RE: [syzbot] KASAN: use-after-free Read in dev_uevent

From: Zhang, Qiang1
Date: Wed Feb 23 2022 - 20:57:17 EST

Next message: Lu, Aaron: "Re: [PATCH 5/6] mm/page_alloc: Free pages in a single pass during bulk free"
Previous message: Mimi Zohar: "Re: [PATCH v5 3/8] fs-verity: define a function to return the integrity protected file digest"
In reply to: stern@xxxxxxxxxxxxxxxxxxx: "Re: [syzbot] KASAN: use-after-free Read in dev_uevent"
Next in thread: Zhang, Qiang1: "RE: [syzbot] KASAN: use-after-free Read in dev_uevent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 23, 2022 at 05:00:12PM +0100, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> On Wed, Feb 23, 2022 at 09:38:20AM -0500, stern@xxxxxxxxxxxxxxxxxxx wrote:
> > Which bus locks are you referring to? I'm not aware of any locks
> > that synchronize dev_uevent() with anything (in particular, with
> > driver unbinding).
>
> The locks in the driver core that handle the binding and unbinding of
> drivers to devices.
>
> > And as far as I know, usb_gadget_remove_driver() doesn't play any
> > odd tricks with pointers.
>
> Ah, I never noticed that this is doing a "fake" bus and does the
> bind/unbind itself outside of the driver core. It should just be a
> normal bus type and have the core do the work for it, but oh well.
>
> And there is a lock that should serialize all of this already, so it's
> odd that this is able to be triggered at all.

>>I guess at a minimum the UDC core should hold the device lock when it registers, unregisters, binds, or unbinds UDC and gadget devices.
>>Would that be enough to fix the problem? I really don't understand how sysfs file access gets synchronized with device removal.

Agree with you, in usb_gadget_remove_driver() function, the udc->dev.driver and udc->gadget->dev.driver be set to null
without any protection, so when the udevd accessed the dev->driver, this address may be invalid at this time.
maybe the operation of dev->driver can be protected by device_lock().

Thanks,
Zqiang

> Unless the device is being removed at the same time it was manually
> unbound from the driver? If so, then this really should be fixed up
> to use the driver core logic instead...
>>
>>Device removal does of course trigger unbinding, but they always take place in the same thread so it isn't an issue.
>>
>>Probably part of the reason people don't want to use the driver core here is so that they can specify which UDC a gadget driver should bind to. The driver core would always bind each new gadget to the first registered gadget driver.
>>
>>When Dave Brownell originally wrote the gadget subsystem, I believe he didn't bother to integrate it with the driver core because it was a "bus" with only a single device and a single driver. The ability to have multiple UDCs in the system was added later.
>>
>>Alan Stern

Next message: Lu, Aaron: "Re: [PATCH 5/6] mm/page_alloc: Free pages in a single pass during bulk free"
Previous message: Mimi Zohar: "Re: [PATCH v5 3/8] fs-verity: define a function to return the integrity protected file digest"
In reply to: stern@xxxxxxxxxxxxxxxxxxx: "Re: [syzbot] KASAN: use-after-free Read in dev_uevent"
Next in thread: Zhang, Qiang1: "RE: [syzbot] KASAN: use-after-free Read in dev_uevent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]