usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
authorShuah Khan (Samsung OSG) <shuah@kernel.org>
Thu, 18 Oct 2018 16:19:29 +0000 (10:19 -0600)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Nov 2018 19:15:03 +0000 (11:15 -0800)
commit255624a35b4ca228bac9a1f135263e28c27c4640
tree283952b080b3b7c772e90a9cc75ca1df8b203754
parentacc14d41da801242ef7ad21c55a7f2569a1fd2f1
usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten

commit e28fd56ad5273be67d0fae5bedc7e1680e729952 upstream.

In rmmod path, usbip_vudc does platform_device_put() twice once from
platform_device_unregister() and then from put_vudc_device().

The second put results in:

BUG kmalloc-2048 (Not tainted): Poison overwritten error or
BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is
enabled.

[  169.042156] calling  init+0x0/0x1000 [usbip_vudc] @ 1697
[  169.042396] =============================================================================
[  169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs
[  169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten
[  169.044509] -----------------------------------------------------------------------------
...
[  169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693
[  169.057852]  kobject_put+0x86/0x1b0
[  169.057853]  0xffffffffc0c30a96
[  169.057855]  __x64_sys_delete_module+0x157/0x240

Fix it to call platform_device_del() instead and let put_vudc_device() do
the platform_device_put().

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/usbip/vudc_main.c