drivers/usb/usbip/vudc_dev.c | 1 + 1 file changed, 1 insertion(+)
In vudc_probe, it calls init_vudc_hw, which bound &udc->timer with v_timer.
When it calls usbip_sockfd_store, it will call v_start_timer to start the
timer work.
When we call vudc_remove to remove the driver, theremay be a sequence as
follows:
Fix it by shutdown the timer work before cleanup in vudc_remove.
Note that removing a driver is a root-only operation, and should never
happen.
CPU0 CPU1
|v_timer
vudc_remove |
kfree(udc); |
//free shost |
|udc->gadget
|//use
This bug was found by static analysis.
Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- add more details about how the bug was found suggested by Shuah
---
drivers/usb/usbip/vudc_dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index 2bc428f2e261..33d0991755bb 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *pdev)
{
struct vudc *udc = platform_get_drvdata(pdev);
+ timer_shutdown_sync(&udc->timer);
usb_del_gadget_udc(&udc->gadget);
cleanup_vudc_hw(udc);
kfree(udc);
--
2.25.1Hi Zheng,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on usb/usb-testing]
[also build test ERROR on usb/usb-next usb/usb-linus linus/master v6.3-rc2 next-20230316]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Zheng-Wang/usbip-vudc-Fix-use-after-free-bug-in-vudc_remove-due-to-race-condition/20230317-021228
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
patch link: https://lore.kernel.org/r/20230316180940.1601515-1-zyytlz.wz%40163.com
patch subject: [PATCH v2] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
config: i386-randconfig-a015-20230313 (https://download.01.org/0day-ci/archive/20230317/202303170604.MoMGMPvW-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/46cc0947344ed93f7f1f4639209c5c6cce16fad3
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Zheng-Wang/usbip-vudc-Fix-use-after-free-bug-in-vudc_remove-due-to-race-condition/20230317-021228
git checkout 46cc0947344ed93f7f1f4639209c5c6cce16fad3
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash drivers/usb/usbip/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303170604.MoMGMPvW-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/usb/usbip/vudc_dev.c:636:28: error: no member named 'timer' in 'struct vudc'
timer_shutdown_sync(&udc->timer);
~~~ ^
1 error generated.
vim +636 drivers/usb/usbip/vudc_dev.c
631
632 int vudc_remove(struct platform_device *pdev)
633 {
634 struct vudc *udc = platform_get_drvdata(pdev);
635
> 636 timer_shutdown_sync(&udc->timer);
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
On 3/16/23 12:09, Zheng Wang wrote:
> In vudc_probe, it calls init_vudc_hw, which bound &udc->timer with v_timer.
>
> When it calls usbip_sockfd_store, it will call v_start_timer to start the
> timer work.
>
> When we call vudc_remove to remove the driver, theremay be a sequence as
> follows:
>
> Fix it by shutdown the timer work before cleanup in vudc_remove.
>
> Note that removing a driver is a root-only operation, and should never
> happen.
>
> CPU0 CPU1
>
> |v_timer
> vudc_remove |
> kfree(udc); |
> //free shost |
> |udc->gadget
> |//use
>
> This bug was found by static analysis.
Tell me which static analysis tool did you use to find this and
the output from the tool.
>
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v2:
> - add more details about how the bug was found suggested by Shuah
> ---
> drivers/usb/usbip/vudc_dev.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
> index 2bc428f2e261..33d0991755bb 100644
> --- a/drivers/usb/usbip/vudc_dev.c
> +++ b/drivers/usb/usbip/vudc_dev.c
> @@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *pdev)
> {
> struct vudc *udc = platform_get_drvdata(pdev);
>
> + timer_shutdown_sync(&udc->timer);
> usb_del_gadget_udc(&udc->gadget);
> cleanup_vudc_hw(udc);
> kfree(udc);
thanks,
-- Shuah
© 2016 - 2026 Red Hat, Inc.