From: Greg KH <gregkh@linuxfoundation.org>
To: Sicong Huang <congei42@163.com>
Cc: peter.chen@kernel.org, pawell@cadence.com, rogerq@kernel.org,
linux-usb@vger.kernel.org
Subject: Re: [PATCH v1] usb: cdns3: cdns3-gadget: fix use-after-free bug in cdns3_gadget_exit due to race
Date: Tue, 4 Jun 2024 15:11:57 +0200
Message-ID: <2024060444-delay-surgical-c8ff@gregkh>
In-Reply-To: <20240513021948.133039-1-congei42@163.com>
On Mon, May 13, 2024 at 10:19:48AM +0800, Sicong Huang wrote:
> This bug exists in drivers/usb/cdns3/cdns3-gadget.c. Function
> __cdns3_gadget_init will call cdns3_gadget_start to do further jobs
> during the initialization process of the cdns3 gadget. In cdns3_gadget_start,
> &priv_dev->pending_status_wq is bound to cdns3_pending_setup_status_handler.
> Then this work will be added to system_freezable_wq in cdns3_gadget_ep0_queue.
> Here is the code.
> queue_work(system_freezable_wq, &priv_dev->pending_status_wq);
>
> If we call cdns3_gadget_exit to remove the device and clean up,
> there may be some unfinished work. This function will call cdns3_free_all_eps to
> free all the endpoints. However, if cdns3_pending_setup_status_handler is
> scheduled to run after the free, it will cause a use-after-free error, as
> cdns3_pending_setup_status_handler uses the endpoint in the following code.
> request->complete(&priv_dev->eps[0]->endpoint, request);
>
> The possible execution flow that may lead to this issue is as follows:
> CPU0                          CPU1
>                               | __cdns3_gadget_init
>                               |   cdns3_gadget_start
> cdns3_gadget_exit             |
>   cdns3_free_all_eps          |
>     devm_kfree (free)         |
>                               | cdns3_pending_setup_status_handler
>                               |   &priv_dev->eps[0]->endpoint (use)
>
> Fix it by cleaning the work in cdns3_gadget_exit.
>
> Signed-off-by: Sicong Huang <congei42@163.com>
> ---
> drivers/usb/cdns3/cdns3-gadget.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
> index fd1beb10bba7..0f2e143bd17a 100644
> --- a/drivers/usb/cdns3/cdns3-gadget.c
> +++ b/drivers/usb/cdns3/cdns3-gadget.c
> @@ -3252,6 +3252,9 @@ static void cdns3_gadget_exit(struct cdns *cdns)
> pm_runtime_mark_last_busy(cdns->dev);
> pm_runtime_put_autosuspend(cdns->dev);
>
> + cancel_work_sync(&priv_dev->pending_status_wq);
> + cancel_work_sync(&priv_dev->aligned_buf_wq);
> +
> usb_del_gadget(&priv_dev->gadget);
> devm_free_irq(cdns->dev, cdns->dev_irq, priv_dev);
>
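Review bot: the two cancel_work_sync() calls are placed before usb_del_gadget(), so the gadget is still registered while the work is being cancelled, and the commit message itself says pending_status_wq is queued from cdns3_gadget_ep0_queue(); a request queued in that window can re-arm the work after cancel_work_sync() returns and the race described above remains open. Moving the cancels below usb_del_gadget() (and, since the handler runs in the IRQ path, preferably below devm_free_irq() as well) closes that window, with cdns3_free_all_eps() still running afterwards. Separately, the cancel of aligned_buf_wq is not mentioned anywhere in the commit message; either describe why it is needed or drop it into its own patch. The change also needs a Fixes: tag naming the commit that introduced the work item, which is what Greg asks for below.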
> --
> 2.34.1
What commit id does this fix?
thanks,
greg k-h
2024-05-13 2:19 [PATCH v1] usb: cdns3: cdns3-gadget: fix use-after-free bug in cdns3_gadget_exit due to race Sicong Huang
2024-06-04 13:11 ` Greg KH [this message]
2024-06-05 2:36 ` sicong
2024-06-05 8:41 ` Greg KH