Possible null pointer dereference in adutux.ko

From: Anton Volkov
Date: Tue Aug 15 2017 - 08:59:59 EST

Next message: Mark Rutland: "Re: [PATCH v4 5/6] perf: hisi: Add support for HiSilicon SoC DDRC PMU driver"
Previous message: Roman Gushchin: "Re: [v5 2/4] mm, oom: cgroup-aware OOM killer"
Next in thread: Oliver Neukum: "Re: Possible null pointer dereference in adutux.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

While searching for races in the Linux kernel I've come across "drivers/usb/misc/adutux.ko" module. Here is a question that I came up with while analyzing results. Lines are given using the info from Linux v4.12.

Consider the following case:

Thread 1: Thread 2:
adu_release
->adu_release_internal adu_disconnect
<READ &dev->udev->dev> dev->udev = NULL
(adutux.c: line 298) (adutux.c: line 771)
usb_deregister_dev

Comments in the source code point at the possibility of adu_release() being called separately from adu_disconnect(). adu_release() and adu_disconnect() acquire different mutexes, so they are not protected from one another. If adu_disconnect() changes dev->udev before its value is read in adu_release_internal() there will be a NULL pointer dereference on a read attempt. Is this case feasible from your point of view?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@xxxxxxxxx

Next message: Mark Rutland: "Re: [PATCH v4 5/6] perf: hisi: Add support for HiSilicon SoC DDRC PMU driver"
Previous message: Roman Gushchin: "Re: [v5 2/4] mm, oom: cgroup-aware OOM killer"
Next in thread: Oliver Neukum: "Re: Possible null pointer dereference in adutux.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]