Possible double free in iowarrior.ko

From: Anton Volkov
Date: Tue Aug 22 2017 - 10:51:21 EST

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH v2 04/19] perf, tools: Tighten detection of BPF events"
Previous message: Koichiro Den: "Re: [PATCH] vhost: fix end of range for access_ok"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

While searching for races in the Linux kernel I've come across "drivers/usb/misc/iowarrior.ko" module. Here are questions that I came up with while analyzing results. Lines are given using the info from Linux v4.12.

Consider the following case:

Thread 1: Thread 2:
iowarrior_release iowarrior_disconnect
mutex_lock(&dev->mutex)
dev->present = 0
(iowarrior.c: line 889)
mutex_lock(&dev->mutex) mutex_unlock(&dev->mutex)
dev->opened = 0
(iowarrior.c: line 666) if(dev->opened){
if(dev->present){ //dev->opened == 0
//dev->present ==0
} else { } else {
mutex_unlock(&dev->mutex) iowarrior_delete(dev)
iowarrior_delete(dev) }
}

In this case double free of several pointers inside iowarrior_delete becomes possible and no calls to usb_kill_urb() and wake_up_interruptible() are present. Is this feasible from your point of view? If so, maybe it is a good idea to move mutex_unlock(&dev->mutex) in iowarrior_disconnect() further down like in iowarrior_release() in both 'if' branches?

Thank you for your time

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@xxxxxxxxx

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH v2 04/19] perf, tools: Tighten detection of BPF events"
Previous message: Koichiro Den: "Re: [PATCH] vhost: fix end of range for access_ok"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]