From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Xu Yang <xu.yang_2@nxp.com>
Cc: gregkh@linuxfoundation.org, linux@roeck-us.net,
rdbabiera@google.com, badhri@google.com,
frank.wang@rock-chips.com, kyletso@google.com,
zhipeng.wang_1@nxp.com, aisheng.dong@nxp.com, jun.li@nxp.com,
linux-usb@vger.kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH] usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()
Date: Tue, 12 Mar 2024 12:24:01 +0200
Message-ID: <ZfAtQVGLIDuBTY+e@kuha.fi.intel.com>
In-Reply-To: <20240311065219.777037-1-xu.yang_2@nxp.com>

On Mon, Mar 11, 2024 at 02:52:19PM +0800, Xu Yang wrote:
> When unregistering pd capabilities in tcpm, KASAN will capture the below
> double-free issue. The root cause is that the same capability will be kfreed twice,
> the first time is kfreed by pd_capabilities_release() and the second time
> is explicitly kfreed by tcpm_port_unregister_pd().
>
> [ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
> [ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10
> [ 4.001206]
> [ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53
> [ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
> [ 4.017569] Workqueue: events_unbound deferred_probe_work_func
> [ 4.023456] Call trace:
> [ 4.025920] dump_backtrace+0x94/0xec
> [ 4.029629] show_stack+0x18/0x24
> [ 4.032974] dump_stack_lvl+0x78/0x90
> [ 4.036675] print_report+0xfc/0x5c0
> [ 4.040289] kasan_report_invalid_free+0xa0/0xc0
> [ 4.044937] __kasan_slab_free+0x124/0x154
> [ 4.049072] kfree+0xb4/0x1e8
> [ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc
> [ 4.056725] tcpm_register_port+0x1dd0/0x2558
> [ 4.061121] tcpci_register_port+0x420/0x71c
> [ 4.065430] tcpci_probe+0x118/0x2e0
>
> To fix the issue, this will remove kfree() from tcpm_port_unregister_pd().
>
> Fixes: cd099cde4ed2 ("usb: typec: tcpm: Support multiple capabilities")
> cc: <stable@vger.kernel.org>
> Suggested-by: Aisheng Dong <aisheng.dong@nxp.com>
> Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> drivers/usb/typec/tcpm/tcpm.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 3d505614bff1..afbb0d832db2 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -6940,9 +6940,7 @@ static void tcpm_port_unregister_pd(struct tcpm_port *port)
> port->port_source_caps = NULL;
> for (i = 0; i < port->pd_count; i++) {
> usb_power_delivery_unregister_capabilities(port->pd_list[i]->sink_cap);
> - kfree(port->pd_list[i]->sink_cap);
> usb_power_delivery_unregister_capabilities(port->pd_list[i]->source_cap);
> - kfree(port->pd_list[i]->source_cap);
> devm_kfree(port->dev, port->pd_list[i]);
> port->pd_list[i] = NULL;
> usb_power_delivery_unregister(port->pds[i]);
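
Review bot: Nothing in the loop now says who frees sink_cap and source_cap once the two kfree() calls after usb_power_delivery_unregister_capabilities() are gone; the commit message explains that pd_capabilities_release() does it, but the code does not. A one-line comment above the two unregister calls stating that the release callback owns the free would keep a later cleanup from re-adding the kfree() and reintroducing the double free. The KASAN trace enters this function from tcpm_register_port(), so the commit message could also say that the report was hit on the registration error path during probe, which helps stable maintainers judge exposure.
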
> --
> 2.34.1
--
heikki