primary-bandwidth_mutex.(already freed)

The formatting for this is all confused, can you fix it up?

>
> To fix this problem kfree(hcd->bandwidth_mutex);
> should be executed at only (hcd->primary_hcd==hcd).
>
> Signed-off-by: Chunggeol Kim

We need an email address at the end of this line, look at how the commits
in the kernel git history look like for examples.

> ---
>  drivers/usb/core/hcd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
> index 34b837a..60077f3 100644
> --- a/drivers/usb/core/hcd.c
> +++ b/drivers/usb/core/hcd.c
> @@ -2608,7 +2608,7 @@ static void hcd_release(struct kref *kref) > struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref); > > mutex_lock(&usb_port_peer_mutex); > - if (usb_hcd_is_primary_hcd(hcd)) { > + if (hcd == hcd->primary_hcd) { That doesn't make sense, usb_hcd_is_primary_hcd() is the same as this check, what are you changing here? > kfree(hcd->address0_mutex); > kfree(hcd->bandwidth_mutex); > } Your patch itself is also corrupted, and can't be applied, can you also resolve this and resend? thanks, greg k-h
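Review bot: The replacement condition `if (hcd == hcd->primary_hcd)` can only differ from `usb_hcd_is_primary_hcd(hcd)` when `hcd->primary_hcd` is NULL, and the commit message's "second->primary==0" line says that is exactly the state in which the second hcd is released last; the message should state that plainly (that the existing helper still reports the second hcd as primary once its primary pointer has been cleared, so `kfree(hcd->bandwidth_mutex)` and `kfree(hcd->address0_mutex)` run a second time), because without that explanation the hunk reads as a no-op, which is the objection raised above. Separately, the context lines of this hunk have lost their leading whitespace and indentation, so the patch will not apply as posted; regenerate it with git format-patch and send it unmodified.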
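The kref sequence quoted in the mail, replayed as an added C model (not code from the patch or from the kernel): it assumes, as the commit message's "second->primary==0" line implies, that the existing usb_hcd_is_primary_hcd() treats a NULL primary_hcd as primary, and puts that beside the direct `hcd == hcd->primary_hcd` check the patch proposes, counting how often the shared mutex would be freed in the late scsi_device_put ordering.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the two shared hcds from the mail: kref is a plain counter,
 * and the shared bandwidth_mutex is represented only by a free counter. */
struct hcd {
    int kref;
    struct hcd *primary_hcd;   /* becomes NULL once the primary is released */
    struct hcd *shared_hcd;
};
static int mutex_free_count;   /* how often the shared mutex got "kfree'd" */

/* Current helper's behaviour (assumption: a NULL primary_hcd counts as
 * primary) next to the direct comparison the patch proposes instead. */
static bool is_primary_old(const struct hcd *h) { return !h->primary_hcd || h == h->primary_hcd; }
static bool is_primary_new(const struct hcd *h) { return h == h->primary_hcd; }

/* Mirrors hcd_release(): free the shared allocation if primary, then detach the peer. */
static void release(struct hcd *h, bool (*is_primary)(const struct hcd *))
{
    if (is_primary(h))
        mutex_free_count++;            /* stands for kfree(h->bandwidth_mutex) */
    if (h->shared_hcd) {
        struct hcd *peer = h->shared_hcd;
        peer->shared_hcd = NULL;
        if (peer->primary_hcd == h)
            peer->primary_hcd = NULL;  /* the secondary loses its back-pointer */
    }
}
static void put(struct hcd *h, bool (*is_primary)(const struct hcd *))
{
    if (--h->kref == 0)
        release(h, is_primary);
}

/* Replays the failing order from the mail: bus #2 deregisters while the SCSI
 * layer still holds a reference, bus #1 is fully released, then the late
 * scsi_device_put() drops bus #2 to zero. Returns how often the mutex was freed. */
int replay_late_scsi_put(bool (*is_primary)(const struct hcd *))
{
    struct hcd primary = { .kref = 2 }, second = { .kref = 3 };
    primary.primary_hcd = &primary; primary.shared_hcd = &second;
    second.primary_hcd = &primary;  second.shared_hcd = &primary;
    mutex_free_count = 0;
    put(&second, is_primary);   /* bus #2 deregister: 3 -> 2 */
    put(&second, is_primary);   /* 2 -> 1, the SCSI reference keeps it alive */
    put(&primary, is_primary);  /* bus #1 deregister: 2 -> 1 */
    put(&primary, is_primary);  /* 1 -> 0: hcd_release(), mutex freed once */
    put(&second, is_primary);   /* scsi_device_put: 1 -> 0: hcd_release() again */
    return mutex_free_count;    /* 2 with the old check, 1 with the patched one */
}
```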