Hello.

While searching for races in the Linux kernel I've come across the "drivers/usb/misc/adutux.ko" module. Here is a question that I came up with while analyzing the results. Line numbers are given for Linux v4.12.

Consider the following case:

Thread 1:                   Thread 2:
adu_release
->adu_release_internal      adu_disconnect
    <READ &dev->udev->dev>    dev->udev = NULL
    (adutux.c: line 298)      (adutux.c: line 771)
                              usb_deregister_dev

Comments in the source code point to the possibility of adu_release() being called separately from adu_disconnect(). adu_release() and adu_disconnect() acquire different mutexes, so they are not protected from one another. If adu_disconnect() changes dev->udev before its value is read in adu_release_internal(), there will be a NULL pointer dereference on the read attempt. Is this case feasible from your point of view?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avol...@ispras.ru
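Below is a constructed C model of the interleaving described in the message, added here as an illustration; it is not the adutux driver's code, and its struct, spinlock and function names are assumptions. It shows the defensive pattern for this class of race: disconnect and release take the same lock, and release re-checks dev->udev under that lock before dereferencing it.

```c
/* Constructed model of the release/disconnect race described above. Added
 * illustration, not the adutux driver's code: struct, lock and function names
 * are assumptions. Both paths take one lock; release re-checks udev under it. */
#include <stdatomic.h>
#include <stdio.h>
#define ENODEV 19
/* Tiny spinlock so the model needs no pthreads (the driver uses mutexes). */
typedef struct { atomic_flag held; } model_lock_t;
static void model_lock(model_lock_t *l)
{ while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire)) ; }
static void model_unlock(model_lock_t *l)
{ atomic_flag_clear_explicit(&l->held, memory_order_release); }

struct usb_device { int busnum; };          /* stand-in for struct usb_device */
/* mtx is shared by both paths; udev is poisoned (NULL) on disconnect. */
struct adu_device { model_lock_t mtx; struct usb_device *udev; int open_count; };

/* Models adu_disconnect(): poisons udev under the lock that release also takes. */
void model_disconnect(struct adu_device *dev)
{
    model_lock(&dev->mtx);
    dev->udev = NULL;                        /* poison, as adu_disconnect() does */
    model_unlock(&dev->mtx);
}

/* Hardened model of adu_release_internal(): the dev_dbg(&dev->udev->dev, ...)
 * read becomes a NULL-checked access under the same lock. Returns 0 or -ENODEV. */
int model_release_internal(struct adu_device *dev)
{
    int ret = 0;
    model_lock(&dev->mtx);
    --dev->open_count;
    if (dev->udev == NULL)
        ret = -ENODEV;                       /* unplugged: skip the dereference */
    else
        printf("open count %d (bus %d)\n", dev->open_count, dev->udev->busnum);
    model_unlock(&dev->mtx);
    return ret;
}

/* Replays the interleaving from the message: disconnect wins, release follows. */
int model_unplug_scenario(void)
{
    struct usb_device usb = { .busnum = 1 };
    struct adu_device dev = { .mtx = { ATOMIC_FLAG_INIT }, .udev = &usb, .open_count = 1 };
    model_disconnect(&dev);
    return model_release_internal(&dev);     /* -ENODEV instead of a NULL deref */
}

int main(void) { return model_unplug_scenario() == -ENODEV ? 0 : 1; }
```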