gregkh@xxxxxxxxxxxxxxxxxxx <gregkh@xxxxxxxxxxxxxxxxxxx> wrote on Fri, Mar 17, 2023 at 03:09:
>
> On Fri, Mar 17, 2023 at 02:27:05AM +0800, Zheng Hacker wrote:
> > On Fri, Mar 17, 2023, Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On 3/16/23 12:09, Zheng Wang wrote:
> > >
> > >> In vudc_probe, it calls init_vudc_hw, which bound &udc->timer with
> > >> v_timer.
> > >>
> > >> When it calls usbip_sockfd_store, it will call v_start_timer to start the
> > >> timer work.
> > >>
> > >> When we call vudc_remove to remove the driver, there may be a sequence as
> > >> follows:
> > >>
> > >> Fix it by shutting down the timer work before cleanup in vudc_remove.
> > >>
> > >> Note that removing a driver is a root-only operation, and should never
> > >> happen.
> > >>
> > >> CPU0                       CPU1
> > >>
> > >>                            |v_timer
> > >> vudc_remove                |
> > >>   kfree(udc);              |
> > >>   //free shost             |
> > >>                            |udc->gadget
> > >>                            |//use
> > >>
> > >> This bug was found by static analysis.
> > >>
> > >
> > > Tell me which static analysis tool you used to find this and
> > > the output from the tool.
> > >
> >
> > This is found by codeql, the rule is complicated. It finally found
> > there is no timer stop behavior in remove function.
>
> When using tools like this, you are required to follow the rules in
> Documentation/process/researcher-guidelines.rst
>
> Please do so here.
>

Thanks for your assistance. I'll read it carefully and keep that in mind. And I'll append more information in the next version of the patch.

Best regards,
Zheng

> thanks,
>
> greg k-h
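The ordering problem in the report above (the timer wheel still references udc->timer after kfree(udc), so the next expiry touches freed memory) can be modelled deterministically in user space. The block below is an added illustration, not the patch or any vudc code: the sim_* helpers, the single timer slot, the live_udc bookkeeping and the assumption that v_timer re-arms itself are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed user-space model, not kernel code: one slot stands in for the timer
 * wheel's raw pointer to udc->timer, another for what KASAN knows is still allocated. */
struct sim_timer { void (*function)(struct sim_timer *); };
struct sim_vudc {
    struct sim_timer timer;   /* first member, so container_of() is a plain cast */
    int gadget_busy;          /* stands in for udc->gadget, touched by the callback */
};
static uintptr_t armed;      /* address of the armed timer, 0 if none */
static uintptr_t live_udc;   /* address of the allocated udc, 0 once freed */
static void sim_add_timer(struct sim_timer *t)      { armed = (uintptr_t)t; }
static void sim_del_timer_sync(struct sim_timer *t) { if (armed == (uintptr_t)t) armed = 0; }

/* Expire the armed timer; returns 1 (and skips the callback) if it would run on freed memory. */
static int sim_expire(void) {
    uintptr_t addr = armed;
    if (!addr) return 0;
    armed = 0;                                     /* one-shot expiry */
    if (addr != live_udc) return 1;                /* timer sits inside a freed udc */
    struct sim_timer *t = (struct sim_timer *)addr;
    t->function(t);
    return 0;
}
static void v_timer(struct sim_timer *t) {
    struct sim_vudc *udc = (struct sim_vudc *)t;
    udc->gadget_busy++;                            /* the report's "udc->gadget //use" */
    sim_add_timer(t);                              /* assumed to re-arm on every expiry */
}
static struct sim_vudc *vudc_probe(void) {         /* init_vudc_hw binds timer to v_timer */
    struct sim_vudc *udc = calloc(1, sizeof *udc);
    udc->timer.function = v_timer; live_udc = (uintptr_t)udc;
    return udc;
}
/* Unpatched: udc is freed while its timer is armed. Patched: the timer is shut down first. */
static void vudc_remove(struct sim_vudc *udc, bool patched) {
    if (patched) sim_del_timer_sync(&udc->timer);
    live_udc = 0; free(udc);
}

/* probe -> v_start_timer (via usbip_sockfd_store) -> expiry -> remove -> expiry.
 * Returns the number of use-after-free expiries: 1 unpatched, 0 patched. */
int run_scenario(bool patched) {
    struct sim_vudc *udc = vudc_probe();
    sim_add_timer(&udc->timer);
    sim_expire();                                  /* v_timer runs on a live udc, re-arms */
    vudc_remove(udc, patched);
    return sim_expire();
}
```

The same check is what a KASAN-instrumented kernel would report at the second expiry; in the real driver the fix is the synchronous timer shutdown in vudc_remove, which the patched branch models.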