On Fri, Mar 17, 2023 at 02:27:05AM +0800, Zheng Hacker wrote:
> On Friday, March 17, 2023, Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > On 3/16/23 12:09, Zheng Wang wrote:
> >
> > > In vudc_probe, it calls init_vudc_hw, which binds &udc->timer with
> > > v_timer.
> > >
> > > When it calls usbip_sockfd_store, it will call v_start_timer to start the
> > > timer work.
> > >
> > > When we call vudc_remove to remove the driver, there may be a sequence as
> > > follows:
> > >
> > > Fix it by shutting down the timer work before cleanup in vudc_remove.
> > >
> > > Note that removing a driver is a root-only operation, and should never
> > > happen.
> > >
> > > CPU0                       CPU1
> > >
> > >                            |v_timer
> > > vudc_remove                |
> > > kfree(udc);                |
> > > //free shost               |
> > >                            |udc->gadget
> > >                            |//use
> > >
> > > This bug was found by static analysis.
> > >
> >
> > Tell me which static analysis tool did you use to find this and
> > the output from the tool.
> >
>
> This is found by codeql, the rule is complicated. It finally found
> there is no timer stop behavior in remove function.

When using tools like this, you are required to follow the rules in
Documentation/process/researcher-guidelines.rst

Please do so here.

thanks,

greg k-h
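The race in the quoted description is a timer callback touching an object after the remove path has freed it. The following is an added, stand-alone userspace model of that pattern; it is not the vudc patch, not kernel code, and every name in it (model_timer, vudc_model, v_timer_model, the *_model helpers) is made up for illustration. The timer API is modelled loosely on the kernel's: model_del_timer() plays the role of dequeueing a pending timer, model_timer_shutdown_sync() additionally refuses any later re-arm, which is what matters when the callback re-arms itself. In a single-threaded model "sync" is trivially satisfied; the real kernel helpers also wait for a callback running on another CPU, which this model cannot show.

```c
/* Added example: userspace model of "timer callback uses freed object".
 * All identifiers are invented for this illustration. */
#include <stddef.h>
#include <stdlib.h>

/* Modelled on struct timer_list: callback, expiry tick, and a flag set by
 * shutdown so that any later re-arm attempt is rejected. */
struct model_timer {
    void (*function)(struct model_timer *t);
    unsigned long expires;
    int pending;
    int shut_down;
};

#define MAX_TIMERS 8
static struct model_timer *wheel[MAX_TIMERS];   /* the "timer wheel" */
static unsigned long jiffies_model;

static int model_pending_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (wheel[i]) n++;
    return n;
}

/* Arm or re-arm. 0 on success, -1 if the timer was shut down (or no slot). */
static int model_mod_timer(struct model_timer *t, unsigned long expires)
{
    if (t->shut_down) return -1;
    t->expires = expires;
    if (t->pending) return 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!wheel[i]) { wheel[i] = t; t->pending = 1; return 0; }
    return -1;
}

/* Dequeue only; returns 1 if the timer was pending. A callback may still
 * re-arm after this, which is the gap shutdown closes. */
static int model_del_timer(struct model_timer *t)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        if (wheel[i] == t) { wheel[i] = NULL; t->pending = 0; return 1; }
    return 0;
}

/* Dequeue and forbid re-arming: the object may be freed safely afterwards. */
static int model_timer_shutdown_sync(struct model_timer *t)
{
    int was_pending = model_del_timer(t);
    t->shut_down = 1;
    return was_pending;
}

/* One tick: run every expired callback once (a callback may re-arm). */
static void model_run_timers(void)
{
    jiffies_model++;
    for (int i = 0; i < MAX_TIMERS; i++) {
        struct model_timer *t = wheel[i];
        if (t && t->expires <= jiffies_model) {
            wheel[i] = NULL;
            t->pending = 0;
            t->function(t);
        }
    }
}

struct vudc_model {
    int gadget_speed;            /* stands in for the udc->gadget use */
    struct model_timer timer;
    unsigned long callbacks_run;
};

/* container_of-style recovery of the owner; this is the "use" on CPU1. */
static void v_timer_model(struct model_timer *t)
{
    struct vudc_model *udc =
        (struct vudc_model *)((char *)t - offsetof(struct vudc_model, timer));
    udc->callbacks_run++;
    udc->gadget_speed++;
    model_mod_timer(t, jiffies_model + 1);   /* polling timer re-arms itself */
}

static struct vudc_model *vudc_probe_model(void)
{
    struct vudc_model *udc = calloc(1, sizeof(*udc));
    if (udc) udc->timer.function = v_timer_model;   /* init_vudc_hw analogue */
    return udc;
}

/* Buggy remove as described in the thread: free with the timer still armed.
 * The next tick would run v_timer_model on freed memory. Never called below. */
static void vudc_remove_buggy_model(struct vudc_model *udc) { free(udc); }

/* Fixed remove: stop the timer for good, then free. */
static void vudc_remove_fixed_model(struct vudc_model *udc)
{
    model_timer_shutdown_sync(&udc->timer);
    free(udc);
}

/* Start, tick, remove correctly, tick again. Returns how many callbacks ran
 * before removal (proves the timer was live); later ticks touch nothing. */
static unsigned long run_fixed_sequence(int ticks)
{
    struct vudc_model *udc = vudc_probe_model();
    if (!udc || model_mod_timer(&udc->timer, jiffies_model + 1) != 0) return (unsigned long)-1;
    for (int i = 0; i < ticks; i++) model_run_timers();
    unsigned long ran = udc->callbacks_run;
    vudc_remove_fixed_model(udc);
    for (int i = 0; i < ticks; i++) model_run_timers();
    return ran;
}

/* After del only, a late re-arm is accepted (0); after shutdown it is refused (-1). */
static int rearm_after_stop(int use_shutdown)
{
    struct vudc_model *udc = vudc_probe_model();
    if (!udc || model_mod_timer(&udc->timer, jiffies_model + 1) != 0) return -2;
    if (use_shutdown) model_timer_shutdown_sync(&udc->timer);
    else model_del_timer(&udc->timer);
    int rc = model_mod_timer(&udc->timer, jiffies_model + 1);
    model_timer_shutdown_sync(&udc->timer);   /* clean up before freeing */
    free(udc);
    return rc;
}
```

The point the model isolates is ordering: the timer must be taken out of the wheel, and prevented from coming back, before the memory it points into is released. Building with -fsanitize=address and swapping vudc_remove_fixed_model for vudc_remove_buggy_model in run_fixed_sequence makes the post-free callback visible as a heap-use-after-free report.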