From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sascha Hauer <s.hauer@pengutronix.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
posteuca@mutex.one, wsa+renesas@sang-engineering.com,
yang.lee@linux.alibaba.com, richard.leitner@skidata.com,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 04/11] usb: gadget: u_ether: Do not make UDC parent of the net device
Date: Fri, 23 Dec 2022 20:31:54 -0500 [thread overview]
Message-ID: <20221224013202.393372-4-sashal@kernel.org> (raw)
In-Reply-To: <20221224013202.393372-1-sashal@kernel.org>
From: Sascha Hauer <s.hauer@pengutronix.de>
[ Upstream commit 321b59870f850a10dbb211ecd2bd87b41497ea6f ]
The UDC is not a suitable parent of the net device as the UDC can
change or vanish during the lifecycle of the ethernet gadget. This
can be illustrated with the following:
mkdir -p /sys/kernel/config/usb_gadget/mygadget
cd /sys/kernel/config/usb_gadget/mygadget
mkdir -p configs/c.1/strings/0x409
echo "C1:Composite Device" > configs/c.1/strings/0x409/configuration
mkdir -p functions/ecm.usb0
ln -s functions/ecm.usb0 configs/c.1/
echo "dummy_udc.0" > UDC
rmmod dummy_hcd
The 'rmmod' removes the UDC from the just created gadget, leaving
the still existing net device with a no longer existing parent.
Accessing the ethernet device with commands like:
ip --details link show usb0
will result in a KASAN splat:
==================================================================
BUG: KASAN: use-after-free in if_nlmsg_size+0x3e8/0x528
Read of size 4 at addr c5c84754 by task ip/357
CPU: 3 PID: 357 Comm: ip Not tainted 6.1.0-rc3-00013-gd14953726b24-dirty #324
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x58/0x70
dump_stack_lvl from print_report+0x134/0x4d4
print_report from kasan_report+0x78/0x10c
kasan_report from if_nlmsg_size+0x3e8/0x528
if_nlmsg_size from rtnl_getlink+0x2b4/0x4d0
rtnl_getlink from rtnetlink_rcv_msg+0x1f4/0x674
rtnetlink_rcv_msg from netlink_rcv_skb+0xb4/0x1f8
netlink_rcv_skb from netlink_unicast+0x294/0x478
netlink_unicast from netlink_sendmsg+0x328/0x640
netlink_sendmsg from ____sys_sendmsg+0x2a4/0x3b4
____sys_sendmsg from ___sys_sendmsg+0xc8/0x12c
___sys_sendmsg from sys_sendmsg+0xa0/0x120
sys_sendmsg from ret_fast_syscall+0x0/0x1c
Solve this by not setting the parent of the ethernet device.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://lore.kernel.org/r/20221104131031.850850-2-s.hauer@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/u_ether.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index 64ef97ab9274..0a8a0119cabb 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -795,7 +795,6 @@ struct eth_dev *gether_setup_name(struct usb_gadget *g,
net->max_mtu = GETHER_MAX_MTU_SIZE;
dev->gadget = g;
- SET_NETDEV_DEV(net, &g->dev);
SET_NETDEV_DEVTYPE(net, &gadget_type);
status = register_netdev(net);
@@ -869,8 +868,6 @@ int gether_register_netdev(struct net_device *net)
struct usb_gadget *g;
int status;
- if (!net->dev.parent)
- return -EINVAL;
dev = netdev_priv(net);
g = dev->gadget;
@@ -901,7 +898,6 @@ void gether_set_gadget(struct net_device *net, struct usb_gadget *g)
dev = netdev_priv(net);
dev->gadget = g;
- SET_NETDEV_DEV(net, &g->dev);
}
EXPORT_SYMBOL_GPL(gether_set_gadget);
--
2.35.1
next prev parent reply other threads:[~2022-12-24 1:38 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-24 1:31 [PATCH AUTOSEL 5.10 01/11] kset: fix memory leak when kset_register() returns error Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 02/11] USB: core: Change configuration warnings to notices Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 03/11] usb: gadget: aspeed: fix buffer overflow Sasha Levin
2022-12-24 1:31 ` Sasha Levin [this message]
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 05/11] usb: gadget: f_ecm: Always set current gadget in ecm_bind() Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 06/11] chardev: Fix potential memory leak when cdev_add() failed Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 07/11] usb/usbip: Fix v_recv_cmd_submit() to use PIPE_BULK define Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 08/11] xhci: disable U3 suspended ports in S4 hibernate poweroff_late stage Sasha Levin
2022-12-24 1:31 ` [PATCH AUTOSEL 5.10 09/11] ACPICA: Fix operand resolution Sasha Levin
2022-12-24 1:32 ` [PATCH AUTOSEL 5.10 10/11] exfat: fix overflow in sector and cluster conversion Sasha Levin
2022-12-24 1:32 ` [PATCH AUTOSEL 5.10 11/11] fbdev: smscufx: fix error handling code in ufx_usb_probe Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221224013202.393372-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=posteuca@mutex.one \
--cc=richard.leitner@skidata.com \
--cc=s.hauer@pengutronix.de \
--cc=stable@vger.kernel.org \
--cc=wsa+renesas@sang-engineering.com \
--cc=yang.lee@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox