
Issue 883959


Issue metadata

Status: Fixed
Owner:
Closed: Sep 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




kernel v4.4: Use after free in xhci_free_virt_device

Reported by mka@chromium.org (Project Member), Sep 13

Issue description

When booting on scarlet with a UNITEK Y-3470B USB to Ethernet adapter connected (directly or through an Ableconn USBC-4APD) the kernel detects a use after free:

[    4.694871] -----------------------------------------------------------------------------

[    4.704507] Disabling lock debugging due to kernel taint
[    4.709808] INFO: 0xffffffc0eb853810-0xffffffc0eb853813. First byte 0x0 instead of 0x6b
[    4.717807] INFO: Allocated in usb_alloc_dev+0x34/0x288 age=1100 cpu=4 pid=138
[    4.725026] 	alloc_debug_processing+0xf8/0x168
[    4.729467] 	___slab_alloc+0x1e0/0x62c
[    4.733209] 	__kmalloc+0x27c/0x2a0
[    4.736604] 	usb_alloc_dev+0x34/0x288
[    4.740262] 	hub_event+0x730/0xda4
[    4.743658] 	worker_thread+0x28c/0x8c8
[    4.747399] 	kthread+0xec/0xfc
[    4.750448] 	ret_from_fork+0x10/0x30
[    4.754019] INFO: Freed in usb_release_dev+0x58/0x68 age=384 cpu=4 pid=138
[    4.760887] 	free_debug_processing+0x118/0x340
[    4.765333] 	kfree+0x478/0x6f4
[    4.768384] 	usb_release_dev+0x58/0x68
[    4.772133] 	device_release+0x38/0x90
[    4.775791] 	kobject_cleanup+0x68/0x84
[    4.779532] 	kobject_put+0x5c/0x68
[    4.782926] 	put_device+0x20/0x2c
[    4.786233] 	usb_put_dev+0x20/0x2c
[    4.789628] 	hub_event+0xa7c/0xda4
[    4.793023] 	worker_thread+0x28c/0x8c8
[    4.796763] 	kthread+0xec/0xfc
[    4.799812] 	ret_from_fork+0x10/0x30

KASAN points towards xhci_free_virt_device():

[    8.524589] Call trace:
[    8.527044] [<ffffffc000210018>] dump_backtrace+0x0/0x3a8
[    8.532443] [<ffffffc00021000c>] show_stack+0x20/0x2c
[    8.537497] [<ffffffc0009a5e90>] __dump_stack+0x20/0x28
[    8.542721] [<ffffffc0009a5e48>] dump_stack+0xd0/0xf8
[    8.547774] [<ffffffc00052b3e4>] print_trailer+0x160/0x170
[    8.553258] [<ffffffc00052b1b0>] object_err+0x48/0x58
[    8.558311] [<ffffffc000532810>] kasan_report+0x380/0x47c
[    8.563711] [<ffffffc0005329a8>] __asan_report_load4_noabort+0x2c/0x38
[    8.570237] [<ffffffc000e63cd4>] xhci_free_virt_device+0x3b8/0x3d8
[    8.576408] [<ffffffc000e711d8>] handle_cmd_completion+0x620/0x1c9c
[    8.582673] [<ffffffc00117e2b0>] xhci_irq+0x854/0x41b0
[    8.587812] [<ffffffc000dd5408>] usb_hcd_irq+0x8c/0xac

The offending code is:

if (dev->udev && dev->udev->slot_id)
  dev->udev->slot_id = 0;

udev was already freed in usb_release_dev().

groeck@ reported this issue upstream and there is a fix for it:

commit 44a182b9d17765514fa2b1cc911e4e65134eef93
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu May 3 17:30:07 2018 +0300

    xhci: Fix use-after-free in xhci_free_virt_device


The fix was integrated in at least some -stable branches (v4.14), but didn't make it into v4.4-stable.
Attachment: dmesg.log (72.8 KB)
Comment 1 by bugdroid1@chromium.org (Project Member), Sep 14

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/439d815e28b7993970b4b2ed7089fe91d0b4b72b

commit 439d815e28b7993970b4b2ed7089fe91d0b4b72b
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Fri Sep 14 06:56:37 2018

BACKPORT: xhci: Fix use-after-free in xhci_free_virt_device

KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
where xhci_free_virt_device() sets slot id to 0 if udev exists:
if (dev->udev && dev->udev->slot_id)
	dev->udev->slot_id = 0;

dev->udev will be true even if udev is freed because dev->udev is
not set to NULL.

set dev->udev pointer to NULL in xhci_free_dev()

The original patch went to stable so this fix needs to be applied
there as well.

Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
Cc: <stable@vger.kernel.org>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 44a182b9d17765514fa2b1cc911e4e65134eef93)

Conflicts:
  drivers/usb/host/xhci.c
    upstream introduced xhci_disable_slot(), set dev->udev to NULL
    before queuing the TRB_DISABLE_SLOT command or directly calling
    xhci_free_virt_device()

BUG=chromium:883959
TEST=boot on scarlet with UNITEK Y-3470B USB to Ethernet adapter
  connected
    => no logs about use after free

Change-Id: I1e54b92ba591b5ed0db4c004f700f6e933b94fe7
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1225831
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/439d815e28b7993970b4b2ed7089fe91d0b4b72b/drivers/usb/host/xhci.c

Status: Fixed (was: Started)
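To make the lifetime ordering behind the report and the backported fix concrete, here is an added model (not code from the kernel, from the issue or from the commit) in which a hypothetical `freed` flag stands in for KASAN's poisoning: `replay()` runs the hub worker's release of udev and the later command completion in the order the description gives, once with a pre-fix `xhci_free_dev()` that leaves `dev->udev` dangling and once with the fixed one that clears it. The struct layouts, the `freed` flag and every function body are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, stripped-down models of the kernel objects in the report;
 * only the field names mirror the page, nothing is taken from the driver. */
struct usb_device {
	int slot_id;
	bool freed;	/* demo-only liveness flag standing in for KASAN */
};
struct xhci_virt_device { struct usb_device *udev; };

/* Model of usb_release_dev(): the USB core drops its last reference and
 * frees udev. The demo only marks it freed so a dangling access can be
 * detected instead of dereferencing freed memory for real. */
static void usb_release_dev(struct usb_device *udev) { udev->freed = true; }

/* Model of the interrupt path handle_cmd_completion() ->
 * xhci_free_virt_device(). Returns true if it touched freed memory. */
static bool xhci_free_virt_device(struct xhci_virt_device *dev)
{
	if (dev->udev && dev->udev->freed)
		return true;	/* the load KASAN reported */
	if (dev->udev && dev->udev->slot_id)
		dev->udev->slot_id = 0;
	return false;
}

/* Pre-fix xhci_free_dev(): queues the disable-slot command (elided here)
 * but leaves dev->udev pointing at a device the USB core is about to free. */
static void xhci_free_dev_buggy(struct xhci_virt_device *dev) { (void)dev; }

/* Fixed xhci_free_dev(): clears dev->udev before the command is queued,
 * so the later completion can no longer reach the freed device. */
static void xhci_free_dev_fixed(struct xhci_virt_device *dev) { dev->udev = NULL; }

/* Replays the ordering in the report: xhci_free_dev(), then the hub
 * worker's usb_put_dev() frees udev, then the command completion fires.
 * Returns true when the completion path touched the freed udev. */
static bool replay(void (*xhci_free_dev)(struct xhci_virt_device *))
{
	struct usb_device udev = { .slot_id = 1, .freed = false };
	struct xhci_virt_device dev = { .udev = &udev };

	xhci_free_dev(&dev);
	usb_release_dev(&udev);
	return xhci_free_virt_device(&dev);
}
```

With the pre-fix ordering `replay()` reports the dangling access; with the fixed ordering the completion path never reaches udev, which is the behaviour the TEST= line in the commit describes.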
