Date: Thu, 8 Jun 2023 15:09:27 +0200
From: Johan Hovold
To: Manivannan Sadhasivam
Cc: Johan Hovold, Thinh Nguyen, Greg Kroah-Hartman, Andy Gross, Bjorn Andersson, Konrad Dybcio, Krishna Kurapati, linux-usb@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Li Jun, Sandeep Maheswaram
Subject: Re: [PATCH 2/2] USB: dwc3: fix use-after-free on core driver unbind
References: <20230607100540.31045-1-johan+linaro@kernel.org> <20230607100540.31045-3-johan+linaro@kernel.org> <20230608130246.GF5672@thinkpad>
In-Reply-To: <20230608130246.GF5672@thinkpad>
X-Mailing-List: linux-usb@vger.kernel.org

On Thu, Jun 08, 2023 at 06:32:46PM +0530, Manivannan Sadhasivam wrote:
> On Wed, Jun 07, 2023 at 12:05:40PM +0200, Johan Hovold wrote:
> > Some dwc3 glue drivers are currently accessing the driver data of the
> > child core device directly, which is clearly a bad idea as the child may
> > not have probed yet or may have been unbound from its driver.
> >
> > As a workaround until the glue drivers have been fixed, clear the driver
> > data pointer before allowing the glue parent device to runtime suspend
> > to prevent its driver from accessing data that has been freed during
> > unbind.
> > @@ -1929,6 +1929,11 @@ static int dwc3_remove(struct platform_device *pdev) > > pm_runtime_disable(&pdev->dev); > > pm_runtime_dont_use_autosuspend(&pdev->dev); > > pm_runtime_put_noidle(&pdev->dev); > > + /* > > + * HACK: Clear the driver data, which is currently accessed by parent > > + * glue drivers, before allowing the parent to suspend. > > + */ > > + platform_set_drvdata(pdev, NULL); > > This is required because you have seen the glue driver going to runtime suspend > once the below pm_runtime_set_suspended() is completed? This is based on analysis of the code. The parent (glue) can not suspend while the child (core) is in the active state, but once we set the suspended state that could happen. > > > > dwc3_free_event_buffers(dwc); Johan
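Review bot: The HACK comment above platform_set_drvdata(pdev, NULL) in dwc3_remove() should name the call the store has to precede. Per the reply, the parent can only runtime suspend once the pm_runtime_set_suspended() below this hunk has run, so the ordering is what makes the workaround effective, and "before allowing the parent to suspend" does not tell a later editor which line must stay after the store. Suggest wording such as "must be cleared before pm_runtime_set_suspended()". It would also help to state in the comment that glue drivers are expected to treat a NULL driver data pointer as "core not bound"; that check is outside the visible lines, and without it the parent trades a stale pointer for a NULL one.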