Message ID | 20230310070039.1288927-1-zyytlz.wz@163.com |
---|---|
State | New |
Series | USB: gadget: udc: Fix use after free bug in udc_plat_remove due to race condition |
On Fri, Mar 10, 2023 at 03:00:39PM +0800, Zheng Wang wrote:
> In udc_plat_probe, &udc->drd_work is bound with
> udc_drd_work. udc_drd_work may be called by
> usbd_connect_notify to start the work.
>
> Besides, there is an invoking chain:
> udc_plat_probe
> ->udc_probe
> ->usb_add_gadget_udc_release
> ->usb_add_gadget
>
> It will add a new gadget to the udc class driver
> list. In usb_add_gadget, it uses usb_udc_release
> as its release function, which will kfree(udc)
> when destroying the gadget.
>
> If we remove the module which will call udc_plat_remove
> to make cleanup, there may be an unfinished work.
> The possible sequence is as follows:
>
> Fix it by finishing the work before cleanup in the udc_plat_remove
>
> Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> drivers/usb/gadget/udc/snps_udc_plat.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadget/udc/snps_udc_plat.c
> index 8bbb89c80348..6228e178cc0a 100644
> --- a/drivers/usb/gadget/udc/snps_udc_plat.c
> +++ b/drivers/usb/gadget/udc/snps_udc_plat.c
> @@ -230,6 +230,7 @@ static int udc_plat_remove(struct platform_device *pdev)
> struct udc *dev;
>
> dev = platform_get_drvdata(pdev);
> + cancel_delayed_work_sync(&dev->drd_work);
>
> usb_del_gadget_udc(&dev->gadget);
> /* gadget driver must not be registered */
> --
> 2.25.1
>

Please test this to verify that it actually works.

thanks,

greg k-h
On Fri, 24 Mar 2023 at 00:20, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Mar 10, 2023 at 03:00:39PM +0800, Zheng Wang wrote:
> > In udc_plat_probe, &udc->drd_work is bound with
> > udc_drd_work. udc_drd_work may be called by
> > usbd_connect_notify to start the work.
> >
> > Besides, there is an invoking chain:
> > udc_plat_probe
> > ->udc_probe
> > ->usb_add_gadget_udc_release
> > ->usb_add_gadget
> >
> > It will add a new gadget to the udc class driver
> > list. In usb_add_gadget, it uses usb_udc_release
> > as its release function, which will kfree(udc)
> > when destroying the gadget.
> >
> > If we remove the module which will call udc_plat_remove
> > to make cleanup, there may be an unfinished work.
> > The possible sequence is as follows:
> >
> > Fix it by finishing the work before cleanup in the udc_plat_remove
> >
> > Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> > drivers/usb/gadget/udc/snps_udc_plat.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadget/udc/snps_udc_plat.c
> > index 8bbb89c80348..6228e178cc0a 100644
> > --- a/drivers/usb/gadget/udc/snps_udc_plat.c
> > +++ b/drivers/usb/gadget/udc/snps_udc_plat.c
> > @@ -230,6 +230,7 @@ static int udc_plat_remove(struct platform_device *pdev)
> > struct udc *dev;
> >
> > dev = platform_get_drvdata(pdev);
> > + cancel_delayed_work_sync(&dev->drd_work);
> >
> > usb_del_gadget_udc(&dev->gadget);
> > /* gadget driver must not be registered */
> > --
> > 2.25.1
> >
>
> Please test this to verify that it actually works.
>

Hi,

Sorry for my late reply. I will try to simulate a device in qemu to test.

Best regards,
Zheng

> thanks,
>
> greg k-h
diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadget/udc/snps_udc_plat.c index 8bbb89c80348..6228e178cc0a 100644 --- a/drivers/usb/gadget/udc/snps_udc_plat.c +++ b/drivers/usb/gadget/udc/snps_udc_plat.c @@ -230,6 +230,7 @@ static int udc_plat_remove(struct platform_device *pdev) struct udc *dev; dev = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&dev->drd_work); usb_del_gadget_udc(&dev->gadget); /* gadget driver must not be registered */
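Review bot: the added cancel_delayed_work_sync(&dev->drd_work) sits before usb_del_gadget_udc(), but the commit message says the work is queued from usbd_connect_notify(); unless that notifier has already been unregistered at this point (its position relative to this hunk is not visible), a connect event arriving after the cancel can re-queue drd_work, so the window is narrowed rather than closed. Either move the cancel after the notifier is unregistered or state in the message why nothing can queue the work here. The message also announces "The possible sequence is as follows:" and then gives no sequence; spell out the interleaving of udc_drd_work() and udc_plat_remove() that reaches the freed udc, since that is what justifies the Fixes tag.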
In udc_plat_probe, &udc->drd_work is bound with udc_drd_work. udc_drd_work may be called by usbd_connect_notify to start the work.

Besides, there is an invoking chain:

udc_plat_probe
->udc_probe
->usb_add_gadget_udc_release
->usb_add_gadget

It will add a new gadget to the udc class driver list. In usb_add_gadget, it uses usb_udc_release as its release function, which will kfree(udc) when destroying the gadget.

If we remove the module which will call udc_plat_remove to make cleanup, there may be an unfinished work. The possible sequence is as follows:

Fix it by finishing the work before cleanup in the udc_plat_remove

Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
drivers/usb/gadget/udc/snps_udc_plat.c | 1 +
1 file changed, 1 insertion(+)
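As an added illustration (not code from the patch or from the kernel), the following userspace C model reproduces the ordering the fix relies on: a delayed work item that dereferences the driver object, and a remove path that cancels it with cancel_delayed_work_sync() semantics (stop an instance that has not run yet, wait for one that is running) before freeing the object. All names here (udc_model, drd_work_model, set_flag_wait_idle, remove_scenario_model) are invented stand-ins for struct udc, udc_drd_work() and udc_plat_remove().

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct udc_model {                        /* invented stand-in for struct udc */
	pthread_mutex_t lock;
	pthread_cond_t wake;
	bool pending, timer_fired, cancelled; /* queued/running, delay expired, cancel requested */
	int touched;                          /* times the work dereferenced this object */
};
/* Stand-in for udc_drd_work(): wait out the delay, then touch the object. */
static void *drd_work_model(void *arg)
{
	struct udc_model *udc = arg;
	pthread_mutex_lock(&udc->lock);
	while (!udc->timer_fired && !udc->cancelled)
		pthread_cond_wait(&udc->wake, &udc->lock);
	if (!udc->cancelled)
		udc->touched++; /* a use-after-free if udc had already been freed */
	udc->pending = false;
	pthread_cond_broadcast(&udc->wake);
	pthread_mutex_unlock(&udc->lock);
	return NULL;
}
/* Set a flag, wake the worker, block until no work instance is pending or running. */
static void set_flag_wait_idle(struct udc_model *udc, bool *flag)
{
	pthread_mutex_lock(&udc->lock);
	*flag = true;
	pthread_cond_broadcast(&udc->wake);
	while (udc->pending)
		pthread_cond_wait(&udc->wake, &udc->lock);
	pthread_mutex_unlock(&udc->lock);
}
/* udc_plat_remove() with the fix: cancel with cancel_delayed_work_sync() semantics, then free.
 * Returns 0 if remove won the race, 1 if the work had already run; freed memory is never touched. */
static int remove_scenario_model(bool delay_expired_before_remove)
{
	struct udc_model *udc = malloc(sizeof(*udc));
	pthread_t worker; int touched;
	*udc = (struct udc_model){ .lock = PTHREAD_MUTEX_INITIALIZER,
				   .wake = PTHREAD_COND_INITIALIZER, .pending = true }; /* work queued */
	pthread_create(&worker, NULL, drd_work_model, udc);
	if (delay_expired_before_remove)
		set_flag_wait_idle(udc, &udc->timer_fired);
	set_flag_wait_idle(udc, &udc->cancelled); /* the line the patch adds */
	pthread_join(worker, NULL);
	touched = udc->touched;
	free(udc); /* safe: no instance of the work can run now */
	return touched;
}
```

Calling remove_scenario_model(false) models remove racing ahead of the delay (the work never runs), remove_scenario_model(true) models the work having run first (the cancel merely waits); in both orderings the free happens only after the work can no longer execute.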