linux/drivers/usb/usbip
Shuah Khan (Samsung OSG) e28fd56ad5 usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
In rmmod path, usbip_vudc does platform_device_put() twice once from
platform_device_unregister() and then from put_vudc_device().

The second put results in:

BUG kmalloc-2048 (Not tainted): Poison overwritten error or
BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is
enabled.

[  169.042156] calling  init+0x0/0x1000 [usbip_vudc] @ 1697
[  169.042396] =============================================================================
[  169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs
[  169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten
[  169.044509] -----------------------------------------------------------------------------
...
[  169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693
[  169.057852] 	kobject_put+0x86/0x1b0
[  169.057853] 	0xffffffffc0c30a96
[  169.057855] 	__x64_sys_delete_module+0x157/0x240

Fix it to call platform_device_del() instead and let put_vudc_device() do
the platform_device_put().

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-18 19:44:39 +02:00
..
Kconfig usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS 2018-03-09 09:16:18 -08:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
README
stub_dev.c usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
stub_main.c usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-16 18:52:13 +02:00
stub_rx.c Merge 4.15.0-rc6 into usb-next 2018-01-02 15:13:41 +01:00
stub_tx.c usbip: stub: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
stub.h usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
usbip_common.c Merge 4.15-rc8 into usb-next 2018-01-15 15:00:11 +01:00
usbip_common.h usbip: vhci_hcd: Fix usb device and sockfd leaks 2018-04-22 14:45:11 +02:00
usbip_event.c usbip: usbip_event: fix to not print kernel pointer address 2018-04-22 14:45:12 +02:00
vhci_hcd.c usbip: vhci_hcd: check rhport before using in vhci_hub_control() 2018-04-22 14:45:11 +02:00
vhci_rx.c usbip: vhci: fix spelling mistake: "synchronuously" -> "synchronously" 2018-01-04 17:05:55 +01:00
vhci_sysfs.c usbip: vhci_sysfs: fix potential Spectre v1 2018-05-24 18:14:28 +02:00
vhci_tx.c usbip: vhci: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
vhci.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_dev.c usb: usbip: remove redundant pointer ep 2018-07-13 15:41:55 +02:00
vudc_main.c usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten 2018-10-18 19:44:39 +02:00
vudc_rx.c usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input 2018-01-04 17:07:26 +01:00
vudc_sysfs.c usbip: vudc: fix null pointer dereference on udc->lock 2018-03-09 10:01:07 -08:00
vudc_transfer.c USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_tx.c usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer 2018-01-04 17:07:27 +01:00
vudc.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00

TODO:
	- more discussion about the protocol
	- testing
	- review of the userspace interface
	- document the protocol

Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>