netdev.vger.kernel.org archive mirror
From: Greg KH <gregkh@linuxfoundation.org>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	"Peter Chen" <peter.chen@kernel.org>,
	"Felipe Balbi" <balbi@kernel.org>,
	johannes.berg@intel.com,
	"Pengutronix Kernel Team" <kernel@pengutronix.de>,
	"Alvin Šipraga" <ALSI@bang-olufsen.dk>
Subject: Re: [BUG] use-after-free after removing UDC with USB Ethernet gadget
Date: Tue, 25 Oct 2022 10:12:53 +0200
Message-ID: <Y1eahQ66OcpsECNf@kroah.com>
In-Reply-To: <fd36057a-e8d9-38a3-4116-db3f674ea5af@pengutronix.de>

On Tue, Oct 25, 2022 at 08:54:58AM +0200, Ahmad Fatoum wrote:
> Hi everybody,
> 
> I am running v6.0.2 and can reliably trigger a use-after-free by allocating
> a USB gadget, binding it to the chipidea UDC and the removing the UDC.

How do you remove the UDC?

> The network interface is not removed, but the chipidea SoC glue driver will
> remove the platform_device it had allocated in the probe, which is apparently
> the parent of the network device. When rtnl_fill_ifinfo runs, it will access the
> device parent's name for IFLA_PARENT_DEV_NAME, which is now freed memory.

The gadget removal logic is almost non-existent for most of the function
code.  See Lee's patch to try to fix up the f_hid.c driver last week as
one example.  I imagine they all have this same issue as no one has ever
tried the "remove the gadget device from the running Linux system"
before as it was not an expected use case.

Is this now an expected use case of the kernel?  If so, patches are
welcome to address this in all gadget drivers.

thanks,

greg k-h
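The lifetime problem described in this thread, as an added userspace C model that is not code from the thread, the chipidea driver or the kernel: a child object caches a pointer to its parent device, the parent is torn down, and a later reader dereferences the stale pointer. The names dev_get/dev_put/fill_parent_name and the device name "ci_hdrc.0" are assumptions of this model, mirroring get_device/put_device and the rtnl_fill_ifinfo IFLA_PARENT_DEV_NAME path only in spirit. The out-of-band "live" registry stands in for what KASAN does in the real kernel, so the stale access can be detected without actually touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 8

/* Toy device with an embedded reference count (kref-style). */
struct dev {
	char name[32];
	int refcount;
};

/* Registry of live objects: lets the model ask "is this pointer still
 * valid?" without dereferencing freed memory (undefined behaviour).
 * Caveat: like any address-based check, it cannot tell a stale pointer
 * from a fresh object that reused the same address. */
static struct dev *live[MAX_LIVE];

static int dev_is_live(const struct dev *d)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == d)
			return 1;
	return 0;
}

static struct dev *dev_create(const char *name)
{
	struct dev *d = calloc(1, sizeof(*d));
	if (!d)
		abort();
	snprintf(d->name, sizeof(d->name), "%s", name);
	d->refcount = 1;	/* the creator's reference */
	for (int i = 0; i < MAX_LIVE; i++)
		if (!live[i]) {
			live[i] = d;
			break;
		}
	return d;
}

static struct dev *dev_get(struct dev *d)
{
	d->refcount++;
	return d;
}

/* Drops one reference; returns 1 if that was the last one and the
 * object has been freed. */
static int dev_put(struct dev *d)
{
	if (--d->refcount > 0)
		return 0;
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == d)
			live[i] = NULL;
	free(d);
	return 1;
}

struct netdev {
	struct dev *parent;
};

/* Buggy pattern: cache the parent pointer without pinning it. */
static void netdev_attach_unpinned(struct netdev *n, struct dev *parent)
{
	n->parent = parent;
}

/* Safe pattern: hold a reference for as long as the pointer is cached,
 * and drop it when the netdev itself goes away. */
static void netdev_attach_pinned(struct netdev *n, struct dev *parent)
{
	n->parent = dev_get(parent);
}

static void netdev_detach_pinned(struct netdev *n)
{
	dev_put(n->parent);
	n->parent = NULL;
}

/* Stand-in for the reader. Returns 0 and copies the parent's name, or -1
 * when the parent is gone: in the real kernel that -1 case is the
 * use-after-free, here it is caught by the registry. */
static char last_parent_name[32];

static int fill_parent_name(const struct netdev *n)
{
	if (!n->parent || !dev_is_live(n->parent))
		return -1;
	snprintf(last_parent_name, sizeof(last_parent_name), "%s", n->parent->name);
	return 0;
}

/* Scenario: create the UDC platform device (constructed name), attach the
 * netdev, then the glue driver removes the platform device by dropping
 * the creator's reference. Returns the reader's result after removal. */
static int scenario(int pinned)
{
	struct dev *udc = dev_create("ci_hdrc.0");
	struct netdev nd = { 0 };
	int rc;

	if (pinned)
		netdev_attach_pinned(&nd, udc);
	else
		netdev_attach_unpinned(&nd, udc);

	dev_put(udc);	/* the platform_device is unregistered here */
	rc = fill_parent_name(&nd);

	if (pinned)
		netdev_detach_pinned(&nd);	/* last reference, object freed now */
	return rc;
}

int main(void)
{
	printf("unpinned: rc=%d\n", scenario(0));
	printf("pinned:   rc=%d name=%s\n", scenario(1), last_parent_name);
	return 0;
}
```

The unpinned run reports the parent as gone the moment the platform device is unregistered, which is exactly the window rtnl_fill_ifinfo hits in the report; the pinned run keeps the parent's memory alive until the last holder lets go, so the name stays readable and the object is freed only on detach.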


Thread overview: 4+ messages
2022-10-25  6:54 [BUG] use-after-free after removing UDC with USB Ethernet gadget Ahmad Fatoum
2022-10-25  8:12 ` Greg KH [this message]
2022-10-25  9:28   ` Ahmad Fatoum
2022-10-25 10:29     ` Greg KH
