From: Greg KH <gregkh@linuxfoundation.org>
To: sicong <congei42@163.com>
Cc: johan@kernel.org, elder@kernel.org, greybus-dev@lists.linaro.org,
	linux-kernel@vger.kernel.org
Subject: Re: Bug report: greybus/interface.c: use-after-free bug in gb_interface_release due to race condition
Date: Tue, 16 Apr 2024 06:49:43 +0200	[thread overview]
Message-ID: <2024041624-oxford-sabbath-9f6a@gregkh> (raw)
In-Reply-To: <280ee5e5.4936.18ee4d93bae.Coremail.congei42@163.com>

On Tue, Apr 16, 2024 at 11:00:25AM +0800, sicong wrote:
> greybus/interface.c: use-after-free bug in gb_interface_release due to
> race condition.
> 
> In gb_interface_create, &intf->mode_switch_completion is bound with
> gb_interface_mode_switch_work. Then it will be started by
> gb_interface_request_mode_switch. Here is the code.
> if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
> 	...
> }
> 
> If we call gb_interface_release to clean up, there may be an
> unfinished work. This function will call kfree to free the object
> "intf". However, if gb_interface_mode_switch_work is scheduled to
> run after kfree, it may cause a use-after-free error, as
> gb_interface_mode_switch_work will use the object "intf".
> The possible execution flow that may lead to the issue is as follows:
> 
> CPU0                            CPU1
> 
>                             |   gb_interface_create
>                             |   gb_interface_request_mode_switch
> gb_interface_release        |
> kfree(intf) (free)          |
>                             |   gb_interface_mode_switch_work
>                             |   mutex_lock(&intf->mutex) (use)   
> 
> This bug may be fixed by adding the following code before kfree.
> cancel_work_sync(&intf->mode_switch_work);

Wonderful, please submit a patch with this information and we will be
glad to review it.

thanks,

greg k-h
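
The race described in the report, and the proposed cancel_work_sync()-before-kfree() fix, as an added user-space model (not greybus or kernel code): queue_work(), cancel_work_sync() and the gb_interface_* names below are toy stand-ins built on pthreads that keep only the semantics the report relies on (a queued work runs later on another thread and dereferences its container; cancelling either prevents a not-yet-started work from running or waits for a running one to finish), so the release path can be checked to free the object only once no work can still touch it.

```c
#define _DEFAULT_SOURCE                  /* for usleep() on glibc */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
/* Toy stand-ins for the kernel API: a model, not greybus or kernel code. */
struct work_struct { void (*func)(struct work_struct *); pthread_t thread; int queued; atomic_bool cancelled; };
struct gb_interface { int mode_switches; struct work_struct mode_switch_work; };
static int work_in_flight;               /* instrumentation: work started but not finished */
static void *work_thread(void *arg) {    /* stands in for the workqueue worker */
    struct work_struct *w = arg;
    usleep(2000);                        /* scheduling latency before the work runs */
    if (!atomic_load(&w->cancelled)) w->func(w);   /* dereferences the container */
    return NULL;
}
static int queue_work(struct work_struct *w) {   /* 0 if already queued */
    if (w->queued) return 0;
    w->queued = 1; return pthread_create(&w->thread, NULL, work_thread, w) == 0;
}
static void cancel_work_sync(struct work_struct *w) {
    if (!w->queued) return;
    atomic_store(&w->cancelled, 1);      /* not yet started: it will not run */
    pthread_join(w->thread, NULL);       /* already running: wait for it to finish */
    w->queued = 0;
}
static void gb_interface_mode_switch_work(struct work_struct *w) {
    struct gb_interface *intf = (struct gb_interface *)((char *)w - offsetof(struct gb_interface, mode_switch_work));
    work_in_flight++;
    usleep(20000);                       /* widen the race window */
    intf->mode_switches++;               /* CPU1's use of intf in the report */
    work_in_flight--;
}
static struct gb_interface *gb_interface_create(void) {
    struct gb_interface *intf = calloc(1, sizeof *intf);
    intf->mode_switch_work.func = gb_interface_mode_switch_work;
    return intf;
}
/* Fixed release: cancel_work_sync() before free(), as the report proposes. */
static int gb_interface_release_fixed(struct gb_interface *intf) {
    cancel_work_sync(&intf->mode_switch_work);
    int in_flight = work_in_flight;      /* 0 means no work can touch intf after free() */
    free(intf);
    return in_flight;
}
static int demo_release_while_running(void) {   /* CPU0 releases while CPU1's work runs */
    struct gb_interface *intf = gb_interface_create();
    queue_work(&intf->mode_switch_work); usleep(8000);   /* let the work start */
    return gb_interface_release_fixed(intf);
}
```

Dropping the cancel_work_sync() call from gb_interface_release_fixed() reproduces the report's ordering (free, then the worker's dereference), which is the use-after-free that tools like KASAN flag.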
