From: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
To: Andrey Konovalov
<andreyknvl-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Oliver Neukum <oneukum-IBi9RG/b67k@public.gmane.org>,
Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
Cc: Kostya Serebryany <kcc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Alexander Potapenko
<glider-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
USB list <linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: Possible double-free in the usbnet driver
Date: Fri, 4 Mar 2016 13:26:48 -0800
Message-ID: <CA+55aFxqwjs5gs6Fw2jmTteWM4hZTnr7Ls111ExNTieObLs82Q@mail.gmail.com>
[ Moving this to proper lists ]

On Thu, Mar 3, 2016 at 4:19 PM, Andrey Konovalov <andreyknvl-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I found another double-free, this time in the usbnet driver.

Hmm. It doesn't look like a double free to me, at least from the logs
you attached.

> Whenever the `bind()` function fails (drivers/net/usb/usbnet.c:1676) when
> called from `usbnet_probe()` (and it can fail due to an invalid usb descriptor),
> `free_netdev()` is called for the `net` device (drivers/net/usb/usbnet.c:1772).
> Then, `free_netdev(net)` is called again in `usbnet_disconnect()`
> (drivers/net/usb/usbnet.c:1570) causing a double-free.

The KASAN report says that it's a use-after-free in the kworker
thread: the net device got free'd at the end of usbnet_probe(), but
some work-struct was apparently active at the time.

There might be a double free later that isn't in your report, though.
Do you have the data for that?

But I didn't think we even called the disconnect() function if the
"bind()" failed, so I don't think that one should free it. Greg?

So it *sounds* to me like the usbnet "bind()" routine ended up
returning an error, but doing so *after* it had already activated the
structure somehow.

Which particular usbnet bind routine is this? There are multiple
sub-drivers for usbnet that all do different things.

For example, it *looks* like the cdc_ncm_bind() will have done a
usbnet_link_change() even if the bind fails. So now we've done a
usbnet_defer_kevent() even though we're failing, and then that sets
the ball rolling to later touch the netdev that we're freeing due to
the failure.

But I may be *entirely* misreading this thing.

Anyway, I'm cc'ing the usbnet people who actually know the code (and netdev).

The proper fix may be to just cancel any work that might have been set
up before freeing. Or maybe that netdev *does* get free'd later some
other way properly. Let's see what the experts on the usbnet driver
say.

Linus
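The failure sequence Linus sketches above (bind() defers work on the device, then fails; the probe error path frees the device while that work is still queued) and the fix he suggests (cancel any pending work before freeing) can be modelled in plain userspace C. The following is an added example written for this page; it is not code from the thread, from the usbnet driver or from the kernel. Every name in it (fake_dev, fake_bind, fake_probe, the *_sim workqueue helpers, the EVENT_LINK_CHANGE bit) is a hypothetical stand-in for the real kernel objects. The toy workqueue keeps a quarantine of freed addresses so that a work item whose owner is already gone is counted instead of dereferenced, which is the role KASAN played in the original report.

```c
/* Added example, not code from this thread or from the usbnet driver: a small
 * userspace model of the sequence described above. fake_bind() defers work on
 * the device and then fails; fake_probe() frees the device on that error path.
 * Unless the pending work is cancelled first, it later runs against freed
 * memory. Every name here is a hypothetical stand-in, not the kernel's API. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_WORK 8
#define EVENT_LINK_CHANGE 0x1UL          /* stand-in for usbnet's event bit */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct { void (*func)(struct work_struct *); int pending; };
struct fake_dev {
    unsigned long flags;
    int link;
    struct work_struct kevent;           /* like usbnet's dev->kevent */
};

/* Toy single-threaded workqueue plus a quarantine of freed objects, so a late
 * work item whose owner is already gone is caught rather than dereferenced. */
static struct work_struct *queue[MAX_WORK];
static uintptr_t freed[MAX_WORK];
static int nqueued, nfreed;

static void schedule_work_sim(struct work_struct *w)
{
    if (!w->pending && nqueued < MAX_WORK) { w->pending = 1; queue[nqueued++] = w; }
}

/* like cancel_work_sync(): forget the item if it is still pending */
static void cancel_work_sync_sim(struct work_struct *w)
{
    for (int i = 0; i < nqueued; i++)
        if (queue[i] == w) { queue[i] = queue[--nqueued]; w->pending = 0; return; }
}

static int is_freed(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == (uintptr_t)p) return 1;
    return 0;
}

/* Drain the queue; returns how many items pointed at an already freed device. */
static int run_pending_work(void)
{
    int uaf = 0;
    while (nqueued > 0) {
        struct work_struct *w = queue[--nqueued];
        /* container_of is pointer arithmetic only: nothing is read before this check */
        if (is_freed(container_of(w, struct fake_dev, kevent))) { uaf++; continue; }
        w->pending = 0;
        w->func(w);
    }
    return uaf;
}

/* the deferred kevent handler: consumes the link-change event */
static void kevent_fn(struct work_struct *w)
{
    struct fake_dev *dev = container_of(w, struct fake_dev, kevent);
    if (dev->flags & EVENT_LINK_CHANGE) { dev->flags &= ~EVENT_LINK_CHANGE; dev->link = 1; }
}

/* The suspected bind() shape: a usbnet_link_change()-style call defers the
 * kevent (as usbnet_defer_kevent() would) before the descriptor check fails. */
static int fake_bind(struct fake_dev *dev, int descriptor_ok)
{
    dev->flags |= EVENT_LINK_CHANGE;
    schedule_work_sim(&dev->kevent);
    return descriptor_ok ? 0 : -1;
}

static void free_dev(struct fake_dev *dev)
{
    freed[nfreed++] = (uintptr_t)dev;    /* remember the address, then release it */
    free(dev);
}

static struct fake_dev *fake_probe(int descriptor_ok, int cancel_before_free)
{
    struct fake_dev *dev = calloc(1, sizeof *dev);
    if (!dev) return NULL;
    dev->kevent.func = kevent_fn;
    if (fake_bind(dev, descriptor_ok) < 0) {
        if (cancel_before_free)
            cancel_work_sync_sim(&dev->kevent);   /* the fix: nothing left pointing at dev */
        free_dev(dev);
        return NULL;
    }
    return dev;
}

/* Failed bind: work items caught touching a freed device (1 without the cancel, 0 with it). */
int simulate_failed_bind(int cancel_before_free)
{
    nqueued = nfreed = 0;
    fake_probe(0, cancel_before_free);
    return run_pending_work();
}
```

Calling simulate_failed_bind(0) reproduces the reported shape: the work item queued by the bind helper outlives the device and is caught by the quarantine when the queue drains. simulate_failed_bind(1) runs the same error path but cancels the work before the free, so nothing in the queue points at released memory. The same ordering rule (cancel or flush every deferred work item that can reach an object before that object is freed) is what a driver error path needs regardless of which sub-driver's bind() scheduled the work.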